From 25740750a5730cc684480d5e757f82e04d5c8e3e Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Wed, 8 Apr 2026 15:52:43 -0400 Subject: [PATCH 1/6] fix(ci): Prefer go.work for toolchain info --- .github/scripts/work-init.sh | 11 +++++++++++ .github/workflows/checks.yaml | 2 +- .github/workflows/sonarcloud.yml | 2 +- examples/go.mod | 2 -- lib/fixtures/go.mod | 2 -- lib/flattening/go.mod | 2 -- lib/identifier/go.mod | 2 -- lib/ocrypto/go.mod | 2 -- protocol/go/go.mod | 2 -- sdk/go.mod | 2 -- service/go.mod | 2 -- test/integration/go.mod | 2 -- tests-bdd/go.mod | 2 -- 13 files changed, 13 insertions(+), 22 deletions(-) diff --git a/.github/scripts/work-init.sh b/.github/scripts/work-init.sh index 878f7fd6ef..80f7cecef8 100755 --- a/.github/scripts/work-init.sh +++ b/.github/scripts/work-init.sh @@ -36,6 +36,11 @@ if ! cd "$ROOT_DIR"; then exit 1 fi +# Preserve the toolchain directive from the original go.work so that CI steps +# reading go-version-file: go.work (e.g. govulncheck) continue to use the +# correct Go version after the workspace is regenerated. +ORIG_TOOLCHAIN=$(grep "^toolchain " go.work 2>/dev/null | awk '{print $2}') + echo "[INFO] Rebuilding partial go.work for [${component}]" case $component in lib/ocrypto | lib/fixtures | lib/flattening | lib/identifier | protocol/go) @@ -64,3 +69,9 @@ examples) exit 1 ;; esac + +# Restore the toolchain directive if it was present in the original go.work. +if [[ -n "${ORIG_TOOLCHAIN:-}" && -f go.work ]]; then + go work edit -toolchain="$ORIG_TOOLCHAIN" + echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work" +fi diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 6ec4dc1442..e4b18673b8 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml 
@@ -74,7 +74,7 @@ jobs: continue-on-error: true uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 with: - go-version-input: "1.25.7" + go-version-file: go.work work-dir: ${{ matrix.directory }} - if: steps.govulncheck.outcome == 'failure' run: echo "$MODULE_DIR" > "/tmp/govulncheck-failure-${JOB_INDEX}.txt" diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 94043c16d8..348747e555 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -26,7 +26,7 @@ jobs: - name: "Setup Go" uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version: "1.25.7" + go-version-file: go.work check-latest: false cache-dependency-path: | service/go.sum diff --git a/examples/go.mod b/examples/go.mod index 9da02faf7f..6525994e8e 100644 --- a/examples/go.mod +++ b/examples/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/examples go 1.25.0 -toolchain go1.25.8 - require ( connectrpc.com/connect v1.19.1 github.com/opentdf/platform/lib/ocrypto v0.10.0 diff --git a/lib/fixtures/go.mod b/lib/fixtures/go.mod index 517a1d0696..82d94983ce 100644 --- a/lib/fixtures/go.mod +++ b/lib/fixtures/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/lib/fixtures go 1.25.0 -toolchain go1.25.8 - require github.com/Nerzal/gocloak/v13 v13.9.0 require ( diff --git a/lib/flattening/go.mod b/lib/flattening/go.mod index c2d3d36534..7e709fd35a 100644 --- a/lib/flattening/go.mod +++ b/lib/flattening/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/lib/flattening go 1.25.0 -toolchain go1.25.8 - require github.com/stretchr/testify v1.11.1 require ( diff --git a/lib/identifier/go.mod b/lib/identifier/go.mod index a98dc19662..f8bac60c76 100644 --- a/lib/identifier/go.mod +++ b/lib/identifier/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/lib/identifier go 1.25.0 -toolchain go1.25.8 - require github.com/stretchr/testify v1.11.1 require ( 
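Review bot: With `go-version-file: go.work` in the govulncheck step, the Go release that gets installed depends on which directive the action reads from go.work, and nothing in the hunk shows that. go.work in this series carries both `go 1.25.5` and a newer `toolchain` line, so if the pinned setup-go code resolves only the `go` directive, the scan would start from 1.25.5 and rely on Go's automatic toolchain switching to reach the patched release. That decides which standard-library findings govulncheck reports, so it is worth confirming for the pinned action versions; the same applies to the `Setup Go` step in sonarcloud.yml. A `run: go version` step executed in `${{ matrix.directory }}` before the scan would record the effective toolchain in the job log.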
diff --git a/lib/ocrypto/go.mod b/lib/ocrypto/go.mod index dd05482470..86593c3483 100644 --- a/lib/ocrypto/go.mod +++ b/lib/ocrypto/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/lib/ocrypto go 1.25.0 -toolchain go1.25.8 - require ( github.com/stretchr/testify v1.11.1 golang.org/x/crypto v0.49.0 diff --git a/protocol/go/go.mod b/protocol/go/go.mod index 03c0ad01c8..554c209411 100644 --- a/protocol/go/go.mod +++ b/protocol/go/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/protocol/go go 1.25.0 -toolchain go1.25.8 - require ( buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.1-20240508200655-46a4cf4ba109.1 connectrpc.com/connect v1.19.1 diff --git a/sdk/go.mod b/sdk/go.mod index d65fd7510c..7838ef7e39 100644 --- a/sdk/go.mod +++ b/sdk/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/sdk go 1.25.0 -toolchain go1.25.8 - require ( connectrpc.com/connect v1.19.1 github.com/Masterminds/semver/v3 v3.4.0 diff --git a/service/go.mod b/service/go.mod index 2f9ec2ffa5..ebbc1ffc89 100644 --- a/service/go.mod +++ b/service/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/service go 1.25.0 -toolchain go1.25.8 - require ( buf.build/go/protovalidate v1.0.0 connectrpc.com/connect v1.19.1 diff --git a/test/integration/go.mod b/test/integration/go.mod index cc526ed60f..1407190263 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/test/integration go 1.25.0 -toolchain go1.25.8 - replace ( github.com/opentdf/platform/lib/fixtures => ../../lib/fixtures github.com/opentdf/platform/lib/ocrypto => ../../lib/ocrypto diff --git a/tests-bdd/go.mod b/tests-bdd/go.mod index 6c74763606..b2281d3689 100644 --- a/tests-bdd/go.mod +++ b/tests-bdd/go.mod @@ -2,8 +2,6 @@ module github.com/opentdf/platform/tests-bdd go 1.25.5 -toolchain go1.25.8 - require ( github.com/cucumber/godog v0.15.0 github.com/google/uuid v1.6.0 
From e3eece77aee38137a4ea948ce46bdca55557b0a4 Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Wed, 8 Apr 2026 15:57:35 -0400 Subject: [PATCH 2/6] fix(core): Update toolchain to 1.25.9 --- go.work | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.work b/go.work index 235792dad9..0f3e4d2cf7 100644 --- a/go.work +++ b/go.work @@ -1,6 +1,6 @@ go 1.25.5 -toolchain go1.25.8 +toolchain go1.25.9 use ( ./examples From 0daf354ab49f3ebfb6e670a8270202b0f295dd60 Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Wed, 8 Apr 2026 16:08:22 -0400 Subject: [PATCH 3/6] explicit value required here --- .github/workflows/checks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index e4b18673b8..ec2aef3888 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -74,6 +74,7 @@ jobs: continue-on-error: true uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 with: + go-version-input: "" go-version-file: go.work work-dir: ${{ matrix.directory }} - if: steps.govulncheck.outcome == 'failure' From bf17f00b4d939d0fd0fc15a3c422ae05b4705b0b Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Wed, 8 Apr 2026 16:39:22 -0400 Subject: [PATCH 4/6] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- .github/scripts/work-init.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/scripts/work-init.sh b/.github/scripts/work-init.sh index 80f7cecef8..0e6d501754 100755 --- a/.github/scripts/work-init.sh +++ b/.github/scripts/work-init.sh 
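Review bot: The added `go-version-input: ""` in the govulncheck step of checks.yaml reads like a leftover and has no comment saying why it must stay. The commit subject says an explicit value is required, presumably because the action's own default for `go-version-input` would otherwise take precedence over `go-version-file`. If someone later deletes the empty value, the scan could silently run on a Go version that go.work does not pin. I would add a comment above the line, e.g. `# Keep empty: a non-empty go-version-input (including the action default) overrides go-version-file`.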
@@ -39,7 +39,7 @@ fi # Preserve the toolchain directive from the original go.work so that CI steps # reading go-version-file: go.work (e.g. govulncheck) continue to use the # correct Go version after the workspace is regenerated. -ORIG_TOOLCHAIN=$(grep "^toolchain " go.work 2>/dev/null | awk '{print $2}') +ORIG_TOOLCHAIN=$(awk '/^toolchain / {print $2; exit}' go.work 2>/dev/null) echo "[INFO] Rebuilding partial go.work for [${component}]" case $component in From 268aace67568914325fc15a181105ef3b48ba950 Mon Sep 17 00:00:00 2001 From: Dave Mihalcik Date: Wed, 8 Apr 2026 16:46:04 -0400 Subject: [PATCH 5/6] fix(ci): exit early for leaf packages in work-init.sh Leaf packages (lib/*, protocol/go) skip workspace regeneration, so the toolchain restore logic should not run either. Exit early to avoid touching go.work unnecessarily. Addresses Gemini review feedback on PR #3285. Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Dave Mihalcik --- .github/scripts/work-init.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/scripts/work-init.sh b/.github/scripts/work-init.sh index 0e6d501754..4a410c0e99 100755 --- a/.github/scripts/work-init.sh +++ b/.github/scripts/work-init.sh @@ -45,6 +45,7 @@ echo "[INFO] Rebuilding partial go.work for [${component}]" case $component in lib/ocrypto | lib/fixtures | lib/flattening | lib/identifier | protocol/go) echo "[INFO] skipping for leaf package" + exit 0 ;; sdk) rm -f go.work go.work.sum && @@ -71,7 +72,7 @@ examples) esac # Restore the toolchain directive if it was present in the original go.work. -if [[ -n "${ORIG_TOOLCHAIN:-}" && -f go.work ]]; then +if [[ -n "${ORIG_TOOLCHAIN:-}" ]]; then go work edit -toolchain="$ORIG_TOOLCHAIN" echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work" fi From cee1312a054db86b8c3f1eff9983426bddbfacf0 Mon Sep 17 00:00:00 2001 
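Review bot: A missing go.work, or one without a `toolchain` line, leaves `ORIG_TOOLCHAIN` empty without any trace, because `2>/dev/null` hides the awk error and nothing checks the result. The restore block at the end of the script is then skipped, so the regenerated go.work presumably carries no toolchain directive and the jobs reading `go-version-file: go.work` no longer get the pinned release. Since the variable exists to keep the vulnerability scan on that toolchain, log the empty case right after the assignment: `[[ -n "$ORIG_TOOLCHAIN" ]] || echo "[WARN] no toolchain directive found in go.work" >&2`. The top of the script is outside this hunk, so whether `set -e` or `set -u` is active cannot be confirmed from here.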
From: Dave Mihalcik Date: Wed, 15 Apr 2026 11:05:31 -0400 Subject: [PATCH 6/6] fixup coderabbitai suggestion --- .github/scripts/work-init.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/scripts/work-init.sh b/.github/scripts/work-init.sh index 4a410c0e99..5d77b6cfdf 100755 --- a/.github/scripts/work-init.sh +++ b/.github/scripts/work-init.sh @@ -73,6 +73,9 @@ esac # Restore the toolchain directive if it was present in the original go.work. if [[ -n "${ORIG_TOOLCHAIN:-}" ]]; then - go work edit -toolchain="$ORIG_TOOLCHAIN" + if ! go work edit -toolchain="$ORIG_TOOLCHAIN"; + echo "[ERROR] unable to restore original toolchain [${ORIG_TOOLCHAIN}] in go.work" + exit 1 + fi echo "[INFO] Restored toolchain ${ORIG_TOOLCHAIN} in go.work" fi
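Review bot: The new `if ! go work edit -toolchain="$ORIG_TOOLCHAIN";` line has no `then`, so bash will reject the block with a syntax error when it reaches the inner `fi`. Bash parses a script as it runs, so the `case` block above has presumably already deleted and rebuilt go.work by then, and the step would fail leaving a workspace without the toolchain directive. The line should read `if ! go work edit -toolchain="$ORIG_TOOLCHAIN"; then`. The `[ERROR]` message could also go to stderr with `>&2`, if that matches the rest of the script, which is outside this hunk.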