govulncheck version

golang/govulncheck-action@v1.0.4

Does this issue reproduce at the latest version of golang.org/x/vuln?

  • Yes.

Output of go env in your module/workspace:

-

What did you do?

- uses: golang/govulncheck-action@v1.0.4
  with:
    go-version-file: go.mod
    go-package: ./...

What did you see happen?

Warning: Both go-version and go-version-file inputs are specified, only go-version will be used

What did you expect to see?

No warning as go-version-file: go.mod has been defined. If this is the case, then the code should omit go-version and only use the version that is defined in the go.mod file. Now it is using another Golang version, while another version is defined in the go.mod file.

Comment From: cagedmantis

cc @golang/vulndb

Comment From: waliseddiqi

I am having the same issue.

Reproduction: I wanted to pass go-version-file, which is 1.23.2 in my go.mod project, but the action assigned the Go version as 1.23.3.

Warning: Both go-version and go-version-file inputs are specified, only go-version will be used

Comment From: jasonwashburn

Looks like the issue was likely introduced here. By giving go-version-input a default value, it guarantees that the setup-go action will be provided a 'go-version' input even when the user does not specify one, and a user-specified go-version-file will be ignored by setup-go.

Comment From: jqdurham

Just adding a +1 to this issue. We build off the Go version in our go.mod, which is problematic if govulncheck is not aligned.
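
A guard that a workflow could run before govulncheck to catch the drift reported in this thread (go.mod pins 1.23.2, the job runs 1.23.3). This is an added example, not part of the thread and not code from the action or from setup-go; `sampleGoMod`, `goDirective` and `checkToolchain` are hypothetical names, and the matching policy described in the comments is an assumption of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"runtime"
	"strings"
)

// Constructed sample go.mod, pinned to the patch release from the thread.
const sampleGoMod = "module example.com/app\n\ngo 1.23.2 // pinned\n"

// goDirective returns the version named by go.mod's `go` directive
// (for example "1.23.2"), or "" when the file has none.
func goDirective(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comment
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// checkToolchain returns an error when the running toolchain (a string in
// runtime.Version() form, such as "go1.23.3") differs from go.mod.
// Policy of this example: a directive with a patch level must match exactly;
// a major.minor directive ("1.23") accepts any patch release of that line.
func checkToolchain(gomod, toolchain string) error {
	want := goDirective(gomod)
	if want == "" {
		return fmt.Errorf("go.mod has no go directive")
	}
	got := strings.TrimPrefix(toolchain, "go")
	if got == want || (strings.Count(want, ".") == 1 && strings.HasPrefix(got, want+".")) {
		return nil
	}
	return fmt.Errorf("toolchain %s does not match go.mod (go %s)", toolchain, want)
}

func main() {
	// In CI, read the real go.mod with os.ReadFile instead of the sample.
	if err := checkToolchain(sampleGoMod, runtime.Version()); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("ok: toolchain matches go.mod")
}
```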