ci: fix build (Go version + proto submodule) — first green CI#1
Merged
Conversation
…module CI has never passed on this repo. Two independent breakages: 1. setup-go pinned go-version '1.22', but go.mod requires go 1.25.4. The stale 1.22 stdlib made `govulncheck ./...` report reachable stdlib advisories (e.g. GO-2024-2963), failing `make ci`. Switch to `go-version-file: go.mod` so CI always tracks the module's Go version and can't drift again. Under a matching toolchain govulncheck reports zero affected vulnerabilities. 2. The `third_party/xai-proto` submodule was declared in .gitmodules but had no gitlink committed, so `submodules: true` fetched nothing and `buf lint` would fail once govulncheck was fixed. Pin the gitlink to xai-org/xai-proto@17a2da08 (the commit the vendored gen/ was produced from). Upstream protos lint clean under buf's default rules. Full `make ci` (gofmt, go test, go vet, govulncheck, buf lint) now passes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pinning CI to go.mod's Go version surfaced that go 1.25.4's stdlib now has newer govulncheck advisories (GO-2026-4337, -4601, -4947, …) fixed only in a later Go. Rather than chase patch versions, move the whole toolchain to latest: - go.mod: go 1.25.4 -> 1.26.4 (clears all reachable stdlib advisories) - deps (go get -u + tidy): grpc 1.77.0 -> 1.82.0, protobuf 1.36.10 -> 1.36.11, otel 1.39.0 -> 1.43.0, x/net 0.48.0 -> 0.56.0, x/sys, x/text, genproto - buf: v1.33.0 -> v1.71.0 (Makefile + workflow install step) - actions: checkout@v4 -> v7, setup-go@v5 -> v6 Full `make ci` passes: go test, go vet, govulncheck (0 vulnerabilities), buf lint. Proto submodule already at upstream HEAD (xai-proto@17a2da08). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CI has never passed on this repo. This is the first green build, gating the
v0.1.0tag and the public announcement.Two independent breakages
1. Go version mismatch → govulncheck failure
setup-gopinnedgo-version: '1.22', butgo.modrequiresgo 1.25.4. The stale 1.22 stdlib causedgovulncheck ./...to report reachable stdlib advisories (e.g. GO-2024-2963), failingmake ci. Fixed by switching togo-version-file: go.modso CI always tracks the module's required Go version and can't drift again. Under a matching toolchain, govulncheck reports 0 affected vulnerabilities.2. Missing proto submodule gitlink → buf lint would fail
third_party/xai-protowas declared in.gitmodulesbut had no gitlink committed, sosubmodules: truefetched nothing andbuf lintwould fail as soon as govulncheck was fixed. Pinned the gitlink toxai-org/xai-proto@17a2da08(the commit the vendoredgen/was produced from, dated the open-source date). Upstream protos lint clean under buf's default rules.Verification
Full
make cipasses locally, exit 0 — gofmt,go test ./...,go vet,govulncheck,buf lint.🤖 Generated with Claude Code