Open
Description
govulncheck version
golang/govulncheck-action@v1.0.4
Does this issue reproduce at the latest version of golang.org/x/vuln?
- Yes.
Output of go env
in your module/workspace:
-
What did you do?
- uses: golang/govulncheck-action@v1.0.4
with:
go-version-file: go.mod
go-package: ./...
What did you see happen?
Warning: Both go-version and go-version-file inputs are specified, only go-version will be used
What did you expect to see?
No warning as go-version-file: go.mod
has been defined. If this is the case, then the code should omit go-version and only use the version that is defined in the go.mod file. Now it is using another Golang version, while another version is defined in the go.mod file.
Metadata
Metadata
Assignees
Labels
Type
Projects
Relationships
Development
No branches or pull requests
Activity
gabyhelp commentedon Oct 25, 2024
Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)
cagedmantis commentedon Oct 29, 2024
cc @golang/vulndb
waliseddiqi commentedon Nov 8, 2024
I am having same issue
reproduction:
I wanted to pass
go-version-file
which is1.23.2
in my go.mod project but the action assigned the go version as1.23.3
Warning: Both go-version and go-version-file inputs are specified, only go-version will be used
jasonwashburn commentedon May 2, 2025
Looks like the issue was likely introduced here. By giving
go-version-input
a default value, it guarantees that the setup-go action will be provided a 'go-version' input even when the user does not specify one and the a user-specifiedgo-version-file
will be ignored by setup-go