Bump golangci/golangci-lint-action from 8 to 9

[dependabot]

Bumps golangci/golangci-lint-action from 8 to 9.

Release notes

Sourced from golangci/golangci-lint-action's releases.

v9.0.0

In the scope of this release, we change Nodejs runtime from node20 to node24 (https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/).

What's Changed

Changes

• feat: add install-only option by @​ldez in golangci/golangci-lint-action#1305
• feat: support Module Plugin System by @​ldez in golangci/golangci-lint-action#1306

Full Changelog: golangci/golangci-lint-action@v8.0.0...v9.0.0

Commits

• 0a35821 docs: update readme
• 043b1b8 feat: support Module Plugin System (#1306)
• a66d26a feat: add install-only option (#1305)
• 7fe1b22 build(deps): bump the dependencies group with 2 updates (#1303)
• 14973f1 build(deps-dev): bump the dev-dependencies group with 2 updates (#1299)
• 8c2d575 build(deps): bump @​types/node from 24.8.1 to 24.9.1 in the dependencies group...
• b002b6e build(deps): bump actions/setup-node from 5 to 6 (#1296)
• c13f4ed build(deps): bump @​types/node from 24.7.2 to 24.8.1 in the dependencies group...
• b68d21b docs: improve readme
• 06188a2 build(deps): bump github/codeql-action from 3 to 4 (#1293)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

This pull request introduces a GitHub Actions workflow that uses the third-party action golangci/golangci-lint-action@v9 without pinning to a specific commit SHA and sets its input version to "latest", creating supply‑chain and reproducibility risks; consider pinning the action to a fixed commit and specifying a vetted golangci-lint version.

Code Policy: GitHub Action Policy

Policy

GitHub Action Policy

Result

Identified GitHub Actions Risks - [Line 16] Use of a third-party action: "golangci/golangci-lint-action@v9". While version-tagged, it is not pinned to a specific commit SHA. Tags are mutable, and third-party actions increase supply-chain risk. Consider pinning to a verified commit SHA. - [Line 18] The action input "version: latest" introduces a mutable dependency (the golangci-lint binary version). Using "latest" can pull unvetted updates or compromised releases, and undermines reproducibility. Prefer a specific, vetted version. - No use of run: commands, permissions changes, secrets exposure, or pull_request_target trigger are visible in this patch segment.

go-sdk/.github/workflows/test.yml

Lines 17 to 18 in ee32d59

	version: latest
	go-test:

---

All finding details can be found in the DryRun Security Dashboard.