fix(ci): Prefer go.work for toolchain info#3285
fix(ci): Prefer go.work for toolchain info#3285dmihalcik-virtru wants to merge 6 commits intomainfrom
Conversation
github-actions
bot
added
comp:ci
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request refines how Go toolchain versions are managed within the CI pipeline. By centralizing the toolchain definition in the workspace file and ensuring it is preserved during automated workspace regeneration, the changes ensure consistent Go version usage across various CI tasks. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. The workspace shifts and changes form, / To keep the build safe from the storm. / The toolchain stays, a steady guide, / With versions locked, side by side. Footnotes
|
📝 WalkthroughWalkthroughPreserve and restore the Go Changes
Sequence Diagram(s)sequenceDiagram
participant Script as Work-init.sh
participant File as go.work
participant GoCLI as go CLI
Script->>File: read toolchain directive (if present)
Script->>Script: store ORIG_TOOLCHAIN
Script->>File: delete/regenerate go.work and go.work.sum
Script->>GoCLI: run workspace init/rebuild commands
alt ORIG_TOOLCHAIN non-empty
Script->>GoCLI: run `go work edit -toolchain="$ORIG_TOOLCHAIN"`
GoCLI-->>File: write toolchain entry
end
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
X-Test Failure Report |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request removes the 'toolchain' directive from various 'go.mod' files and updates the '.github/scripts/work-init.sh' script to preserve and restore the toolchain directive during workspace regeneration. I have suggested an improvement to the toolchain extraction logic using a more efficient 'awk' command and noted that the restoration logic should be scoped to avoid redundant operations on leaf packages.
There was a problem hiding this comment.
Pull request overview
This PR centralizes Go toolchain/version selection in go.work (instead of repeating toolchain directives across module go.mod files) and updates CI to read the version from go.work, keeping patch-level toolchain configuration in one place.
Changes:
- Remove
toolchain go1.25.8directives from modulego.modfiles. - Update CI workflows to use
go-version-file: go.workfor Go setup / govulncheck execution. - Update
.github/scripts/work-init.shto preserve and restore thetoolchaindirective when regeneratinggo.workin release-branch validation flows.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tests-bdd/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| test/integration/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| service/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| sdk/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| protocol/go/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| lib/ocrypto/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| lib/identifier/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| lib/flattening/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| lib/fixtures/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| examples/go.mod | Removes per-module toolchain directive to rely on workspace toolchain configuration. |
| .github/workflows/sonarcloud.yml | Switches Go setup to read version from go.work. |
| .github/workflows/checks.yaml | Switches govulncheck to read Go version from go.work. |
| .github/scripts/work-init.sh | Preserves/restores toolchain in regenerated go.work to keep CI version selection stable. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/scripts/work-init.sh:
- Around line 75-76: The script currently runs go work edit
-toolchain="$ORIG_TOOLCHAIN" and immediately echoes a success message; update
the block that invokes go work edit to check the command exit status (or use set
-e around it) and only echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in
go.work" when go work edit succeeds; if it fails, emit an error like "[ERROR]
Failed to restore toolchain ${ORIG_TOOLCHAIN}: <error>" and exit with a non-zero
status so CI fails instead of continuing with a wrong Go version.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: a9916964-10dc-4d38-923a-1a7526e6596a
📒 Files selected for processing (1)
.github/scripts/work-init.sh
| go work edit -toolchain="$ORIG_TOOLCHAIN" | ||
| echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work" |
There was a problem hiding this comment.
Handle go work edit failures before logging success.
At Line 75, a failed go work edit still prints the success message at Line 76 and returns success from the block. That can silently run CI with the wrong Go version.
Suggested fix
if [[ -n "${ORIG_TOOLCHAIN:-}" && -f go.work ]]; then
- go work edit -toolchain="$ORIG_TOOLCHAIN"
- echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work"
+ if ! go work edit -toolchain="$ORIG_TOOLCHAIN"; then
+ echo "[ERROR] failed to restore toolchain ${ORIG_TOOLCHAIN} in go.work" >&2
+ exit 1
+ fi
+ echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work"
fi📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| go work edit -toolchain="$ORIG_TOOLCHAIN" | |
| echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work" | |
| if [[ -n "${ORIG_TOOLCHAIN:-}" && -f go.work ]]; then | |
| if ! go work edit -toolchain="$ORIG_TOOLCHAIN"; then | |
| echo "[ERROR] failed to restore toolchain ${ORIG_TOOLCHAIN} in go.work" >&2 | |
| exit 1 | |
| fi | |
| echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work" | |
| fi |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/scripts/work-init.sh around lines 75 - 76, The script currently runs
go work edit -toolchain="$ORIG_TOOLCHAIN" and immediately echoes a success
message; update the block that invokes go work edit to check the command exit
status (or use set -e around it) and only echo "[INFO] Restored toolchain
${ORIG_TOOLCHAIN} in go.work" when go work edit succeeds; if it fails, emit an
error like "[ERROR] Failed to restore toolchain ${ORIG_TOOLCHAIN}: <error>" and
exit with a non-zero status so CI fails instead of continuing with a wrong Go
version.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Leaf packages (lib/*, protocol/go) skip workspace regeneration, so the toolchain restore logic should not run either. Exit early to avoid touching go.work unnecessarily. Addresses Gemini review feedback on PR #3285. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
There was a problem hiding this comment.
♻️ Duplicate comments (1)
.github/scripts/work-init.sh (1)
75-77:⚠️ Potential issue | 🟠 MajorHandle
go work editfailure before logging success.Line 76 can fail, but Line 77 always logs success. That can silently leave CI using the wrong toolchain state.
Suggested fix
if [[ -n "${ORIG_TOOLCHAIN:-}" ]]; then - go work edit -toolchain="$ORIG_TOOLCHAIN" + if ! go work edit -toolchain="$ORIG_TOOLCHAIN"; then + echo "[ERROR] failed to restore toolchain ${ORIG_TOOLCHAIN} in go.work" >&2 + exit 1 + fi echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work" fi🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/scripts/work-init.sh around lines 75 - 77, The script currently runs go work edit -toolchain="$ORIG_TOOLCHAIN" and immediately echoes a success message; change it to check the command's exit status (e.g., using if ! go work edit -toolchain="$ORIG_TOOLCHAIN"; then ...) so that on failure you log an error describing the failed go work edit (include $ORIG_TOOLCHAIN in the message) and exit non‑zero, otherwise log the restored-toolchain success; reference the ORIG_TOOLCHAIN variable and the go work edit invocation when locating the code to modify.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/scripts/work-init.sh:
- Around line 75-77: The script currently runs go work edit
-toolchain="$ORIG_TOOLCHAIN" and immediately echoes a success message; change it
to check the command's exit status (e.g., using if ! go work edit
-toolchain="$ORIG_TOOLCHAIN"; then ...) so that on failure you log an error
describing the failed go work edit (include $ORIG_TOOLCHAIN in the message) and
exit non‑zero, otherwise log the restored-toolchain success; reference the
ORIG_TOOLCHAIN variable and the go work edit invocation when locating the code
to modify.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5a47575e-3ac1-4409-91b5-e32c4e2c484c
📒 Files selected for processing (7)
.github/scripts/work-init.sh.github/workflows/checks.yaml.github/workflows/sonarcloud.ymllib/fixtures/go.modlib/flattening/go.modlib/identifier/go.modlib/ocrypto/go.mod
💤 Files with no reviewable changes (4)
- lib/ocrypto/go.mod
- lib/flattening/go.mod
- lib/identifier/go.mod
- lib/fixtures/go.mod
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
|
Proposed Changes
govulncheckgo.workfile lets us keep everything up to date while only editing one fileChecklist
Testing Instructions
Summary by CodeRabbit