Conversation

dependabot[bot] (Contributor) commented on behalf of github Mar 1, 2025

Bumps golang from 1.23.3-alpine3.20 to 1.24.0-alpine3.20.

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @linki.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps golang from 1.23.3-alpine3.20 to 1.24.0-alpine3.20.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file docker Pull requests that update Docker code labels Mar 1, 2025
linki (Owner) commented Mar 3, 2025

@dependabot merge

dependabot[bot] (Contributor, Author) commented on behalf of github Mar 3, 2025

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

dependabot[bot] (Contributor, Author) commented on behalf of github Apr 1, 2025

A newer version of golang exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

linki (Owner) commented Apr 22, 2025

@dependabot rebase

dependabot[bot] (Contributor, Author) commented on behalf of github Apr 22, 2025

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

reneleonhardt commented

You disabled discussions and close suggestions without a reply...
For what it's worth, you build with the old 1.24.0-alpine3.21 instead of the current 1.24.2-alpine3.21 (= 1.24-alpine), which contains 2 months of security fixes.
https://go.dev/doc/devel/release#go1.24.minor
And go.mod wasn't updated either with the latest fixes...

linki (Owner) commented Apr 22, 2025

Right, it's been a while since I checked on this PR. I'll probably rely on @dependabot to bump the versions once again once this is merged.

Currently, I'm merely trying to get the tests to pass for Golang 1.24.x, which changed the way the randomness is set up, and the tests unfortunately make some assumptions there. 🙈

reneleonhardt commented

If it's a problem, why not disable it for the time being:
https://stackoverflow.com/questions/49746992/generate-random-float64-numbers-in-specific-range-using-golang

GODEBUG=randseednop=0

linki (Owner) commented Apr 23, 2025

Good idea, I'll give it a try.

But it looks like this just restores the old behaviour of Seed not being a no-op. So, eventually this probably needs to be changed again.

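The behaviour linki describes above, as an added example that is not code from this PR or from the project: in Go 1.24 the deprecated top-level rand.Seed is a no-op unless GODEBUG=randseednop=0 is set, so a test that needs a reproducible sequence should draw from a generator it constructs and seeds itself, which is unaffected by the global change. The float-in-range helper is a hypothetical one modelled on the Stack Overflow question linked above.

```go
package main

import (
	"fmt"
	"math/rand"
)

// floatInRange returns a value in [lo, hi) drawn from rng.
// Taking an explicit *rand.Rand instead of calling the package-level
// functions means the result never depends on the global seed state.
func floatInRange(rng *rand.Rand, lo, hi float64) float64 {
	return lo + rng.Float64()*(hi-lo)
}

// deterministicSamples draws n values in [lo, hi) from a generator seeded
// with seed. The same seed always reproduces the same slice, which is the
// guarantee a test fixture needs. On Go 1.24 the top-level rand.Seed is a
// no-op (unless GODEBUG=randseednop=0), so a test that seeded the global
// generator and compared against fixed expected values silently breaks;
// a locally constructed generator keeps working without the GODEBUG knob.
func deterministicSamples(seed int64, n int, lo, hi float64) []float64 {
	rng := rand.New(rand.NewSource(seed))
	out := make([]float64, n)
	for i := range out {
		out[i] = floatInRange(rng, lo, hi)
	}
	return out
}

// sameSequence reports whether two sample slices are identical element by element.
func sameSequence(a, b []float64) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	a := deterministicSamples(42, 5, 1.0, 10.0)
	b := deterministicSamples(42, 5, 1.0, 10.0)
	fmt.Println(a)
	fmt.Println("reproducible across runs:", sameSequence(a, b))
}
```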
reneleonhardt commented

Don't kill the messenger, maybe there is no easy or permanent fix to this behavior change... eventually everyone affected will have to workaround or adapt 😅

@linki linki force-pushed the dependabot/docker/golang-1.24.0-alpine3.20 branch from 9bfe201 to e26dd37 Compare April 29, 2025 13:28
linki (Owner) commented Apr 29, 2025

@dependabot merge

reneleonhardt commented

@linki Just to be sure, you removed the toolchain on purpose?

@dependabot dependabot bot merged commit 2a9e46a into master Apr 29, 2025
1 check passed
@dependabot dependabot bot deleted the dependabot/docker/golang-1.24.0-alpine3.20 branch April 29, 2025 14:30
linki (Owner) commented Apr 29, 2025

@reneleonhardt Yeah, kind of. I ran go mod tidy locally using Go 1.24.2 which removes it. I didn't check closer. Usually it does the right thing.

Do you know of any best practices for this thing?

reneleonhardt commented

Hehe, you're asking the wrong person, usually when I contribute updates it adds the toolchain 😄
From what I saw most projects don't use it, I guess using goreleaser is a better way to ensure a clean build.

Those who do have a toolchain seem never to update it even if they enable Dependabot, that's the worst of course because all builds (including goreleaser) will respect the old version and produce probably insecure builds 😞

So the easiest way to "force" / enable the latest go version is to only provide the go 1.23 directive without patch and toolchain.
But then you maybe would have to trigger new builds manually after Go released security patches.
Of course you could schedule them in your workflows, but a "normal" Dependabot PR -> Merge -> Publish workflow seems easier to me.
I mean if you duplicate your workflow only to publish Go patch updates, you could just auto-merge them 😅
https://nicolasiensen.github.io/2022-07-23-automating-dependency-updates-with-dependabot-github-auto-merge-and-github-actions/
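The stale-toolchain situation reneleonhardt describes above (a toolchain directive that is pinned once and never bumped, so every build keeps using an old Go release) is easy to check for mechanically. The following is an added example, not code from this PR or the project: it parses the go and toolchain directives out of go.mod text with the standard library only and flags a pin that is older than a release you pass in (the latest version string is an input you supply, not something it looks up).

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// goModDirectives holds the two version directives a go.mod may carry.
type goModDirectives struct {
	Go        string // minimum language version, e.g. "1.23"
	Toolchain string // pinned toolchain, e.g. "go1.24.0"; empty when absent
}

// parseGoMod extracts the go and toolchain directives from go.mod text.
// Only top-level "go X" and "toolchain goX" lines are recognised.
func parseGoMod(src string) goModDirectives {
	var d goModDirectives
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "go":
			d.Go = f[1]
		case "toolchain":
			d.Toolchain = f[1]
		}
	}
	return d
}

// versionParts turns "go1.24.2", "1.24.2" or "1.24" into [major, minor, patch].
func versionParts(v string) [3]int {
	var out [3]int
	for i, s := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		out[i], _ = strconv.Atoi(s) // non-numeric parts (rc, beta) count as 0
	}
	return out
}

// versionLess reports whether Go version a is older than b.
func versionLess(a, b string) bool {
	pa, pb := versionParts(a), versionParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// stalePin returns a warning when go.mod pins a toolchain older than latest,
// and "" when there is no pin or the pin is current.
func stalePin(src, latest string) string {
	d := parseGoMod(src)
	if d.Toolchain != "" && versionLess(d.Toolchain, latest) {
		return fmt.Sprintf("go.mod pins toolchain %s but %s is available", d.Toolchain, latest)
	}
	return ""
}
```

Without a toolchain line the build uses whatever Go the environment provides (for this repository, the golang image in the Dockerfile), which is the "go directive only" setup the comment above recommends.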

reneleonhardt commented

And regarding release artifacts and Docker images it's even worse, I would always recommend using the latest Go version (and OS version) to build binaries (even if they try to stay API compatible to go 1.23) if possible, but most projects never update them automatically, so it takes a long time until all those (security) fixes and improvements reach their users 😞
