Skip to content

chore(make): drop broken recipes, pin dev tools, add ci to .PHONY#1245

Open
cristim wants to merge 2 commits into
mainfrom
fix/hyg-05-hyg-11-fix
Open

chore(make): drop broken recipes, pin dev tools, add ci to .PHONY#1245
cristim wants to merge 2 commits into
mainfrom
fix/hyg-05-hyg-11-fix

Conversation

@cristim

@cristim cristim commented Jun 11, 2026

Copy link
Copy Markdown
Member

Problem

Review findings HYG-05 and HYG-11 (docs/reviews/codebase-review-2026-06-10.md):

  • make cost-estimate (Makefile) and make -f Makefile.terraform profile-new invoke scripts/cost-estimate.sh and scripts/generate-profile.sh, which never existed in repo history (git log --all over both paths returns nothing), so both advertised targets fail immediately with "No such file or directory".
  • .PHONY omits ci, so a file named ci at the repo root silently masks make ci.
  • install-dev-tools installed golangci-lint/gosec/staticcheck/gocyclo/migrate at @latest, contradicting the project's CI pinning practice and causing "passes locally, fails in CI" drift.
  • The docker-compose v1 part of HYG-11 was already fixed on main by 5f45f5c (ci: use docker compose v2 instead of docker-compose v1); nothing left to do there.

Fix

  • Remove the cost-estimate and profile-new targets, their .PHONY entries and help lines, plus the stale references in docs/DEVELOPMENT.md and terraform/profiles/README.md (which advertised the nonexistent generate-profile.sh, including a fictional source listing).
  • Add ci to .PHONY.
  • Pin install-dev-tools to the CI versions via overridable Make variables: golangci-lint v2.10.1 (matching ci.yml, switched to the /v2 module path required by v2), gosec v2.22.4 (pre-commit.yml), gocyclo v0.6.0 (ci.yml/pre-commit.yml), golang-migrate v4.19.1 (ci.yml/database-migration.yml). staticcheck has no CI pin and is only consumed by scripts/security-scan.sh; pinned to the latest stable v0.7.0.
  • Point the "not installed" hints in lint/complexity/complexity-report/security-scan-go at make install-dev-tools instead of per-tool @latest go install commands, so the pins cannot be bypassed by following the hint.

Test evidence

  • make -n passes on every touched/adjacent target: ci, install-dev-tools, help, lint, complexity, complexity-report, security-scan-go, docker-compose-test, pre-commit, and Makefile.terraform help/profile-list/profile-show/deploy/plan.
  • Removed targets now fail loudly at make level: make -n cost-estimate and make -f Makefile.terraform -n profile-new both return "No rule to make target".
  • Phony regression check: with a file named ci present, make -n ci still runs the recipe (pre-fix it would report "up to date").
  • Every pinned module version resolves: go list -m confirms golangci-lint/v2 v2.10.1, gosec/v2 v2.22.4, gocyclo v0.6.0, migrate/v4 v4.19.1, honnef.co/go/tools v0.7.0.
  • No remaining @latest in the Makefile; no remaining repo references to cost-estimate/profile-new/generate-profile.sh outside docs/reviews.

Closes #1174, Closes #1181

Summary by CodeRabbit

  • Chores

    • Development tools now pinned to specific versions for consistency.
    • Removed obsolete cost-estimate and profile-new make targets.
  • Documentation

    • Updated profile creation guidance to use copy-from-example approach instead of automated generation.

@cristim cristim added triaged Item has been triaged priority/p3 Polish / idea / may never ship severity/low Minor harm urgency/eventually No deadline impact/internal Team-internal only effort/xs Trivial / one-liner type/chore Maintenance / non-user-visible labels Jun 11, 2026
@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@cristim, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 44 minutes and 24 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 14f8e23c-dc67-44a4-8ba6-e9a16412facb

📥 Commits

Reviewing files that changed from the base of the PR and between a71d26a and a9a8c14.

📒 Files selected for processing (4)
  • Makefile
  • Makefile.terraform
  • docs/DEVELOPMENT.md
  • terraform/profiles/README.md
📝 Walkthrough

Walkthrough

The PR consolidates dev tool installation into a centralized Makefile mechanism with pinned versions and removes two broken Makefile targets (cost-estimate and profile-new) that invoked non-existent scripts. Error messages now direct users to make install-dev-tools, and documentation is updated to remove references to the removed targets.

Changes

Dev Tool Pinning and Broken Target Removal

Layer / File(s) Summary
Centralized tool installation with version pinning
Makefile
Version variables added for golangci-lint, gosec, gocyclo, migrate, and staticcheck. Error messages across lint, complexity, and security targets now direct users to make install-dev-tools instead of manual go install. The install-dev-tools target is reworked to install these pinned versions.
Remove non-existent script targets and update documentation
Makefile, Makefile.terraform, docs/DEVELOPMENT.md, terraform/profiles/README.md
cost-estimate target removed from Makefile and its help text. profile-new target removed from Makefile.terraform .PHONY list. All documentation references to make cost-estimate and profile generator scripts are deleted or updated.

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Pinned versions in place, scripts that don't run now gone,
Tools install as one, no drifting when dawn breaks upon—
Broken targets removed, helpers outdated cast aside,
Makefile's heart beats strong with version-locked pride! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore(make): drop broken recipes, pin dev tools, add ci to .PHONY' accurately describes the three main changes: removing broken make targets, pinning tool versions, and adding ci to .PHONY.
Linked Issues check ✅ Passed All coding requirements from #1174 and #1181 are met: broken targets (cost-estimate, profile-new) and their references removed [#1174], ci added to .PHONY, and install-dev-tools pinned to specific tool versions [#1181].
Out of Scope Changes check ✅ Passed All changes are directly scoped to the linked issues: Makefile and Makefile.terraform modifications, documentation updates to remove broken target references, and no extraneous changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/hyg-05-hyg-11-fix

Comment @coderabbitai help to get the list of available commands.

@cristim

cristim commented Jun 11, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
terraform/profiles/README.md (1)

63-71: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix profile paths in the new copy-from-example commands.

The commands use profiles/..., but this README is for terraform/profiles, so from repo root these examples should reference terraform/profiles/... to avoid copy/paste failure.

Suggested docs fix
-# Copy example profile
-cp profiles/aws/dev.tfvars profiles/aws/my-profile.tfvars
+# Copy example profile
+cp terraform/profiles/aws/dev.tfvars terraform/profiles/aws/my-profile.tfvars

 # Edit with your settings
-vim profiles/aws/my-profile.tfvars
+vim terraform/profiles/aws/my-profile.tfvars

 # Use it
 terraform apply -var-file="../../../profiles/aws/my-profile.tfvars"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@terraform/profiles/README.md` around lines 63 - 71, Update the example shell
commands in the README so the paths point to terraform/profiles instead of
profiles (e.g., change occurrences of "profiles/aws/..." to
"terraform/profiles/aws/...") so users copying the commands from repo root will
find the correct files; update the three commands shown (cp, vim, terraform
apply -var-file) to use the corrected path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@terraform/profiles/README.md`:
- Around line 63-71: Update the example shell commands in the README so the
paths point to terraform/profiles instead of profiles (e.g., change occurrences
of "profiles/aws/..." to "terraform/profiles/aws/...") so users copying the
commands from repo root will find the correct files; update the three commands
shown (cp, vim, terraform apply -var-file) to use the corrected path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1805f2f0-1545-4904-ba92-41eaefb5cc0b

📥 Commits

Reviewing files that changed from the base of the PR and between 4108e51 and a71d26a.

📒 Files selected for processing (4)
  • Makefile
  • Makefile.terraform
  • docs/DEVELOPMENT.md
  • terraform/profiles/README.md
💤 Files with no reviewable changes (1)
  • docs/DEVELOPMENT.md

Fixes review findings HYG-05 and HYG-11:

- Remove the cost-estimate (Makefile) and profile-new
  (Makefile.terraform) targets: they invoke scripts/cost-estimate.sh
  and scripts/generate-profile.sh, which never existed in repo
  history, so both targets fail immediately. Drop their help lines
  and the stale references in docs/DEVELOPMENT.md and
  terraform/profiles/README.md.
- Add ci to .PHONY so a file named "ci" cannot mask the target.
- Pin install-dev-tools to the CI versions instead of @latest:
  golangci-lint v2.10.1 (v2 module path), gosec v2.22.4, gocyclo
  v0.6.0, golang-migrate v4.19.1. staticcheck has no CI pin and is
  only used by scripts/security-scan.sh; pinned to v0.7.0.
- Point "not installed" hints at make install-dev-tools instead of
  per-tool @latest go install commands.

The docker-compose v1 part of HYG-11 was already fixed on main by
5f45f5c (ci: use docker compose v2 instead of docker-compose v1).

Verified with make -n on every touched target in both Makefiles and
go list -m on each pinned module version.

Closes #1174, Closes #1181
@cristim cristim force-pushed the fix/hyg-05-hyg-11-fix branch from a71d26a to 367dee1 Compare June 19, 2026 21:48
@cristim

cristim commented Jun 19, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Rate Limit Exceeded

@cristim have exceeded the limit for the number of chat messages per hour. Please wait 5 minutes and 33 seconds before sending another message.

CodeRabbit flagged: cp/vim under "Copy from Example" used
profiles/aws/... but the dir is terraform/profiles/aws/...,
so users running the commands from repo root hit
"file not found".

Add the missing terraform/ prefix, annotate the intended cwd for
each block (repo root for cp/vim; the env dir for terraform apply),
and add the explicit `cd terraform/environments/aws/dev` step that
the Quick Deployment section already uses, so the relative
../../../profiles/... path actually resolves.
@cristim

cristim commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim

cristim commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

Adversarial review (PR #1245)

Reviewed against the five risk surfaces from the brief; the Make and docs changes are sound, with one stale-doc finding from CR's earlier pass that I just addressed.

Verified

  • "Broken recipes" claim: scripts/cost-estimate.sh and scripts/generate-profile.sh never existed in repo history (git log --all --diff-filter=A -- '*cost-estimate*' '*generate-profile*' is empty), so make cost-estimate and make -f Makefile.terraform profile-new always failed immediately. Removal is correct; nothing was silently no-oping or doing useful work. make -n cost-estimate and make -n -f Makefile.terraform profile-new now exit with "No rule to make target", consistent with the PR description. ✓
  • Pinned versions match the CI pins they cite:
    • golangci-lint v2.10.1 — matches ci.yml:50 (version: v2.10.1). v2 module path (github.com/golangci/golangci-lint/v2/cmd/golangci-lint) verified live on proxy.golang.org. ✓
    • gocyclo v0.6.0 — matches ci.yml:57 and pre-commit.yml:104. ✓
    • migrate v4.19.1 — matches database-migration.yml:156,232,298 and ci.yml:161. ✓
    • staticcheck v0.7.0 — no CI pin (only scripts/security-scan.sh consumes it); pinning to latest stable is reasonable. ✓
    • gosec v2.22.4 — matches pre-commit.yml:97 as the PR description claims, but ci.yml:321 actually uses securego/gosec@4a3bd8af... # v2.26.1 (Docker Action, bumped by PR sec(ci): pin all GitHub Actions to commit SHAs #536 / 3380eec). pre-commit.yml's own anchor comment ("Pinned to the same version ci.yml's securego/gosec Action uses") is stale. Filed #1297 to clean this up cross-file; out of scope here since the Makefile is consistent with what pre-commit.yml ships.
  • .PHONY completeness: cross-checked every target in Makefile against the .PHONY list. All 33 targets (including the new ci) are declared phony. Same check on Makefile.terraform: every recipe with a non-file name is in the .PHONY list, and profile-new is correctly removed from both the recipe and the .PHONY entry. ✓
  • No release/CI pipeline invokes the removed recipes: grep -rE '\bmake\b' .github/workflows/*.yml returns only sudo make -C /tmp/git-secrets install (external) — no workflow calls the deleted targets. No .goreleaser.yml exists. ✓
  • Documentation sweep: removed references in docs/DEVELOPMENT.md:321 (correct) and terraform/profiles/README.md (correct). The ## Cost Estimates heading in docs/DEPLOYMENT.md:475 is a cost-of-running-the-deployed-stack section (Lambda/Fargate $/month), not the removed infracost target — keep. README.md mentions "cost estimates" only in product-feature copy. ✓
  • Canonical-target semantics unchanged: ci: fmt vet complexity test-unit security-scan terraform-validate, pre-commit: fmt vet complexity test-unit, build: go build -o cudly ./cmd, test: test-unit — none of these were touched. ✓
  • @latest audit: zero remaining @latest in the Makefile. ✓

Fixes pushed

  • terraform/profiles/README.md "Copy from Example" block — CR flagged that cp profiles/aws/dev.tfvars and vim profiles/aws/my-profile.tfvars resolve incorrectly from repo root since the actual location is terraform/profiles/aws/.... Pushed (a9a8c14e4): added terraform/ prefix, plus a cd terraform/environments/aws/dev step so the ../../../profiles/aws/my-profile.tfvars apply path actually resolves (matches the pattern already used in the Quick Deployment section above).

Follow-up filed

  • ci: align gosec pin across ci.yml, pre-commit.yml, and Makefile #1297ci: align gosec pin across ci.yml, pre-commit.yml, and Makefile. Three-way version drift: ci.yml uses v2.26.1 (Docker Action), pre-commit.yml and now Makefile pin v2.22.4 (go-install). The Makefile's "keep in sync with the CI pins in ci.yml, pre-commit.yml and database-migration.yml" comment is only half-true while this drift exists. Triage: type/chore, priority/p3, severity/low, urgency/eventually, impact/internal, effort/xs, triaged.

UNSTABLE state

Failing checks are pre-existing on main (last 5 CI - Build & Test runs on main are all failure):

  • Security Scanning: govulncheck step (Walk every module independently and fail on any HIGH/CRITICAL) exits 1 — unrelated to the Makefile diff (no govulncheck is wired through install-dev-tools).
  • Integration Tests: RDS DescribeDBMajorEngineVersions fails with "no EC2 IMDS role found" — the CI runner lacks AWS credentials for an SDK call introduced elsewhere. Pure docs/Make PR cannot have caused it.
  • Lint Code: pre-existing on main per the recent review history.
  • CI Success: aggregator failure tracking the above.

None are caused by this PR. Not blocking.

Verdict

LGTM. CR re-ping posted (@coderabbitai review).

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Tip

For best results, initiate chat on the files or code changes.

@cristim Thanks for the thorough adversarial pass — this is very helpful.

Agreed on the outcome: the Make/docs changes look sound, the README path fix addresses the stale-doc issue I raised, and the gosec version drift you isolated is best handled separately in #1297 rather than blocking this PR.

Good catch as well on docs/DEPLOYMENT.md: that ## Cost Estimates section is clearly about deployed-stack operating cost, not the removed Make target, so it should stay.

(•ᴗ•)🐇


✏️ Learnings added
Learnt from: cristim
URL: https://github.com/LeanerCloud/CUDly/pull/1245

Timestamp: 2026-06-26T15:28:43.336Z
Learning: In repository `LeanerCloud/CUDly`, `docs/DEPLOYMENT.md` contains a `## Cost Estimates` section that documents runtime operating costs of the deployed stack (for example Lambda/Fargate monthly costs) and is unrelated to the removed `make cost-estimate` target. Do not flag that section as stale when reviewing Makefile cleanup for the deleted infracost recipe.

Learnt from: cristim
URL: https://github.com/LeanerCloud/CUDly/pull/1245

Timestamp: 2026-06-26T15:28:43.336Z
Learning: In repository `LeanerCloud/CUDly`, there is known cross-file `gosec` version drift tracked in GitHub issue `#1297`: `.github/workflows/ci.yml` uses the `securego/gosec` Docker Action at v2.26.1, while `.github/pre-commit.yml` and `Makefile` pin `gosec` v2.22.4 for `go install`. Treat this as an existing follow-up item rather than a regression introduced by PR `#1245`.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

effort/xs Trivial / one-liner impact/internal Team-internal only priority/p3 Polish / idea / may never ship severity/low Minor harm triaged Item has been triaged type/chore Maintenance / non-user-visible urgency/eventually No deadline

Projects

None yet

1 participant