Upgrade github.com/google/ko to v0.18.1#9939
Conversation
Summary of ChangesHello @ChrisGe4, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request primarily focuses on enhancing security and maintaining up-to-date dependencies. It includes a critical upgrade of the Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request upgrades github.com/google/ko to v0.18.1 and numerous other dependencies, which is crucial for addressing CVE-2025-66564 and maintaining the project's security and health. The update of Go versions in example modules is also a good step.
A significant change in this PR is the removal of a large number of vendored files, which suggests a move away from vendoring dependencies. This is a positive change for modernizing dependency management. However, this major change is not mentioned in the pull request description. For better maintainability and easier reviews in the future, I recommend providing a more comprehensive description that outlines all major changes, including dependency management strategy shifts and the full scope of dependency upgrades.
| module github.com/GoogleContainerTools/skaffold/v2/integration/examples/grpc-e2e-tests/service | ||
|
|
||
| go 1.19 | ||
| go 1.23.0 |
There was a problem hiding this comment.
| module github.com/GoogleContainerTools/skaffold/v2/integration/examples/grpc-e2e-tests/service | ||
|
|
||
| go 1.19 | ||
| go 1.23.0 |
There was a problem hiding this comment.
Similar to the other example module, upgrading the Go version from 1.19 to 1.23.0 is a significant jump. This could introduce breaking changes, for instance, the change in for loop variable semantics in Go 1.22. Please ensure that the example code is compatible with Go 1.23 and that all related tests are passing.
* Upgrade github.com/google/ko to v0.18.1 * Upgrade github.com/google/ko to v0.18.1 continue * fix a issue in docker/auth.go * fix go version issue in test * revert go version changes in test * update docker cli vendor files * Trigger GitHub Actions
* chore: bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#9917) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.43.0 to 0.45.0. - [Commits](golang/crypto@v0.43.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: bump the github-actions group across 1 directory with 3 updates (#9934) Bumps the github-actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/cache](https://github.com/actions/cache) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `actions/checkout` from 5 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v5...v6) Updates `actions/cache` from 4 to 5 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v4...v5) Updates `actions/upload-artifact` from 5 to 6 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/cache dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: disabling kaniko integration tests due to kaniko service account permissions issue and fix github workflow (#9943) disabling kaniko integration tests due to kaniko service accountpermissioning issue and fix github workflow Co-authored-by: Darien-Lin <darienl@google.com> * chore: upgrade golang to 1.25.5 (#9944) * Upgrade github.com/google/ko to v0.18.1 (#9939) * Upgrade github.com/google/ko to v0.18.1 * Upgrade github.com/google/ko to v0.18.1 continue * fix a issue in docker/auth.go * fix go version issue in test * revert go version changes in test * update docker cli vendor files * Trigger GitHub Actions --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Darien Lin <lind3686@gmail.com> Co-authored-by: Darien-Lin <darienl@google.com> Co-authored-by: Chris <chris.ge@live.com>
* Upgrade github.com/google/ko to v0.18.1 * Upgrade github.com/google/ko to v0.18.1 continue * fix a issue in docker/auth.go * fix go version issue in test * revert go version changes in test * update docker cli vendor files * Trigger GitHub Actions
Description
Upgrade github.com/google/ko to v0.18.1 to update the indirect dependency github.com/sigstore/timestamp-authority to v2.0.3 and address CVE-2025-66564.