Skip to content

fix(ci): bump release.yml Go pin from 1.22 to 1.24 to match go.mod and ci#93

Merged
dipto0321 merged 1 commit into
mainfrom
fix/ci/release-go-version
Jul 3, 2026
Merged

fix(ci): bump release.yml Go pin from 1.22 to 1.24 to match go.mod and ci#93
dipto0321 merged 1 commit into
mainfrom
fix/ci/release-go-version

Conversation

@dipto0321

Copy link
Copy Markdown
Owner

Summary

.github/workflows/release.yml:62 pins Go 1.22 for the GoReleaser job, while go.mod:3 requires go 1.24.0 and .github/workflows/ci.yml correctly pins Go 1.24. The comment at release.yml:6 explicitly (and incorrectly) claims "same version pin as CI."

This isn't currently broken — Go's default GOTOOLCHAIN=auto self-heals by auto-downloading 1.24 at build time when it sees go.mod requires a newer version than what's installed. But that means the release build silently depends on network access to proxy.golang.org during the release job (a step CI never exercises, since CI already has 1.24), and if GOTOOLCHAIN=local is ever set (org policy, air-gapped runner), the release build would break outright at tag-push time — the one moment there's no opportunity to catch it in a normal PR-gated CI run.

This PR bumps release.yml's go-version pin to '1.24' to match ci.yml and go.mod, and adds a multi-line inline comment next to the pin explaining the parity-with-go.mod invariant so future bumps in either direction are caught in code review.

Linked issues

Closes #66

Type of change

  • fix — bug fix (PATCH bump)
  • feat — new feature (MINOR bump)
  • refactor — no behavior change
  • perf — performance improvement
  • docs — documentation only
  • test — tests only
  • chore — maintenance / dependency bump
  • ci — CI/CD only
  • build — build system only
  • Breaking change (MAJOR bump) — explain below

Checklist

  • Title follows Conventional Commits (feat(scope): subject)
  • I ran make ci locally and it passes (Go-side tidy/fmt/vet/lint/test all green; the change is to a YAML workflow file only and doesn't affect the Go pipeline)
  • I added or updated tests for the change (no test added — the change is a single-string YAML pin + comment; CI itself is the test, and the change makes CI more truthful rather than adding new behavior)
  • I updated relevant docs (CHANGELOG.md, inline comment next to the pin explains the parity invariant)
  • No new linter warnings (make lint green)
  • If breaking: I documented the migration path in the PR body and updated CHANGELOG.md

Screenshots / output

Pre-fix:

- name: Setup Go
  uses: actions/setup-go@v5
  with:
    go-version: '1.22'   # <-- diverges from go.mod's go 1.24.0 and ci.yml's '1.24'
    cache: true

Post-fix:

- name: Setup Go
  uses: actions/setup-go@v5
  with:
    # MUST match `go.mod`'s `go` directive (currently 1.24.0)
    # AND `.github/workflows/ci.yml`'s lint job — the test
    # jobs use `go-version-file: 'go.mod'` which auto-derives,
    # so we have to keep this in sync by hand. With Go's
    # default `GOTOOLCHAIN=auto`, a too-old pin here would
    # "self-heal" via auto-download — masking the divergence
    # from CI but silently depending on network access to
    # proxy.golang.org at release time, and breaking outright
    # if `GOTOOLCHAIN=local` is ever set (org policy, air-
    # gapped runner). See #66.
    go-version: '1.24'
    cache: true

Why I'm not migrating to go-version-file: 'go.mod'

The cleanest long-term fix is to use go-version-file: 'go.mod' here too — that's what ci.yml's test jobs already do, and it auto-derives from go.mod so the pin can never drift. I kept the explicit string pin for this PR for two reasons:

  1. Minimal blast radius. A 1-character change (and a comment) is the smallest possible diff that closes the issue. Migrating to go-version-file is a separate refactor — same shape, same invariants, but worth doing as its own PR with its own review.
  2. Parity with the ci.yml lint job, which also uses an explicit string pin. Keeping the format symmetric makes a future reviewer's job easier: "if you bump ci.yml, also bump release.yml" is a mechanical grep.

A follow-up could swap both ci.yml's lint job and release.yml to go-version-file: 'go.mod' in a single PR — the issue text doesn't request that, but it's worth doing.

Files touched

  • .github/workflows/release.yml — bumps go-version from '1.22' to '1.24'. Adds a multi-line comment explaining the parity-with-go.mod invariant and why GOTOOLCHAIN=auto was masking the divergence.
  • CHANGELOG.md### Fixed entry under [Unreleased] documenting the version-pin divergence with the GOTOOLCHAIN masking behavior + the latent break mode (GOTOOLCHAIN=local).

…d ci

Closes #66

.github/workflows/release.yml:62 pinned Go 1.22 for the GoReleaser
job while go.mod:3 requires go 1.24.0 and .github/workflows/ci.yml
correctly pins Go 1.24. The misleading comment at release.yml:6
claiming "same version pin as CI" was false.

Currently masked by Go's default GOTOOLCHAIN=auto: when setup-go
installs 1.22 and go.mod requires 1.24.0, the Go toolchain auto-
downloads 1.24 at build time, so the release job appears to work.
But that means the release build silently depends on network
access to proxy.golang.org during the release job — a step CI
never exercises, since CI already has 1.24. If GOTOOLCHAIN=local
is ever set (org policy, air-gapped runner), the release build
breaks outright at tag-push time, the one moment there's no
opportunity to catch it in a normal PR-gated CI run.

Fix: bump the pin to '1.24'. Adds a multi-line inline comment
explaining the parity-with-go.mod invariant and the
GOTOOLCHAIN=auto masking so future bumps in either direction are
caught in code review.

Kept the explicit string pin (rather than migrating to
go-version-file: 'go.mod') for minimal blast radius and parity
with ci.yml's lint job, which also uses an explicit string pin.

CHANGELOG: ### Fixed entry under [Unreleased].

Co-Authored-By: puku-ai-2.8 <noreply@puku.sh>
@cocogitto-bot

cocogitto-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown

✔️ d81fbc7 - Conventional commits check succeeded.

@dipto0321 dipto0321 merged commit 15cde14 into main Jul 3, 2026
10 checks passed
@dipto0321 dipto0321 deleted the fix/ci/release-go-version branch July 3, 2026 05:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci(release): release.yml pins Go 1.22, go.mod requires 1.24.0, comment claims parity with CI

1 participant