
Bump golang from 1.22.2-bookworm to 1.22.3-bookworm in /go_modules #9733

Closed
wants to merge 3 commits into from


TomSellers
Contributor

Similar to PRs #8374 and #8548, this allows Dependabot to function when used against Go projects that require Go 1.22.3.

Go 1.22.3 addresses some security issues. I have verified that the docker image exists.

Reference:

@TomSellers TomSellers requested a review from a team as a code owner May 14, 2024 15:59
@github-actions github-actions bot added the L: go:modules Golang modules label May 14, 2024
@rickardgranberg

Any way this can be expedited? Don't like being without a working dependabot for this long...
Also, I think there's a dupe: #9701

@TomSellers
Contributor Author

These changes have been approved, can we have them landed? Dependabot is currently broken on Go codebases using the latest version of Go.

@TomSellers
Contributor Author

Note: This will need to be done again next Tuesday when Go 1.22.4 is released.

https://groups.google.com/g/golang-announce/c/ZMLFbgVXBI4

@jakecoffman
Member

@rickardgranberg @TomSellers What error are you seeing?

In #9435 I put back the auto-download behavior in the Go CLI so it should be working even though Dependabot isn't running the latest Go. We're seeing Dependabot PRs flowing on the Dependabot CLI even though it's on Go 1.22.3: dependabot/cli#326

So if you're seeing an error I'd love to fix the root cause, keeping up with Go releases is not a great long-term solution.

@jakecoffman
Member

#9701 is now merged, but again if you're seeing an error because of this please file an issue. I'd love to make it not necessary to keep up with the releases so closely!

@rickardgranberg

I know this is closed, but this is the error I'm seeing:

Dependabot failed to update your dependencies because there was an error resolving your Go dependency files.

Dependabot encountered the following error:

go: loading module retractions for <redacted>@v0.1.0: module <redacted-dependency>@v0.34.0 requires go >= 1.22.3 (running go 1.22.2; GOTOOLCHAIN=local+auto)
[Troubleshoot Dependabot errors](https://docs.github.com/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)

The error is seen in a repo where there's a dependency on a module that has go 1.22.3 in its go.mod. Running dependabot in a repo that on its own requires go 1.22.3 works fine. So it's only in the dependency resolution.

Hope this helps.
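
The failure described in the last comment, as an added example that is not code from this thread or from Dependabot: a small Go check that reads the `go` directive from each dependency's go.mod and flags those needing a newer Go than the one running. Module paths and go.mod contents are constructed, and versions are compared as plain dotted numbers (no rc/beta handling).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// goDirective returns the version on the "go" line of go.mod text, or "".
// A "toolchain go1.x.y" line is a different directive and is ignored.
func goDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// newer reports whether dotted numeric version a is greater than b.
// Simplification: missing components count as 0, suffixes are not parsed.
func newer(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "%d.%d.%d", &x[0], &x[1], &x[2]) // short input leaves zeros
	fmt.Sscanf(b, "%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] > y[i]
		}
	}
	return false
}

// tooNew lists modules whose go.mod needs a newer Go than the running one.
func tooNew(running string, mods map[string]string) []string {
	var out []string
	for name, gomod := range mods {
		if v := goDirective(gomod); v != "" && newer(v, running) {
			out = append(out, fmt.Sprintf("%s requires go >= %s (running go %s)", name, v, running))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: a dependency whose go.mod asks for Go 1.22.3.
	mods := map[string]string{"example.com/dep": "module example.com/dep\n\ngo 1.22.3\n"}
	fmt.Println(tooNew("1.22.2", mods))
}
```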
