Bump Go v1.24.4 to fix CVEs

[VietND96]

• Bumped up Go to v1.24.4 for GHSA-62jj-gr2r-5c34 , GHSA-jw54-c8rr-pjpq and GHSA-6f52-wpx2-hvf2
• Add workflow to create tag and release (instead of doing that from local and push)

Checkout result: https://github.com/NDViet/envsubst/actions/runs/16096050069

• Workflow release binaries can be triggered by giving a release tag.

Checkout result: https://github.com/NDViet/envsubst/actions/runs/16096060363

[VietND96]

@a8m FYI

[uristernik]

Can we merge this? @VietND96 ?

[a8m]

Thanks for the contribution, @VietND96.

[uristernik]

Thanks for the contribution, @VietND96.

Toda Raba!

[Copilot]

Pull request overview

This pull request aims to address security vulnerabilities by bumping the Go version and introduces automated GitHub Actions workflows for creating releases and building binaries across multiple platforms. However, there's a critical mismatch between the PR title (mentioning Go v1.24.4) and the actual changes (updating to nonexistent Go v1.25.5).

Key Changes:

• Go version update in go.mod and test workflow (though to nonexistent versions)
• New create-release.yml workflow for automated tag and release creation
• Enhanced binaries.yml workflow with manual trigger support and improved checkout logic

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
go.mod	Updates Go version from 1.24 to 1.25.5 (version does not exist)
.github/workflows/test.yml	Updates test matrix to include Go 1.25 (version does not exist)
.github/workflows/create-release.yml	Adds new workflow for creating GitHub releases and tags via manual dispatch
.github/workflows/binaries.yml	Enhances binary release workflow with manual trigger support and tag-based checkout
README.md	Adds comprehensive documentation for the new release workflows and procedures

Critical Issues Found:

• The Go versions specified (1.25.5 and 1.25) do not exist as of January 2025. The latest stable versions are in the 1.23.x series.
• Several outdated GitHub Actions are used (actions/checkout@v2, actions/create-release@v1).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The documentation states "Binary Building: Automatically triggers binary builds for all platforms" but according to the workflow changes, the binaries.yml workflow needs to be manually triggered via workflow_dispatch or automatically triggers only when a release is created/published. The wording suggests it always automatically triggers, which could be misleading. Consider clarifying: "Binary Building: Automatically triggers when a release is created, or can be manually triggered to build binaries for all platforms".

Suggested change

	3. **Binary Building**: Automatically triggers binary builds for all platforms:
	3. **Binary Building**: Automatically triggers when a release is created, or can be manually triggered to build binaries for all platforms:

[Copilot]

The actions/create-release@v1 action is deprecated and unmaintained. GitHub recommends using the GitHub CLI (gh release create) or the REST API instead. Consider replacing this with:

- name: Create Release
  run: |
    gh release create "${{ inputs.tag_name }}" \
      --title "${{ inputs.release_title || inputs.tag_name }}" \
      --notes "${{ inputs.release_body }}" \
      ${draft:+--draft} \
      ${prerelease:+--prerelease}
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  continue-on-error: true

Suggested change

	id: create_release
	uses: actions/create-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	tag_name: ${{ inputs.tag_name }}
	release_name: ${{ inputs.release_title || inputs.tag_name }}
	body: ${{ inputs.release_body }}
	draft: false
	prerelease: false
	run: |
	gh release create "${{ inputs.tag_name }}" \
	--title "${{ inputs.release_title || inputs.tag_name }}" \
	--notes "${{ inputs.release_body }}" \
	--draft=false \
	--prerelease=false
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

[Copilot]

Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12). This applies to all checkout actions in this file.

[Copilot]

Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).

[Copilot]

Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).

[Copilot]

Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).

[Copilot]

Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).

[Copilot]

The packages: write permission is not needed for this workflow. It's only used for publishing packages to GitHub Packages. This workflow only creates releases and tags, which only requires contents: write. Consider removing this unnecessary permission to follow the principle of least privilege.

Suggested change

packages: write

[VietND96]

@a8m, it is good to go. Since this is used in my fork to deploy a few recent releases https://github.com/NDViet/envsubst/releases

[wildGecko]

@a8m, hello! Can you tell me when the fix will be released?