From d81fbc7f44bf31bd90ceb03d5eada26472a3a1fa Mon Sep 17 00:00:00 2001 From: dipto0321 Date: Fri, 3 Jul 2026 11:32:19 +0600 Subject: [PATCH] fix(ci): bump release.yml Go pin from 1.22 to 1.24 to match go.mod and ci MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #66 .github/workflows/release.yml:62 pinned Go 1.22 for the GoReleaser job while go.mod:3 requires go 1.24.0 and .github/workflows/ci.yml correctly pins Go 1.24. The misleading comment at release.yml:6 claiming "same version pin as CI" was false. Currently masked by Go's default GOTOOLCHAIN=auto: when setup-go installs 1.22 and go.mod requires 1.24.0, the Go toolchain auto- downloads 1.24 at build time, so the release job appears to work. But that means the release build silently depends on network access to proxy.golang.org during the release job — a step CI never exercises, since CI already has 1.24. If GOTOOLCHAIN=local is ever set (org policy, air-gapped runner), the release build breaks outright at tag-push time, the one moment there's no opportunity to catch it in a normal PR-gated CI run. Fix: bump the pin to '1.24'. Adds a multi-line inline comment explaining the parity-with-go.mod invariant and the GOTOOLCHAIN=auto masking so future bumps in either direction are caught in code review. Kept the explicit string pin (rather than migrating to go-version-file: 'go.mod') for minimal blast radius and parity with ci.yml's lint job, which also uses an explicit string pin. CHANGELOG: ### Fixed entry under [Unreleased]. Co-Authored-By: puku-ai-2.8 --- .github/workflows/release.yml | 12 +++++++++++- CHANGELOG.md | 18 ++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0c4d89b..1507329 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -59,7 +59,17 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: '1.22' + # MUST match `go.mod`'s `go` directive (currently 1.24.0) + # AND `.github/workflows/ci.yml`'s lint job — the test + # jobs use `go-version-file: 'go.mod'` which auto-derives, + # so we have to keep this in sync by hand. With Go's + # default `GOTOOLCHAIN=auto`, a too-old pin here would + # "self-heal" via auto-download — masking the divergence + # from CI but silently depending on network access to + # proxy.golang.org at release time, and breaking outright + # if `GOTOOLCHAIN=local` is ever set (org policy, air- + # gapped runner). See #66. + go-version: '1.24' cache: true - name: Run GoReleaser diff --git a/CHANGELOG.md b/CHANGELOG.md index ff13d67..3aeef93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -552,6 +552,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 slip entry throws, the absolute-outside entry throws). No JS test framework introduced; same reasoning as #63. Closes #65 (points 1 and 3). +- `.github/workflows/release.yml`: bump the GoReleaser job's + `go-version` pin from `'1.22'` to `'1.24'` to match + `go.mod`'s `go 1.24.0` directive and `.github/workflows/ci.yml`'s + lint job (the test jobs in ci.yml use `go-version-file: 'go.mod'` + which auto-derives, so we have to keep the explicit pin here in + sync by hand). Pre-fix, the comment at release.yml:6 claiming + "same version pin as CI" was misleading — the divergence was + masked by Go's default `GOTOOLCHAIN=auto` (which auto-downloads + the missing toolchain), but that meant the release build + silently depended on network access to proxy.golang.org during + the release job — a step CI never exercises, since CI already + has 1.24. If `GOTOOLCHAIN=local` is ever set (org policy, + air-gapped runner), the release build would break outright at + tag-push time, the one moment there's no opportunity to catch + it in a normal PR-gated CI run. A multi-line inline comment + next to the pin explains the parity-with-go.mod invariant so + future bumps in either direction are caught in code review. + Closes #66. ## [0.0.0] - 2024-07-01