
Update gh workflow #20

Merged
RomuloSiebra merged 9 commits into main from chore/ci
Nov 4, 2025

Conversation


@rfabriciors rfabriciors commented Sep 30, 2025

Summary by CodeRabbit

  • Chores
    • Split CI/CD into separate build (CI) and deploy (CD) stages with explicit job dependency.
    • Added automated deployment orchestration with remote job launches and selectable target host pool.
    • Upgraded Go toolchain and a broad set of dependencies across networking, telemetry, and P2P stacks.
    • Updated lint workflow to a newer action and refreshed the Go build base image.
    • No user-facing functionality changes.


coderabbitai bot commented Sep 30, 2025

Walkthrough

Splits the release workflow into separate CI and CD jobs (CI builds and pushes Docker images; CD runs AWX-driven deployment via Twingate/Python), upgrades Go toolchain to 1.25 and many Go module versions, updates golangci-lint action, and bumps the Go Dockerfile base image.

Changes

  • Workflow restructure: CI / CD (.github/workflows/create_release.yml): Replaces single build workflow with two jobs: CI (checkout, custom Go setup, Docker login, build & push image tags using Dockerfile.golang) and CD (depends on CI; checkout, Twingate setup, Python 3.11, install AWX CLI, launch AWX job template with extra_vars including docker image tag and host pool).
  • Lint action update (.github/workflows/golangci-lint.yml): Updates golangci-lint action from golangci/golangci-lint-action@v3 to golangci/golangci-lint-action@v8; removes --print-issued-lines from args.
  • Go toolchain & dependency upgrades (go.mod): Bumps Go toolchain from 1.22.1 to 1.25 and upgrades numerous direct and indirect modules (e.g., klever-go, testify, libp2p/IPFS/quic-go/otel/protobuf stacks). No public API signature changes detected in this diff.
  • Go Dockerfile base image update (Dockerfile.golang): Updates build-stage base image from golang:1.24.5-alpine3.22 to golang:1.25.3-alpine3.22; no other Dockerfile changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant REG as Docker Registry
  participant TW as Twingate
  participant PY as Python Env
  participant AWX as AWX Controller

  Dev->>GH: Push tag / trigger workflow

  rect rgb(215,230,255)
    note right of GH: CI job — build & push
    GH->>GH: Checkout repo
    GH->>GH: Setup Go (action)
    GH->>REG: Docker login
    GH->>REG: Build image (Dockerfile.golang)
    GH->>REG: Push image (commit-SHA and latest)
    REG-->>GH: Push confirmation
  end

  GH-->>GH: CI completes

  rect rgb(220,255,225)
    note right of GH: CD job — deployment
    GH->>GH: Checkout & set envs/inputs
    GH->>TW: Configure Twingate
    GH->>PY: Setup Python 3.11 & install awxkit
    GH->>AWX: Launch AWX job template (env + extra_vars including image tag, TARGET_HOST_POOL)
    AWX-->>GH: Job launch response/status
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I tunneled from branch to build tonight,
Split the work into CI and CD light.
Go grew wiser, Docker donned a new cap,
Twingate and AWX finished the lap.
A rabbit cheered — releases snap 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: Passed. The title "Update gh workflow" correctly highlights that the GitHub workflows have been modified but does not capture additional important changes such as dependency upgrades, lint action updates, and Dockerfile adjustments, making it only partially descriptive of the full scope of this PR.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9bab5f0 and 0917e2c.

📒 Files selected for processing (1)
  • .github/workflows/create_release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: golangci linter
  • GitHub Check: Unit & Integration

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • JIRA integration encountered authorization issues. Please disconnect and reconnect the integration in the CodeRabbit UI.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b321e85 and 07d3cf7.

📒 Files selected for processing (1)
  • .github/workflows/create_release.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/create_release.yml

40-40: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (2)
.github/workflows/create_release.yml (2)

27-27: Verify GitHub environment configuration for dynamic branch names.

The workflow uses ${{ github.ref_name }} as the environment name, which dynamically maps to the branch name from which the workflow is dispatched. Ensure that:

  1. The corresponding GitHub environment exists in repository settings
  2. The environment has the necessary secrets and variables configured (TWINGATE_SERVICE_ACCOUNT, AWX_HOST, AWX_USER, AWX_PASS, AWX_TEMPLATE_NAME, ENV_NETWORK)
  3. Appropriate environment protection rules are in place to prevent unintended deployments

49-54: Fix variable expansion in extra_vars JSON and handle login errors.

Two critical issues in the AWX template launch:

  1. Variable expansion will fail: The extra_vars JSON uses single quotes, which prevents GitHub Actions from expanding ${{ vars.ENV_NETWORK }} and ${{ github.sha }}. These will be passed as literal strings.

  2. Login output is unused: The awx login command output is captured but never checked, so authentication failures will go unnoticed.

Apply this diff to fix both issues:

     - name: Launch template on AWX
       run: |
         export TOWER_HOST="${{ vars.AWX_HOST }}"
         export TOWER_USERNAME="${{ vars.AWX_USER }}"
         export TOWER_PASSWORD="${{ secrets.AWX_PASS }}"
-        LOGIN_OUTPUT=$(awx login)
-        awx job_templates launch "${{ vars.AWX_TEMPLATE_NAME }}" --extra_vars '{"vm_name":"${{ vars.ENV_NETWORK }}","docker_image_tag":"kleverapp/klv-bridge:${{ github.sha }}"}' --job_tags update
+        awx login || { echo "AWX login failed"; exit 1; }
+        VM_NAME="${{ vars.ENV_NETWORK }}"
+        IMAGE_TAG="kleverapp/klv-bridge:${{ github.sha }}"
+        awx job_templates launch "${{ vars.AWX_TEMPLATE_NAME }}" --extra_vars "{\"vm_name\":\"${VM_NAME}\",\"docker_image_tag\":\"${IMAGE_TAG}\"}" --job_tags update
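Review bot: the premise behind the `-`/`+` rewrite is not right: `${{ ... }}` expressions in a `run:` block are substituted by the Actions runner before the shell ever sees the script, so the original single-quoted `--extra_vars '{"vm_name":"${{ vars.ENV_NETWORK }}", ...}'` already carried the expanded values. The `+` lines keep interpolating `${{ vars.ENV_NETWORK }}` and `${{ github.sha }}` directly into shell source and then into a hand-assembled JSON string, which is the pattern GitHub's own workflow-hardening guidance warns about: a value containing a quote or shell metacharacter becomes shell or JSON syntax. Pass those values through an `env:` block on the step and reference them as `"$VM_NAME"` / `"$IMAGE_TAG"`, and build the JSON with a tool that escapes (for example `jq -n --arg`) rather than by string concatenation. The `awx login || { echo "AWX login failed"; exit 1; }` line is a genuine improvement over the unused `LOGIN_OUTPUT` capture and should stay.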

Likely an incorrect or invalid review comment.
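A hardened form of the "Launch template on AWX" step discussed in the review above, as an added example that is not the repository's own workflow code: it assumes the workflow expressions are mapped into VM_NAME, IMAGE_TAG and TEMPLATE through the step's env: block (names assumed for this example), allowlist-checks and JSON-escapes the values instead of splicing them into the command line, and fails the step when awx login fails.

```shell
#!/usr/bin/env bash
# Added example: hardened body for the "Launch template on AWX" step.
# Assumed step wiring (not from the PR):
#   env:
#     VM_NAME:   ${{ vars.ENV_NETWORK }}
#     IMAGE_TAG: kleverapp/klv-bridge:${{ github.sha }}
#     TEMPLATE:  ${{ vars.AWX_TEMPLATE_NAME }}
# Mapping expressions into env vars keeps their values out of the script text.
set -eu

# Reject empty values and any character that has no business in a network
# name or image reference, so an odd variable cannot become shell/JSON syntax.
validate_token() {
  case "$1" in
    "" | *[!A-Za-z0-9._:/@-]*) return 1 ;;
  esac
  return 0
}

# Escape backslashes and double quotes so the value is a valid JSON string body.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the extra_vars document for the AWX job template from two values.
build_extra_vars() {
  printf '{"vm_name":"%s","docker_image_tag":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Validate inputs, log in (failing loudly), then launch with escaped extra_vars.
# Called from the workflow step; not invoked at top level here.
launch_template() {
  validate_token "$VM_NAME"   || { echo "refusing VM_NAME=$VM_NAME" >&2; return 1; }
  validate_token "$IMAGE_TAG" || { echo "refusing IMAGE_TAG=$IMAGE_TAG" >&2; return 1; }
  awx login >/dev/null || { echo "AWX login failed" >&2; return 1; }
  awx job_templates launch "$TEMPLATE" \
    --extra_vars "$(build_extra_vars "$VM_NAME" "$IMAGE_TAG")" --job_tags update
}
```

The step body then reduces to exporting TOWER_HOST, TOWER_USERNAME and TOWER_PASSWORD as before and calling launch_template.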


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 07d3cf7 and 748abb8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (9 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.2)
go.mod

[HIGH] 76-76: github.com/golang-jwt/jwt/v4 4.5.0: Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

(GO-2024-3250)


[HIGH] 76-76: github.com/golang-jwt/jwt/v4 4.5.0: Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

(GO-2025-3553)


[HIGH] 76-76: github.com/golang-jwt/jwt/v4 4.5.0: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations

(GHSA-29wx-vh33-7x7r)


[HIGH] 76-76: github.com/golang-jwt/jwt/v4 4.5.0: jwt-go allows excessive memory allocation during header parsing

(GHSA-mh63-6h87-95cp)

🔇 Additional comments (5)
go.mod (5)

163-181: Approve coordinated Pion dependency updates

No direct Pion/WebRTC imports or API usage found in the codebase; all listed modules are indirect and the upgrade can be merged.


216-219: Confirm OpenTelemetry upgrade compatibility
The bumped modules (auto/sdk v1.1.0, otel v1.34.0, otel/metric v1.34.0, otel/trace v1.34.0) are all indirect dependencies and no direct calls to otel APIs (e.g., SetTracerProvider, Meter) were found in the Go sources—manually verify that your auto-instrumentation or any explicit tracing/metrics setup still functions correctly after this upgrade.


3-3: No action required for Go version update: Go 1.25 is a valid, stable release (released August 2025).


94-122: Manual verification of P2P and IPFS integration required. Only libp2p usage was found in integrationTests/testscommon.go and cmd/bridge/main.go; no IPFS or multiaddr references detected. Run integration and bridge tests to confirm networking functionality remains intact:

go test ./integrationTests/... -timeout 5m
go test ./cmd/bridge/... -timeout 1m

12-12: Direct dependency updates look reasonable.

The upgrades to klever-go v1.7.14 and testify v1.11.1 appear straightforward. Ensure these versions are compatible with your codebase and that no breaking changes were introduced.

Run the following script to verify the build works with the updated dependencies:

Also applies to: 21-21


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 85226a0 and 635e444.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (9 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.3)
go.mod

[HIGH] 190-190: github.com/quic-go/quic-go 0.54.0: quic-go: Panic occurs when queuing undecryptable packets after handshake completion

(GHSA-47m2-4cr7-mhcw)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 54eb49d and 913f4f1.

📒 Files selected for processing (1)
  • .github/workflows/create_release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: CI
  • GitHub Check: Unit & Integration
  • GitHub Check: golangci linter

@RomuloSiebra RomuloSiebra merged commit fc7ef27 into main Nov 4, 2025
11 checks passed
@RomuloSiebra RomuloSiebra deleted the chore/ci branch November 4, 2025 13:19