chore(ci): add workflow to automate Go version updates (#1924)

* chore(ci): add workflow to automate Go version updates Add GitHub Actions workflow using StefMa/Upgrade-Go-Action to automatically check for new Go releases and create PRs to update the go directive in go.mod. This addresses the limitation that Dependabot cannot update the Go version itself (only module dependencies), which means stdlib CVEs that are fixed in newer Go patch releases are not automatically detected. Workflow runs: - Weekly on Mondays at 8am UTC - Manually via workflow_dispatch When a new Go version is available, the action will: 1. Update the go directive in go.mod 2. Run go mod tidy 3. Create a pull request with the changes Related: https://github.com/replicated-collab/git-guardian-kots/issues/287 Dependabot limitation: https://github.com/dependabot/dependabot-core/issues/9527 * test: add push trigger to test workflow * chore: remove temporary push trigger * test: add custom token and push trigger for testing * test: trigger workflow again after cleaning up old branch * chore: remove temporary push trigger --------- Co-authored-by: Andrew Lavery <laverya@umich.edu>
2026-02-14 10:19:54 +00:00 · 2025-11-20 17:34:48 -06:00
parent 52d910f615
commit aa13c2e31e
1 changed files with 24 additions and 0 deletions
--- a/.github/workflows/upgrade-go.yaml
+++ b/.github/workflows/upgrade-go.yaml
@@ -0,0 +1,24 @@
+name: Upgrade Go Version
+
+on:
+  # Run manually when needed
+  workflow_dispatch:
+  # Run weekly on Mondays at 8am UTC
+  schedule:
+    - cron: "0 8 * * MON"
+
+jobs:
+  upgrade-go:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Check for Go updates
+        uses: StefMa/Upgrade-Go-Action@v1
+        with:
+          base-branch: 'main'
+          gh-token: ${{ secrets.TROUBLESHOOT_GH_PAT }}