Description
Summary
When running the GitHub Action for GoSec using the v2.23.0 release, the workflow downloads and executes the v2.22.11 container image instead of v2.23.0.
Action configuration (from [radius-project/radius]/.github/workflows/codeql.yml):
- name: Perform GoSec Analysis
  if: matrix.language == 'custom-gosec'
  uses: securego/gosec@398ad549bbf1a51dc978fd966169f660c59774de # v2.23.0
  with:
    args: -no-fail -fmt sarif -out gosec-results.sarif ./...
  continue-on-error: true
Log output:
Status: Downloaded newer image for securego/gosec:2.22.11
docker.io/securego/gosec:2.22.11
- The commit ref matches the v2.23.0 release (action version).
- Expectation is that the v2.23.0 Docker image would be used.
- When we attempted to run the most recent commit (with what appears to be the v2.23.0 Dockerfile), we instead experienced panics during analysis.
Steps to Reproduce
- Run the GitHub Action using v2.23.0.
- Observe that the "Perform GoSec Analysis" step downloads and runs the 2.22.11 image instead of 2.23.0.
Expected Behavior
The workflow should use the v2.23.0 Docker container.
Actual Behavior
The v2.22.11 container is downloaded and used, leading to a version mismatch between the action and the container.
Notes
- There may be a publishing or tagging issue for the Docker image associated with v2.23.0.
- Attempting to run the HEAD commit 1b7e1e9, which appears to use the v2.23.0 container image, resulted in panics (details available upon request).
I'm happy to assist with debugging the issues. Thank you for providing this excellent tool. ❤️
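Added check, not part of the issue or of the gosec project: it compares the version comment on a SHA-pinned `uses:` line with the image tag the runner reports pulling, so this kind of action/container drift is caught by a workflow log scan instead of by eye. It assumes the action repo and the Docker Hub image share a name (true for securego/gosec); the workflow and log samples are copied from the report above.

```python
import re

# `uses: owner/repo@<40-hex sha>  # v2.23.0`: the trailing comment is the human-readable pin.
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[0-9a-f]{40}|v?[\d.]+)"
    r"(?:\s*#\s*v?(?P<comment>\d+(?:\.\d+)*))?"
)
# Image reference the runner prints when pulling, e.g. docker.io/securego/gosec:2.22.11
IMAGE_RE = re.compile(r"(?:docker\.io/)?(?P<image>[\w.-]+/[\w.-]+):v?(?P<tag>\d+(?:\.\d+)*)")


def pinned_version(workflow_text):
    """Return (repo, version) for the first pinned `uses:` line, or None if unknown."""
    m = USES_RE.search(workflow_text)
    if not m:
        return None
    ref, comment = m.group("ref"), m.group("comment")
    if comment:
        version = comment                       # SHA pin with a version comment
    elif re.fullmatch(r"[0-9a-f]{40}", ref):
        return None                             # bare SHA: nothing to compare against
    else:
        version = ref.lstrip("v")               # tag pin such as @v2.23.0
    return m.group("repo"), version


def pulled_tags(log_text, image):
    """Return the set of tags the log shows being pulled for `image`."""
    return {m.group("tag") for m in IMAGE_RE.finditer(log_text) if m.group("image") == image}


def check_drift(workflow_text, log_text, image=None):
    """Report whether the pulled image tag differs from the pinned action version.

    `image` defaults to the action's repo name (assumption: action repo and
    Docker Hub image are named alike, as with securego/gosec)."""
    pin = pinned_version(workflow_text)
    if pin is None:
        return {"error": "no comparable pin found"}
    repo, expected = pin
    actual = pulled_tags(log_text, image or repo)
    return {"expected": expected, "actual": sorted(actual), "drift": actual != {expected}}


# Constructed sample input, taken from the workflow snippet and log lines in the report.
WORKFLOW = "uses: securego/gosec@398ad549bbf1a51dc978fd966169f660c59774de # v2.23.0\n"
LOG = ("Status: Downloaded newer image for securego/gosec:2.22.11\n"
       "docker.io/securego/gosec:2.22.11\n")

if __name__ == "__main__":
    print(check_drift(WORKFLOW, LOG))  # drift: True (expected 2.23.0, pulled 2.22.11)
```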