From ec4397827eb8310d89c48e59e89ef037bf63e312 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Mon, 8 Jun 2026 11:21:48 +0200
Subject: [PATCH 1/4] ci: set default permissions to contents: read

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index defb94c..8d838ba 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
 
   build:
@@ -35,6 +38,7 @@ jobs:
       with:
         path: src/github.com/containerd/typeurl
         fetch-depth: 25
+        persist-credentials: false
 
     - name: Project Checks
       uses: containerd/project-checks@v1.1.0

From 0e65e04129163bf3f08b63e65bf0a535ff472835 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Mon, 8 Jun 2026 11:23:49 +0200
Subject: [PATCH 2/4] ci: update actions

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 .github/workflows/ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8d838ba..871a16d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
     steps:
 
     - name: Set up Go ${{ matrix.go }}
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6.4.0
       with:
         go-version: ${{ matrix.go }}
 
@@ -34,14 +34,14 @@ jobs:
         echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
 
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6.0.3
       with:
         path: src/github.com/containerd/typeurl
         fetch-depth: 25
         persist-credentials: false
 
     - name: Project Checks
-      uses: containerd/project-checks@v1.1.0
+      uses: containerd/project-checks@v1.2.2
       with:
         working-directory: src/github.com/containerd/typeurl
 

From 79dc74bf9650cb474b064318afacb14445cf8cfe Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Mon, 8 Jun 2026 11:27:41 +0200
Subject: [PATCH 3/4] ci: pin actions by sha

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 .github/workflows/ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 871a16d..34ddcc0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
     steps:
 
     - name: Set up Go ${{ matrix.go }}
-      uses: actions/setup-go@v6.4.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: ${{ matrix.go }}
 
@@ -34,14 +34,14 @@ jobs:
         echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
 
     - name: Check out code
-      uses: actions/checkout@v6.0.3
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         path: src/github.com/containerd/typeurl
         fetch-depth: 25
         persist-credentials: false
 
     - name: Project Checks
-      uses: containerd/project-checks@v1.2.2
+      uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4 # v1.2.2
       with:
         working-directory: src/github.com/containerd/typeurl
 

From 8843157b31366811d75cfef80290c936288df7ad Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Mon, 8 Jun 2026 11:34:43 +0200
Subject: [PATCH 4/4] ci: test against go.mod (minimum), oldstable, stable

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 .github/workflows/ci.yml | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 34ddcc0..f3bebc0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,23 +9,37 @@ on:
 permissions:
   contents: read
 
+env:
+  GOTOOLCHAIN: local
+
 jobs:
 
   build:
     strategy:
       fail-fast: false
       matrix:
-        go: ['1.21.x', '1.22.x', '1.23.x']
+        go-version:
+          - "" # leave empty to use go-version-file (use go.mod); see https://github.com/actions/setup-go/issues/450#issuecomment-3620402646
+          - oldstable
+          - stable
 
-    name: Typeurl CI
+    name: ${{ matrix.go-version || 'minimum' }}
     runs-on: ubuntu-24.04
     timeout-minutes: 5
     steps:
 
-    - name: Set up Go ${{ matrix.go }}
+    - name: Check out code
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      with:
+        path: src/github.com/containerd/typeurl
+        fetch-depth: 25
+        persist-credentials: false
+
+    - name: Set up Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: ${{ matrix.go }}
+        go-version: ${{ matrix.go-version }}
+        go-version-file: src/github.com/containerd/typeurl/go.mod # used when go-version is empty.
 
     - name: Setup Go binary path
       shell: bash
@@ -33,13 +47,6 @@ jobs:
         echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
         echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
 
-    - name: Check out code
-      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-      with:
-        path: src/github.com/containerd/typeurl
-        fetch-depth: 25
-        persist-credentials: false
-
     - name: Project Checks
       uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4 # v1.2.2
       with: