ci: add scheduled go toolchain update workflow#429
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Code Review
This pull request introduces a new Python script hack/go-toolchain.py to manage and align the Go toolchain baseline across go.mod, Dockerfiles, and GitHub Actions workflows. The review feedback highlights several improvement opportunities: making the workflow regexes more robust to avoid matching commented-out lines, replacing str.removeprefix to maintain compatibility with Python versions older than 3.9, improving the toolchain removal regex to handle pre-release suffixes, and extending workflow verification to support both .yml and .yaml file extensions.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| SETUP_GO_RE = re.compile(r"uses:[ \t]*actions/setup-go@") | ||
| GO_VERSION_RE = re.compile(r"\bgo-version[ \t]*:") | ||
| GO_VERSION_FILE_RE = re.compile(r"\bgo-version-file[ \t]*:[ \t]*go\.mod\b") |
There was a problem hiding this comment.
The current regular expressions for detecting setup-go and its configuration options match any occurrence of the keywords, even if they are commented out (e.g., # go-version:). This can lead to false positives during verification.
We can make these regexes more robust by ensuring they only match active YAML keys (i.e., starting with optional whitespace at the beginning of a line, and not preceded by a comment character #).
| SETUP_GO_RE = re.compile(r"uses:[ \t]*actions/setup-go@") | |
| GO_VERSION_RE = re.compile(r"\bgo-version[ \t]*:") | |
| GO_VERSION_FILE_RE = re.compile(r"\bgo-version-file[ \t]*:[ \t]*go\.mod\b") | |
| SETUP_GO_RE = re.compile(r"^[ \\t]*uses:[ \\t]*actions/setup-go@", re.MULTILINE) | |
| GO_VERSION_RE = re.compile(r"^[ \\t]*go-version[ \\t]*:", re.MULTILINE) | |
| GO_VERSION_FILE_RE = re.compile(r"^[ \\t]*go-version-file[ \\t]*:[ \\t]*go\\.mod\\b", re.MULTILINE) |
|
|
||
| for release in releases: | ||
| if release.get("stable"): | ||
| return str(release["version"]).removeprefix("go") |
There was a problem hiding this comment.
Using str.removeprefix will raise an AttributeError on Python versions older than 3.9 (such as Python 3.8, which is still common in some legacy CI runners or developer environments).
To ensure maximum compatibility across different environments, we can use a standard slice or startswith check instead.
| return str(release["version"]).removeprefix("go") | |
| version = str(release["version"]) | |
| return version[2:] if version.startswith("go") else version |
| raise ValueError("go.mod does not contain a parseable go directive") | ||
|
|
||
| content = GO_DIRECTIVE_RE.sub(f"go {version}", content, count=1) | ||
| content = re.sub(r"\ntoolchain[ \t]+go[0-9]+\.[0-9]+(?:\.[0-9]+)?[ \t]*\n", "\n", content) |
There was a problem hiding this comment.
The current regex for removing the toolchain directive relies on matching a specific Go version pattern. If the toolchain directive contains a pre-release suffix (e.g., go1.21rc1) or any other non-standard version format, the regex will fail to match and remove it, potentially leaving a malformed or outdated toolchain directive in go.mod.
We can make this much more robust by matching any line starting with toolchain using re.MULTILINE, which removes the entire line regardless of the version format.
| content = re.sub(r"\ntoolchain[ \t]+go[0-9]+\.[0-9]+(?:\.[0-9]+)?[ \t]*\n", "\n", content) | |
| content = re.sub(r"^toolchain[ \\t]+\\S+[ \\t]*\\r?\\n", "", content, flags=re.MULTILINE) |
| errors: list[str] = [] | ||
| workflows = repo / ".github" / "workflows" | ||
|
|
||
| for path in sorted(workflows.glob("*.yml")): |
There was a problem hiding this comment.
GitHub Actions workflows can be named with either .yml or .yaml extensions. Currently, verify_workflows only checks files ending in *.yml. If a workflow file is added with a .yaml extension, it will be silently ignored during verification.
We can update the glob search to find and sort both extensions to ensure all workflow files are verified.
| for path in sorted(workflows.glob("*.yml")): | |
| workflow_files = list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml")) | |
| for path in sorted(workflow_files): |
There was a problem hiding this comment.
Pull request overview
Adds a repo-owned mechanism to keep AgentCube’s Go toolchain baseline (as defined in go.mod and mirrored in docker/Dockerfile* builder images) up to date via a scheduled GitHub Actions workflow, generating a focused PR only when an update is needed.
Changes:
- Introduce
hack/go-toolchain.pyto read/verify/update the Go version ingo.modanddocker/Dockerfile*, and to validateactions/setup-gousage across workflows. - Add a scheduled workflow (
.github/workflows/go-toolchain-update.yml) that checks the latest stable Go release weekly and opens/updates a PR branch when the repo baseline is behind. - Run validation steps in the creator workflow (including
go mod tidy, baseline verification, and diff checks) to compensate for limited downstream-trigger behavior fromGITHUB_TOKEN-created PRs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
hack/go-toolchain.py |
New CLI tool to manage/verify Go baseline alignment across go.mod, Docker builder images, and workflow setup-go configuration. |
.github/workflows/go-toolchain-update.yml |
New scheduled workflow that detects new stable Go releases and creates/updates a PR with the baseline bump (no auto-merge). |
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #429 +/- ##
===========================================
+ Coverage 47.57% 58.50% +10.93%
===========================================
Files 30 36 +6
Lines 2819 3463 +644
===========================================
+ Hits 1341 2026 +685
+ Misses 1338 1228 -110
- Partials 140 209 +69
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Signed-off-by: ranxi2001 <ranxi169@163.com>
733bb4b to
b6a3156
Compare
|
Thanks, updated in the latest push. I tightened the workflow matching to ignore commented YAML keys while keeping valid |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Adds a repository-owned Go toolchain maintenance workflow and helper script.
The scheduled workflow checks the latest stable Go release from the official Go release feed once per week and opens a focused, reviewable PR only when the project baseline is behind. It does not auto-merge.
The schedule is aligned with the existing Dependabot weekly cadence: Monday 00:00 UTC.
This keeps Docker Dependabot focused on runtime base images while preventing
golang:*builder images from drifting away from the project Go baseline.Which issue(s) this PR fixes:
NONE
Special notes for your reviewer:
GITHUB_TOKENmay not recursively trigger every downstream workflow, so the creator workflow keeps its own validation steps.go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/go-toolchain-update.ymlpython3 hack/go-toolchain.py verify --check-latestgit diff --check upstream/main...HEAD733bb4b: 9/9 checks passed.Does this PR introduce a user-facing change?: