Master sync #4

Merged
AsamaSumer merged 187 commits into story/nxtgen from master
Jul 17, 2025
@AsamaSumer AsamaSumer commented Jul 17, 2025

Overview

What this PR does / why we need it

Special notes for your reviewer

Summary by CodeRabbit

  • New Features

    • Added support for recursive LDAP group membership resolution, allowing detection of nested and circular group memberships.
    • Introduced a configuration option to allow the server to start even if some connectors fail to initialize.
  • Bug Fixes

    • Clarified error messages when connector initialization fails.
    • Fixed form submission method in device authorization template.
  • Dependency Updates

    • Updated Go version to 1.24 and refreshed many direct and indirect dependencies.
    • Upgraded base images and tooling in Docker and build workflows.
  • Chores

    • Simplified logger initialization in tests for improved maintainability.
    • Improved documentation structure and added new adopter entries.
    • Enhanced CI and Dependabot configurations for improved automation and grouping.

dependabot Bot and others added 30 commits February 7, 2025 04:09
Bumps google.golang.org/protobuf from 1.36.4 to 1.36.5.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.8.0 to 3.9.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@6524bf6...f7ce87c)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@53851d1...4574d27)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.32.0 to 0.33.0.
- [Commits](golang/crypto@v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.8 to 3.28.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@dd74661...9e8d078)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…le.golang.org/protobuf-1.36.5

build(deps): bump google.golang.org/protobuf from 1.36.4 to 1.36.5
…docker/setup-buildx-action-3.9.0

build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0
…docker/setup-qemu-action-3.4.0

build(deps): bump docker/setup-qemu-action from 3.3.0 to 3.4.0
…ng.org/x/crypto-0.33.0

build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0
…github/codeql-action-3.28.9

build(deps): bump github/codeql-action from 3.28.8 to 3.28.9
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.220.0 to 0.221.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.220.0...v0.221.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…le.golang.org/api-0.221.0

build(deps): bump google.golang.org/api from 0.220.0 to 0.221.0
Bumps google.golang.org/protobuf from 1.35.1 to 1.36.5.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…v2/google.golang.org/protobuf-1.36.5

build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.36.5 in /api/v2
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.69.4 to 1.70.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.69.4...v1.70.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…v2/google.golang.org/grpc-1.70.0

build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 in /api/v2
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.8.1 to 1.9.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.8.1...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…exidp#3984)

Bumps golang from 1.23.6-alpine3.20 to 1.24.0-alpine3.20.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Bumps golang from `9fed402` to `79f7ffe`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.8.1 to 1.9.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.8.1...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.8.1 to 1.9.0.
- [Release notes](https://github.com/go-sql-driver/mysql/releases)
- [Changelog](https://github.com/go-sql-driver/mysql/blob/master/CHANGELOG.md)
- [Commits](go-sql-driver/mysql@v1.8.1...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/go-sql-driver/mysql
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps alpine from 3.21.2 to 3.21.3.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
….21.3

build(deps): bump alpine from 3.21.2 to 3.21.3
…9f7ffe

build(deps): bump golang from `9fed402` to `79f7ffe`
dependabot Bot and others added 27 commits June 13, 2025 19:50
…dexidp#4180)

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@db473fd...e8998f9)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.40.0 to 0.41.0.
- [Commits](golang/net@v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.72.1 to 1.73.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.72.1...v1.73.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.73.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4179)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.18 to 3.29.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ff0a06e...ce28f5b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…xidp#4167)

Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.30.0 to 0.31.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@6c175e9...76071ef)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.1 to 2.4.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@f49aabe...05b42c6)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/go-sql-driver/mysql/releases)
- [Changelog](https://github.com/go-sql-driver/mysql/blob/v1.9.3/CHANGELOG.md)
- [Commits](go-sql-driver/mysql@v1.9.2...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/go-sql-driver/mysql
  dependency-version: 1.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…idp#4155)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.17.0 to 6.18.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@1dc7386...2634353)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 6.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…c5` (dexidp#4181)

Bumps distroless/static-debian12 from `188ddfb` to `627d6c5`.

---
updated-dependencies:
- dependency-name: distroless/static-debian12
  dependency-version: nonroot
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps alpine from 3.21.3 to 3.22.0.

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: 3.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Manoj Vivek <p.manoj.vivek@gmail.com>
Bumps the etcd group with 2 updates: [go.etcd.io/etcd/client/pkg/v3](https://github.com/etcd-io/etcd) and [go.etcd.io/etcd/client/v3](https://github.com/etcd-io/etcd).


Updates `go.etcd.io/etcd/client/pkg/v3` from 3.6.0 to 3.6.1
- [Release notes](https://github.com/etcd-io/etcd/releases)
- [Commits](etcd-io/etcd@v3.6.0...v3.6.1)

Updates `go.etcd.io/etcd/client/v3` from 3.6.0 to 3.6.1
- [Release notes](https://github.com/etcd-io/etcd/releases)
- [Commits](etcd-io/etcd@v3.6.0...v3.6.1)

---
updated-dependencies:
- dependency-name: go.etcd.io/etcd/client/pkg/v3
  dependency-version: 3.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: etcd
- dependency-name: go.etcd.io/etcd/client/v3
  dependency-version: 3.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: etcd
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.10.0 to 3.11.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@b5ca514...18ce135)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.233.0 to 0.238.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.233.0...v0.238.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.238.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…dp#4187)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.8.2 to 3.9.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@3454372...fb28c2b)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.0 to 0.20.1.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@e11c554...9246b90)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…le.golang.org/api-0.238.0

build(deps): bump google.golang.org/api from 0.233.0 to 0.238.0
…docker/setup-buildx-action-3.11.0

build(deps): bump docker/setup-buildx-action from 3.10.0 to 3.11.0
…anchore/sbom-action-0.20.1

build(deps): bump anchore/sbom-action from 0.20.0 to 0.20.1
…ub.com/go-sql-driver/mysql-1.9.3

build(deps): bump github.com/go-sql-driver/mysql from 1.9.2 to 1.9.3
…-02511abee6

build(deps): bump the etcd group with 2 updates
….22.0

build(deps): bump alpine from 3.21.3 to 3.22.0
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.72.1 to 1.73.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.72.1...v1.73.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.73.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…v2/google.golang.org/grpc-1.73.0

build(deps): bump google.golang.org/grpc from 1.72.1 to 1.73.0 in /api/v2
…exidp#4189)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.11.0 to 3.11.1.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@18ce135...e468171)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.11.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This commit enables universal nested group search support across a
variety of LDAP server implementations.  It updates the code to allow
recursive group membership discovery during user authentication and
provides CI tests to validate the functionality.

Based on @paroque’s original dexidp#1058 PR.

- Removed `Recursive` boolean flag from config and logic
- Made recursion behavior dependent on presence of `RecursionGroupAttr`
- Updated log messages to reflect changes and follow `slog` structured format

Signed-off-by: Ethan Dieterich <ethandieterich@gmail.com>

coderabbitai Bot commented Jul 17, 2025

Walkthrough

This update introduces recursive group membership support in the LDAP connector, adds a feature flag enabling server startup even if some connectors fail, and upgrades Go and major dependencies across the project. Numerous GitHub Actions and Docker-related files are updated for newer versions. Logger initialization in tests is simplified throughout the codebase.

Changes

| Files / Groups | Change Summary |
|---|---|
| connector/ldap/ldap.go, connector/ldap/ldap_test.go, connector/ldap/testdata/schema.ldif | Adds recursive group membership logic and tests to LDAP connector; updates test data for nested/circular groups |
| server/server.go, server/server_test.go, pkg/featureflags/set.go, cmd/dex/serve.go | Adds feature flag and logic to allow server startup with partial connector failures; adds comprehensive tests |
| go.mod, api/v2/go.mod, examples/go.mod, flake.nix, Makefile, Dockerfile | Updates Go version to 1.24 and bumps multiple dependencies and tool versions |
| .github/workflows/*.yaml, .github/dependabot.yaml | Upgrades GitHub Actions versions, adds dependabot grouping for etcd, no workflow logic changes |
| *.go (various *_test.go files) | Simplifies logger setup in tests by switching to slog.DiscardHandler and removing io imports |
| storage/ent/db/runtime/runtime.go, storage/ent/generate.go | Updates ent codegen version and generation command |
| storage/kubernetes/storage.go | Changes internal method call for custom resource listing |
| server/handlers.go | Refines error messages and parameter setting order in OAuth2 response handling |
| ADOPTERS.md | Reorganizes adopters into Companies and Projects, adds/updates entries |
| web/templates/device.html | Fixes form method attribute to use only POST |
| .dockerignore | Stops ignoring .github/ and .gitpod.yml in Docker builds |

Sequence Diagram(s)

LDAP Recursive Group Membership Resolution

sequenceDiagram
    participant User
    participant LDAPConnector
    participant LDAPServer

    User->>LDAPConnector: Authenticate
    LDAPConnector->>LDAPServer: Search for user
    LDAPServer-->>LDAPConnector: Return user entry
    loop For each UserMatcher
        LDAPConnector->>LDAPServer: Search for groups (direct membership)
        LDAPServer-->>LDAPConnector: Return group entries
        alt RecursionGroupAttr is set
            loop While new parent groups found
                LDAPConnector->>LDAPServer: Search for parent groups (recursion)
                LDAPServer-->>LDAPConnector: Return parent group entries
            end
        end
    end
    LDAPConnector-->>User: Return all group memberships (including nested)

Server Startup with ContinueOnConnectorFailure

sequenceDiagram
    participant Admin
    participant Server
    participant Connector1
    participant Connector2

    Admin->>Server: Start with connectors and flag
    Server->>Connector1: Initialize
    alt Connector1 fails
        Server->>Server: Log error
        alt ContinueOnConnectorFailure enabled
            Server->>Connector2: Initialize
            alt Connector2 succeeds
                Server-->>Admin: Startup succeeds, only working connectors loaded
            else Connector2 fails
                Server-->>Admin: Startup fails (all connectors failed)
            end
        else
            Server-->>Admin: Startup fails immediately
        end
    else Connector1 succeeds
        Server->>Connector2: Initialize
        Server-->>Admin: Startup succeeds
    end

Poem

(\(\
( -.-) A rabbit hops through fields anew,
With nested groups and flags in view.
Connectors may stumble, but onward we go,
With logs now discarded, our tests run like snow.
Go and friends are fresher, dependencies in line—
This patch, like a carrot, is simply divine!

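The recursive group resolution from the walkthrough above, as an added Go example (not code from this PR or from the connector): one seen-set shared across all matchers stops circular nesting from looping and keeps a group from being reported twice, while a slice preserves discovery order. The `entry`, `matcher`, `search`, `resolveGroups` and `sample` names, the `"DN"` selector and the in-memory directory are constructed for illustration; an empty `recursionAttr` disables recursion, as the commit message describes for `RecursionGroupAttr`.

```go
package main

import "fmt"

// entry is a constructed stand-in for an LDAP entry (user or group).
type entry struct {
	DN    string
	Attrs map[string][]string
}

// matcher pairs a user attribute with the group attribute that stores it,
// one iteration of the "for each UserMatcher" loop in the walkthrough.
type matcher struct{ UserAttr, GroupAttr string }

// values returns e's values for attr; in this example "DN" selects the entry DN.
func values(e entry, attr string) []string {
	if attr == "DN" {
		return []string{e.DN}
	}
	return e.Attrs[attr]
}

// search stands in for one LDAP query with the filter (attr=value).
func search(dir []entry, attr, value string) []entry {
	var out []entry
	for _, e := range dir {
		for _, v := range e.Attrs[attr] {
			if v == value {
				out = append(out, e)
				break
			}
		}
	}
	return out
}

// resolveGroups returns the user's direct groups and, when recursionAttr is
// non-empty, every parent group reachable through it. Each group is expanded
// at most once, so a membership cycle cannot cause an endless search.
func resolveGroups(dir []entry, user entry, ms []matcher, nameAttr, recursionAttr string) []string {
	seen := make(map[string]struct{}) // shared across matchers
	var names []string                // discovery order, stable between calls
	for _, m := range ms {
		for _, v := range values(user, m.UserAttr) {
			queue := search(dir, m.GroupAttr, v) // direct membership
			for len(queue) > 0 {
				g := queue[0]
				queue = queue[1:]
				nv := g.Attrs[nameAttr]
				if len(nv) == 0 {
					continue // group without a name attribute: nothing to report
				}
				if _, dup := seen[nv[0]]; dup {
					continue // already reported: duplicate or circular reference
				}
				seen[nv[0]] = struct{}{}
				names = append(names, nv[0])
				if recursionAttr != "" {
					// Parent groups are the groups that list this group's DN.
					queue = append(queue, search(dir, recursionAttr, g.DN)...)
				}
			}
		}
	}
	return names
}

// sample builds a constructed directory: developers -> engineering -> staff,
// with staff nested back into developers to form a cycle.
func sample() ([]entry, entry, []matcher) {
	const base = ",dc=example,dc=org"
	jane := entry{DN: "cn=jane,ou=People" + base, Attrs: map[string][]string{"uid": {"jane"}}}
	grp := func(cn string, member, memberUID []string) entry {
		return entry{DN: "cn=" + cn + ",ou=Groups" + base, Attrs: map[string][]string{
			"cn": {cn}, "member": member, "memberUid": memberUID}}
	}
	gdn := func(cn string) string { return "cn=" + cn + ",ou=Groups" + base }
	dir := []entry{
		grp("developers", []string{jane.DN, gdn("staff")}, nil),
		grp("engineering", []string{gdn("developers")}, []string{"jane"}),
		grp("staff", []string{gdn("engineering")}, nil),
		grp("oncall", nil, []string{"jane"}),
	}
	return dir, jane, []matcher{{"DN", "member"}, {"uid", "memberUid"}}
}

func main() {
	dir, user, ms := sample()
	fmt.Println("recursive:", resolveGroups(dir, user, ms, "cn", "member"))
	fmt.Println("direct:   ", resolveGroups(dir, user, ms, "cn", ""))
}
```
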

@AsamaSumer AsamaSumer merged commit 1da175d into story/nxtgen Jul 17, 2025
10 of 15 checks passed

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🔭 Outside diff range comments (1)
connector/ldap/ldap.go (1)

593-676: Potential duplicate groups across different UserMatchers and performance concern.

The implementation correctly handles recursive group search with circular reference detection. However, there are two concerns:

  1. The groupNames slice is shared across all UserMatchers iterations, but duplicate detection only happens within each matcher's recursive search. This could lead to duplicate group names in the final result if different matchers discover the same groups.

  2. The duplicate detection uses a linear search which is O(n) for each group, resulting in O(n²) complexity for large group hierarchies.

Consider using a map for efficient duplicate detection across all matchers:

-	var groupNames []string
+	groupMap := make(map[string]struct{})

 	for _, matcher := range c.GroupSearch.UserMatchers {
 		// ... existing code ...
 
-				// Prevent duplicates and circular references.
-				duplicate := false
-				for _, existingName := range groupNames {
-					if name == existingName {
-						c.logger.Debug("Found duplicate group", "name", name)
-						duplicate = true
-						break
-					}
-				}
-				if duplicate {
+				// Prevent duplicates and circular references.
+				if _, exists := groupMap[name]; exists {
+					c.logger.Debug("Found duplicate group", "name", name)
 					continue
 				}
 
-				groupNames = append(groupNames, name)
+				groupMap[name] = struct{}{}
 
 		// ... rest of the code ...
 	}
-	return groupNames, nil
+	
+	// Convert map to slice
+	groupNames := make([]string, 0, len(groupMap))
+	for name := range groupMap {
+		groupNames = append(groupNames, name)
+	}
+	return groupNames, nil
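Review bot: The closing `for name := range groupMap` loop returns the groups in Go's randomized map iteration order, so the list handed back to the caller changes between calls and any assertion against a fixed order becomes flaky. Keep the `groupNames` slice as the ordered result and use `groupMap` only as the seen-set, appending to `groupNames` right after `groupMap[name] = struct{}{}`; that also keeps the original `return groupNames, nil` unchanged.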
🧹 Nitpick comments (5)
ADOPTERS.md (3)

9-9: Align punctuation across list items

Only the Ericsson bullet ends with a period, while all other list items omit terminal punctuation. To keep formatting consistent, drop the trailing period.

-- [Ericsson](https://www.ericsson.com) is using Dex to authenticate access to Kubernetes API server in [Cloud Container Distribution](https://www.ericsson.com/en/portfolio/cloud-software-and-services/cloud-core/cloud-infrastructure/nfvi/cloud-container-distribution).
+- [Ericsson](https://www.ericsson.com) is using Dex to authenticate access to Kubernetes API server in [Cloud Container Distribution](https://www.ericsson.com/en/portfolio/cloud-software-and-services/cloud-core/cloud-infrastructure/nfvi/cloud-container-distribution)

12-12: Trim wordiness

The phrase “in conjunction with” is verbose. A shorter alternative improves readability.

-- [Pusher](https://pusher.com) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support) in conjunction with the [OAuth2 Proxy](https://github.com/pusher/oauth2_proxy) for protecting web UIs.
+- [Pusher](https://pusher.com) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support) alongside the [OAuth2 Proxy](https://github.com/pusher/oauth2_proxy) to protect web UIs.

19-19: Remove filler wording

The expression “a variety of” is unnecessary; dropping it keeps the sentence concise.

- … K10 is widely used by a variety of customers including large enterprises, financial services, design firms, and IT companies.
+ … K10 is widely used by customers including large enterprises, financial services, design firms, and IT companies.
connector/ldap/ldap_test.go (1)

528-577: Consider making the test more robust by checking group membership without relying on order.

The test implementation correctly validates the recursive group membership feature. However, the test relies on a specific order of groups in the results, which could make it brittle if the implementation changes how groups are discovered or sorted.

Consider using a helper function to assert group membership regardless of order:

+import "sort"
+
+func assertGroupsEqual(t *testing.T, expected, actual []string) {
+    if len(expected) != len(actual) {
+        t.Errorf("expected %d groups, got %d", len(expected), len(actual))
+        return
+    }
+    sort.Strings(expected)
+    sort.Strings(actual)
+    for i := range expected {
+        if expected[i] != actual[i] {
+            t.Errorf("group mismatch at index %d: expected %q, got %q", i, expected[i], actual[i])
+        }
+    }
+}
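Review bot: `sort.Strings(expected)` and `sort.Strings(actual)` in `assertGroupsEqual` sort the caller's slices in place, so the helper silently reorders both the test's expected values and the slice returned by the connector for anything that inspects them afterwards. Sort copies of the two slices instead, and call `t.Helper()` first so failures are reported at the calling line. The `import "sort"` line also has to be merged into the file's existing import block rather than placed next to the function.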

Then update the test expectations to use sorted slices or the helper function.

connector/ldap/ldap.go (1)

65-67: Improve the comment to better explain the RecursionGroupAttr field.

The current comment "Look for parent groups" is too brief. Consider expanding it to explain how this field enables recursive group membership resolution.

-	// Look for parent groups
+	// RecursionGroupAttr enables recursive group membership resolution.
+	// When set, the connector will recursively search for parent groups
+	// where the current group's DN matches this attribute.
	RecursionGroupAttr string `json:"recursionGroupAttr"`
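Review bot: The proposed doc comment on `RecursionGroupAttr` covers the "when set" case only; the commit message makes recursion depend on the presence of this field, so the comment should state explicitly that leaving it empty disables the recursive search. The clause "where the current group's DN matches this attribute" would also be clearer if it said that this is the group attribute whose value is compared with the current group's DN.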
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47f1d62 and 7651cb1.

⛔ Files ignored due to path filters (9)
  • api/api.pb.go is excluded by !**/*.pb.go
  • api/api_grpc.pb.go is excluded by !**/*.pb.go
  • api/v2/api.pb.go is excluded by !**/*.pb.go
  • api/v2/api_grpc.pb.go is excluded by !**/*.pb.go
  • api/v2/go.sum is excluded by !**/*.sum
  • examples/go.sum is excluded by !**/*.sum
  • flake.lock is excluded by !**/*.lock
  • go.sum is excluded by !**/*.sum
  • server/internal/types.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (46)
  • .dockerignore (0 hunks)
  • .github/dependabot.yaml (1 hunks)
  • .github/workflows/analysis-scorecard.yaml (1 hunks)
  • .github/workflows/artifacts.yaml (5 hunks)
  • .github/workflows/ci.yaml (3 hunks)
  • .github/workflows/trivydb-cache.yaml (2 hunks)
  • ADOPTERS.md (1 hunks)
  • Dockerfile (2 hunks)
  • Makefile (1 hunks)
  • api/v2/go.mod (1 hunks)
  • cmd/dex/logger.go (1 hunks)
  • cmd/dex/serve.go (2 hunks)
  • connector/atlassiancrowd/atlassiancrowd_test.go (1 hunks)
  • connector/authproxy/authproxy_test.go (1 hunks)
  • connector/github/github_test.go (1 hunks)
  • connector/google/google_test.go (1 hunks)
  • connector/ldap/ldap.go (4 hunks)
  • connector/ldap/ldap_test.go (2 hunks)
  • connector/ldap/testdata/schema.ldif (1 hunks)
  • connector/oauth/oauth_test.go (1 hunks)
  • connector/oidc/oidc_test.go (1 hunks)
  • connector/openshift/openshift_test.go (1 hunks)
  • connector/saml/saml_test.go (2 hunks)
  • examples/go.mod (1 hunks)
  • flake.nix (1 hunks)
  • go.mod (1 hunks)
  • pkg/featureflags/set.go (1 hunks)
  • server/api_test.go (9 hunks)
  • server/handlers.go (5 hunks)
  • server/rotation_test.go (2 hunks)
  • server/server.go (2 hunks)
  • server/server_test.go (2 hunks)
  • storage/ent/db/runtime/runtime.go (1 hunks)
  • storage/ent/generate.go (1 hunks)
  • storage/ent/mysql_test.go (1 hunks)
  • storage/ent/postgres_test.go (1 hunks)
  • storage/ent/sqlite_test.go (1 hunks)
  • storage/etcd/etcd_test.go (1 hunks)
  • storage/kubernetes/client_test.go (1 hunks)
  • storage/kubernetes/storage.go (1 hunks)
  • storage/kubernetes/storage_test.go (3 hunks)
  • storage/memory/memory_test.go (1 hunks)
  • storage/memory/static_test.go (3 hunks)
  • storage/sql/config_test.go (1 hunks)
  • storage/sql/migrate_test.go (1 hunks)
  • web/templates/device.html (1 hunks)
💤 Files with no reviewable changes (1)
  • .dockerignore
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Artifacts / Container images (distroless)
  • GitHub Check: Artifacts / Container images (alpine)
  • GitHub Check: Test
🔇 Additional comments (69)
cmd/dex/logger.go (1)

65-67: LGTM! Fixes handler type consistency.

This change correctly wraps the result of h.handler.WithGroup(name) in a new requestContextHandler struct, ensuring that the returned handler maintains the custom wrapper behavior. This aligns with the existing pattern in the WithAttrs method and prevents loss of request context functionality when using WithGroup.

connector/ldap/ldap_test.go (1)

619-619: Good simplification of logger initialization.

Using slog.DiscardHandler directly is cleaner and more idiomatic than creating a text handler that writes to io.Discard.

connector/ldap/testdata/schema.ldif (1)

448-508: Well-structured test data for nested group scenarios.

The LDIF entries correctly model both nested group hierarchies and circular group references, providing comprehensive test coverage for the recursive group membership feature.

connector/ldap/ldap.go (2)

204-207: Correct implementation for backward compatibility.

The function properly includes the RecursionGroupAttr field when constructing a UserMatcher from deprecated configuration fields.


678-713: Well-implemented helper method for group queries.

The queryGroups method is cleanly implemented with proper error handling, logging, and returns useful debugging information.

web/templates/device.html (1)

5-5: LGTM: Correct form method for authentication.

The form correctly uses POST method for submitting the user code, which is appropriate for authentication flows to avoid exposing sensitive parameters in URLs.

storage/sql/migrate_test.go (1)

21-21: LGTM: Simplified logger initialization.

Using slog.DiscardHandler directly is more idiomatic and eliminates the need for the io package import. This change improves code clarity and reduces boilerplate.

storage/etcd/etcd_test.go (1)

58-58: LGTM: Consistent logger simplification.

The change to use slog.DiscardHandler directly is consistent with the broader refactoring effort across test files and improves code maintainability.

connector/oauth/oauth_test.go (1)

273-273: LGTM: Consistent test logger simplification.

The logger initialization follows the same improvement pattern used across other test files, using slog.DiscardHandler directly for cleaner and more maintainable code.

storage/kubernetes/client_test.go (1)

55-55: LGTM: Completes consistent logger refactoring.

This change aligns with the logger simplification pattern applied across all test files in this PR, using slog.DiscardHandler for cleaner and more maintainable test code.

connector/google/google_test.go (1)

54-54: Excellent logger simplification.

The change to use slog.DiscardHandler directly is cleaner and more idiomatic than the previous approach of creating a text handler that writes to io.Discard. This also eliminates the need for the io package import.

connector/authproxy/authproxy_test.go (1)

25-25: Clean logger initialization improvement.

Using slog.DiscardHandler directly is more concise and appropriate than the previous text handler approach. This change improves code readability and removes the unnecessary io package dependency.

connector/openshift/openshift_test.go (1)

40-40: Consistent logger simplification.

The change aligns with the broader refactoring effort to use slog.DiscardHandler directly. This is a good improvement that reduces complexity while maintaining the same test behavior.

storage/sql/config_test.go (1)

49-49: Good logger refactoring.

The change to use slog.DiscardHandler is consistent with the codebase-wide improvement and simplifies the logger setup without changing functionality.

storage/memory/memory_test.go (1)

12-12: Appropriate logger simplification.

The change to use slog.DiscardHandler is part of the consistent refactoring effort across test files. This simplifies the logger creation while maintaining the same discard behavior needed for testing.

.github/workflows/analysis-scorecard.yaml (1)

31-31: LGTM: Routine GitHub Actions version updates

The updates to ossf/scorecard-action (v2.4.0 → v2.4.2), actions/upload-artifact (v4.6.0 → v4.6.2), and github/codeql-action/upload-sarif (v3.28.8 → v3.29.0) are appropriate patch version updates that typically include bug fixes and security improvements. The commit hashes are properly pinned for security.

Also applies to: 38-38, 45-45

connector/atlassiancrowd/atlassiancrowd_test.go (1)

152-152: LGTM: Logger initialization simplification

The change from slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{})) to slog.New(slog.DiscardHandler) is a good simplification that uses the built-in discard handler directly, eliminating the need for the "io" package import while maintaining the same functionality.

server/api_test.go (1)

62-62: LGTM: Consistent logger initialization cleanup

The systematic replacement of slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{})) with slog.New(slog.DiscardHandler) across all test functions is a beneficial cleanup that simplifies the code and eliminates the need for the "io" package import while maintaining identical functionality.

Also applies to: 171-171, 224-224, 333-333, 499-499, 549-549, 617-617, 661-661, 701-701

connector/saml/saml_test.go (1)

423-423: LGTM: Logger initialization simplification

The simplification from slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{})) to slog.New(slog.DiscardHandler) in both the test runner and TestConfigCAData function is consistent with the broader cleanup effort across the codebase. This change reduces verbosity while maintaining the same discarding behavior for test logs.

Also applies to: 457-457

.github/workflows/trivydb-cache.yaml (1)

15-15: LGTM: Routine GitHub Actions version updates

The updates to oras-project/setup-oras (v1.2.2 → v1.2.3) and actions/cache/save (v4.2.0 → v4.2.3) are appropriate patch version updates with properly pinned commit hashes for security. These routine maintenance updates help ensure the workflow uses the latest bug fixes and security improvements.

Also applies to: 36-36

storage/memory/static_test.go (1)

15-15: LGTM! Logger initialization simplification improves code clarity.

The change from slog.NewTextHandler(io.Discard, ...) to slog.DiscardHandler directly achieves the same result with less code complexity and removes the unnecessary io package dependency.

Also applies to: 99-99, 208-208

connector/github/github_test.go (1)

453-453: LGTM! Consistent logger initialization simplification.

The change to use slog.DiscardHandler directly aligns with the codebase-wide refactoring effort to simplify logger setup in tests.

connector/oidc/oidc_test.go (1)

836-836: LGTM! Logger initialization improvement in test helper function.

The simplified logger initialization using slog.DiscardHandler directly improves code clarity and consistency across the test suite.

server/rotation_test.go (1)

71-71: LGTM! Consistent logger initialization simplification.

The change to use slog.DiscardHandler directly removes boilerplate code and eliminates the io package dependency, making the test setup cleaner and more consistent.

Also applies to: 103-103

storage/ent/sqlite_test.go (1)

12-12: LGTM! Logger initialization simplified effectively.

The change from slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{})) to slog.New(slog.DiscardHandler) is a good simplification that removes the dependency on the io package while achieving the same result of discarding logs during tests. This follows Go's standard library best practices.

storage/ent/mysql_test.go (1)

44-44: LGTM! Consistent logger simplification.

The logger initialization has been properly simplified to use slog.DiscardHandler, consistent with the pattern applied across other test files. This improves code maintainability and readability.

storage/ent/postgres_test.go (1)

39-39: LGTM! Logger initialization standardized.

The logger initialization has been simplified to use slog.DiscardHandler, maintaining consistency with the standardization effort across all storage test files. This change improves code quality and maintainability.

.github/dependabot.yaml (1)

10-13: LGTM! Etcd dependency grouping improves PR management.

The addition of the "etcd" group to bundle all go.etcd.io/* dependencies into single PRs is a good practice that will reduce PR noise while keeping related dependency updates together. This aligns well with the broader dependency update strategy.

storage/ent/generate.go (1)

3-3: LGTM! Improved tool management approach.

The change from go run -mod=mod to go tool for the Ent code generation represents a better approach to tool management. This aligns with the tool directive addition in go.mod and should improve build consistency and reliability.

flake.nix (2)

23-23: Good cleanup of unused parameters.

Removing the unused lib, system, and variadic ... parameters improves code clarity and follows best practices.


30-30: Go version update looks good.

The upgrade from Go 1.23 to 1.24 is consistent with the project-wide Go version updates mentioned in the summary.

storage/ent/db/runtime/runtime.go (1)

8-9: Ent version update looks good.

The version bump from v0.14.0 to v0.14.4 with the corresponding checksum update is consistent with the broader dependency upgrades across the project.

storage/kubernetes/storage.go (1)

159-159: Good optimization for resource existence check.

Adding the limit parameter 1 to listN improves efficiency when checking for existing custom resources, as we only need to verify existence rather than retrieve all instances.

pkg/featureflags/set.go (1)

15-16: Well-implemented feature flag addition.

The ContinueOnConnectorFailure flag follows the established pattern with clear naming, appropriate default value (false to maintain current behavior), and good documentation. This addresses a practical operational need.

.github/workflows/ci.yaml (3)

72-74: GitHub Actions and Go version updates look good.

The actions/setup-go update from v5.3.0 to v5.5.0 and Go version update from 1.23 to 1.24 are consistent with the project-wide upgrades.


143-145: Consistent version updates in lint job.

The action and Go version updates match those in the test job, maintaining consistency across the workflow.


178-178: Dependency review action update is appropriate.

The update from v4.5.0 to v4.7.1 likely includes improvements and bug fixes for dependency scanning.

cmd/dex/serve.go (3)

38-38: LGTM: Clean import addition

The featureflags package import is properly positioned and follows Go conventions.


284-286: LGTM: Clean feature flag implementation

The feature flag checking and logging is implemented correctly and follows expected patterns.


309-309: LGTM: Proper server config integration

The ContinueOnConnectorFailure field is correctly set using the feature flag's state, maintaining consistency with the server.Config struct definition.

storage/kubernetes/storage_test.go (3)

60-60: LGTM: Simplified logger initialization

The change to use slog.DiscardHandler is cleaner and more idiomatic than the previous complex setup for test logging.


252-252: LGTM: Consistent logger simplification

The logger initialization in the test helper function is consistently simplified using slog.DiscardHandler.


309-309: LGTM: Consistent test logger pattern

The logger initialization in the test function follows the same simplified pattern as the rest of the file.

api/v2/go.mod (4)

3-3: Verify Go 1.24.0 compatibility across the project

The Go version upgrade looks good and aligns with the project-wide upgrade. Ensure all build systems and CI/CD pipelines are updated accordingly.


6-6: Verify gRPC API compatibility

The gRPC upgrade from v1.69.4 to v1.73.0 spans multiple versions. Ensure that the API changes don't break existing functionality.


7-7: LGTM: Safe protobuf upgrade

The protobuf upgrade from v1.35.1 to v1.36.6 is a conservative update that should be backward compatible.


11-14: LGTM: Expected indirect dependency updates

The indirect dependency updates are consistent with the main dependency upgrades and are managed automatically by Go's dependency resolution.

Makefile (4)

20-20: LGTM: Conservative GolangCI-Lint update

The GolangCI-Lint version update from 1.63.4 to 1.64.5 is a safe patch update that should maintain compatibility.


23-23: Verify protobuf compiler compatibility

The protobuf compiler upgrade from 24.4 to 29.3 is significant. Ensure compatibility with the updated Go protobuf plugins and generated code.


24-24: LGTM: Consistent protobuf Go plugin update

The protobuf Go plugin update from 1.32.0 to 1.36.5 is consistent with the protobuf library upgrades in the go.mod files.


25-25: LGTM: Consistent gRPC plugin update

The protobuf Go gRPC plugin update from 1.3.0 to 1.5.1 is consistent with the gRPC library upgrades in the go.mod files.

Dockerfile (6)

5-5: LGTM: Consistent Go builder image update

The Go builder image update from 1.23.6 to 1.24.3 aligns with the Go version upgrades in the go.mod files and includes the correct SHA256 digest.


38-38: LGTM: Alpine base image security update

The Alpine base image update from 3.21.2 to 3.22.0 provides security updates and bug fixes with the correct SHA256 digest.


44-44: LGTM: Consistent Alpine base image update

The Alpine base image update maintains consistency with other stages and uses the same correct SHA256 digest.


50-50: LGTM: Conservative Gomplate patch update

The Gomplate version update from v4.3.0 to v4.3.2 is a safe patch update that includes bug fixes and improvements.


57-57: LGTM: Consistent Alpine base image for Dependabot

The Alpine base image update maintains consistency across all stages and provides the same security updates.


58-58: LGTM: Security-focused distroless image update

The distroless image SHA256 digest update provides security patches while maintaining the minimal attack surface.

examples/go.mod (2)

3-3: LGTM: Go version update to 1.24.0

The Go version update is consistent with the broader project modernization mentioned in the summary.


6-22: LGTM: Dependency updates look reasonable

All dependency updates appear to be minor or patch version increments, which is appropriate for routine maintenance. The updates align with the broader project modernization mentioned in the summary.

server/handlers.go (3)

226-226: LGTM: Improved error message clarity

The error message change from "Requested resource does not exist" to "Connector failed to initialize" provides better context for debugging connector issues. This aligns with the new connector failure handling feature mentioned in the summary.


353-353: LGTM: Consistent error message improvement

The error message change maintains consistency with the similar improvement in handleConnectorLogin and provides clearer feedback about connector initialization failures.


731-761: LGTM: Code organization improvements

The changes improve code organization by:

  • Moving variable declarations closer to their usage
  • Making access token parameters conditional on non-empty accessToken
  • Reordering parameter setting for better logical flow

These changes maintain the same functionality while improving readability and preventing unnecessary empty parameter settings.

server/server.go (3)

123-125: LGTM: Well-documented configuration field

The new ContinueOnConnectorFailure field is clearly documented and serves a legitimate operational need. This allows for graceful degradation when some connectors are misconfigured while keeping the service available with working connectors.


332-342: LGTM: Robust connector failure handling

The implementation properly handles connector failures by:

  • Tracking failed connector count
  • Logging errors when continuing despite failures
  • Maintaining backward compatibility when the flag is disabled
  • Providing clear error messages for debugging

The conditional logic is well-structured and maintains the existing behavior as the default.


344-346: LGTM: Important safety check

This safety check ensures that the server won't start if all connectors fail, even with ContinueOnConnectorFailure enabled. This prevents a completely non-functional server from starting while providing an informative error message with the failure count.

server/server_test.go (2)

79-79: Good simplification of logger initialization!

The change from slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{})) to slog.New(slog.DiscardHandler) is a nice improvement that uses the more concise slog API for discarding logs in tests.


1820-2020: Excellent comprehensive test for connector failure handling!

This test function thoroughly covers the new ContinueOnConnectorFailure feature flag with well-structured test cases that validate:

  • Success scenarios with all connectors working (flag enabled/disabled)
  • Partial failure scenarios (flag enabled should continue, disabled should fail)
  • Complete failure scenarios (both should fail but with different error messages)
  • Edge case of no connectors

The test logic correctly verifies both error conditions and successful connector loading states. The assertions are appropriate and the test data is well-organized.

go.mod (2)

114-115: Good use of the new tool directive

Recording entgo.io/ent/cmd/ent via the tool directive is the recommended modern way to track dev-tools—nice improvement.


6-41: Verify compatibility after the bulk dependency bumps

Major upgrades (grpc v1.73, etcd v3.6, x/crypto v0.39, etc.) can introduce subtle breaking changes.

Action items:
• Ensure CI runners & Docker images use Go 1.24.
• Run go test ./... -race and integration suites.
• Double-check TLS defaults and context handling where grpc/etcd are used.


- name: Set up QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

💡 Verification agent

🧩 Analysis chain

LGTM! GitHub Actions version updates for improved security and reliability.

The version bumps for various GitHub Actions (QEMU setup, Docker Buildx, Cosign, metadata, login, build-push, attestation, caching, Trivy scanning, and upload actions) are routine maintenance updates that should improve security and reliability.

Please verify that these are the latest stable versions of the respective actions:

Also applies to: 60-60, 63-63, 66-66, 74-74, 104-104, 112-112, 120-120, 180-180, 187-187, 201-201, 208-208, 228-228, 236-236


🏁 Script executed:

#!/bin/bash
# Description: Verify the latest versions of key GitHub Actions used in the workflow

actions=(
  "docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392" # v3.6.0
  "docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435" # v3.11.1
  "sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3" # v3.9.0
  "docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804" # v5.7.0
  "docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83" # v6.18.0
  "aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37" # 0.31.0
)

for action in "${actions[@]}"; do
  echo "Checking $action"
  # Extract owner/repo from action
  owner_repo=$(echo "$action" | cut -d'@' -f1)
  
  # Get latest release info
  gh api repos/$owner_repo/releases/latest --jq '.tag_name' || echo "Failed to get latest release for $owner_repo"
done

Length of output: 2809


Update outdated GitHub Action versions

Most of the workflow’s actions are already pinned to the latest stable releases. However, two can be bumped:

  • .github/workflows/artifacts.yaml (sigstore/cosign-installer)
    Current:

    uses: sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3  # v3.9.0

    Latest: v3.9.1

  • .github/workflows/artifacts.yaml (aquasecurity/trivy-action)
    Current:

    uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37  # v0.31.0

    Latest: v0.32.0

Suggested diff snippets:

– uses: sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3  # v3.9.0
+ uses: sigstore/cosign-installer@v3.9.1

– uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37  # v0.31.0
+ uses: aquasecurity/trivy-action@v0.32.0
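
Review bot: both replacement lines swap a full commit SHA for a mutable tag (`@v3.9.1`, `@v0.32.0`), which drops the SHA pinning that the current lines use. Bump each action by pinning the commit SHA of the new release and keeping the version in the trailing comment, as the lines being replaced do.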

All other pinned actions (setup-qemu, setup-buildx, metadata, build-push, etc.) match their latest release tags. Please apply these two bumps to keep the workflow fully up to date.

🤖 Prompt for AI Agents
In .github/workflows/artifacts.yaml at line 57, update the versions of the
sigstore/cosign-installer and aquasecurity/trivy-action GitHub Actions to their
latest stable releases. Change sigstore/cosign-installer from v3.9.0 to v3.9.1
and aquasecurity/trivy-action from v0.31.0 to v0.32.0 by modifying the commit
hashes or tags accordingly to keep the workflow up to date.

Comment thread go.mod
Comment on lines 112 to +113
replace github.com/dexidp/dex/api/v2 => ./api/v2

🛠️ Refactor suggestion

replace pointing to a local path will break downstream users

The directive

replace github.com/dexidp/dex/api/v2 => ./api/v2

prevents external consumers from resolving the module. Move this into a go.work, guard it behind a build flag, or drop it before publishing a release/tag.

🤖 Prompt for AI Agents
In go.mod at lines 112 to 113, the replace directive points to a local path
which breaks downstream users. Remove this local replace directive from go.mod
before publishing the release or tag. Instead, move this replace directive into
a go.work file or conditionally include it behind a build flag to avoid
impacting external consumers.

Comment thread go.mod
module github.com/dexidp/dex

go 1.23
go 1.24.0

⚠️ Potential issue

Invalid go directive — patch component not allowed

go.mod must specify the Go version as major.minor only. The tooling will error with “invalid go version” when it encounters 1.24.0.

-go 1.24.0
+go 1.24
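
Review bot: dropping the patch component on this line is not required. Go toolchains from 1.21 onward accept a full release version in the `go` directive, so `go 1.24.0` parses, and this PR's api/v2/go.mod and examples/go.mod are also reviewed at `1.24.0`; keep the three files consistent instead of changing only this one.
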
🤖 Prompt for AI Agents
In go.mod at line 3, the Go version is incorrectly specified as "1.24.0" which
includes a patch component. Change this to "1.24" to comply with the required
major.minor format and avoid the "invalid go version" error.
