ci go improvements

[flavio]

This PR does some improvements to some GHA that deal with Go.

We now install the same version of go that is mentioned inside of the go.mod file. Moreover, we intruct govulncheck to look also at the go.mod.

[Copilot]

Pull request overview

This PR updates GitHub Actions workflows for Go to derive the Go toolchain version from go.mod and ensures the govulncheck workflow also runs when go.mod changes.

Changes:

• Update govulncheck workflow triggers to include go.mod changes.
• Switch Go installation in govulncheck and CI jobs from a hard-coded version to go-version-file: go.mod.
• Remove check-latest: true from Go setup steps in the main CI workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/govulncheck.yml	Trigger govulncheck on go.mod changes and install Go based on go.mod.
.github/workflows/ci.yml	Install Go based on go.mod across Go-related CI jobs (tests/lint/manifests).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

actions/setup-go is now driven by go.mod, but this step no longer sets check-latest: true. That can lead to CI running a different (and potentially older) Go patch level than other workflows (e.g. govulncheck still forces the latest patch). Consider re-adding check-latest: true here (or alternatively pin via a toolchain go1.x.y directive in go.mod if you want deterministic patch selection).

[Copilot]

This setup-go invocation switched to go-version-file, but dropped check-latest: true. If the intent is still “latest patch for the declared Go version”, re-add check-latest: true so e2e tests don’t run against a different patch than other Go jobs.

Suggested change

	go-version-file: "go.mod"
	go-version-file: "go.mod"
	check-latest: true

[Copilot]

Same as other Go jobs: after switching to go-version-file, check-latest: true was removed. Unless you intentionally want to test an older cached patch, re-add check-latest: true to keep linting aligned with the patch level used elsewhere.

[Copilot]

This job also switched to go-version-file without check-latest: true. If the goal is “use Go version from go.mod but always get the newest patch”, add check-latest: true here to avoid running controller-gen/manifests generation on a different patch level than other Go checks.

Suggested change

	go-version-file: "go.mod"
	go-version-file: "go.mod"
	check-latest: true

[viccuad]

Oh, this is nice. We should do the same for the policies repos.

I'm ok with removing check-latest: true, I prefer to pin the version from go.mod.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.46%. Comparing base (2a6b879) to head (f70bb67).
⚠️ Report is 33 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1631      +/-   ##
==========================================
- Coverage   80.48%   80.46%   -0.03%     
==========================================
  Files         127      127              
  Lines       16411    16411              
==========================================
- Hits        13209    13205       -4     
- Misses       3202     3206       +4     

Flag	Coverage Δ
rust-tests	80.46% <ø> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jvanz]

We do not need this step. govulncheck-action already install go. You can define the go.mod file in its inputs as well

Considering the action has the check-latest as true by default. I suspect that means the go lang version will be update under the hood. That's what copilot is warning us. Therefore, I would say to remove the setup-go step here and move this configuration to the govulncheck-action instead.

[flavio]

I think I need to remove the chack-latest, then the govulncheck is going to use the version cached by this step (hence the one we have inside of go.mod:

The precedence for inputs go-version-input, go-version-file, check-latest, cache, and cache-dependency-path specifying Go version and caches is inherited from actions/setup-go

From the README of the project.

What do you think?

[jvanz]

Ah, I just saw the check-latest in this setup-go action. But I think you cannot remove the input. Actually, we need to keep the go version configuration in sync with the govulncheck input values. Otherwise, you will install a go version here and govulncheck may update the version before run.

[jvanz]

I think we need to do a little change. See my comment in the govulncheck.yml file

[flavio]

@jvanz ready for review again

[jvanz]

Thanks for the changes! But I think we need to consider the copilot comments. Just to ensure that we are run the same go version in all CI jobs. Maybe we can follow the suggestion from its first comment and define the version including the patch version.

[jvanz]

I would include the input to disable patch version updates

https://github.com/golang/govulncheck-action/blob/31f7c5463448f83528bd771c2d978d940080c9fd/action.yml#L8-L11