
@creativeprojects (Owner) commented Sep 2, 2025

Upgrade GitHub and GitLab API dependencies to latest versions

This PR updates the project's core dependencies to their latest stable versions:

Dependency Updates:

  • github.com/google/go-github/v30 → v74.0.0
  • github.com/xanzy/go-gitlab → gitlab.com/gitlab-org/api/client-go v0.142.6
  • github.com/ulikunitz/xz v0.5.14 → v0.5.15

CI/CD Updates:

  • GitHub Actions workflows updated to use latest action versions
  • actions/checkout@v4 → v5
  • codecov/codecov-action@v4 → v5
  • sonarsource/sonarqube-scan-action@v4 → v5

These updates ensure compatibility with the latest API features and security patches while maintaining backward compatibility for existing functionality.

Summary by CodeRabbit

  • Chores
    • Upgraded CI workflows to use latest v5 GitHub Actions, including updated Codecov inputs.
    • Updated GitHub and GitLab API client dependencies to current major versions for improved compatibility and maintenance.
    • Applied a minor patch update to a compression library.
    • Removed deprecated GitLab client dependency in favor of the official client.
    • No changes to public APIs or user-facing behavior expected.

@coderabbitai (coderabbitai bot) commented Sep 2, 2025

Walkthrough

CI workflow actions were upgraded to v5 and Codecov input renamed from file to files. Go dependencies were updated: google/go-github moved from v30 to v74; GitLab client switched from github.com/xanzy/go-gitlab to gitlab.com/gitlab-org/api/client-go; xz bumped to v0.5.15. Source imports adjusted accordingly.

Changes

Cohort / File(s): Summary

  • CI workflow updates (.github/workflows/build.yml): Bump actions to v5 (checkout, download-artifact, codecov, SonarQube scan). Codecov input renamed from file→files. No other logic changes.
  • GitHub API client migration (github_release.go, github_source.go, go.mod): Update go-github import from v30 to v74 and adjust module in go.mod. No code changes beyond import paths.
  • GitLab API client migration (gitlab_release.go, gitlab_source.go, go.mod): Replace github.com/xanzy/go-gitlab with gitlab.com/gitlab-org/api/client-go, alias as gitlab; update go.mod accordingly.
  • Other dependency bump (go.mod): Update github.com/ulikunitz/xz from v0.5.14 to v0.5.15.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes
Poem

A bunny nibbles docs with gentle might,
Hops through versions, keeps the builds alight.
GitHub to seventy-four, GitLab’s path anew,
Pipelines polished, artifacts in view.
With tidy mods and carrots bright,
Release me softly into night. 🥕✨

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.2.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/product/migration-guide for migration instructions


@codecov (codecov bot) commented Sep 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.07%. Comparing base (fbb2732) to head (19b7c4e).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #48   +/-   ##
=======================================
  Coverage   77.07%   77.07%           
=======================================
  Files          28       28           
  Lines        1435     1435           
=======================================
  Hits         1106     1106           
  Misses        279      279           
  Partials       50       50           
Flag Coverage Δ
unittests 77.07% <ø> (ø)


@coderabbitai (coderabbitai bot) left a review

Actionable comments posted: 0

🧹 Nitpick comments (9)
.github/workflows/build.yml (4)

22-22: Checkout v5: good; add least-privilege permissions.

Explicitly set minimal permissions for the job.

Example outside this range:

jobs:
  build:
    permissions:
      contents: read

(forge.tourmentine.com)


48-55: Codecov v5 switch is correct; set env for tags and prefer OIDC.

  • env_vars OS/GO won’t populate unless you export them.
  • Use OIDC to avoid secrets not available on PRs from forks.

Apply within this step:

-      - name: Code coverage with codecov
-        uses: codecov/codecov-action@v5
+      - name: Code coverage with codecov
+        uses: codecov/codecov-action@v5
         with:
           env_vars: OS,GO
-          files: ./coverage.txt
+          files: ./coverage.txt
           flags: unittests
           fail_ci_if_error: false
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true
+          use_oidc: true
+        env:
+          OS: ${{ matrix.os }}
+          GO: ${{ matrix.go_version }}
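Review bot: the switch to `use_oidc: true` removes the `token:` line but does not by itself grant the job an OIDC token; the `permissions: id-token: write` block is only shown further down as an out-of-range change, so the two must land together or the upload fails, and with `fail_ci_if_error: false` left in place that failure is silent rather than red. The new `env` block also assumes the job is a matrix job exposing exactly `matrix.os` and `matrix.go_version`; check the matrix keys before relying on `env_vars: OS,GO`.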

And outside this range (job/workflow level):

permissions:
  id-token: write

(github.com)


75-79: Download artifacts: narrow and merge for determinism.

Download only coverage artifacts and merge them to one folder.

-      - name: Download code coverage results
-        uses: actions/download-artifact@v5
+      - name: Download code coverage results
+        uses: actions/download-artifact@v5
+        with:
+          pattern: code-coverage-report-*
+          merge-multiple: true
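Review bot: `pattern: code-coverage-report-*` with `merge-multiple: true` only downloads what the upload step named with that prefix, and that step is outside this hunk; a mismatched artifact name makes the download succeed with nothing in the workspace, so confirm the upload-artifact `name` matches before applying.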

(github.blog)


81-86: Sonar scan v5: OK; consider wiring coverage path.

For Go coverage ingestion, pass the report path (downloads to workspace).

-      - name: Analyze with SonarCloud
-        uses: sonarsource/sonarqube-scan-action@v5
+      - name: Analyze with SonarCloud
+        uses: sonarsource/sonarqube-scan-action@v5
+        with:
+          args: >
+            -Dsonar.go.coverage.reportPaths=**/coverage.txt
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
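Review bot: `-Dsonar.go.coverage.reportPaths=**/coverage.txt` relies on the preceding download step leaving coverage.txt somewhere under the workspace; if the download is narrowed to a pattern that matches no artifact, SonarCloud reports zero coverage without failing the step. Verify the path in one run before trusting the coverage number it shows.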

Note: SONAR_HOST_URL is not required for SonarCloud. (github.com)

github_source.go (3)

44-65: Optional: simplify auth using Client.WithAuthToken (drop oauth2 client plumbing)

go-github v74 exposes Client.WithAuthToken, which removes the need to build a custom oauth2 client. This reduces deps and makes both public and Enterprise flows consistent.

Example refactor (illustrative only):

- hc := newHTTPClient(token)
-
- if config.EnterpriseBaseURL == ""
- {
-   // public (or private) repository on standard GitHub offering
-   client := github.NewClient(hc)
-   return &GitHubSource{ api: client }, nil
- }
+ var client *github.Client
+ if config.EnterpriseBaseURL == "" {
+   client = github.NewClient(nil)
+ } else {
+   u := config.EnterpriseUploadURL
+   if u == "" {
+     u = config.EnterpriseBaseURL
+   }
+   c, err := github.NewEnterpriseClient(config.EnterpriseBaseURL, u, nil)
+   if err != nil {
+     return nil, fmt.Errorf("cannot parse GitHub enterprise URL: %w", err)
+   }
+   client = c
+ }
+ if token != "" {
+   client = client.WithAuthToken(token)
+ }
  return &GitHubSource{
-   api: client,
+   api: client,
  }, nil
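Review bot: `github.NewClient(nil)` and `NewEnterpriseClient(..., nil)` fall back to http.DefaultClient, which has no timeouts, and the removed `hc := newHTTPClient(token)` may have configured more than the oauth2 token source (its body is not visible here); check what it set before dropping it. `client = client.WithAuthToken(token)` after `NewEnterpriseClient` is the right order, since WithAuthToken returns a copy that keeps the enterprise base and upload URLs.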

Note: if you take this path, remove the oauth2 import and the now-unused newHTTPClient helper.
(github.com)


67-88: “ListReleases returns all available releases” — currently only returns first page

To fulfill the comment/contract, paginate through all pages.

- rels, res, err := s.api.Repositories.ListReleases(ctx, owner, repo, nil)
+ opt := &github.ListOptions{PerPage: 100}
+ var relsAll []*github.RepositoryRelease
+ for {
+   rels, res, err := s.api.Repositories.ListReleases(ctx, owner, repo, opt)
+   if err != nil {
+     if res != nil && res.StatusCode == http.StatusNotFound {
+       log.Print("Repository or release not found")
+       return nil, nil
+     }
+     log.Printf("API returned an error response: %s", err)
+     return nil, err
+   }
+   relsAll = append(relsAll, rels...)
+   if res.NextPage == 0 {
+     break
+   }
+   opt.Page = res.NextPage
+ }
- if err != nil {
-   if res != nil && res.StatusCode == http.StatusNotFound {
-     // repository not found or release not found. It's not an error here.
-     log.Print("Repository or release not found")
-     return nil, nil
-   }
-   log.Printf("API returned an error response: %s", err)
-   return nil, err
- }
- releases := make([]SourceRelease, len(rels))
- for i, rel := range rels {
+ releases := make([]SourceRelease, len(relsAll))
+ for i, rel := range relsAll {
   releases[i] = NewGitHubRelease(rel)
 }
 return releases, nil
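Review bot: the loop has no upper bound and, when any page after the first returns an error, `return nil, err` throws away the releases already appended to relsAll; add a page cap (or stop once the release being looked for has been seen) and decide whether partial results should be returned together with the error, otherwise a rate-limited repository with many releases turns a single call into an open-ended sequence that fails late and empty.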

Pagination approach per upstream docs (ListOptions + NextPage). (github.com)


100-107: Add an HTTP timeout when following asset redirects

Using http.DefaultClient risks hanging downloads. Set a bounded timeout.

- client := http.DefaultClient
+ client := &http.Client{Timeout: 60 * time.Second}
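Review bot: http.Client.Timeout covers the whole exchange, body read included; this code hands the response body back to the caller to stream (the asset-redirect path at 100-107), so a fixed 60 s budget aborts any download slower than a minute. A Transport with ResponseHeaderTimeout (plus dial and TLS limits), or a context deadline owned by the caller, bounds a stalled server without truncating healthy downloads.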

Add to imports:

import "time"

gitlab_source.go (2)

88-114: Harden asset download: add timeout and status check

Default client has no timeouts, and non-2xx responses currently flow to callers.

- client := http.DefaultClient
+ client := &http.Client{Timeout: 60 * time.Second}
@@
- response, err := client.Do(req)
+ response, err := client.Do(req)
  if err != nil {
    log.Print(err)
    return nil, err
  }
-
- return response.Body, nil
+ if response.StatusCode < 200 || response.StatusCode >= 300 {
+   // ensure body is closed on error paths
+   _ = response.Body.Close()
+   return nil, fmt.Errorf("download failed: status %d for %s", response.StatusCode, downloadUrl)
+ }
+ return response.Body, nil
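Review bot: the hunk calls fmt.Errorf, but the import note that follows only adds `time`; confirm `fmt` is already imported in gitlab_source.go or the file will not compile. The 60 s http.Client.Timeout has the same problem as the github_source.go change: `return response.Body, nil` streams the body to the caller, so a total-exchange timeout truncates long downloads. The status check and the `response.Body.Close()` on the error path are right.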

Add to imports:

import "time"

96-105: Note on GitLab tokened downloads for release links

Some release “links” resolve to uploads URLs that historically didn’t accept PRIVATE-TOKEN for direct download (redirects to sign-in). If you hit 302/404 on private assets, consider storing artifacts in Generic Packages and linking those, which do support token headers reliably.

References: discussion of uploads behavior and a working Packages approach. (gitlab.com, stackoverflow.com, docs.gitlab.com)

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between fbb2732 and 19b7c4e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (6)
  • .github/workflows/build.yml (3 hunks)
  • github_release.go (1 hunks)
  • github_source.go (1 hunks)
  • gitlab_release.go (1 hunks)
  • gitlab_source.go (1 hunks)
  • go.mod (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build and test (1.24, macos-latest)
  • GitHub Check: Build and test (1.24, windows-latest)
🔇 Additional comments (8)
go.mod (1)

8-11: Manual API compatibility review required
The project builds successfully with the updated dependencies (go-github v74, GitLab client v0.142.6, xz v0.5.15) and no missing symbols were detected. However, the major version bump of the GitHub client (v30→v74) and the GitLab client migration may include behavioral or API surface changes—please manually review all critical API usages for breaking changes.

gitlab_release.go (1)

6-6: LGTM - Consistent migration to official GitLab client.

The import change aligns with the package migration and maintains the same alias and API usage patterns as gitlab_source.go.

github_release.go (1)

6-6: LGTM - GitHub client upgrade properly implemented.

The version upgrade from v30 to v74 is consistent with the change in github_source.go and maintains identical API usage patterns.

.github/workflows/build.yml (1)

70-74: Checkout v5 in Sonar job: looks good.

(forge.tourmentine.com)

github_source.go (2)

10-10: Go-GitHub import bumped to v74 — looks good

Import path matches the latest major-versioned module and aligns with upstream guidance. No other changes required here.

(github.com)


3-12: Imports are up-to-date: All go-github imports use v74 and there are no xanzy/go-gitlab imports remaining.

gitlab_source.go (2)

10-10: Switch to official GitLab client-go import — looks correct

New import path and alias are accurate for gitlab.com/gitlab-org/api/client-go.

(pkg.go.dev)


61-70: LGTM on ListReleases call shape

Signature matches client-go: ListReleases(pid any, opt *ListReleasesOptions, options ...RequestOptionFunc). Passing nil options with gitlab.WithContext(ctx) is valid.

(pkg.go.dev)

@creativeprojects creativeprojects merged commit 905c00d into main Sep 2, 2025
7 checks passed
@creativeprojects creativeprojects deleted the upgrade-packages branch September 2, 2025 20:23