govulncheck-action: semver tag 'v1' not updated for release v1.0.1 #63281

Closed
bplessis-swi opened this issue Sep 28, 2023 · 7 comments
@bplessis-swi

Hi guys,

The golang/govulncheck README documents the use of the "@v1" tag for referencing the action, and the common practice/expectation for those short tags is to be a floating tag; however, when trying to use parameters like go-version-file that are also documented in the README, we get a warning like this:

Warning: Unexpected input(s) 'go-version-file', 'repo-checkout', valid inputs are ['go-version-input', 'check-latest', 'cache', 'go-package']

After a short pondering it occurred to me to check the tag, and this happens since those options are part of release 1.0.1, and v1 is actually really v1.0.0.

It would be great to convert "v1" to a floating tag and create a "v1.0.0" for identification of the old release.
Alternatively maybe update the README.md with the current @v1.0.1 tag but that is not the common expectation around github actions.

Regards,
Benoit

@bcmills bcmills added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 28, 2023
@thanm thanm added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 28, 2023
@thanm
Contributor

thanm commented Sep 28, 2023

@golang/vulndb

@zpavlinovic zpavlinovic self-assigned this Sep 28, 2023
@zpavlinovic
Contributor

Is this related to the govulncheck command or the govulncheck Github action?

@bplessis-swi
Author

It's the govulncheck GitHub Action, sorry.

@bplessis-swi bplessis-swi changed the title golang/govulncheck: semver tag 'v1' not updated for release v1.0.1 golang/govulncheck (github action): semver tag 'v1' not updated for release v1.0.1 Sep 28, 2023
@zpavlinovic zpavlinovic changed the title golang/govulncheck (github action): semver tag 'v1' not updated for release v1.0.1 govulncheck-action: semver tag 'v1' not updated for release v1.0.1 Sep 28, 2023
@zpavlinovic
Contributor

zpavlinovic commented Sep 28, 2023

If I understand correctly, the idea is to always have the floating v1 point to the latest release of v1, which in this case is v1.0.1. This would also imply that the previous v1 version, in this case v1.0.0 should lose the v1 floating tag?

> but that is not the common expectation around github actions.

You have a link for this perhaps?

@bplessis-swi
Author

For example you can see that behavior on the setup-go action:

https://github.com/actions/setup-go/tags

v4.1.0: 93397be
v4: 93397be
v4.0.1: 4d34df0
v3.5.0: 6edd440
v3: 6edd440

@bplessis-swi
Author

> This would also imply that the previous v1 version, in this case v1.0.0 should lose the v1 floating tag?

Yes, a tag can only point to one commit, so the update of the 'v1' tag will make it move to the new release (it needs some 'force' btw ^^)

@prattmic
Member

prattmic commented Oct 3, 2023

v1 now points to 7da72f730e37eeaad891fcff0a532d27ed737cd4
v1.0.0 was also created to point to dd3ead030e4f2cf713062f7a3395191802364e13

@prattmic prattmic closed this as completed Oct 3, 2023
@golang golang locked and limited conversation to collaborators Oct 2, 2024
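
A check for the condition reported in this thread, as an added example (not code from the thread or from the govulncheck-action project): given a tag-to-commit map, it flags every major version whose floating tag is missing or does not resolve to the same commit as the highest release in that major. The function names and the placeholder commit ids in `main` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// parse accepts only canonical vMAJOR.MINOR.PATCH release tags; floating tags
// ("v1") and pre-release suffixes fail the round-trip check and are skipped.
func parse(tag string) (v [3]int, ok bool) {
	n, _ := fmt.Sscanf(tag, "v%d.%d.%d", &v[0], &v[1], &v[2])
	return v, n == 3 && (v[0]|v[1]|v[2]) >= 0 && name(v) == tag
}

func name(v [3]int) string { return fmt.Sprintf("v%d.%d.%d", v[0], v[1], v[2]) }

// StaleFloatingTags takes a tag -> commit map and reports each major version
// whose floating tag "vN" is missing or resolves to a different commit than
// the highest vN.x.y release tag.
func StaleFloatingTags(tags map[string]string) []string {
	best := map[int][3]int{} // major -> highest release seen so far
	for tag := range tags {
		v, ok := parse(tag)
		cur, seen := best[v[0]]
		newer := v[1] > cur[1] || (v[1] == cur[1] && v[2] > cur[2])
		if ok && (!seen || newer) {
			best[v[0]] = v
		}
	}
	var out []string
	for major, v := range best {
		float, rel := fmt.Sprintf("v%d", major), name(v)
		if sha, ok := tags[float]; !ok {
			out = append(out, float+" missing; latest release is "+rel)
		} else if sha != tags[rel] {
			out = append(out, fmt.Sprintf("%s stale: at %s, but %s is %s", float, sha, rel, tags[rel]))
		}
	}
	sort.Strings(out) // map iteration order is random; keep the report stable
	return out
}

func main() {
	// Constructed input: the situation reported in this issue, placeholder commit ids.
	fmt.Println(StaleFloatingTags(map[string]string{"v1": "aaaaaaa", "v1.0.1": "bbbbbbb"}))
}
```

The map can be filled from the output of `git ls-remote --tags` against the action's repository before a workflow is changed to rely on inputs from a newer release.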