fix(deps): update all non-major dependencies in .github/workflows/tinygo.yml #1432
renovate[bot] wants to merge 1 commit into
📝 Walkthrough
Multiple GitHub Actions workflows were updated with newer pinned commit SHAs for standard actions. The Go toolchain was upgraded from version 1.25 to 1.26 across the project, and several Go dependencies were bumped to newer versions including go-mockdns, jsonschema, and go-httpbin.
Changes
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Possibly related issues
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
The problem is that jsonschema is requiring latest 1.26
Actionable comments posted: 2
🧹 Nitpick comments (3)
.github/workflows/fuzz.yml (1)
20-22: Prefer pinning fuzz Go version to `1.26.x` instead of a broad range.
`>=1.25.0` is less reproducible and can drift; pinning to `1.26.x` keeps this job aligned with `go.mod`.
Suggested change
- go-version: ">=1.25.0" + go-version: "1.26.x"🤖 Prompt for AI Agents
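Review bot: the replacement value "1.26.x" is still a floating range over patch releases, so it only narrows the drift that the comment attributes to ">=1.25.0", and it adds one more hard-coded copy of the version that has to be bumped together with go.mod. Since the stated goal is to stay aligned with go.mod, pointing actions/setup-go at the module file (go-version-file: go.mod) instead of a literal would keep the fuzz job in step without a manual edit.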
Verify each finding against the current code and only fix it if needed. In @.github/workflows/fuzz.yml around lines 20 - 22, Update the GitHub Actions step using actions/setup-go to pin the Go version to "1.26.x" instead of the broad range ">=1.25.0"; locate the step referencing actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c and change the with: go-version value to "1.26.x" so the fuzz job is reproducible and matches go.mod.
go.mod (1)
23-27: Document rationale for the dependencies touched in this update.
Please extend the dependency notes so the newly bumped/introduced entries are explicitly justified (especially `jsonschema`, `go-httpbin/v2`, and newly introduced indirect JSON/i18n chain deps).
As per coding guidelines, "go.mod: Document why each dependency is needed".
Also applies to: 38-45
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 23 - 27, Add clear rationale comments for each of the recently changed dependencies—specifically github.com/kaptinlin/jsonschema, github.com/mccutchen/go-httpbin/v2, and any newly introduced indirect JSON/i18n chain packages—explaining why each is required (what functionality or feature uses it), whether it is a direct or indirect dependency, and why the chosen version was bumped (bugfix/security/perf/API changes). Update the go.mod (or a nearby DEPENDENCIES.md if you prefer project convention) to include a one-line justification for each of these packages and for the other bumped entries (github.com/foxcpp/go-mockdns, github.com/jcchavezs/mergefs, github.com/magefile/mage), referencing the import sites or features (e.g., the code paths or commands that import jsonschema, go-httpbin/v2, or the i18n libs) so reviewers can see who uses them.
testing/coreruleset/go.mod (1)
6-8: Add brief dependency-purpose notes for this module’s updated dependencies.
Please document why these updated direct/indirect dependencies are needed in this `go.mod` as well, to keep maintenance context local to the module.
As per coding guidelines, "go.mod: Document why each dependency is needed".
Also applies to: 22-25, 31-34
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@testing/coreruleset/go.mod` around lines 6 - 8, Add short inline comments in go.mod describing why each updated dependency is required: annotate the github.com/bmatcuk/doublestar/v4 entry to state it’s used for glob/path matching in tests or rule loading, annotate github.com/corazawaf/coraza-coreruleset/v4 to state it provides the official Core Rule Set for integration tests, and annotate github.com/corazawaf/coraza/v3 to state it’s the WAF engine used by the module; apply the same style of brief comments to the other dependency blocks mentioned (lines referenced 22-25 and 31-34) so future maintainers see the purpose of each dependency next to its module name.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 8d222b82-5f01-4ad5-9a32-e5a43f4155b3
⛔ Files ignored due to path filters (2)
`go.sum` is excluded by `!**/*.sum`
`testing/coreruleset/go.sum` is excluded by `!**/*.sum`
📒 Files selected for processing (8)
.github/workflows/close-issues.yml
.github/workflows/codeql-analysis.yml
.github/workflows/fuzz.yml
.github/workflows/lint.yml
.github/workflows/regression.yml
.github/workflows/tinygo.yml
go.mod
testing/coreruleset/go.mod
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
| cache: true |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Root module go version:"
sed -n 's/^go //p' go.mod
echo
echo "Regression workflow go settings:"
rg -n 'go-version:\s*\[|GOLANG_BASE_VERSION' .github/workflows/regression.yml
Repository: corazawaf/coraza
Length of output: 509
Align regression Go matrix with module minimum (go 1.26).
Line 28 defines the test matrix as go-version: [1.25.x], but go.mod requires go 1.26. This mismatch will cause test failures. Update both the matrix and the base version environment variable to 1.26.x:
Required changes
- go-version: [1.25.x]
+ go-version: [1.26.x]
@@
- GOLANG_BASE_VERSION: "1.25.x"
+ GOLANG_BASE_VERSION: "1.26.x"🤖 Prompt for AI Agents
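Review bot: the second hunk sets GOLANG_BASE_VERSION to the same "1.26.x" literal that the first hunk puts in the matrix, so the workflow keeps two copies of one value, and both must also track the go directive in go.mod. If the base version is meant to equal the module minimum, define it once and reference it from the matrix, or read it from go.mod, rather than editing both strings on every toolchain bump.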
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/regression.yml around lines 61 - 64, Update the GitHub
Actions Go test matrix and the base Go version env var to match the module
minimum (go 1.26): change the matrix entry matrix.go-version from "1.25.x" to
"1.26.x" and update the repository base Go environment variable (e.g.,
GO_VERSION or whichever env var is used to set the workflow's default Go
version) from "1.25.x" to "1.26.x" so the actions/setup-go go-version and the
matrix are consistent with go.mod's "go 1.26".
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
| cache: true |
🧩 Analysis chain
🏁 Script executed:
# Check the Go version matrix in tinygo.yml
cat -n .github/workflows/tinygo.yml | head -60
Repository: corazawaf/coraza
Length of output: 2024
🏁 Script executed:
# Check the root go.mod to see Go version requirement
cat go.mod | head -20
Repository: corazawaf/coraza
Length of output: 417
TinyGo job matrix is pinned to Go 1.25.x but the module requires Go 1.26.
Line 27 sets the matrix to go-version: [1.25.x], which conflicts with the go 1.26 requirement in the root go.mod. This will cause the TinyGo CI job to fail at the dependency or build stages.
Update the matrix to use Go 1.26.x to align with the module requirement.
Suggested fix
- go-version: [1.25.x]
+ go-version: [1.26.x]🤖 Prompt for AI Agents
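Review bot: the matrix bump to [1.26.x] changes only the Go toolchain; nothing in this hunk shows which TinyGo release the job installs, and each TinyGo release supports a bounded range of Go versions. Before applying, confirm that the TinyGo version pinned in tinygo.yml supports Go 1.26 and bump it in the same change if it does not, otherwise the job can still fail for a different reason than the one described.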
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/tinygo.yml around lines 39 - 42, The TinyGo CI matrix is
pinned to Go 1.25.x but the module requires go 1.26; update the workflow matrix
entry that sets matrix.go-version (and the uses: actions/setup-go step if it
references that) to 1.26.x so the TinyGo job uses Go 1.26 and matches the root
go.mod requirement, ensuring the actions/setup-go invocation still consumes the
updated matrix value.
This PR contains the following updates:
- a783357 → 27d5ce7
- 1af3b93 → de0fac2
- 4469467 → 4a36011
- 3a9db7e → eb5cf3a
- 57e3a13 → e79a696
- v4.9.1 → v4.10.0
- v3.3.3 → v3.7.0
- v2.1.0 → v2.2.0 | v2.4.0 (+1)
- v1.1.0 → v1.2.0
- v0.4.6 → v0.7.13 | v0.7.15 (+1)
- v1.17.0 → v1.17.2
- v2.18.3 → v2.22.1 | v2.23.0
- v1.35.0 → v1.35.1
- v1.18.0 → v1.19.0
- e296a93 → 7211b7c
- 1.25.x → 1.26.x
Release Notes
bmatcuk/doublestar (github.com/bmatcuk/doublestar/v4)
v4.10.0: Added WithNoHidden option
Added support for a `WithNoHidden` option to ignore hidden files in patterns that might unintentionally match them. For example, a `.config` directory would not be matched by `*` or recursed into by `**`, but would be matched by `.*` or recursed by `.config/**`.
Thanks to @lukasngl for the initial PR and idea!
What's Changed
New Contributors
Full Changelog: bmatcuk/doublestar@v4.9.2...v4.10.0
v4.9.2: Fixed Handling of Paths With Meta Chars Using Alts
@toga4 submitted a PR that fixed a small bug with the way paths were handled when the pattern used `{alts}`: if some part of the on-disk path that came before the `{alt}` included meta characters (say, a directory name that included the character `?`), these meta characters were not escaped when they were passed back through the globbing routines. This caused doublestar to interpret them as actual meta characters, rather than a fixed-string path as it should have. Nice find, @toga4!
What's Changed
New Contributors
Full Changelog: bmatcuk/doublestar@v4.9.1...v4.9.2
corazawaf/coraza (github.com/corazawaf/coraza/v3)
v3.7.0
What's Changed
🆕 Features
Fixes
- `coraza.conf-recommended` by @M4tteoP in #1588
🚀 Performance enhancements
Other changes
New Contributors
Full Changelog: v3.6.0...v3.7.0
v3.6.0
What's Changed
New feature (compilation flag)
Fixes
Others
Full Changelog: v3.5.0...v3.6.0
v3.5.0
What's Changed
Important
New Features
Fixes
Full Changelog: v3.4.0...v3.5.0
v3.4.0
What's Changed
Features
- `*_NAMES` collections by @blotus in #1143
Fixes
- `H` should populate also with error logs. by @M4tteoP in #1310
- `coraza.conf-recommended`, stricter parsing actions by @M4tteoP in #1352
- 78acbaf in go.mod by @renovate[bot] in #1375
- `\""` by @trgalho in #1394
Tests
Chores and Other
- 1b549b9 in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1335
- `coraza.conf-recommended` comments by @M4tteoP in #1334
- 18283e0 in .github/workflows/regression.yml by @renovate[bot] in #1359
- ff0a06e in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1361
- 39edc49 in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1380
- 181d5ee in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1382
- d6bbdef in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1390
- 4e828ff in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1391
- 51f7732 in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1393
- 0400d5f in .github/workflows/tinygo.yml by @renovate[bot] in #1396
- 76621b6 in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1398
- df55935 in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1403
- 96f518a in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1407
- fdcc847 in .github/workflows/regression.yml by @renovate[bot] in #1408
- 3c3833e in .github/workflows/codeql-analysis.yml by @renovate[bot] in #1410
New Contributors
Full Changelog: v3.3.3...v3.4.0
coreruleset/go-ftw (github.com/coreruleset/go-ftw/v2)
v2.2.0
What's Changed
⭐ New features
🧰 Other changes
New Contributors
Full Changelog: coreruleset/go-ftw@v2.1.2...v2.2.0
v2.1.2
What's Changed
🛠 Fixes
🧰 Other changes
Full Changelog: coreruleset/go-ftw@v2.1.1...v2.1.2
v2.1.1
What's Changed
⚙️ Dependency updates
- 3dfff04 in go.mod by @renovate[bot] in #604
- 7ab1446 in go.mod by @renovate[bot] in #615
- 746e56f in go.mod by @renovate[bot] in #623
🧰 Other changes
Full Changelog: coreruleset/go-ftw@v2.1.0...v2.1.1
foxcpp/go-mockdns (github.com/foxcpp/go-mockdns)
v1.2.0
What's Changed
New Contributors
Full Changelog: foxcpp/go-mockdns@v1.1.0...v1.2.0
kaptinlin/jsonschema (github.com/kaptinlin/jsonschema)
v0.7.13
v0.7.12
v0.7.11
v0.7.10
v0.7.9
v0.7.8
v0.7.7
v0.7.6
v0.7.5
v0.7.4
v0.7.3
v0.7.2
v0.7.1
v0.7.0
v0.6.15
v0.6.14
v0.6.13
v0.6.12
v0.6.11
v0.6.10
v0.6.9
v0.6.8
v0.6.7
v0.6.6
v0.6.5
v0.6.4
v0.6.3
v0.6.2
v0.6.1
v0.6.0
v0.5.2
v0.5.1
v0.5.0
v0.4.15
v0.4.14
v0.4.13
v0.4.12
v0.4.11
v0.4.10
v0.4.9
v0.4.8
v0.4.7
magefile/mage (github.com/magefile/mage)
v1.17.2: - Tab Completion
What's New
Tab completion is now available by running `mage -install <shell>` where the curren
Configuration
📅 Schedule: (UTC)
* 0-3 * * *)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.