Conversation
Reference: core/api/LICENCE. Co-Authored-By: Cladius Maximus <cladius@lethean.io>
…block) - git submodule update on external/* to current dev tips - go.work paths fixed for Phase 1 /go/ subtree layout where stale - go.work go-version bumped 1.26.0 → 1.26.2 to match submodule floor Workspace-mode build (`go build ./...`) is the verification path. Some repos may surface transitive dep issues (api/go.sum checksum drift, etc.) which are separate cascade tickets — not blocking this metadata refresh. Co-Authored-By: Cladius Maximus <cladius@lethean.io>
Brings this repo into the managed canonical set per audit-sweep discovery filter (.core + go markers required). Module path + go version discovered from go/go.mod. After this, audit-sweep includes the repo in its run; dispatch tooling treats it as a first-class Lethean Go repo. Co-Authored-By: Cladius Maximus <cladius@lethean.io>
Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Hephaestus <hephaestus@lthn.ai>
Advance external/go workspace submodule to v0.10.4 so dev (GOWORK on) and standalone (GOWORK=off) builds resolve the same core/go. Co-Authored-By: Virgil <virgil@lethean.io>
📝 WalkthroughWalkthroughAdds a ChangesRepository canon and dependency infrastructure
Suggested labels: dependencies, ci, documentation Suggested reviewers: dAppCore maintainers 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Warning Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Opens/updates a single deps issue for dappco.re/* deps with a newer release. Co-Authored-By: Virgil <virgil@lethean.io>
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/deps.yml (1)
32-42: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winConsider adding
timeout-minutesto bound the job.No timeout is set on the
depsjob; if the third-party action hangs (e.g. on a network call), the job could run until the default 6-hour GitHub Actions limit.♻️ Proposed fix
deps: runs-on: ubuntu-latest + timeout-minutes: 15 env:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/deps.yml around lines 32 - 42, Add a timeout to the deps job in the workflows definition so it can’t run indefinitely if the dAppCore/build/actions/deps@dev step hangs. Update the deps job block to include a timeout-minutes value alongside runs-on/env/steps, using the job name deps as the anchor for the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deps.yml:
- Line 37: The checkout step in the deps workflow is persisting credentials
unnecessarily, leaving the GITHUB_TOKEN available to later steps such as the
deps action. Update the existing actions/checkout usage in the workflow to set
persist-credentials to false so the token is not stored in git config, keeping
the job credential-minimal since no push or commit occurs.
- Around line 39-42: The deps workflow step using
dAppCore/build/actions/deps@dev with go-mod-dir: go is missing the required CI
Go overrides, so add explicit environment settings for GOWORK, GOPROXY, GOSUMDB,
and GOFLAGS on that step or surrounding job to force reproducible, isolated
module resolution. Keep the change scoped to the workflow action invocation so
the CI path consistently runs with GOWORK=off, GOPROXY=direct, GOSUMDB=off, and
GOFLAGS=-mod=mod.
- Around line 39-42: Pin the reusable action used in the deps workflow to a
specific commit SHA instead of dAppCore/build/actions/deps@dev, and update it
only through an intentional review process. Locate the action reference in the
workflow job using the deps action and replace the mutable dev tag with an
immutable commit identifier so the scheduled run cannot pick up unreviewed
changes.
---
Nitpick comments:
In @.github/workflows/deps.yml:
- Around line 32-42: Add a timeout to the deps job in the workflows definition
so it can’t run indefinitely if the dAppCore/build/actions/deps@dev step hangs.
Update the deps job block to include a timeout-minutes value alongside
runs-on/env/steps, using the job name deps as the anchor for the change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ce6f066c-5899-477f-a4f2-ad6b97e3e9a5
⛔ Files ignored due to path filters (3)
go.workis excluded by!**/*.workgo.work.sumis excluded by!**/*.sumgo/go.sumis excluded by!**/*.sum
📒 Files selected for processing (8)
.core/go.yaml.github/workflows/deps.ymlLICENCEexternal/configexternal/goexternal/ioexternal/loggo/go.mod
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - uses: actions/checkout@v4 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Set persist-credentials: false on checkout.
By default actions/checkout persists the GITHUB_TOKEN in the local git config, which remains available to subsequent steps (including the third-party deps action). Since no git push/commit is performed by this job, credentials don't need to persist.
🔒️ Proposed fix
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v4 | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 37-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/deps.yml at line 37, The checkout step in the deps
workflow is persisting credentials unnecessarily, leaving the GITHUB_TOKEN
available to later steps such as the deps action. Update the existing
actions/checkout usage in the workflow to set persist-credentials to false so
the token is not stored in git config, keeping the job credential-minimal since
no push or commit occurs.
Source: Linters/SAST tools
| - uses: dAppCore/build/actions/deps@dev | ||
| with: | ||
| go-mod-dir: go | ||
| dry-run: ${{ github.event.inputs.dry-run || 'false' }} |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win
Add explicit Go environment overrides for CI mode.
The go-mod-dir: go action presumably runs Go tooling against go/go.mod. Per coding guidelines, CI workflows under .github/workflows/** should use explicit overrides GOWORK=off GOPROXY=direct GOSUMDB=off GOFLAGS=-mod=mod for stable behaviour and strict cache isolation, but no such env is configured here.
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GOWORK: off
+ GOPROXY: direct
+ GOSUMDB: off
+ GOFLAGS: -mod=modAs per coding guidelines, "In Repro/CI mode, use explicit override: GOWORK=off GOPROXY=direct GOSUMDB=off GOFLAGS=-mod=mod for stable behavior and strict cache isolation."
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: dAppCore/build/actions/deps@dev | |
| with: | |
| go-mod-dir: go | |
| dry-run: ${{ github.event.inputs.dry-run || 'false' }} | |
| - uses: dAppCore/build/actions/deps@dev | |
| with: | |
| go-mod-dir: go | |
| dry-run: ${{ github.event.inputs.dry-run || 'false' }} | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GOWORK: off | |
| GOPROXY: direct | |
| GOSUMDB: off | |
| GOFLAGS: -mod=mod |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/deps.yml around lines 39 - 42, The deps workflow step
using dAppCore/build/actions/deps@dev with go-mod-dir: go is missing the
required CI Go overrides, so add explicit environment settings for GOWORK,
GOPROXY, GOSUMDB, and GOFLAGS on that step or surrounding job to force
reproducible, isolated module resolution. Keep the change scoped to the workflow
action invocation so the CI path consistently runs with GOWORK=off,
GOPROXY=direct, GOSUMDB=off, and GOFLAGS=-mod=mod.
Source: Coding guidelines
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
set -euo pipefail
printf '\n== deps workflow ==\n'
cat -n .github/workflows/deps.yml
printf '\n== repo files referencing dAppCore/build/actions/deps ==\n'
rg -n "dAppCore/build/actions/deps@|persist-credentials|timeout-minutes|GOWORK|GOPROXY|GOSUMDB|GOFLAGS" .github/workflows -S || trueRepository: dAppCore/app
Length of output: 2033
Pin the reusable action to a commit SHA instead of @dev.
dAppCore/build/actions/deps@dev is mutable, so this scheduled workflow can pick up unreviewed changes while running with issues: write and GITHUB_TOKEN. Use a fixed commit and update it deliberately.
🔒 Proposed fix
- - uses: dAppCore/build/actions/deps@dev
+ - uses: dAppCore/build/actions/deps@<pinned-sha>🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/deps.yml around lines 39 - 42, Pin the reusable action
used in the deps workflow to a specific commit SHA instead of
dAppCore/build/actions/deps@dev, and update it only through an intentional
review process. Locate the action reference in the workflow job using the deps
action and replace the mutable dev tag with an immutable commit identifier so
the scheduled run cannot pick up unreviewed changes.
This pull request introduces several important updates to the repository’s Go project structure, dependencies, and licensing. The main changes include updating the Go module and workspace configuration to support a new project layout, updating to a newer version of a core dependency, and adding a license file. Additionally, several external dependencies have been updated or restructured.
Project structure and configuration:
.core/go.yamlto mark this repository as a managed canonical Go repo, specifying project metadata and Go module details.go.workto reference new subpaths for external modules (external/config/go,external/io/go,external/log/go) instead of their previous paths, reflecting a reorganization of external dependencies.Dependency management:
dappco.re/godependency ingo/go.modfromv0.9.0tov0.10.4, bringing in the latest features and fixes from the core library.go.work.sumto reflect new and updated dependencies, ensuring reproducible builds.external/config,external/go,external/io, andexternal/logto newer commits, aligning with the new project structure and dependency versions. [1] [2] [3] [4]Licensing:
LICENCEfile, clarifying the legal terms under which the project is distributed.Summary by CodeRabbit
New Features
Documentation
Chores