126 changes: 124 additions & 2 deletions .github/workflows/ci.yaml
@@ -2,12 +2,125 @@
on:
push:
branches:
- master
- main
pull_request:
branches:
- master
- main
env:
GOPATH: /home/runner/go/
GO_VERSION: 1.25

jobs:
build-kas:
name: Build kas
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version: 1.25
- run: PATH=$PATH:$GOPATH/bin TARGET_DIRECTORY=. make build-kas
build-agentk:
Code scanning / CodeQL annotation on lines +14 to +23: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 12 days ago):

To resolve the issue, explicitly set a permissions block at the workflow level or for each job, specifying the minimum required access, namely 'contents: read'. In this context, it's best to add a global workflow-level permissions block to .github/workflows/ci.yaml immediately after the name key and before on:. This applies to all jobs unless overridden and ensures that only the minimal repository content read access is provided to the GITHUB_TOKEN, mitigating risk in all contained jobs. No changes to steps or functionality are required, only the addition of the block.


Suggested changeset 1 (autofix patch for .github/workflows/ci.yaml):
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 on:
   push:
     branches:
EOF
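Review bot: prefer this workflow-level block over the per-job variant suggested further down for lint; it lands between `name: CI` and `on:` and therefore applies to every job, which is exactly what the five identical CodeQL annotations on the build, image and test jobs ask for. It does not interfere with publish-debug-docker, because that job declares its own `permissions:` (contents read, id-token write, packages write) and a job-level block overrides the workflow default, so that job keeps the package-push rights it needs while build-kas, build-agentk, image-kas, image-agentk, test and lint drop to read-only. Applying this one patch resolves the same finding reported on lines +24 to +33, +34 to +39, +40 to +45 and +46 to +55 as well.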
name: Build agentk
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version: 1.25
- run: PATH=$PATH:$GOPATH/bin TARGET_DIRECTORY=. make build-agentk
image-kas:
name: Build kas image
Code scanning / CodeQL annotation on lines +24 to +33: Workflow does not contain permissions (Medium), the same finding as above.

Copilot Autofix (AI, 12 days ago):

To fix this issue, add an explicit permissions block at the top level of the workflow or at the relevant job level(s). The minimal and safest starting point is to give the workflow (or jobs) only contents: read access, which suffices for the actions shown (building, testing, linting code, and building Docker images), unless some jobs require additional permissions. This block should be placed after the workflow name: and before the other top-level keys like on:, env:, or jobs:.
The precise fix:

  • Insert a permissions: key with contents: read at the root level (so it applies to all jobs).
    No new methods, imports, or definitions are needed; only the permissions block is required in .github/workflows/ci.yaml.

Suggested changeset 1: the same autofix patch for .github/workflows/ci.yaml as above (permissions: contents: read inserted after name: CI).
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: PATH=$PATH:$GOPATH/bin TARGET_DIRECTORY=. make docker-kas
image-agentk:
name: Build agentk image
Code scanning / CodeQL annotation on lines +34 to +39: Workflow does not contain permissions (Medium), the same finding as above.

Copilot Autofix (AI, 12 days ago):

To fix this issue, you should add a permissions block at the top level of the workflow file .github/workflows/ci.yaml. This block should grant only the minimal privileges required for the workflow to run correctly, typically "contents: read" for workflows that only require read access for checking out code and building/testing it. You should place the permissions block immediately after the workflow name: field and before other top-level directives like on: or env:. If you have jobs in the workflow needing write permissions (not shown in the snippet), you would add a more permissive permissions block for only those jobs.

Suggested changeset 1: the same autofix patch for .github/workflows/ci.yaml as above (permissions: contents: read inserted after name: CI).
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: PATH=$PATH:$GOPATH/bin TARGET_DIRECTORY=. make docker-agentk
test:
name: Unit test
Code scanning / CodeQL annotation on lines +40 to +45: Workflow does not contain permissions (Medium), the same finding as above.

Copilot Autofix (AI, 12 days ago):

To address this issue, you should explicitly specify a permissions: block in your workflow YAML file to restrict GitHub Actions' GITHUB_TOKEN's access. If none of your jobs need to write to repository contents, or create issues, or PRs, the minimum safe value is contents: read, which is recommended by the CodeQL warning. This block should be added at the workflow root (top-level, so it applies to all jobs unless overridden) or within individual jobs. Since the workflow currently contains only build, test, lint, and image creation steps, none of which need write access to repo contents, placing permissions: contents: read at the top level is sufficient, and allows you to follow the least privilege principle without interfering with any job's functionality.

Make this change directly below the workflow's name: block, before the on: section begins, in .github/workflows/ci.yaml.


Suggested changeset 1: the same autofix patch for .github/workflows/ci.yaml as above (permissions: contents: read inserted after name: CI).
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version: 1.25
- run: PATH=$PATH:$GOPATH/bin make test
lint:
name: Lint
runs-on: ubuntu-latest
Code scanning / CodeQL annotation on lines +46 to +55: Workflow does not contain permissions (Medium), the same finding as above.

Copilot Autofix (AI, 12 days ago):

To fix the issue, you should explicitly set the permissions key in the workflow file to restrict the default permissions of the automatically generated GITHUB_TOKEN. Since the workflow only includes jobs for building, testing, linting, and building Docker images (with no indication that any steps require write access to the repository or related GitHub API objects), the minimal permission contents: read is likely sufficient for all jobs. The change should be placed at the root of the workflow file (directly under the name: and on: blocks) so that it applies to all jobs. This will ensure that if anyone adds permission-sensitive steps in the future, they'll have to explicitly escalate them. No extra imports, functions, or variables are required; this is a single YAML configuration addition.


Suggested changeset 1: the same autofix patch for .github/workflows/ci.yaml as above (permissions: contents: read inserted after name: CI).
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: 1.25
- uses: golangci/[email protected]
with:
version: v2.4.0
publish-debug-docker:
name: Build and push debug kas containers
runs-on: ubuntu-latest
permissions:
Code scanning / CodeQL annotation on lines +56 to +67: Workflow does not contain permissions (Medium), the same finding as above.

Copilot Autofix (AI, 12 days ago):

To fix this issue, add a permissions block to the lint job that grants only the minimum required permissions for the job to work (which, for linting, is only contents: read). This block should be added inside the lint job definition, alongside name and runs-on, before steps. No additional imports or method changes are necessary, as this is a workflow configuration change.

Suggested changeset 1 (autofix patch for .github/workflows/ci.yaml):
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -53,6 +53,8 @@
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
EOF
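Review bot: this job-level block silences the finding only for lint; build-kas, build-agentk, image-kas, image-agentk and test would still run with the default GITHUB_TOKEN permissions, so the workflow-level `permissions:` / `  contents: read` after `name: CI` proposed for the earlier annotations is the better fix, and this hunk is redundant once that one is applied. Job-level blocks remain the right tool only where a job needs more than read access, as publish-debug-docker already does with its own contents/id-token/packages block.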
contents: 'read'
id-token: 'write'
packages: 'write'
strategy:
matrix:
image: [kas-debug, agentk-debug]
include:
- image: kas-debug
dockerfile: ./build/docker/kas.debug.Dockerfile
- image: agentk-debug
dockerfile: ./build/docker/agentk.debug.Dockerfile
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/pluralsh/${{ matrix.image }}
tags: |
type=sha
type=ref,event=pr
type=ref,event=branch
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker
uses: docker/login-action@v3
with:
username: mjgpluralsh
password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: "."
file: "${{ matrix.dockerfile }}"
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
GIT_COMMIT=${{ github.sha }}
GOPROXY: "https://proxy.golang.org"
jobs:
build-kas:
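Review bot: this hunk leaves the file with two top-level jobs mappings. The new block (jobs: / build-kas: ... down to build-args: / GIT_COMMIT=${{ github.sha }}) is inserted right after GO_VERSION: 1.25, and the original GOPROXY: "https://proxy.golang.org" / jobs: / build-kas: lines then follow it as unchanged context, so GOPROXY is separated from the rest of env: by the whole inserted jobs block and jobs: is declared twice; this looks like an unresolved merge and should be reduced to a single env: block (GOPATH, GO_VERSION, GOPROXY) followed by a single jobs: block. Smaller points in the same hunk: GO_VERSION is defined but never used, since every setup-go step hardcodes go-version: 1.25 (four jobs use actions/setup-go@v4 while lint uses @v5); publish-debug-docker grants id-token: 'write' although no step uses OIDC, and logs in to Docker Hub with a hardcoded personal username (mjgpluralsh) and DOCKER_ACCESS_TOKEN even though the only images pushed are ghcr.io/pluralsh/..., so that login step and the extra scope can be dropped; and with push: true under a pull_request trigger every PR publishes type=ref,event=pr tags to ghcr.io, which is worth restricting to push events on main (pull requests from forks also cannot read secrets.DOCKER_ACCESS_TOKEN, so the Docker Hub login would fail there regardless). Finally, all actions are pinned by tag (@v3, @v4, @v5); pinning to a full commit SHA hardens the supply chain against a moved tag.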
@@ -16,6 +129,9 @@
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version: 1.25

with:
go-version-file: go.mod
check-latest: true
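Review bot: this hunk adds a second with: mapping to the same actions/setup-go@v4 step. The existing with: / go-version: 1.25 stays as context, then a blank line, then with: / go-version-file: go.mod / check-latest: true is added, which gives the step two with: keys; YAML requires mapping keys to be unique, so this will not parse as intended. Keep a single with: block, and if go.mod is meant to be the source of truth, replace go-version: 1.25 with go-version-file: go.mod and check-latest: true instead of adding a second mapping.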
@@ -26,6 +142,9 @@
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version: 1.25

with:
go-version-file: go.mod
check-latest: true
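Review bot: same duplicate with: key as in the preceding hunk; this setup-go step ends up with both go-version: 1.25 and go-version-file: go.mod under two separate with: mappings. Merge them into one with: block and keep only the go-version-file / check-latest pair.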
@@ -48,6 +167,9 @@
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version: 1.25

with:
go-version-file: go.mod
check-latest: true
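Review bot: third occurrence of the duplicate with: key under actions/setup-go@v4; as in the two hunks above, drop go-version: 1.25 and keep a single with: containing go-version-file: go.mod and check-latest: true, otherwise the step has two with: mappings, which YAML does not allow.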