Skip to content

Add EUPL-1.2 LICENSE and refresh Go workspace configuration#6

Open
Snider wants to merge 6 commits into
mainfrom
dev
Open

Add EUPL-1.2 LICENSE and refresh Go workspace configuration#6
Snider wants to merge 6 commits into
mainfrom
dev

Conversation

@Snider

@Snider Snider commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This pull request introduces several important updates to the repository’s Go project structure, dependencies, and licensing. The main changes include updating the Go module and workspace configuration to support a new project layout, updating to a newer version of a core dependency, and adding a license file. Additionally, several external dependencies have been updated or restructured.

Project structure and configuration:

  • Added .core/go.yaml to mark this repository as a managed canonical Go repo, specifying project metadata and Go module details.
  • Updated go.work to reference new subpaths for external modules (external/config/go, external/io/go, external/log/go) instead of their previous paths, reflecting a reorganization of external dependencies.

Dependency management:

  • Updated dappco.re/go dependency in go/go.mod from v0.9.0 to v0.10.4, bringing in the latest features and fixes from the core library.
  • Added and updated entries in go.work.sum to reflect new and updated dependencies, ensuring reproducible builds.
  • Updated submodule references for external/config, external/go, external/io, and external/log to newer commits, aligning with the new project structure and dependency versions. [1] [2] [3] [4]

Licensing:

  • Added the full text of the European Union Public Licence (EUPL) v1.2 in the new LICENCE file, clarifying the legal terms under which the project is distributed.

Summary by CodeRabbit

  • New Features

    • Added Go project metadata and repository management setup for the codebase.
    • Introduced automated dependency tracking via a new scheduled and manual workflow.
  • Documentation

    • Added a repository licence file.
  • Chores

    • Updated several external components and refreshed the Go module version.

Snider and others added 5 commits May 1, 2026 08:33
Reference: core/api/LICENCE.

Co-Authored-By: Cladius Maximus <cladius@lethean.io>
…block)

- git submodule update on external/* to current dev tips
- go.work paths fixed for Phase 1 /go/ subtree layout where stale
- go.work go-version bumped 1.26.0 → 1.26.2 to match submodule floor

Workspace-mode build (`go build ./...`) is the verification path. Some
repos may surface transitive dep issues (api/go.sum checksum drift, etc.)
which are separate cascade tickets — not blocking this metadata refresh.

Co-Authored-By: Cladius Maximus <cladius@lethean.io>
Brings this repo into the managed canonical set per audit-sweep
discovery filter (.core + go markers required). Module path + go
version discovered from go/go.mod.

After this, audit-sweep includes the repo in its run; dispatch
tooling treats it as a first-class Lethean Go repo.

Co-Authored-By: Cladius Maximus <cladius@lethean.io>
Co-Authored-By: Virgil <virgil@lethean.io>
Co-Authored-By: Hephaestus <hephaestus@lthn.ai>
Advance external/go workspace submodule to v0.10.4 so dev (GOWORK on) and standalone (GOWORK=off) builds resolve the same core/go.

Co-Authored-By: Virgil <virgil@lethean.io>
@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a .core/go.yaml canon metadata file, a EUPL v1.2 LICENCE file, and a new "Deps" GitHub Actions workflow for dependency-bump tracking. Updates submodule pointers for external/config, external/go, external/io, and external/log, and bumps dappco.re/go from v0.9.0 to v0.10.4 in go/go.mod.

Changes

Repository canon and dependency infrastructure

Layer / File(s) Summary
Canon metadata and licence files
.core/go.yaml, LICENCE
Adds canon schema metadata identifying the repo as a Go project with module path dappco.re/go/app and pinned Go version 1.26.0, plus the full EUPL v1.2 licence text.
Dependency-bump tracking workflow
.github/workflows/deps.yml
Adds a "Deps" workflow triggered by cron, manual dispatch, and repository_dispatch, running the dAppCore/build/actions/deps@dev action against the go module directory with configurable dry-run.
Submodule and module dependency bumps
external/config, external/go, external/io, external/log, go/go.mod
Updates pinned commit references for four external submodules and bumps the dappco.re/go dependency version from v0.9.0 to v0.10.4.

Suggested labels: dependencies, ci, documentation

Suggested reviewers: dAppCore maintainers

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main changes: adding the EUPL-1.2 licence and updating Go workspace-related configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Warning

Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Opens/updates a single deps issue for dappco.re/* deps with a newer release.

Co-Authored-By: Virgil <virgil@lethean.io>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/deps.yml (1)

32-42: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider adding timeout-minutes to bound the job.

No timeout is set on the deps job; if the third-party action hangs (e.g. on a network call), the job could run until the default 6-hour GitHub Actions limit.

♻️ Proposed fix
   deps:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     env:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deps.yml around lines 32 - 42, Add a timeout to the deps
job in the workflows definition so it can’t run indefinitely if the
dAppCore/build/actions/deps@dev step hangs. Update the deps job block to include
a timeout-minutes value alongside runs-on/env/steps, using the job name deps as
the anchor for the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deps.yml:
- Line 37: The checkout step in the deps workflow is persisting credentials
unnecessarily, leaving the GITHUB_TOKEN available to later steps such as the
deps action. Update the existing actions/checkout usage in the workflow to set
persist-credentials to false so the token is not stored in git config, keeping
the job credential-minimal since no push or commit occurs.
- Around line 39-42: The deps workflow step using
dAppCore/build/actions/deps@dev with go-mod-dir: go is missing the required CI
Go overrides, so add explicit environment settings for GOWORK, GOPROXY, GOSUMDB,
and GOFLAGS on that step or surrounding job to force reproducible, isolated
module resolution. Keep the change scoped to the workflow action invocation so
the CI path consistently runs with GOWORK=off, GOPROXY=direct, GOSUMDB=off, and
GOFLAGS=-mod=mod.
- Around line 39-42: Pin the reusable action used in the deps workflow to a
specific commit SHA instead of dAppCore/build/actions/deps@dev, and update it
only through an intentional review process. Locate the action reference in the
workflow job using the deps action and replace the mutable dev tag with an
immutable commit identifier so the scheduled run cannot pick up unreviewed
changes.

---

Nitpick comments:
In @.github/workflows/deps.yml:
- Around line 32-42: Add a timeout to the deps job in the workflows definition
so it can’t run indefinitely if the dAppCore/build/actions/deps@dev step hangs.
Update the deps job block to include a timeout-minutes value alongside
runs-on/env/steps, using the job name deps as the anchor for the change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ce6f066c-5899-477f-a4f2-ad6b97e3e9a5

📥 Commits

Reviewing files that changed from the base of the PR and between d766687 and c4854f8.

⛔ Files ignored due to path filters (3)
  • go.work is excluded by !**/*.work
  • go.work.sum is excluded by !**/*.sum
  • go/go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
  • .core/go.yaml
  • .github/workflows/deps.yml
  • LICENCE
  • external/config
  • external/go
  • external/io
  • external/log
  • go/go.mod

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Set persist-credentials: false on checkout.

By default actions/checkout persists the GITHUB_TOKEN in the local git config, which remains available to subsequent steps (including the third-party deps action). Since no git push/commit is performed by this job, credentials don't need to persist.

🔒️ Proposed fix
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 37-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deps.yml at line 37, The checkout step in the deps
workflow is persisting credentials unnecessarily, leaving the GITHUB_TOKEN
available to later steps such as the deps action. Update the existing
actions/checkout usage in the workflow to set persist-credentials to false so
the token is not stored in git config, keeping the job credential-minimal since
no push or commit occurs.

Source: Linters/SAST tools

Comment on lines +39 to +42
- uses: dAppCore/build/actions/deps@dev
with:
go-mod-dir: go
dry-run: ${{ github.event.inputs.dry-run || 'false' }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add explicit Go environment overrides for CI mode.

The go-mod-dir: go action presumably runs Go tooling against go/go.mod. Per coding guidelines, CI workflows under .github/workflows/** should use explicit overrides GOWORK=off GOPROXY=direct GOSUMDB=off GOFLAGS=-mod=mod for stable behaviour and strict cache isolation, but no such env is configured here.

     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GOWORK: off
+      GOPROXY: direct
+      GOSUMDB: off
+      GOFLAGS: -mod=mod

As per coding guidelines, "In Repro/CI mode, use explicit override: GOWORK=off GOPROXY=direct GOSUMDB=off GOFLAGS=-mod=mod for stable behavior and strict cache isolation."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: dAppCore/build/actions/deps@dev
with:
go-mod-dir: go
dry-run: ${{ github.event.inputs.dry-run || 'false' }}
- uses: dAppCore/build/actions/deps@dev
with:
go-mod-dir: go
dry-run: ${{ github.event.inputs.dry-run || 'false' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOWORK: off
GOPROXY: direct
GOSUMDB: off
GOFLAGS: -mod=mod
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deps.yml around lines 39 - 42, The deps workflow step
using dAppCore/build/actions/deps@dev with go-mod-dir: go is missing the
required CI Go overrides, so add explicit environment settings for GOWORK,
GOPROXY, GOSUMDB, and GOFLAGS on that step or surrounding job to force
reproducible, isolated module resolution. Keep the change scoped to the workflow
action invocation so the CI path consistently runs with GOWORK=off,
GOPROXY=direct, GOSUMDB=off, and GOFLAGS=-mod=mod.

Source: Coding guidelines


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

set -euo pipefail
printf '\n== deps workflow ==\n'
cat -n .github/workflows/deps.yml

printf '\n== repo files referencing dAppCore/build/actions/deps ==\n'
rg -n "dAppCore/build/actions/deps@|persist-credentials|timeout-minutes|GOWORK|GOPROXY|GOSUMDB|GOFLAGS" .github/workflows -S || true

Repository: dAppCore/app

Length of output: 2033


Pin the reusable action to a commit SHA instead of @dev.

dAppCore/build/actions/deps@dev is mutable, so this scheduled workflow can pick up unreviewed changes while running with issues: write and GITHUB_TOKEN. Use a fixed commit and update it deliberately.

🔒 Proposed fix
-      - uses: dAppCore/build/actions/deps@dev
+      - uses: dAppCore/build/actions/deps@<pinned-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deps.yml around lines 39 - 42, Pin the reusable action
used in the deps workflow to a specific commit SHA instead of
dAppCore/build/actions/deps@dev, and update it only through an intentional
review process. Locate the action reference in the workflow job using the deps
action and replace the mutable dev tag with an immutable commit identifier so
the scheduled run cannot pick up unreviewed changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant