paketo-bot appears to have stopped upgrading go since 1.24.6 #375
shrzaf started this conversation in Dependencies Team
Replies: 1 comment
That link you sent shouldn't matter in terms of the containers that get built. That go version is just for tests & tooling. You're right, those should auto-update though. The dependabot should send PRs, but it doesn't look like it's running. 🤔 For any scanner reports, you need to include the report from the scanner, as it will tell us which files it's complaining about. If you can include that, I can tell you more.
Hello,
Through unsolved CVEs reported by trivy (in images built by jammy-tiny), I noticed that go was stuck at version 1.24.6 for a few months, even though 1.24.7 and later versions have been available since at least September. I'm no expert in go or Paketo tooling by any means, but digging a bit deeper I came across this commit:
paketo-buildpacks/builder-jammy-tiny@61247fe
This change was made on August 14, while the go version was last updated on August 11, which leads me to the following theory: since setting the `go-version-file` parameter, the version from the existing `go.md` is parsed by the checkout action, as opposed to the latest go release checked out by the previous configuration, leading to no new versions being discovered.

Posting this here instead of opening an issue/PR since 1. this affects multiple (possibly all?) projects and is not specific to any one builder and 2. it seems to be an issue in paketo-bot, for which I could not find a public repository.
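As an added example (not code from this thread, paketo-bot, or any Paketo repository), the following Go program does the check the post describes as missing: it reads the version a go.mod pins (the `toolchain` directive if present, otherwise the `go` directive) and compares it against a release list in the shape of https://go.dev/dl/?mode=json to report whether a newer patch in the same minor line exists. Both the go.mod text and the release list are constructed sample inputs embedded in the code, so it runs offline; the version numbers in them are made up for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod; not taken from any Paketo repository.
const sampleGoMod = "module example.com/builder\n\ngo 1.24.6\n"

// Constructed release list in the shape of https://go.dev/dl/?mode=json
// (only the fields used here); the entries are made up for the example.
const sampleReleases = `[
  {"version": "go1.25.1", "stable": true},
  {"version": "go1.25.0", "stable": true},
  {"version": "go1.24.7", "stable": true},
  {"version": "go1.24.6", "stable": true}
]`

type release struct {
	Version string `json:"version"`
	Stable  bool   `json:"stable"`
}

// PinnedGoVersion returns the Go version a go.mod pins: the `toolchain`
// directive when present (it names the toolchain that actually builds the
// module), otherwise the `go` directive. A leading "go" prefix is dropped.
func PinnedGoVersion(gomod string) (string, error) {
	var goDirective, toolchain string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		switch fields[0] {
		case "go":
			goDirective = fields[1]
		case "toolchain":
			toolchain = strings.TrimPrefix(fields[1], "go")
		}
	}
	if toolchain != "" {
		return toolchain, nil
	}
	if goDirective == "" {
		return "", fmt.Errorf("no go directive in go.mod")
	}
	return goDirective, nil
}

// parseVersion turns "1.24.6" or "go1.24.6" into [major minor patch];
// a version without a patch component ("1.24") gets patch 0.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// NewerPatch returns the newest stable release in the same major.minor line
// as pinned, and whether it is newer than pinned. Only that line is considered,
// since a patch-level auto-updater is expected to follow exactly these releases.
func NewerPatch(pinned, releasesJSON string) (latest string, newer bool, err error) {
	want, err := parseVersion(pinned)
	if err != nil {
		return "", false, err
	}
	var rels []release
	if err = json.Unmarshal([]byte(releasesJSON), &rels); err != nil {
		return "", false, err
	}
	best := want // start at the pinned version so "nothing newer" is detected
	for _, r := range rels {
		v, perr := parseVersion(r.Version)
		if perr != nil || !r.Stable || v[0] != want[0] || v[1] != want[1] {
			continue
		}
		if v[2] > best[2] {
			best = v
		}
	}
	latest = fmt.Sprintf("%d.%d.%d", best[0], best[1], best[2])
	return latest, best[2] > want[2], nil
}

func main() {
	pinned, err := PinnedGoVersion(sampleGoMod)
	if err != nil {
		panic(err)
	}
	latest, newer, err := NewerPatch(pinned, sampleReleases)
	if err != nil {
		panic(err)
	}
	fmt.Printf("go.mod pins %s; newest patch in that line is %s; upgrade available: %v\n", pinned, latest, newer)
}
```

Run against a real repository by replacing the two constants with the checked-out go.mod and the JSON fetched from go.dev; a `toolchain` directive overrides the `go` directive in the check because that is the version a pinned-toolchain build actually uses.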