go-version: ">=1.20" with check-latest: true does not resolve to 1.20.5

[silverwind]

go1.20.5 was released on 2023-06-06, but this action does not find it, even with check-latest enabled. This is problematic for us because we have govulncheck in the pipeline and all builds fail because of vulnerabilities in go1.20.4.

- uses: actions/setup-go@v4
  with:
    go-version: ">=1.20"
    check-latest: true

Run output:

Run actions/setup-go@v4
Setup go version spec >=1.20
Attempting to resolve the latest version from the manifest...
matching >=1.20...
Resolved as '1.20.4'
Found in cache @ /opt/hostedtoolcache/go/1.20.4/x64
Added go to the path
Successfully set up Go version >=1.20

[silverwind]

It may be because versions-manifest.json was not updated for the release, even though the releases on that repo include a number of go1.20.5 releases. Is this not automated correctly?

[silverwind]

Likely depends on actions/go-versions#75.

[didrocks]

I confirm having the same issue. And indeed, with govulncheck in the pipeline too, it means that we will always have the CI failing PRs when new security release version of Go is made, until the manifest is updated.

I was expecting though that check-latest: true with no cache would still try to download latest minor version from Google's website and bypass the manifest.json check. Is there any way to achieve this?

[silverwind]

Working now that actions/go-versions#75 is merged:

Run actions/setup-go@v4
Setup go version spec >=1.20
Attempting to resolve the latest version from the manifest...
matching >=1.20...
Resolved as '1.20.5'
Attempting to download 1.20.5...
matching 1.20.5...
Acquiring 1.20.5 from https://github.com/actions/go-versions/releases/download/1.20.5-5218672569/go-1.20.5-linux-x64.tar.gz
Extracting Go...

For the future, I suggest check-latest to check agains actual go releases instead of a outdated manifest file. The expectation here is certainly that check-latest follows upstream releases closely, not be 3+ days out of date.

[gaby]

@silverwind @dmitry-shibanov Using "1.20.x" still pulls 1.20.4 or am I doing something wrong? 🤔

[silverwind]

Try adding check-latest: true.

[gaby]

@silverwind I can't, I'm using an official action from Golang 😂

https://github.com/golang/govulncheck-action

Their action.yaml does the setup-go

[gaby]

I probably need to find a different action then, since they are only mirroring those to Github.

This whole setup of having versions in 1 place and actions in another is a single point of failure. I haven't been able to run any Golang CI job since yesterday