sync(ci): update GitHub Actions and tool versions (#291)

mrz1836 · web-flow · commit 0f6c607080fb · 2026-03-07T09:36:17.000-05:00
diff --git a/.github/actions/parse-env/action.yml b/.github/actions/parse-env/action.yml
@@ -36,12 +36,11 @@ runs:
     # --------------------------------------------------------------------
     - name: 🔧 Parse environment variables
       shell: bash
+      env:
+        ENV_JSON: ${{ inputs.env-json }}
       run: |
         echo "📋 Setting environment variables..."
 
-        # Get the input JSON
-        ENV_JSON='${{ inputs.env-json }}'
-
         # Validate JSON format before processing
         if ! echo "$ENV_JSON" | jq empty 2>/dev/null; then
           echo "❌ ERROR: Invalid JSON format in env-json input!" >&2
diff --git a/.github/actions/setup-go-with-cache/action.yml b/.github/actions/setup-go-with-cache/action.yml
@@ -454,17 +454,14 @@ runs:
     - name: 🔐 Configure private module authentication
       if: ${{ inputs.github-token != '' && env.GOPRIVATE != '' }}
       shell: bash
+      env:
+        PRIVATE_MODULE_TOKEN: ${{ inputs.github-token }}
       run: |
         echo "🔐 Configuring git authentication for private Go modules..."
         echo "📋 GOPRIVATE=$GOPRIVATE"
 
         # Configure git to use the token for HTTPS URLs
-        git config --global url."https://x-access-token:${{ inputs.github-token }}@github.com/".insteadOf "https://github.com/"
-
-        # Set GONOSUMCHECK to match GOPRIVATE if not explicitly set
-        if [ -z "$GONOSUMCHECK" ]; then
-          echo "GONOSUMCHECK=$GOPRIVATE" >> $GITHUB_ENV
-        fi
+        git config --global url."https://x-access-token:${PRIVATE_MODULE_TOKEN}@github.com/".insteadOf "https://github.com/"
 
         # Set GONOSUMDB to match GOPRIVATE if not explicitly set
         if [ -z "$GONOSUMDB" ]; then
diff --git a/.github/env/00-core.env b/.github/env/00-core.env
@@ -29,7 +29,7 @@ GO_PRIMARY_VERSION=1.24.x
 GO_SECONDARY_VERSION=1.24.x
 
 # Govulncheck-specific Go version for vulnerability scanning
-GOVULNCHECK_GO_VERSION=1.26.0
+GOVULNCHECK_GO_VERSION=1.26.1
 
 # ================================================================================================
 # 📦 GO MODULE CONFIGURATION
diff --git a/.github/env/10-mage-x.env b/.github/env/10-mage-x.env
@@ -61,7 +61,7 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea
 
 MAGE_X_GITLEAKS_VERSION=8.30.0
 MAGE_X_GOFUMPT_VERSION=v0.9.2
-MAGE_X_GOLANGCI_LINT_VERSION=v2.10.1
+MAGE_X_GOLANGCI_LINT_VERSION=v2.11.1
 MAGE_X_GORELEASER_VERSION=v2.14.1
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4
 MAGE_X_GO_SECONDARY_VERSION=1.24.x
diff --git a/.github/env/10-pre-commit.env b/.github/env/10-pre-commit.env
@@ -52,7 +52,7 @@ GO_PRE_COMMIT_ALL_FILES=true
 # 🛠️ TOOL VERSIONS
 # ================================================================================================
 
-GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.10.1
+GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.11.1
 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2
 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest
 GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -46,7 +46,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
       #    uses a compiled language
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml
@@ -99,7 +99,6 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
-          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -298,7 +297,6 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
-          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -508,6 +506,7 @@ jobs:
     if: ${{ inputs.enable-gitleaks }}
     permissions:
       contents: read
+      pull-requests: write
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -563,7 +562,7 @@ jobs:
         continue-on-error: true
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
-          GITHUB_TOKEN: ${{ secrets.github-token }}
+          GITHUB_TOKEN: ${{ github.token }}
           GITLEAKS_LICENSE: ${{ secrets.gitleaks-license }}
           GITLEAKS_NOTIFY_USER_LIST: ${{ env.GITLEAKS_NOTIFY_USER_LIST }}
           GITLEAKS_ENABLE_COMMENTS: "true"
diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml
@@ -167,6 +167,7 @@ jobs:
       needs.setup.outputs.is-fork-pr != 'true'
     permissions:
       contents: read # Read repository content for security scanning
+      pull-requests: write # Required: gitleaks needs to create PR comments
     uses: ./.github/workflows/fortress-security-scans.yml
     with:
       env-json: ${{ needs.load-env.outputs.env-json }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -77,6 +77,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable the upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           sarif_file: results.sarif
