ci: bump actions + dynamic go version + auto-release + badge fix#14
Conversation
- actions/checkout v4 → v6 - actions/setup-go v5 → v6, go-version-file: go.mod (was hard-pinned 1.22) - actions/setup-node v4 → v6, node 20 → 22 LTS (Node 20 deprecated on runners) - actions/cache v4 → v5 - actions/upload-artifact v4 → v7 - actions/download-artifact v4 → v8 Go version is now driven by go.mod (currently 1.25.0) so bumping go.mod is the single source of truth — no more drift between pipeline and code. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- New release.yml: every push to main finds the latest v0.0.0-beta.N tag, increments N, pushes the tag, and creates a prerelease with auto- generated notes. Concurrency-guarded so two rapid merges don't race. - README Release badge adds ?include_prereleases&sort=semver — tracks the latest beta.N correctly (the bare badge was stuck on v0.0.0-beta because shields.io couldn't find a stable release). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughUpdates CI workflow action versions and toolchain configurations, adds a new automated beta release workflow triggered on main branch pushes that computes and creates semantic beta tags, and updates the Release badge URL to include prereleases with semantic versioning. Changes
Sequence DiagramsequenceDiagram
participant GHA as GitHub Actions
participant Git as Git Repository
participant API as GitHub API
GHA->>Git: Checkout full history
GHA->>Git: Query existing tags (v0.0.0-beta.*)
GHA->>GHA: Sort tags semantically
GHA->>GHA: Compute next beta tag
GHA->>Git: Create new tag
GHA->>Git: Push tag to remote
GHA->>API: Create prerelease via gh CLI
API-->>GHA: Prerelease created
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~22 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
69-72: Avoid double-caching Go dependencies/build artifactsLine 69 and Line 120 use
actions/setup-go@v6, which enables caching by default. Keeping explicitactions/cache@v5(Line 78 and Line 125) likely duplicates cache work and can slow CI.♻️ Suggested minimal fix (keep your custom cache keys)
- uses: actions/setup-go@v6 with: go-version-file: go.mod + cache: false ... - uses: actions/setup-go@v6 with: go-version-file: go.mod + cache: falseAlso applies to: 78-87, 120-123, 125-131
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yml around lines 69 - 72, The workflow currently double-caches Go artifacts by using actions/setup-go@v6 (which enables caching by default) together with explicit actions/cache@v5 steps; pick one approach: either remove the explicit actions/cache@v5 steps (the custom cache steps) or disable setup-go's built-in cache by adding cache: "false" to the actions/setup-go@v6 steps, and preserve your custom cache keys if you keep actions/cache@v5; update the steps referencing actions/setup-go@v6 and actions/cache@v5 accordingly so caching is only handled once.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Around line 12-14: The workflow-level concurrency group "release-main" causes
newer queued runs to replace older pending runs; to ensure every main push
produces a release, make the concurrency key unique per run (e.g. change group
to include a run-specific expression like release-${{ github.sha }} or
release-${{ github.run_id }}) while keeping cancel-in-progress as needed; update
the concurrency block (symbols: concurrency, group, cancel-in-progress) so each
push has its own group and won't be skipped.
- Line 21: Replace the mutable action reference "actions/checkout@v6" with a
pinned full commit SHA for the actions/checkout step in the release workflow;
locate the "uses: actions/checkout@v6" entry in the release.yml and update it to
"uses: actions/checkout@<full-commit-sha>" (the latest verified commit for
actions/checkout) so the workflow that has contents: write permission is not
using a mutable tag.
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 69-72: The workflow currently double-caches Go artifacts by using
actions/setup-go@v6 (which enables caching by default) together with explicit
actions/cache@v5 steps; pick one approach: either remove the explicit
actions/cache@v5 steps (the custom cache steps) or disable setup-go's built-in
cache by adding cache: "false" to the actions/setup-go@v6 steps, and preserve
your custom cache keys if you keep actions/cache@v5; update the steps
referencing actions/setup-go@v6 and actions/cache@v5 accordingly so caching is
only handled once.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 11df5269-ea22-4cca-afa6-c350ea2ed88e
📒 Files selected for processing (3)
.github/workflows/ci.yml.github/workflows/release.ymlREADME.md
| concurrency: | ||
| group: release-main | ||
| cancel-in-progress: false |
There was a problem hiding this comment.
Fixed concurrency group can skip releases for intermediate pushes
Line 13 uses a single workflow-level concurrency key. With GitHub Actions concurrency semantics, older pending runs in the same group are replaced by newer queued runs, so not every main push will get a prerelease.
In GitHub Actions workflow-level concurrency, does a new queued run replace an existing pending run in the same concurrency group when cancel-in-progress is false?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/release.yml around lines 12 - 14, The workflow-level
concurrency group "release-main" causes newer queued runs to replace older
pending runs; to ensure every main push produces a release, make the concurrency
key unique per run (e.g. change group to include a run-specific expression like
release-${{ github.sha }} or release-${{ github.run_id }}) while keeping
cancel-in-progress as needed; update the concurrency block (symbols:
concurrency, group, cancel-in-progress) so each push has its own group and won't
be skipped.
| name: auto-tag + release | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify mutable action refs in workflow files
fd -p '.github/workflows/*.yml' | xargs rg -nP 'uses:\s*[^@]+@v[0-9]+'
# Expected after hardening: no matchesRepository: RandomCodeSpace/docsiq
Length of output: 332
🏁 Script executed:
cat -n .github/workflows/release.yml | head -30Repository: RandomCodeSpace/docsiq
Length of output: 874
🏁 Script executed:
cat -n .github/workflows/release.ymlRepository: RandomCodeSpace/docsiq
Length of output: 1701
Pin action to a commit SHA in this write-scoped workflow
Line 21 uses a mutable major tag (actions/checkout@v6) in a workflow with contents: write permissions (line 10). Pinning to a full commit SHA reduces supply-chain risk.
🔒 Suggested hardening
- - uses: actions/checkout@v6
+ - uses: actions/checkout@dcd71f646680f2efd8db4ead08a20234aee33c24📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v6 | |
| - uses: actions/checkout@dcd71f646680f2efd8db4ead08a20234aee33c24 |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/release.yml at line 21, Replace the mutable action
reference "actions/checkout@v6" with a pinned full commit SHA for the
actions/checkout step in the release workflow; locate the "uses:
actions/checkout@v6" entry in the release.yml and update it to "uses:
actions/checkout@<full-commit-sha>" (the latest verified commit for
actions/checkout) so the workflow that has contents: write permission is not
using a mutable tag.
Summary
Three CI hygiene items in one PR.
1. Action bumps
2. Dynamic Go version
`setup-go` now reads `go-version-file: go.mod` (currently `go 1.25.0`) instead of a hard-pinned `1.22`. Bumping `go.mod` is the single source of truth — no pipeline drift.
Node 20 → 22 LTS (runner warned about deprecation).
3. Release automation
Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit
Chores
New Features
Documentation