deps: bump Go dependencies and CI actions #796
Merged
Conversation
Go dependencies:
- aws/aws-sdk-go v1.45.9 → v1.55.8
- google/go-cmp v0.5.9 → v0.7.0
- hashicorp/awspolicyequivalence v1.6.0 → v1.7.0
- hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637 → v1.5.0
- hashicorp/terraform-plugin-sdk/v2 v2.29.0 → v2.39.0
- minio/madmin-go/v3 v3.0.18 → v3.0.110
- gotest.tools/v3 v3.5.0 → v3.5.2

CI actions:
- actions/checkout → v6.0.2
- actions/cache v4 → v5.0.3
- github/codeql-action v4.32.4 → v4.32.5
- securego/gosec v2.22.11 → v2.24.7
- aquasecurity/trivy-action 0.18.0 → 0.34.1
- crazy-max/ghaction-import-gpg v6.3.0 → v7.0.0
- goreleaser/goreleaser-action v6 → v7

Fix madmin-go v3.0.110 breaking change: SiteReplicationAdd now requires SRAddOptions parameter.
Pin all remaining tag-based action references to their commit SHAs to satisfy the OSSF Scorecard "Pinned-Dependencies" check.
Add golangci-lint exclusions for SA1019 deprecation warnings:
- aws-sdk-go v1 (deprecated in favor of v2)
- madmin SetPolicy (use AttachPolicy/DetachPolicy)
- madmin InfoCannedPolicy (use InfoCannedPolicyV2)

These are tracked as TODO items for separate migration PRs.
Add continue-on-error to Trivy step and check file existence before upload to prevent failures when Trivy exits non-zero or produces no SARIF output.
- Remove `config` input from gosec v2.24.7 (not a valid input)
- Remove `config-file` input from codeql-action/upload-sarif v4.32.5
The codeql-config.yml exclusions were never actually applied since the `config` and `config-file` inputs are not supported by gosec or upload-sarif actions. Apply the exclusions via gosec flags:
- -exclude-dir=vendor: skip vendor directory
- -tests=false: skip test files
- -exclude=G101: skip hardcoded credentials (provider handles user credentials by design, equivalent of go/hardcoded-credentials)
Move the uint-to-int bounds check before the conversion to prevent the overflow that gosec G115 flags (CWE-190).
- Add -stdout flag so findings are visible in pipeline logs
- Add continue-on-error so the step doesn't fail the job
- SARIF upload still runs (if: always()) for Security tab reporting
Gosec should fail the pipeline when security issues are found. Only -stdout is needed to make findings visible in logs.
Fixes govulncheck findings for crypto/tls and net/url vulnerabilities present in go1.24.2. Go 1.24.12+ includes security fixes for both.
The action default v0.69.1 was yanked from GitHub releases, causing installation failure. Pin to v0.69.2 (latest stable).
Trivy should fail the pipeline when security vulnerabilities are found. The upload step still uses hashFiles check to handle missing SARIF gracefully.
For both gosec and trivy:
1. Run scanner with continue-on-error so SARIF file is always produced
2. Upload SARIF to Security tab regardless of outcome
3. Check scanner outcome — if it failed, post findings table to job summary and exit 1 to break the pipeline
The -stdout flag dumps unreadable SARIF JSON into pipeline logs. Findings are already reported via the job summary table and the Security tab.
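The G115 (CWE-190) fix described in the commit messages above, as an added example that is not part of this pull request's code: `uintToIntUnchecked` is the conversion-first pattern gosec flags, and `uintToInt` is the check-first pattern the commit adopts. Both function names are assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrOutOfRange is returned when a uint value does not fit in an int.
var ErrOutOfRange = errors.New("uint value exceeds the int range")

// uintToIntUnchecked is the pattern gosec G115 flags (hypothetical name):
// the conversion runs before any bounds check, so any value above
// math.MaxInt wraps into a negative int (CWE-190 integer overflow).
func uintToIntUnchecked(v uint) int {
	return int(v) // math.MaxUint becomes -1 here
}

// uintToInt performs the bounds check in the unsigned domain first, so a
// wrapping conversion is never executed (hypothetical name for the fix).
func uintToInt(v uint) (int, error) {
	if v > math.MaxInt {
		return 0, ErrOutOfRange
	}
	return int(v), nil
}

func main() {
	// Constructed inputs: one in range, one that overflows.
	for _, v := range []uint{42, math.MaxUint} {
		fmt.Printf("unchecked: %d -> %d\n", v, uintToIntUnchecked(v))
		if n, err := uintToInt(v); err != nil {
			fmt.Printf("checked:   %d -> error: %v\n", v, err)
		} else {
			fmt.Printf("checked:   %d -> %d\n", v, n)
		}
	}
}
```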
felladrin
approved these changes
Mar 3, 2026