Conversation
chore: back-merge main into develop after v0.4.2 release
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.50.0 to 0.52.0. - [Commits](golang/crypto@v0.50.0...v0.52.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.52.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.32.17 to 1.32.20. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.20) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.20 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…golang.org/x/crypto-0.52.0 deps(deps): bump golang.org/x/crypto from 0.50.0 to 0.52.0
…github.com/aws/aws-sdk-go-v2/config-1.32.20 deps(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.20
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.101.0 to 1.102.2. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.101.0...service/s3/v1.102.2) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.102.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…github.com/aws/aws-sdk-go-v2/service/s3-1.102.2 deps(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.101.0 to 1.102.2
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (1)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughThe ChangesDependency consolidation for v0.4.3
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Around line 7-10: The PR illegally modifies go.mod/go.sum by adding specific
AWS SDK versions (e.g., github.com/aws/aws-sdk-go-v2,
github.com/aws/aws-sdk-go-v2/config, github.com/aws/aws-sdk-go-v2/credentials,
github.com/aws/aws-sdk-go-v2/service/s3); revert those edits from go.mod and
remove any go.sum changes so dependency files remain untouched, then re-run go
tooling locally if needed but do not re-commit dependency updates — instead open
an issue or request for `@lead-dev` to apply approved dependency version updates
(or obtain explicit written approval from `@lead-dev` before re-adding/updating
these module lines).
- Around line 7-10: The go.mod entries for AWS SDK modules
(github.com/aws/aws-sdk-go-v2, github.com/aws/aws-sdk-go-v2/config,
github.com/aws/aws-sdk-go-v2/credentials,
github.com/aws/aws-sdk-go-v2/service/s3) are pinned to exact patch versions
(v1.41.9, v1.32.20, v1.19.19, v1.102.2); change these to stable v1.x constraints
(e.g., github.com/aws/aws-sdk-go-v2 v1.41, github.com/aws/aws-sdk-go-v2/config
v1.32, github.com/aws/aws-sdk-go-v2/credentials v1.19,
github.com/aws/aws-sdk-go-v2/service/s3 v1.102) unless you intend to keep exact
pins—if so, add a brief comment justifying exact pinning; after updating, re-run
the dependency/version check (and go mod tidy / go get -u as needed) to ensure
consistency with other pins such as golang.org/x/crypto (currently v0.52.0) and
resolve any mismatches before finalizing.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 090793ab-21d9-40a2-a8d4-40c714ed9a06
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum,!go.sum
📒 Files selected for processing (1)
go.mod
docs(changelog): release v0.4.3
Dependency state audited and APPROVED by @lead-dev: go mod verify + govulncheck PASS, zero tidy diff. CodeRabbit findings A (authorship — Dependabot-originated) and B (relax pins — invalid Go practice) ruled non-issues. See inline thread replies for full rationale.
Description
Release v0.4.3 promotes develop → main, consolidating dependency updates from three merged Dependabot PRs:
Transitive updates to aws-sdk-go-v2 core and credentials are included via #92.
Closes #96
Type of change
Changes
Testing
Breaking changes
None. This is a patch release; all changes are dependency updates with no breaking changes to public APIs.
Step 14: Hypothesis Check
Root assumption
Release workflow tags v* commits and attests artifacts on push to main, per existing CI release pipeline (
.github/workflows/release.yml).Pre-merge validation
Post-merge validation plan
git tag -v v0.4.3to confirm GPG signature validgh attestation verify ./pebblify-<arch>-<os>gh attestation verify oci://ghcr.io/dockermint/pebblify:v0.4.3Rollback contingency
No rollback needed. Dependency-only patch release, fully backwards compatible. If post-merge validation discovers missing attestations or broken binaries:
git tag -d v0.4.3 && git push origin :refs/tags/v0.4.3All users remain on v0.4.2 until validated release is available.
Summary by CodeRabbit