Skip to content

release: v0.4.3 — consolidates #89, #92, #94#97

Merged
nayrosk merged 10 commits into
mainfrom
develop
Jun 1, 2026
Merged

release: v0.4.3 — consolidates #89, #92, #94#97
nayrosk merged 10 commits into
mainfrom
develop

Conversation

@nayrosk

@nayrosk nayrosk commented Jun 1, 2026

Copy link
Copy Markdown
Member

Description

Release v0.4.3 promotes develop → main, consolidating dependency updates from three merged Dependabot PRs:

Transitive updates to aws-sdk-go-v2 core and credentials are included via #92.

Closes #96

Type of change

  • chore / release consolidation

Changes

Testing

Breaking changes

None. This is a patch release; all changes are dependency updates with no breaking changes to public APIs.

Step 14: Hypothesis Check

Root assumption

Release workflow tags v* commits and attests artifacts on push to main, per existing CI release pipeline (.github/workflows/release.yml).

Pre-merge validation

Post-merge validation plan

  1. Tag verification: After merge and tag creation, CEO runs git tag -v v0.4.3 to confirm GPG signature valid
  2. SLSA provenance: Verify attestations attached to binaries: gh attestation verify ./pebblify-<arch>-<os>
  3. OCI image attestation: Verify image attestation: gh attestation verify oci://ghcr.io/dockermint/pebblify:v0.4.3
  4. SBOM attestations: Confirm SBOM attestations present on all release assets (GitHub release page)
  5. Release assets: Verify all four architectures (linux/amd64, linux/arm64, darwin/amd64, darwin/arm64) binaries present

Rollback contingency

No rollback needed. Dependency-only patch release, fully backwards compatible. If post-merge validation discovers missing attestations or broken binaries:

  1. Delete tag v0.4.3 locally and remote: git tag -d v0.4.3 && git push origin :refs/tags/v0.4.3
  2. Revert PR (merge revert commit to main)
  3. Re-tag and push once CI artifacts are verified complete

All users remain on v0.4.2 until validated release is available.

Summary by CodeRabbit

  • Chores
    • Updated core dependencies to latest stable versions for improved stability and security.
    • Bumped Go toolchain to a newer release version.

nayrosk and others added 9 commits May 12, 2026 11:32
chore: back-merge main into develop after v0.4.2 release
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.50.0 to 0.52.0.
- [Commits](golang/crypto@v0.50.0...v0.52.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.32.17 to 1.32.20.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.20)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…golang.org/x/crypto-0.52.0

deps(deps): bump golang.org/x/crypto from 0.50.0 to 0.52.0
…github.com/aws/aws-sdk-go-v2/config-1.32.20

deps(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.20
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.101.0 to 1.102.2.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/s3/v1.101.0...service/s3/v1.102.2)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.102.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…github.com/aws/aws-sdk-go-v2/service/s3-1.102.2

deps(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.101.0 to 1.102.2
@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • CHANGELOG.md is excluded by !**/*.md

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f85202ad-b886-4f2f-9b3a-12b1202361da

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The go.mod file is updated to consolidate dependency versions from merged Dependabot PRs. Direct AWS SDK v2 modules and golang.org/x/crypto receive minor/patch updates. Indirect dependencies across AWS SDK v2 transitive modules and system libraries are also advanced to newer versions.

Changes

Dependency consolidation for v0.4.3

Layer / File(s) Summary
Direct dependency updates
go.mod
AWS SDK v2 modules (aws-sdk-go-v2, config, credentials, service/s3) and golang.org/x/crypto are bumped to newer patch/minor versions in the primary require block.
Indirect and transitive dependency updates
go.mod
AWS SDK v2 transitive dependencies (protocol/eventstream, EC2 IMDS, internal config/endpoints, S3 helpers, SSO/STS), smithy-go, golang.org/x/sys, and golang.org/x/text are advanced to newer versions in the indirect require block.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 With twitchy nose and nimble paws,
I hop through versions without pause,
AWS SDK and crypto too,
All dependencies fresh and new!
v0.4.3 hops along today,
Dependencies dance the safer way! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly identifies this as a release PR for v0.4.3 and specifically references the consolidated Dependabot PRs (#89, #92, #94) that are the primary focus of the changeset.
Linked Issues check ✅ Passed The PR successfully addresses all coding requirements from issue #96: go.mod/go.sum updated with specified dependency versions (golang.org/x/crypto 0.50.0→0.52.0, aws-sdk-go-v2/config 1.32.17→1.32.20, aws-sdk-go-v2/service/s3 1.101.0→1.102.2), transitive updates included, and CHANGELOG.md updated.
Out of Scope Changes check ✅ Passed All changes are directly aligned with the stated objectives: dependency version bumps in go.mod, go.sum updates, and CHANGELOG.md release notes—no unrelated modifications detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch develop

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot previously requested changes Jun 1, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 7-10: The PR illegally modifies go.mod/go.sum by adding specific
AWS SDK versions (e.g., github.com/aws/aws-sdk-go-v2,
github.com/aws/aws-sdk-go-v2/config, github.com/aws/aws-sdk-go-v2/credentials,
github.com/aws/aws-sdk-go-v2/service/s3); revert those edits from go.mod and
remove any go.sum changes so dependency files remain untouched, then re-run go
tooling locally if needed but do not re-commit dependency updates — instead open
an issue or request for `@lead-dev` to apply approved dependency version updates
(or obtain explicit written approval from `@lead-dev` before re-adding/updating
these module lines).
- Around line 7-10: The go.mod entries for AWS SDK modules
(github.com/aws/aws-sdk-go-v2, github.com/aws/aws-sdk-go-v2/config,
github.com/aws/aws-sdk-go-v2/credentials,
github.com/aws/aws-sdk-go-v2/service/s3) are pinned to exact patch versions
(v1.41.9, v1.32.20, v1.19.19, v1.102.2); change these to stable v1.x constraints
(e.g., github.com/aws/aws-sdk-go-v2 v1.41, github.com/aws/aws-sdk-go-v2/config
v1.32, github.com/aws/aws-sdk-go-v2/credentials v1.19,
github.com/aws/aws-sdk-go-v2/service/s3 v1.102) unless you intend to keep exact
pins—if so, add a brief comment justifying exact pinning; after updating, re-run
the dependency/version check (and go mod tidy / go get -u as needed) to ensure
consistency with other pins such as golang.org/x/crypto (currently v0.52.0) and
resolve any mismatches before finalizing.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 090793ab-21d9-40a2-a8d4-40c714ed9a06

📥 Commits

Reviewing files that changed from the base of the PR and between 60b49a2 and 2361f7c.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum, !go.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
@nayrosk nayrosk dismissed coderabbitai[bot]’s stale review June 1, 2026 17:55

Dependency state audited and APPROVED by @lead-dev: go mod verify + govulncheck PASS, zero tidy diff. CodeRabbit findings A (authorship — Dependabot-originated) and B (relax pins — invalid Go practice) ruled non-issues. See inline thread replies for full rationale.

@nayrosk nayrosk merged commit 811a0a4 into main Jun 1, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Release v0.4.3 — dependency updates

1 participant