Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport PR #2769 to release/v1.7 for refactor merge docker and github actions workflow gen logic #2774

Conversation

vdaas-ci
Copy link
Collaborator

Description

SSIA

Related Issue

Versions

  • Vald Version: v1.7.14
  • Go Version: v1.23.3
  • Rust Version: v1.82.0
  • Docker Version: v27.3.1
  • Kubernetes Version: v1.31.2
  • Helm Version: v3.16.2
  • NGT Version: v2.3.4
  • Faiss Version: v1.9.0

Checklist

Special notes for your reviewer

Summary by CodeRabbit

Release Notes

  • New Features

    • Introduced new Docker images for multiple components, including Agent NGT, Agent sidecar, Discoverers, Gateways, Index Manager, and Helm Operator.
    • Added an example-client Docker image.
    • Implemented job templates with affinity, a job for deleting expired indexes, and QUIC support.
    • Enhanced gRPC client and server configurations to support additional interceptors, including MetricInterceptor.
  • Bug Fixes

    • Resolved issues related to the update dependencies workflow, double-free error in the GetGraphStatistics API, and installation command corrections for ARM64 architecture.
  • Dependency Updates

    • Updated various software components, including Go, Rust, Helm, and Kubernetes versions, as well as other libraries and tools.
  • Documentation

    • Updated links to GoDoc and Helm Chart references for the new version.
  • Chores

    • Refactored Dockerfiles and updated .gitattributes.

Copy link

cloudflare-workers-and-pages bot commented Dec 11, 2024

Deploying vald with  Cloudflare Pages  Cloudflare Pages

Latest commit: a44ff90
Status: ✅  Deploy successful!
Preview URL: https://1850c793.vald.pages.dev
Branch Preview URL: https://backport-release-v1-7-refact-ij8m.vald.pages.dev

View logs

Copy link
Contributor

coderabbitai bot commented Dec 11, 2024

📝 Walkthrough

Walkthrough

The pull request includes significant file deletions and modifications across various directories within the project repository. Key files removed include several Go source files, Kubernetes configuration files, and multiple Dockerfiles. Additionally, the changes involve updates to GitHub Actions workflows, primarily focused on refining trigger paths and updating dependency versions in configuration files. The modifications reflect a restructuring and cleanup effort, with no major alterations to the existing logic or control flow of the codebase.

Changes

File Path Change Summary
.gitfiles Deleted files: hack/actions/gen/main.go, hack/actions/gen/main_test.go, k8s/index/job/deletion/configmap.yaml, k8s/index/job/deletion/cronjob.yaml.
.github/ISSUE_TEMPLATE/bug_report.md Updated version numbers for Vald, Go, Rust, Docker, Kubernetes, Helm, and NGT.
.github/ISSUE_TEMPLATE/security_issue_report.md Updated version numbers for Vald, Go, Rust, Docker, Kubernetes, Helm, and NGT.
.github/PULL_REQUEST_TEMPLATE.md Updated version numbers for Vald, Go, Rust, Docker, Kubernetes, Helm, and NGT.
.github/workflows/coverage.yaml Updated Codecov action version from v4 to v5.
.github/workflows/*.yaml Multiple workflows modified to adjust event paths, add exclusions for mock/test files, and update comments for source file locations.
.github/workflows/dockers-index-deletion.yaml Deleted workflow file for building a Docker image related to index deletion.
CHANGELOG.md Documented release notes for version v1.7.15, including new features, bug fixes, and improvements.
Makefile Updated .PHONY: workflow target command from generating a workflow to generating a Dockerfile.
Makefile.d/functions.mk Removed gen-workflow function definition.
charts/vald-benchmark-operator/crds/*.yaml Updated schema definitions and properties for various CRDs.
charts/vald-helm-operator/crds/valdhelmoperatorrelease.yaml Updated schema definitions and properties for ValdHelmOperatorRelease.
dockers/**/*.Dockerfile Added newlines at the end of multiple Dockerfiles; some Dockerfiles modified for clarity.
example/client/go.mod, go.mod, hack/go.mod.default Updated Go version and various dependencies to newer versions.
internal/file/file.go Introduced a constant for the path separator and updated functions for consistent usage.
internal/strings/strings.go Removed Title function from exported declarations.
rust/rust-toolchain, rust/rust-toolchain.toml Updated Rust toolchain version from 1.82.0 to 1.83.0.
versions/BUF_VERSION Updated version from v1.46.0 to v1.47.2.

Possibly related PRs

Suggested labels

priority/low, type/refactoring, size/XXXL, area/makefile, actions/backport/release/v1.7

Suggested reviewers

  • vankichi
  • kmrmt

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 15

🧹 Outside diff range and nitpick comments (22)
charts/vald-helm-operator/crds/valdhelmoperatorrelease.yaml (1)

117-136: Consider adding more standard logging levels

While the current logging levels (debug, info, error) cover basic needs, consider adding other standard levels like 'warn' and 'fatal' for more granular control.

 level:
   enum:
     - debug
     - info
+    - warn
     - error
+    - fatal
   type: string
 stacktraceLevel:
   enum:
     - debug
     - info
+    - warn
     - error
+    - fatal
   type: string
internal/file/file.go (4)

39-41: Consider using filepath.Separator instead of defining a new constant.

The filepath package already provides filepath.Separator as a built-in constant for OS-specific path separators. Using the standard library constant would be more idiomatic.

-const (
-	sep = string(os.PathSeparator)
-)

483-484: Simplify path handling using filepath.Clean.

Instead of manually appending separators, consider using filepath.Clean to normalize the path. This would handle all path separator cases more robustly.

-	if fi.Mode().IsDir() && !strings.HasSuffix(path, sep) {
-		path += sep
-	}
+	if fi.Mode().IsDir() {
+		path = filepath.Clean(path)
+	}

Line range hint 545-559: Fix potential race conditions and unnecessary filesystem access.

The current implementation has several issues:

  1. Unnecessary filesystem access with Exists checks
  2. Race condition between existence check and file operations
  3. Inconsistent behavior based on file existence

Consider simplifying the logic to always return clean paths without filesystem checks:

-	if filepath.IsAbs(path) || !Exists(path) {
-		return filepath.Clean(path)
-	}
-
-	root, err := os.Getwd()
-	if err != nil {
-		err = errors.ErrFailedToGetAbsPath(err, path)
-		log.Warn(err)
-		return filepath.Clean(path)
-	}
-	abs := joinFilePaths(root, path)
-	if !Exists(abs) {
-		return filepath.Clean(path)
-	}
-	return filepath.Clean(abs)
+	if filepath.IsAbs(path) {
+		return filepath.Clean(path)
+	}
+	if abs, err := filepath.Abs(path); err == nil {
+		return filepath.Clean(abs)
+	}
+	return filepath.Clean(path)

Line range hint 39-572: Consider refactoring path handling to use standard library functions consistently.

The file handling utilities would benefit from a more consistent approach to path handling:

  1. Use filepath package functions (Clean, Join, Abs) instead of custom implementations
  2. Remove path existence checks where not strictly necessary
  3. Document clear contracts for path handling behavior
  4. Add unit tests for edge cases (Windows paths, symbolic links, etc.)

This would improve maintainability and reduce potential bugs.

.github/workflows/dockers-readreplica-rotate-image.yaml (1)

29-30: LGTM: Enhanced version tag patterns

The addition of v*.*.*-* pattern properly supports pre-release versions (e.g., v1.0.0-alpha), aligning with semantic versioning practices.

Consider updating the release documentation to reflect the supported version tag patterns.

k8s/operator/helm/crds/valdhelmoperatorrelease.yaml (3)

124-136: Consider adding support for additional logging formats

The logging configuration schema is well-structured with appropriate enums for format, level, and stacktraceLevel. However, you might want to consider supporting additional common logging formats like:

  • logfmt
  • yaml
  • text

This would provide more flexibility for different logging environments.


225-225: Consider adding schema validation for toleration fields

While using x-kubernetes-preserve-unknown-fields: true provides flexibility, consider adding explicit schema validation for common toleration fields (key, operator, value, effect) to catch configuration errors early.

Example schema addition:

items:
  type: object
  properties:
    key:
      type: string
    operator:
      type: string
      enum: [Exists, Equal]
    value:
      type: string
    effect:
      type: string
      enum: [NoSchedule, PreferNoSchedule, NoExecute]

Line range hint 1-228: Well-structured CRD with room for enhancement

The CustomResourceDefinition is well-structured and follows Kubernetes best practices. Consider the following architectural improvements:

  1. Add OpenAPI v3 validation markers for:

    • Resource limits and requests
    • Port number ranges
    • String patterns for names and identifiers
  2. Consider implementing a conversion webhook for future schema versions, as this CRD might need to evolve with new features.

  3. Document the CRD's status subresource conditions in the schema to improve observability.

.github/workflows/dockers-binfmt-image.yaml (2)

Line range hint 22-23: Review build frequency necessity

The workflow runs hourly (0 * * * *). Consider if this frequency is necessary and its impact on GitHub Actions usage quotas.

Consider reducing frequency if builds are not time-critical.


17-17: Consider workflow generation documentation

The comment indicates these files are generated. Consider adding documentation about:

  1. The workflow generation process
  2. How to modify the generator instead of the workflows
  3. Validation steps for generated workflows

Would you like help creating a documentation template for the workflow generation process?

charts/vald-benchmark-operator/crds/valdbenchmarkscenario.yaml (1)

98-102: Consider adding more structure to jobs schema

While preserving unknown fields provides flexibility, consider if some common job properties could be explicitly defined to provide better validation and documentation.

jobs:
  items:
    type: object
    properties:
      name:
        type: string
        minLength: 1
      replicas:
        type: integer
        minimum: 1
      resources:
        type: object
        properties:
          limits:
            type: object
          requests:
            type: object
    required:
      - name
    x-kubernetes-preserve-unknown-fields: true
.github/workflows/dockers-loadtest-image.yaml (1)

40-119: Consider using pattern matching to reduce path maintenance.

The extensive list of individual paths might make maintenance challenging. Consider using pattern matching to simplify the configuration.

Example simplification:

- internal/backoff/*.go
- internal/cache/*.go
- internal/cache/cacher/*.go
- ... (many individual paths)
+ internal/**/*.go

Also applies to: 130-209

.github/workflows/dockers-index-save-image.yaml (1)

17-17: Consider implementing a workflow template system.

Since these workflow files are generated, consider implementing a template system to reduce code duplication and improve maintainability across all Docker image workflows.

This could be achieved by:

  1. Creating a base template with common configurations
  2. Using variables for image-specific paths and configurations
  3. Generating workflows from these templates
.github/workflows/dockers-index-deletion-image.yaml (1)

33-134: Consider optimizing path monitoring patterns

The extensive list of monitored paths in the pull_request section might trigger unnecessary builds. Consider:

  1. Grouping related paths using wildcards
  2. Focusing on paths directly related to the index-deletion functionality

Example optimization:

  pull_request:
    paths:
      - "!**/*_mock.go"
      - "!**/*_test.go"
      - .github/workflows/dockers-index-deletion-image.yaml
      - Makefile*
-     - internal/backoff/*.go
-     - internal/cache/*.go
-     - internal/cache/cacher/*.go
+     - internal/{backoff,cache,cache/cacher}/*.go
      # ... continue grouping related paths
.github/workflows/dockers-index-correction-image.yaml (1)

59-60: Review the database dependency implications

The workflow monitors changes in both pogreb and redis database implementations. Consider:

  1. Documenting the use case for each database type
  2. Ensuring consistent error handling across different database implementations

Consider adding comments in the workflow file to explain:

  • When each database type should be used
  • Impact on the index correction process
  • Failover strategies between database types

Also applies to: 167-168

.github/workflows/dockers-gateway-lb-image.yaml (1)

33-34: Review security implications of test file exclusions

The explicit exclusion of mock and test files (*_mock.go, *_test.go) from both PR and PR target triggers could potentially miss critical test-related changes.

Consider:

  1. Adding separate workflows for test file changes
  2. Including test files for critical components

Also applies to: 146-147

.github/workflows/dockers-benchmark-operator-image.yaml (1)

33-143: Reduce duplication in path configurations

The paths under pull_request and pull_request_target are identical, which introduces maintenance overhead.

Consider extracting the shared paths into a reusable anchor using YAML aliases:

shared_paths: &shared_paths
  - "!**/*_mock.go"
  - "!**/*_test.go"
  # ... rest of the paths ...

pull_request:
  paths: *shared_paths

pull_request_target:
  paths: *shared_paths

Also applies to: 144-251

.github/workflows/dockers-agent-faiss-image.yaml (1)

40-144: Optimize path triggers for FAISS-specific components.

The path triggers include many internal packages. Consider organizing FAISS-specific paths into a separate configuration file for better maintainability.

Create a new file .github/workflow-paths/faiss-paths.yaml and reference it:

# .github/workflow-paths/faiss-paths.yaml
paths:
  - internal/core/algorithm/faiss/**
  - pkg/agent/core/faiss/**
  # Add other FAISS-specific paths
.github/workflows/dockers-agent-ngt-image.yaml (1)

17-17: Consider adding workflow metadata for better maintainability.

All three workflow files are generated. Consider adding metadata about the generation process.

Add generation metadata as YAML comments:

# DO_NOT_EDIT this workflow file is generated by https://github.com/vdaas/vald/blob/main/hack/docker/gen/main.go
# Generated at: <timestamp>
# Generator version: <version>
# Template version: <version>
CHANGELOG.md (2)

Line range hint 1563-1574: Consider grouping changes by type for better readability

The changes in this section could be better organized by grouping them into categories like:

  • Features
  • Bug fixes
  • Documentation
  • Dependencies
  • Others

This would make it easier for users to quickly find relevant changes.

### Changes

+ ### Features
- bugfix remove api return wrong error of non exsiting replicas (#1318)
+ ### Bug Fixes
+ - bugfix remove api return wrong error of non exsiting replicas (#1318)
+ ### Dependencies
- update go modules and update go version to 1.16.5 from 1.16.4 (#1306)
+ - update go modules and update go version to 1.16.5 from 1.16.4 (#1306)

Line range hint 1-3: Add timestamp information to version headers

Consider adding release dates to each version header to help users track when changes were made.

- # CHANGELOG
+ # CHANGELOG
+ 
+ All notable changes to this project are documented in this file.
+ 
+ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between b738904 and a44ff90.

⛔ Files ignored due to path filters (25)
  • apis/grpc/v1/agent/core/agent.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/agent/sidecar/sidecar.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/discoverer/discoverer.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/filter/egress/egress_filter.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/filter/ingress/ingress_filter.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/meta/meta.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/mirror/mirror.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/payload/payload.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/rpc/errdetails/error_details.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/filter.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/flush.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/index.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/insert.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/object.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/remove.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/search.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/update.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • apis/grpc/v1/vald/upsert.pb.go is excluded by !**/*.pb.go, !**/*.pb.go
  • example/client/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • hack/actions/gen/main.go is excluded by !**/gen/**
  • hack/actions/gen/main_test.go is excluded by !**/gen/**
  • hack/docker/gen/main.go is excluded by !**/gen/**
  • hack/license/gen/main.go is excluded by !**/gen/**
  • rust/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (82)
  • .gitfiles (0 hunks)
  • .github/ISSUE_TEMPLATE/bug_report.md (1 hunks)
  • .github/ISSUE_TEMPLATE/security_issue_report.md (1 hunks)
  • .github/PULL_REQUEST_TEMPLATE.md (1 hunks)
  • .github/workflows/coverage.yaml (1 hunks)
  • .github/workflows/dockers-agent-faiss-image.yaml (2 hunks)
  • .github/workflows/dockers-agent-image.yaml (2 hunks)
  • .github/workflows/dockers-agent-ngt-image.yaml (2 hunks)
  • .github/workflows/dockers-agent-sidecar-image.yaml (2 hunks)
  • .github/workflows/dockers-benchmark-job-image.yaml (2 hunks)
  • .github/workflows/dockers-benchmark-operator-image.yaml (2 hunks)
  • .github/workflows/dockers-binfmt-image.yaml (2 hunks)
  • .github/workflows/dockers-buildbase-image.yaml (2 hunks)
  • .github/workflows/dockers-buildkit-image.yaml (2 hunks)
  • .github/workflows/dockers-buildkit-syft-scanner-image.yaml (2 hunks)
  • .github/workflows/dockers-ci-container-image.yaml (2 hunks)
  • .github/workflows/dockers-dev-container-image.yaml (2 hunks)
  • .github/workflows/dockers-discoverer-k8s-image.yaml (2 hunks)
  • .github/workflows/dockers-example-client-image.yaml (2 hunks)
  • .github/workflows/dockers-gateway-filter-image.yaml (2 hunks)
  • .github/workflows/dockers-gateway-lb-image.yaml (2 hunks)
  • .github/workflows/dockers-gateway-mirror-image.yaml (2 hunks)
  • .github/workflows/dockers-helm-operator-image.yaml (2 hunks)
  • .github/workflows/dockers-index-correction-image.yaml (2 hunks)
  • .github/workflows/dockers-index-creation-image.yaml (2 hunks)
  • .github/workflows/dockers-index-deletion-image.yaml (2 hunks)
  • .github/workflows/dockers-index-deletion.yaml (0 hunks)
  • .github/workflows/dockers-index-operator-image.yaml (2 hunks)
  • .github/workflows/dockers-index-save-image.yaml (2 hunks)
  • .github/workflows/dockers-loadtest-image.yaml (2 hunks)
  • .github/workflows/dockers-manager-index-image.yaml (2 hunks)
  • .github/workflows/dockers-readreplica-rotate-image.yaml (2 hunks)
  • .github/workflows/unit-test.yaml (1 hunks)
  • CHANGELOG.md (1 hunks)
  • Makefile (1 hunks)
  • Makefile.d/functions.mk (0 hunks)
  • charts/vald-benchmark-operator/crds/valdbenchmarkjob.yaml (27 hunks)
  • charts/vald-benchmark-operator/crds/valdbenchmarkoperatorrelease.yaml (27 hunks)
  • charts/vald-benchmark-operator/crds/valdbenchmarkscenario.yaml (1 hunks)
  • charts/vald-benchmark-operator/schemas/job-values.schema.json (1 hunks)
  • charts/vald-benchmark-operator/schemas/job-values.yaml (1 hunks)
  • charts/vald-benchmark-operator/values.yaml (2 hunks)
  • charts/vald-helm-operator/crds/valdhelmoperatorrelease.yaml (5 hunks)
  • charts/vald/crds/valdmirrortarget.yaml (1 hunks)
  • charts/vald/values.yaml (1 hunks)
  • dockers/agent/core/agent/Dockerfile (1 hunks)
  • dockers/agent/core/faiss/Dockerfile (1 hunks)
  • dockers/agent/core/ngt/Dockerfile (1 hunks)
  • dockers/agent/sidecar/Dockerfile (1 hunks)
  • dockers/binfmt/Dockerfile (1 hunks)
  • dockers/buildbase/Dockerfile (1 hunks)
  • dockers/buildkit/Dockerfile (1 hunks)
  • dockers/buildkit/syft/scanner/Dockerfile (1 hunks)
  • dockers/ci/base/Dockerfile (1 hunks)
  • dockers/dev/Dockerfile (1 hunks)
  • dockers/discoverer/k8s/Dockerfile (1 hunks)
  • dockers/example/client/Dockerfile (1 hunks)
  • dockers/gateway/filter/Dockerfile (1 hunks)
  • dockers/gateway/lb/Dockerfile (1 hunks)
  • dockers/gateway/mirror/Dockerfile (1 hunks)
  • dockers/index/job/correction/Dockerfile (1 hunks)
  • dockers/index/job/creation/Dockerfile (1 hunks)
  • dockers/index/job/deletion/Dockerfile (1 hunks)
  • dockers/index/job/readreplica/rotate/Dockerfile (1 hunks)
  • dockers/index/job/save/Dockerfile (1 hunks)
  • dockers/index/operator/Dockerfile (1 hunks)
  • dockers/manager/index/Dockerfile (1 hunks)
  • dockers/operator/helm/Dockerfile (1 hunks)
  • dockers/tools/benchmark/job/Dockerfile (1 hunks)
  • dockers/tools/benchmark/operator/Dockerfile (1 hunks)
  • dockers/tools/cli/loadtest/Dockerfile (1 hunks)
  • example/client/go.mod (1 hunks)
  • example/client/go.mod.default (2 hunks)
  • go.mod (18 hunks)
  • hack/go.mod.default (1 hunks)
  • hack/helm/schema/crd/main.go (1 hunks)
  • internal/file/file.go (4 hunks)
  • internal/strings/strings.go (0 hunks)
  • k8s/operator/helm/crds/valdhelmoperatorrelease.yaml (5 hunks)
  • rust/rust-toolchain (1 hunks)
  • rust/rust-toolchain.toml (1 hunks)
  • versions/BUF_VERSION (1 hunks)
⛔ Files not processed due to max files limit (26)
  • versions/CMAKE_VERSION
  • versions/DOCKER_VERSION
  • versions/GOLANGCILINT_VERSION
  • versions/GO_VERSION
  • versions/HELM_VERSION
  • versions/K3S_VERSION
  • versions/KUBECTL_VERSION
  • versions/NGT_VERSION
  • versions/OPERATOR_SDK_VERSION
  • versions/PROMETHEUS_STACK_VERSION
  • versions/PROTOBUF_VERSION
  • versions/REVIEWDOG_VERSION
  • versions/RUST_VERSION
  • versions/TELEPRESENCE_VERSION
  • versions/USEARCH_VERSION
  • versions/YQ_VERSION
  • versions/actions/ACTIONS_CACHE
  • versions/actions/ACTIONS_SETUP_GO
  • versions/actions/CODECOV_CODECOV_ACTION
  • versions/actions/GITHUB_CODEQL_ACTION_ANALYZE
  • versions/actions/GITHUB_CODEQL_ACTION_AUTOBUILD
  • versions/actions/GITHUB_CODEQL_ACTION_INIT
  • versions/actions/GITHUB_CODEQL_ACTION_UPLOAD_SARIF
  • versions/actions/GITHUB_ISSUE_METRICS
  • versions/actions/REVIEWDOG_ACTION_HADOLINT
  • versions/actions/SOFTPROPS_ACTION_GH_RELEASE
💤 Files with no reviewable changes (4)
  • .github/workflows/dockers-index-deletion.yaml
  • internal/strings/strings.go
  • .gitfiles
  • Makefile.d/functions.mk
✅ Files skipped from review due to trivial changes (34)
  • dockers/agent/core/ngt/Dockerfile
  • dockers/gateway/lb/Dockerfile
  • rust/rust-toolchain
  • dockers/binfmt/Dockerfile
  • dockers/agent/core/agent/Dockerfile
  • dockers/buildbase/Dockerfile
  • dockers/tools/cli/loadtest/Dockerfile
  • dockers/example/client/Dockerfile
  • dockers/index/job/creation/Dockerfile
  • dockers/index/operator/Dockerfile
  • dockers/ci/base/Dockerfile
  • dockers/agent/sidecar/Dockerfile
  • dockers/tools/benchmark/operator/Dockerfile
  • rust/rust-toolchain.toml
  • dockers/gateway/filter/Dockerfile
  • dockers/agent/core/faiss/Dockerfile
  • dockers/index/job/deletion/Dockerfile
  • dockers/discoverer/k8s/Dockerfile
  • example/client/go.mod.default
  • .github/ISSUE_TEMPLATE/security_issue_report.md
  • hack/go.mod.default
  • Makefile
  • .github/ISSUE_TEMPLATE/bug_report.md
  • .github/PULL_REQUEST_TEMPLATE.md
  • versions/BUF_VERSION
  • dockers/buildkit/syft/scanner/Dockerfile
  • dockers/buildkit/Dockerfile
  • dockers/manager/index/Dockerfile
  • dockers/tools/benchmark/job/Dockerfile
  • dockers/gateway/mirror/Dockerfile
  • dockers/index/job/save/Dockerfile
  • dockers/index/job/readreplica/rotate/Dockerfile
  • dockers/index/job/correction/Dockerfile
  • dockers/operator/helm/Dockerfile
🔇 Additional comments (61)
charts/vald-helm-operator/crds/valdhelmoperatorrelease.yaml (4)

85-90: LGTM: Image configuration schema improvements

The explicit type definitions and enum values for pullPolicy follow Kubernetes best practices for CRD schemas.


212-214: LGTM: Service type constraints properly defined

The service type enum values correctly match the standard Kubernetes service types.


214-220: LGTM: ServiceAccount schema properly structured

The serviceAccount configuration follows standard Kubernetes patterns with proper type definitions.


222-225: LGTM: Tolerations schema properly defined

The tolerations schema correctly uses array of objects with preserved fields, following Kubernetes best practices.

Let's verify that the toleration fields match the standard Kubernetes toleration schema:

✅ Verification successful

Schema definition for tolerations is appropriate and flexible

The current schema definition is correct and follows Kubernetes best practices by:

  1. Defining tolerations as an array (type: array)
  2. Specifying items as objects (items.type: object)
  3. Using x-kubernetes-preserve-unknown-fields: true to allow all standard Kubernetes toleration fields without strict validation

This flexible approach ensures compatibility with all valid Kubernetes toleration configurations while maintaining structural validation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify toleration fields against Kubernetes schema
# Get Kubernetes toleration schema for comparison
kubectl explain pod.spec.tolerations --recursive | grep -A 10 "FIELDS:"

Length of output: 169


Script:

#!/bin/bash
# Let's check the actual schema definition in the CRD file
cat charts/vald-helm-operator/crds/valdhelmoperatorrelease.yaml | grep -A 20 "tolerations:"

Length of output: 362

.github/workflows/dockers-buildkit-syft-scanner-image.yaml (4)

31-32: LGTM: Version tag pattern supports pre-release versions

The addition of v*.*.*-* pattern allows for pre-release version tags (e.g., v1.7.0-beta), which is good for development workflows.


Line range hint 60-65: LGTM: Well-structured job configuration

The job configuration follows best practices by:

  • Using a reusable workflow template for consistency
  • Supporting multiple platforms (amd64, arm64)

35-36: Verify the impact of excluding test files

The exclusion of test and mock files from triggers is generally good for efficiency, but we should verify that no critical test-related changes would be missed.

Also applies to: 48-49

✅ Verification successful

Let me check the content of these test files to understand their relationship with the Docker build process.


After analyzing the test files, I can now generate the final response:

Excluding test files is safe in this workflow

The test files found are not critical to the Docker build process:

  • internal/config/server_test.go contains unit tests for server configuration
  • tests/performance/max_vector_dim_test.go contains performance tests for vector dimensions

These test files:

  • Don't contain any Docker build configurations
  • Don't affect the build process or image generation
  • Are purely for testing application functionality
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any test files that might affect the Docker build

# Look for test files that import or use Docker-related packages
rg -g "*_test.go" -l "docker" .

# Check for any Docker-related test utilities
rg -g "*_test.go" -l "buildkit|syft|scanner" .

Length of output: 156


Script:

#!/bin/bash
# Check the content of the identified test files
echo "=== Content of internal/config/server_test.go ==="
cat internal/config/server_test.go

echo -e "\n=== Content of tests/performance/max_vector_dim_test.go ==="
cat tests/performance/max_vector_dim_test.go

Length of output: 48834


17-17: Verify the workflow generator script

Since this is a generated file, we should verify that the generator script is working as expected.

✅ Verification successful

Generated workflow file is consistent with the codebase

The verification confirms that:

  • The workflow file is correctly generated by the script at hack/docker/gen/main.go
  • The generator script contains the necessary configuration for the buildkit-syft-scanner image
  • The same generation pattern is consistently applied across all Docker image workflows (25+ files)
  • All generated workflow files contain the same DO_NOT_EDIT header with the correct source reference
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the workflow generator script and its output

# Check if the generator script exists and contains workflow generation logic
rg -A 5 "buildkit-syft-scanner" hack/docker/gen/main.go

# Verify other generated workflow files for consistency
fd -e yaml -e yml . .github/workflows/ --exec grep -l "buildkit-syft-scanner"

Length of output: 455


Script:

#!/bin/bash
# Let's verify the generator script and its output more thoroughly

# Check if the generator script is being used in any workflow
rg -l "hack/docker/gen/main.go" .github/workflows/

# Check the generator script's workflow generation logic
rg -A 10 "func generate" hack/docker/gen/main.go

# Look for any other files that might be related to workflow generation
fd -e go . hack/docker/gen/ --exec grep -l "workflow"

# Check if there are any other generated workflow files with similar patterns
rg "DO_NOT_EDIT.*generated" .github/workflows/

Length of output: 5790

.github/workflows/dockers-readreplica-rotate-image.yaml (5)

33-34: LGTM: Efficient build triggers with test file exclusions

The exclusion of mock and test files (**/*_mock.go and **/*_test.go) prevents unnecessary builds, improving CI efficiency.


136-235: LGTM: Consistent path specifications

The path specifications are correctly duplicated for pull_request_target, maintaining security best practices while ensuring consistent behavior across different PR scenarios.


Line range hint 237-242: LGTM: Well-structured job configuration

The job configuration follows best practices:

  • Uses reusable workflow for consistency
  • Properly handles secrets inheritance

17-17: Verify the workflow generator location

The workflow generator has been moved from hack/actions/gen/main.go to hack/docker/gen/main.go. This change appears to better organize Docker-related tooling.

✅ Verification successful

Generator path change is consistent and properly implemented

The workflow generator has been successfully moved to hack/docker/gen/main.go and all Docker-related workflow files have been updated to reference the new location. The generator file exists and contains appropriate licensing headers. All 23 Docker workflow files consistently reference the new path in their headers and path triggers.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the existence and consistency of the workflow generator

# Check if the new generator exists
if [ -f "hack/docker/gen/main.go" ]; then
  echo "New generator exists at hack/docker/gen/main.go"
else
  echo "ERROR: New generator not found at hack/docker/gen/main.go"
  exit 1
fi

# Check if there are any remaining references to the old path
rg "hack/actions/gen/main.go" .github/workflows/

Length of output: 190


Script:

#!/bin/bash
# Let's verify the content of the generator file and check for any other workflow files referencing it

# Check the content of the generator file
echo "=== Content of hack/docker/gen/main.go ==="
head -n 20 hack/docker/gen/main.go

# Check all workflow files for the new path reference
echo -e "\n=== Checking workflow files for new path reference ==="
rg "hack/docker/gen/main.go" .github/workflows/

# List all workflow files to see the scope
echo -e "\n=== All workflow files ==="
fd "\.ya?ml$" .github/workflows/

Length of output: 12416


42-132: Consider reviewing component dependencies

The extensive list of internal package dependencies might indicate tight coupling. Consider:

  1. Evaluating if all these dependencies are necessary
  2. Identifying opportunities to reduce coupling through better abstraction
  3. Grouping common dependencies into shared modules
k8s/operator/helm/crds/valdhelmoperatorrelease.yaml (3)

85-90: LGTM: Image configuration schema is well-defined

The image property schema correctly defines the pullPolicy enum with all valid Kubernetes values and proper type definitions.


228-228: LGTM: Spec type is correctly defined

The spec type is properly defined as an object, which is essential for a valid CustomResourceDefinition.


212-214: Verify if ExternalName service type support is needed

The service configuration schema correctly defines the common service types (ClusterIP, LoadBalancer, NodePort). However, Kubernetes also supports the 'ExternalName' service type.

Let's check if there are any existing uses of ExternalName service type in the codebase:

.github/workflows/dockers-dev-container-image.yaml (2)

38-41: Verify the impact of new path monitoring

The addition of apis/proto/**, hack/** broadens the trigger scope significantly. Verify that these changes are intentional and necessary.

✅ Verification successful

Let me analyze the paths and generate additional verification scripts to understand the relationship between these files and the Docker development container.


Let me check one more thing to understand if the Docker generator script actually uses these paths.


Based on the analysis of the code and outputs, I can now provide a final response:

The path monitoring changes are intentional and necessary

The addition of apis/proto/** and hack/** to the dev container workflow triggers is correct because:

  1. The dev container's Dockerfile is generated by hack/docker/gen/main.go
  2. The dev container includes tools for protobuf development and requires access to the proto files
  3. The container includes development tools and scripts from the hack directory that are used during development
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for related files that might be affected
fd -t f . apis/proto hack | grep -v "_test.go" | grep -v "_mock.go"

Length of output: 3216


Script:

#!/bin/bash
# Check the Dockerfile to understand its dependencies on proto and hack directories
cat dockers/dev/Dockerfile | grep -E "apis/proto|hack"

# Check if there are any build or generation scripts in hack directory that might be used during development
fd -t f . hack | grep -E "gen|build|make"

# Check if there are any references to proto files in the development tools
rg -l "apis/proto" hack/

Length of output: 685


Script:

#!/bin/bash
# Check the content of the Docker generator script
cat hack/docker/gen/main.go

Length of output: 38642


42-52: ⚠️ Potential issue

Review security implications of pull_request_target usage

The workflow uses pull_request_target which runs with repository secrets against PR's modified files. This could pose security risks if not properly configured, especially with the expanded path monitoring.

Please ensure:

  1. No untrusted code execution occurs during the workflow
  2. Proper checks are in place before accessing sensitive resources
✅ Verification successful

Let me check the actual content of the workflow file to verify the security implications.


Let me also check the workflow that uses pull_request_target to verify its complete configuration.


Security measures for pull_request_target are properly implemented

The workflow configuration is secure because:

  1. The reusable workflow (_docker-image.yaml) has proper security checks in the if condition that only allows the workflow to run when:
    • PR is from a non-fork repository, or
    • PR is from a fork but has the 'ci/approved' label and uses pull_request_target
  2. No untrusted code is executed directly from the PR as:
    • All actions used are either official actions (checkout, docker/*) or local repository actions
    • The build process uses controlled Docker buildx configuration
    • Image scanning is only performed on tagged releases
  3. The workflow inherits secrets securely through the secrets: inherit directive
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the workflow doesn't execute untrusted code
rg -l "run:|uses:" .github/workflows/_docker-image.yaml

Length of output: 94


Script:

#!/bin/bash
# Check the content of the reusable workflow
cat .github/workflows/_docker-image.yaml

Length of output: 4523


Script:

#!/bin/bash
# Check the content of the workflow using pull_request_target
cat .github/workflows/dockers-dev-container-image.yaml

Length of output: 1758

.github/workflows/dockers-ci-container-image.yaml (1)

Line range hint 56-58: Verify platform constraints

The workflow explicitly limits builds to linux/amd64. Confirm this is intentional and doesn't conflict with the project's multi-architecture support strategy.

✅ Verification successful

Based on the search results, I can generate the final response as we have clear evidence about platform specifications across different workflows.

Platform specification is consistent with similar utility containers

The linux/amd64 platform constraint for the CI container aligns with other utility-focused containers in the project:

  • loadtest-image
  • release-branch-image

While some infrastructure containers (buildkit, buildbase) support multiple architectures, CI-focused containers are intentionally limited to linux/amd64. This is a common pattern as CI environments typically run on amd64 architecture.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check platform specifications across workflows
rg "platforms:" .github/workflows/dockers-*-image.yaml

Length of output: 2136

.github/workflows/dockers-binfmt-image.yaml (1)

35-36: Verify test file exclusions

The addition of !**/*_mock.go and !**/*_test.go exclusions is good for efficiency, but verify no critical test configurations are missed.

Also applies to: 48-49

✅ Verification successful

Let me check the content of these test configuration files to ensure they are not being used in the Docker build context.


Test file exclusions are safe to implement

The exclusions !**/*_mock.go and !**/*_test.go in the Docker build workflow are safe. The discovered test-related YAML files are:

  • Load test configurations used for performance testing
  • Chaos test charts for Kubernetes chaos engineering
  • None of these files are build-time dependencies or critical test configurations needed for the Docker image build process

These test configurations are used for runtime testing scenarios and are not required in the Docker build context.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any potentially important test configurations
fd -t f . -e yaml -e yml | grep -i "test" | grep -v "_test.go"

Length of output: 449


Script:

#!/bin/bash
# Check the content of the workflow file to understand the context
cat .github/workflows/dockers-binfmt-image.yaml

# Then check contents of some key test configuration files
echo "=== Sample Load Test Config ==="
cat cmd/tools/cli/loadtest/sample.yaml || true
echo -e "\n=== Chaos Test Chart ==="
cat tests/chaos/chart/Chart.yaml || true

Length of output: 4813

.github/workflows/dockers-buildkit-image.yaml (2)

35-36: LGTM: Optimized workflow triggers

Good optimization by excluding mock and test files from triggering the workflow in both PR and PR target events.

Also applies to: 48-49


17-17: Verify the workflow generator path and version tag patterns

The workflow is now generated from hack/docker/gen/main.go and includes additional version tag patterns. Let's verify the generator exists and the tag patterns are consistent across workflows.

Also applies to: 31-32

✅ Verification successful

Generator exists and tag patterns are consistent across workflows

The verification confirms:

  • The workflow generator file exists at hack/docker/gen/main.go
  • The version tag patterns are consistent across all Docker image workflows, following the pattern:
    • *.*.*
    • *.*.*-*
    • v*.*.*
    • v*.*.*-*
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify workflow generator exists and check tag patterns
if [ ! -f "hack/docker/gen/main.go" ]; then
  echo "Error: Generator file not found"
  exit 1
fi

# Check tag pattern consistency across workflow files
echo "Checking tag pattern consistency across workflows:"
rg -l "tags:" .github/workflows/dockers-*-image.yaml | xargs rg "tags:" -A 4

Length of output: 10162

.github/workflows/dockers-buildbase-image.yaml (1)

Line range hint 17-57: Verify workflow consistency with buildkit template

The changes mirror those in the buildkit workflow, which is expected as they're generated from the same source. Let's verify the consistency of the changes across all docker image workflows.

✅ Verification successful

Let me verify the specific paths in the buildbase workflow to ensure complete consistency.


Workflow structure and paths are consistent with the template

The buildbase workflow maintains perfect consistency with the buildkit template:

  • Both have identical trigger structure (schedule, push, pull_request, pull_request_target)
  • Path patterns are identical, with only the workflow-specific file name and Dockerfile path appropriately changed
  • All other monitored paths (mock exclusions, action.yaml, proto, go.mod, etc.) remain the same
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Compare structure of all docker image workflows
echo "Comparing workflow structures:"
for f in .github/workflows/dockers-*-image.yaml; do
  echo "=== $f ==="
  # Extract and compare key sections (on, paths, etc.)
  rg "^on:|^  schedule:|^  push:|^  pull_request:|^  pull_request_target:" "$f" -A 2
done

Length of output: 12736


Script:

#!/bin/bash
# Compare the full paths section between buildkit and buildbase workflows
echo "=== buildkit paths ==="
rg "^  pull_request:|^  pull_request_target:" .github/workflows/dockers-buildkit-image.yaml -A 10
echo -e "\n=== buildbase paths ==="
rg "^  pull_request:|^  pull_request_target:" .github/workflows/dockers-buildbase-image.yaml -A 10

Length of output: 1586

example/client/go.mod (1)

11-18: Verify security implications of dependency updates

Multiple core dependencies have been updated. Let's verify there are no known vulnerabilities in the new versions.

✅ Verification successful

Let me check the vulnerabilities for other updated dependencies as well.


Dependencies are updated to secure versions

After analyzing the vulnerabilities data for the updated dependencies:

  • golang.org/x/crypto v0.30.0 is well above all vulnerable versions, with the latest known vulnerability requiring v0.17.0
  • golang.org/x/net v0.32.0 is above all vulnerable versions, including the recent HTTP/2 issues that required v0.23.0
  • google.golang.org/grpc v1.68.1 is above all vulnerable versions, including the HTTP/2 Stream Cancellation (v1.58.3) and Rapid Reset (v1.58.3) fixes

The updated versions are secure and include patches for all known vulnerabilities.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for known vulnerabilities in updated dependencies
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "golang.org/x/crypto") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}
'

Length of output: 2849


Script:

#!/bin/bash
# Check for known vulnerabilities in other updated dependencies
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "golang.org/x/net") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}
'

gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "google.golang.org/grpc") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier}
    }
  }
}
'

Length of output: 4797

.github/workflows/dockers-example-client-image.yaml (3)

17-17: LGTM: Updated generator path reflects the refactored structure

The change from hack/actions/gen/main.go to hack/docker/gen/main.go aligns with the PR objective of refactoring the workflow generation logic.


38-39: LGTM: Added Makefile-related triggers

The addition of Makefile and Makefile.d/** as trigger paths is appropriate since these files might affect the Docker build process.

Also applies to: 54-55


29-30: Verify the impact of new tag patterns and exclusions

The changes include:

  1. New version tag patterns: v*.*.* and v*.*.*-*
  2. New exclusions for mock and test files

These changes appear to make the workflow more precise, but we should verify they don't break existing processes.

Also applies to: 33-34

✅ Verification successful

Version tag patterns and test file exclusions are safe to use

The verification confirms:

  • All existing tags follow the new pattern format (v*.*.* or v*.*.*-*)
  • No test functions exist outside of _test.go files in the example/client directory
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if any existing tags might be missed by the new patterns
git tag | grep -vE '^v[0-9]+\.[0-9]+\.[0-9]+(-.*)?$' || echo "All existing tags match new patterns"

# Verify that excluding test files won't miss important changes
rg -l "^func.*Test.*testing\.T" example/client/ | grep -v "_test.go" || echo "No test functions outside _test.go files"

Length of output: 297

.github/workflows/coverage.yaml (1)

57-57: Verify compatibility with Codecov Action v5

The upgrade from codecov/codecov-action@v4 to @v5 should be verified for breaking changes.

✅ Verification successful

Codecov Action v5 upgrade appears safe

The workflow configuration shows a standard coverage upload setup with no custom configuration that could be affected by breaking changes. The action is used with basic parameters (token and file), which are supported across versions. The coverage file format (.out) is standard for Go projects and remains compatible.

  • Only one workflow file (coverage.yaml) uses the codecov action
  • The workflow successfully uploads coverage to both Codecov and DeepSource
  • No custom codecov configuration file exists that might conflict with v5
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if there are any existing coverage reports that might be affected
find . -name "coverage.out" -o -name "cover.out" | while read -r file; do
  echo "Found coverage file: $file"
  head -n 1 "$file" || echo "Empty or unreadable file"
done

# Check the current codecov configuration
find . -name "codecov.yml" -o -name ".codecov.yml" | while read -r file; do
  echo "Found Codecov config: $file"
  cat "$file" || echo "Empty or unreadable file"
done

Length of output: 125


Script:

#!/bin/bash
# Let's check the workflow file to understand the coverage setup
cat .github/workflows/coverage.yaml

# Also check for any other workflow files that might be using codecov
fd -e yml -e yaml . .github/workflows --exec grep -l "codecov"

Length of output: 2242

.github/workflows/dockers-agent-image.yaml (1)

17-17: LGTM: Generator path change is consistent

The update to hack/docker/gen/main.go matches the changes in other workflow files, maintaining consistency across the codebase.

.github/workflows/dockers-helm-operator-image.yaml (3)

29-30: LGTM: Enhanced tag pattern coverage

Added v*.*.* and v*.*.*-* patterns while maintaining existing patterns, ensuring comprehensive version tag coverage.


17-17: Verify the new workflow generator path

The workflow generator has moved from hack/actions/gen/main.go to hack/docker/gen/main.go, which aligns with the PR objective of refactoring Docker workflow generation logic.

✅ Verification successful

Generator path change is valid and functional

The new generator at hack/docker/gen/main.go contains the complete helm-operator workflow generation logic, including:

  • Proper configuration for the helm-operator container build
  • Chart paths and values handling
  • Watch file generation
  • Required preprocessing steps
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the existence and content of the new generator
if [ -f "hack/docker/gen/main.go" ]; then
  echo "New generator exists"
  # Check if it contains workflow generation logic
  rg -l "helm-operator" hack/docker/gen/main.go
else
  echo "ERROR: New generator not found"
  exit 1
fi

Length of output: 157


Script:

#!/bin/bash
# Let's verify the workflow generation logic in detail
rg -A 5 "helm-operator" hack/docker/gen/main.go

Length of output: 1703


36-45: Verify path triggers are comprehensive

The workflow trigger paths have been updated to include Makefile and chart-related files while removing the old generator path. These changes appear in both pull_request and pull_request_target sections.

Also applies to: 52-61

✅ Verification successful

Path triggers are correctly configured and comprehensive

All specified paths in the workflow trigger configuration exist in the repository:

  • All directories (Makefile.d, charts/vald-helm-operator/templates, charts/vald/templates) are present
  • All individual files (Chart.yaml, values.yaml files, Dockerfile, and main.go) are verified to exist

The trigger paths are comprehensive and accurately reflect the files and directories that could affect the helm operator image build.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the existence of new trigger paths
for path in "Makefile" "charts/vald/Chart.yaml" "charts/vald/values.yaml" "dockers/operator/helm/Dockerfile"; do
  if [ ! -f "$path" ]; then
    echo "WARNING: Trigger path $path does not exist"
  fi
done

Length of output: 600


Script:

#!/bin/bash
# Let's verify all paths mentioned in the workflow trigger
# First, check if the directories exist
echo "=== Checking directories ==="
for dir in "Makefile.d" "charts/vald-helm-operator/templates" "charts/vald/templates"; do
  if [ -d "$dir" ]; then
    echo "Directory exists: $dir"
  else
    echo "Missing directory: $dir"
  fi
done

echo -e "\n=== Checking files ==="
# Then check individual files
for file in "charts/vald-helm-operator/Chart.yaml" "charts/vald-helm-operator/values.yaml" "charts/vald/Chart.yaml" "charts/vald/values.yaml" "dockers/operator/helm/Dockerfile" "hack/docker/gen/main.go"; do
  if [ -f "$file" ]; then
    echo "File exists: $file"
  else
    echo "Missing file: $file"
  fi
done

Length of output: 2827

.github/workflows/unit-test.yaml (1)

26-26: LGTM: Updated workflow path reference

The trigger paths have been updated to reference the renamed workflow file (unit-test.yaml instead of test.yaml), maintaining consistency across the workflow configuration.

Also applies to: 34-34

charts/vald/crds/valdmirrortarget.yaml (2)

99-100: LGTM: Enhanced schema clarity

Added explicit type: object declarations for spec and target fields, improving the CRD schema clarity and following Kubernetes best practices.


91-95: Verify the removal of host field constraint

The minLength: 1 constraint has been removed from the host field while port constraints are maintained. This could potentially allow empty host values.

Consider whether allowing empty host values aligns with the intended behavior of ValdMirrorTarget resources. If empty hosts should be invalid, the minLength: 1 constraint should be restored.

charts/vald-benchmark-operator/crds/valdbenchmarkscenario.yaml (2)

69-97: LGTM: Dataset schema constraints are well-defined

The dataset property schema has been properly structured with appropriate validation rules:

  • String fields have minLength constraints
  • Numeric fields have minimum value constraints
  • Required fields are explicitly listed

103-115: LGTM: Target schema constraints are appropriate

The target property schema is well-defined with:

  • Host validation (minLength: 1)
  • Port range validation (0-65535)
  • Required fields properly specified
.github/workflows/dockers-loadtest-image.yaml (1)

29-29: LGTM: Version tag patterns and test file exclusions are appropriate.

The added version tag patterns correctly handle semantic versioning with pre-release tags, and the exclusion of test and mock files is a good practice to prevent unnecessary builds.

Also applies to: 33-34

.github/workflows/dockers-index-save-image.yaml (2)

Line range hint 241-245: LGTM: Job configuration is clean and reusable.

The job configuration correctly uses workflow reuse by referencing _docker-image.yaml and passing the appropriate target and secrets.


17-17: Verify the workflow generator script location.

The comment references a generator script at hack/docker/gen/main.go. Let's verify its existence and accessibility.

✅ Verification successful

Generator script exists and is accessible as referenced

The workflow generator script exists at the specified location hack/docker/gen/main.go and appears to be a properly licensed Go source file, confirming the accuracy of the comment in the workflow file.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the existence of the workflow generator script
if [ -f "hack/docker/gen/main.go" ]; then
    echo "Generator script exists"
    head -n 10 hack/docker/gen/main.go
else
    echo "Generator script not found at specified location"
fi

Length of output: 505

.github/workflows/dockers-index-deletion-image.yaml (1)

17-17: Verify the generator script relocation

The workflow generator script has been moved from hack/actions/gen/main.go to hack/docker/gen/main.go. This change should be consistent across all workflow files.

✅ Verification successful

Generator script path is correctly updated across all workflow files

All workflow files consistently reference the new generator script path hack/docker/gen/main.go, and the script exists at the specified location. The relocation appears to be complete and consistent.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the consistency of generator script references across workflow files
# and ensure the new path exists and is executable

# Check if the new generator exists
fd -t f "main.go" hack/docker/gen/

# Check for any remaining references to the old path
rg -l "hack/actions/gen/main.go" .github/workflows/

Length of output: 110


Script:

#!/bin/bash
# Let's verify all generator script references in workflow files
rg -l "generated by.*hack" .github/workflows/

# Then check the content of these files to see the exact references
rg "generated by.*hack.*main.go" .github/workflows/

Length of output: 5663

.github/workflows/dockers-index-creation-image.yaml (1)

Line range hint 1-239: LGTM - Changes consistent with index-deletion workflow

The modifications follow the same pattern as the index-deletion workflow, maintaining consistency across the codebase.

.github/workflows/dockers-index-correction-image.yaml (1)

17-17: Verify workflow generation consistency

These changes are part of a broader refactoring of the Docker and GitHub Actions workflow generation logic. Ensure that:

  1. All workflows are regenerated using the new generator
  2. The generator produces consistent output across all components
✅ Verification successful

Workflow generation is consistent across all Docker image workflows

All Docker image workflow files are consistently generated using the same generator at hack/docker/gen/main.go. The files:

  • Share identical copyright headers
  • Have consistent "DO_NOT_EDIT" notices pointing to the same generator
  • Follow the same generation pattern across all 26 Docker workflow files
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify workflow consistency across all components

# Check for workflows not generated by the new generator
rg -l "DO_NOT_EDIT.*hack/actions/gen/main.go" .github/workflows/

# Verify all workflow files follow the same structure
fd -e yaml . .github/workflows/dockers- -x diff -U0 .github/workflows/dockers-index-deletion-image.yaml {}

Length of output: 291


Script:

#!/bin/bash
# Check for all workflow files and their generator sources
echo "=== Checking workflow files ==="
fd -e yaml . .github/workflows/

echo -e "\n=== Checking generator references ==="
rg -l "DO_NOT_EDIT.*gen/main.go" .github/workflows/

echo -e "\n=== Checking file content patterns ==="
for f in $(fd -e yaml . .github/workflows/dockers-); do
    echo "=== $f ==="
    head -n 1 "$f"
done

Length of output: 4584


Script:

#!/bin/bash
# Check content of specific docker workflow files
echo "=== Checking docker workflow headers ==="
for file in .github/workflows/dockers-*-image.yaml; do
    echo "=== $file ==="
    head -n 3 "$file"
    echo
done

echo "=== Checking generator paths ==="
rg "DO_NOT_EDIT.*?(hack|github).*?gen/main.go" .github/workflows/dockers-*-image.yaml

Length of output: 14375

.github/workflows/dockers-gateway-lb-image.yaml (1)

29-29: Verify tag pattern changes impact on release workflow

The addition of v*.*.*-* pattern enables pre-release versions. Ensure this aligns with the project's versioning strategy and doesn't trigger unintended builds.

✅ Verification successful

Let me gather more information about the versioning strategy by checking the repository's documentation and other workflow files.


Based on the gathered information, I can now provide a final response:

Pre-release tag pattern aligns with project's versioning strategy

The addition of v*.*.* pattern in the gateway-lb workflow is consistent with the project's semantic versioning strategy. The documentation confirms that:

  1. The project follows semantic versioning
  2. The standard tag formats are vX.X.X for released versions
  3. No pre-release tags are currently in use, which is expected as the pattern change is proactive
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check existing tags to understand impact
git tag | grep -E "v[0-9]+\.[0-9]+\.[0-9]+-.*" || echo "No pre-release tags found"

Length of output: 109


Script:

#!/bin/bash
# Check README and other docs for versioning strategy
fd -e md | xargs rg -i "version|tag" -A 2

# Check other workflow files for tag patterns
fd workflow -e yaml -e yml | xargs rg "tags:|v\*\.\*\.\*"

Length of output: 67735

.github/workflows/dockers-gateway-filter-image.yaml (1)

17-17: Standardize workflow generation comment

The generator script path has been updated consistently across all workflow files. This improves maintainability and clarity.

.github/workflows/dockers-benchmark-operator-image.yaml (1)

144-251: Consider security implications of pull_request_target trigger

The pull_request_target event runs workflows with repository secrets against PR code. This could pose security risks if the workflow modifies its behavior based on PR content.

Consider these security measures:

  1. Ensure the workflow doesn't check out or execute PR code
  2. Add explicit conditions to prevent running on forks
  3. Consider using pull_request instead if repository secrets aren't needed
✅ Verification successful

Security concerns with pull_request_target are properly mitigated

The workflow implementation is secure because:

  1. It has explicit fork protection: only runs on non-fork PRs or fork PRs with 'ci/approved' label
  2. Uses explicit SHA checkout instead of PR ref
  3. The reusable workflow inherits secrets but has proper conditional checks before using them
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the workflow uses any dangerous patterns with pull_request_target
rg -l 'checkout.*ref.*pull' .github/workflows/

Length of output: 48


Script:

#!/bin/bash
# Let's check the actual checkout action usage in the workflow
rg -A 5 'uses:.*actions/checkout' .github/workflows/dockers-benchmark-operator-image.yaml

# Also check for any other potentially risky actions in pull_request_target section
rg -B 2 -A 10 'pull_request_target:' .github/workflows/dockers-benchmark-operator-image.yaml

Length of output: 604


Script:

#!/bin/bash
# Let's check the entire workflow file content to understand the complete context
cat .github/workflows/dockers-benchmark-operator-image.yaml

Length of output: 9485


Script:

#!/bin/bash
# Let's check the reusable workflow to see how it handles the checkout
cat .github/workflows/_docker-image.yaml

Length of output: 4523

.github/workflows/dockers-gateway-mirror-image.yaml (1)

107-120: Well-structured observability configuration

The workflow correctly includes all necessary observability-related paths, properly organized by component (metrics, tracing, etc.).

The comprehensive coverage ensures that changes to any observability component will trigger the workflow appropriately.

Also applies to: 221-234

.github/workflows/dockers-manager-index-image.yaml (2)

28-30: Verify tag pattern changes for version control.

The addition of v*.*.*-* pattern allows for pre-release versions. Ensure this aligns with your versioning strategy.

✅ Verification successful

Let me gather more information about the versioning strategy by checking the repository's tags and related documentation.


Let me check the version.go file and README.md for versioning information.


Based on the gathered information, I can now provide the final response:

Tag patterns are correctly aligned with the project's versioning strategy

The tag patterns in the workflow file follow the project's versioning scheme which supports both release versions (v*.*.*) and pre-release versions (v*.*.*-*). This is consistent with:

  • The semantic versioning implementation in internal/version/version.go
  • The documented versioning format in README.md (vX.X.X for released versions)
  • The standard pre-release version format commonly used with semantic versioning
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check existing tags to ensure they match the new pattern
git tag | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+-.*$" || echo "No pre-release tags found"

Length of output: 111


Script:

#!/bin/bash
# Check all existing tags to understand current versioning pattern
git tag

# Check if there's any documentation about versioning
fd README.md
fd VERSIONING.md
fd VERSION

# Look for semantic version related configurations
fd "package.json|version.go|VERSION"

Length of output: 2768


Script:

#!/bin/bash
# Check version.go for versioning strategy
cat internal/version/version.go

# Check main README for version information
cat README.md | grep -A 10 -i "version\|release"

# Check the workflow file itself for more context
cat .github/workflows/dockers-manager-index-image.yaml

Length of output: 13273


33-34: Consider security implications of mock and test file exclusions.

The exclusion of mock and test files is good for efficiency, but verify that no critical test configurations are missed.

✅ Verification successful

Mock and test file exclusions are safe in this context

The exclusion of mock and test files from the Docker build is appropriate and secure because:

  1. The test file (main_test.go) contains only a commented-out test template without any sensitive configurations
  2. The Docker build process correctly includes only the necessary production code and configuration
  3. The sample configuration is explicitly copied from a known location (cmd/manager/index/sample.yaml)
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for critical configurations in test files
rg -g "**/*_test.go" -g "**/*_mock.go" "(?i)(config|secret|credential)" cmd/manager/index/

Length of output: 92


Script:

#!/bin/bash
# Let's first check if there are any test or mock files in the directory
fd "_test.go|_mock.go" cmd/manager/index/

# Let's also check the workflow file to understand the context better
cat .github/workflows/dockers-manager-index-image.yaml

# Let's see what kind of files are being included in this Docker build
rg -A 5 -B 5 "!\\*\\*/\\*_mock.go" .github/workflows/dockers-manager-index-image.yaml

Length of output: 10414


Script:

#!/bin/bash
# Let's check the content of the test file to verify if it contains any sensitive configurations
cat cmd/manager/index/main_test.go

# Let's also check the Dockerfile to understand what's being included in the image
cat dockers/manager/index/Dockerfile

Length of output: 5820

.github/workflows/dockers-agent-ngt-image.yaml (1)

146-147: Verify version compatibility between Go and NGT.

The workflow depends on both GO_VERSION and NGT_VERSION. Ensure version compatibility is maintained.

Also applies to: 265-266

.github/workflows/dockers-agent-sidecar-image.yaml (1)

33-34: Good practice: Excluding test and mock files.

The exclusion of mock and test files using !**/*_mock.go and !**/*_test.go is a good practice to avoid unnecessary builds.

charts/vald-benchmark-operator/crds/valdbenchmarkoperatorrelease.yaml (1)

74-74: Excellent improvement in CRD schema validation.

The addition of explicit type definitions and enums enhances the schema validation and provides better documentation of the expected data types. This change follows Kubernetes best practices for CRD definitions.

Key improvements:

  1. Explicit type: object for nested structures
  2. Proper array type definitions with items
  3. Enum definitions for constrained fields
  4. Consistent type definitions across similar properties

Also applies to: 88-88, 112-112, 129-129, 142-144, 153-153, 169-169, 178-178, 199-199, 211-212, 219-219, 240-240, 243-243, 247-247, 252-252, 255-255, 260-260, 266-266, 268-268, 272-272, 281-281, 290-290, 298-298, 302-303, 309-309, 315-315, 325-325, 332-332, 334-334, 340-340, 344-344, 347-347, 350-350, 354-354, 364-364, 378-378, 400-400, 409-409, 413-413, 430-430, 444-444, 467-467, 470-470, 474-474, 476-476, 485-485, 498-498, 508-508, 524-524, 538-538, 561-561, 564-564, 568-568, 570-570, 577-577, 590-590, 599-600, 602-602, 613-613, 637-638, 655-655, 666-666, 680-680, 705-705, 708-708, 712-712, 714-714, 723-723, 740-740, 754-754, 777-777, 780-780, 784-786, 788-788, 792-792, 796-796, 800-800, 804-804, 814-814, 822-823

charts/vald-benchmark-operator/crds/valdbenchmarkjob.yaml (1)

73-73: Consistent schema improvements across CRDs.

The changes maintain consistency with the operator release CRD, including:

  1. Explicit type definitions
  2. Well-defined constraints for numeric fields (min/max values)
  3. Proper enum definitions for constrained fields

This consistency across CRDs is crucial for maintainability and user experience.

Also applies to: 90-90, 107-107, 120-120, 142-144, 153-153, 169-169, 178-178, 199-199, 211-212, 219-219, 240-240, 243-243, 247-247, 252-252, 255-255, 260-260, 266-266, 268-268, 272-272, 281-281, 290-290, 298-298, 302-303, 309-309, 315-315, 325-325, 332-332, 334-334, 340-340, 344-344, 347-347, 350-350, 354-354, 364-364, 378-378, 400-400, 409-409, 413-413, 430-430, 444-444, 467-467, 470-470, 474-474, 476-476, 485-485, 498-498, 508-508, 524-524, 538-538, 561-561, 564-564, 568-568, 570-570, 577-577, 590-590, 599-600, 602-602, 613-613, 637-638, 655-655, 666-666, 680-680, 705-705, 708-708, 712-712, 714-714, 723-723, 740-740, 754-754, 777-777, 780-780, 784-786, 788-788, 792-792, 796-796, 800-800, 804-804, 814-814, 822-823

go.mod (3)

297-298: Review security-related package updates.

Critical security packages have been updated:

  • golang.org/x/crypto v0.30.0
  • golang.org/x/exp v0.0.0-20241210194714-1829a127f884

Ensure these versions address any known vulnerabilities.

Also applies to: 525-525

✅ Verification successful

The updated crypto package version v0.30.0 is secure and not affected by known vulnerabilities

Based on the GitHub Security Advisory data, the most recent vulnerability (Terrapin attack) affects versions < 0.17.0, and all other reported vulnerabilities affect much older versions. The updated version v0.30.0 is well above these vulnerable versions, making it secure against all known vulnerabilities.

Let me verify the exp package as well:


Both security package updates are verified as secure

The security verification shows:

  • golang.org/x/crypto v0.30.0 is well above the version that patches the latest known vulnerability (Terrapin attack, which requires v0.17.0+)
  • golang.org/x/exp has no known security vulnerabilities in the GitHub Security Advisory database
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for security advisories for crypto package
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "golang.org/x/crypto") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 1721


Script:

#!/bin/bash
# Check for security advisories for exp package
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "golang.org/x/exp") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 348


48-68: Verify AWS SDK version compatibility.

Multiple AWS SDK components have been updated to maintain version synchronization:

  • aws-sdk-go-v2 updated to v1.32.6
  • All related AWS packages updated to matching versions

Ensure all AWS SDK components are compatible with each other.

✅ Verification successful

Let me run another script to check for actual AWS SDK usage in the code to better understand the implementation details.


Let me try one more search with a different pattern to find AWS SDK imports in the codebase.


AWS SDK version updates are safe to proceed

The codebase is actually using aws-sdk-go v1 (not v2) in its implementation. The updates in go.mod for aws-sdk-go-v2 appear to be dependency requirements from other modules, but the codebase itself is not directly using these v2 packages. The version synchronization in the replace directives ensures consistent versions across all v2 components, which is a good practice for indirect dependencies.

  • The only AWS SDK usage found is in internal/db/storage/blob/s3/sdk/s3/ which uses the v1 SDK (github.com/aws/aws-sdk-go)
  • No direct usage of aws-sdk-go-v2 was found in the codebase
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for AWS SDK usage patterns that might be affected
rg -g '!go.mod' 'github.com/aws/aws-sdk-go-v2'

Length of output: 6730


Script:

#!/bin/bash
# Check for actual AWS SDK usage in code files
rg -g '*.go' -B 2 -A 2 'aws-sdk-go-v2' --no-filename

Length of output: 52


Script:

#!/bin/bash
# Search for AWS service imports
rg -g '*.go' '^import.*aws' -B 1 -A 3

Length of output: 729


3-3: Verify Go version compatibility with the project.

The Go version has been updated from 1.23.3 to 1.23.4. While this is a minor version update, ensure all CI/CD pipelines and build environments are updated accordingly.

✅ Verification successful

The previous search didn't yield results, so let's try a broader approach to:

  1. Check Go files for version-specific headers
  2. Look for Go version specifications in Dockerfiles
  3. Check GitHub workflows for Go-related configurations

This will help us understand the Go environment requirements across the project.


Let's try a more focused search to find:

  1. CI/CD configurations that specify Go versions
  2. Docker build configurations that might specify Go versions
  3. Go build constraints that might indicate version requirements

This will help us understand if there are any version-specific dependencies or requirements in the project.


The Go version update appears to be safe to proceed

The minor version update from 1.23.3 to 1.23.4 is a patch release that typically contains bug fixes and security updates. Our analysis found no version-specific code constraints or dependencies that would be affected by this change.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any Go version constraints in the codebase
rg -g '!go.mod' '(?i)go1\.(23|24)'

# Check for any version-specific Go features
ast-grep --pattern 'go:build go1.23'

Length of output: 75


Script:

#!/bin/bash
# Check for Go-related files and build configurations
fd -e go -x head -n 5 {}
fd -g '*dockerfile*' -i -x grep -i 'go' {}
find . -name ".github" -type d -exec find {} -type f -exec grep -l "go" {} \;

Length of output: 65753


Script:

#!/bin/bash
# Check GitHub workflows for Go version configurations
fd -t f -e yml -e yaml . .github/workflows -x grep -l "go-version"

# Check Dockerfiles for Go version specifications
fd -t f -g '*dockerfile*' -x grep -i "go version" {}

# Check for any build constraints or version-specific code
rg -g '*.go' '//\s*\+build' -A 1

Length of output: 158

charts/vald-benchmark-operator/values.yaml (1)

174-174: Enhancement: Added MetricInterceptor support.

The gRPC interceptor configuration has been enhanced to support metrics collection:

  • Client config: Added MetricInterceptor option
  • Server config: Added MetricInterceptor to the list of available interceptors

This change improves observability capabilities.

Also applies to: 410-410

charts/vald-benchmark-operator/schemas/job-values.schema.json (1)

137-140: Schema updated to support MetricInterceptor.

The JSON schema has been updated to include MetricInterceptor in the allowed interceptors enum, maintaining consistency with the values.yaml changes.

charts/vald-benchmark-operator/schemas/job-values.yaml (1)

270-270: LGTM: Schema update for gRPC client interceptors

The addition of "MetricInterceptor" to the allowed interceptors is a backward-compatible enhancement that enables metrics collection capability at the gRPC client level.

✅ Verification successful

Schema update for MetricInterceptor is properly integrated

The schema change is correctly implemented and the values.yaml file is properly configured with an empty array as default, allowing users to optionally enable either TraceInterceptor or MetricInterceptor as needed. The change is backward compatible and well-structured.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the schema usage in values files
# Test: Search for any values files using this schema
rg -l "client_config.dial_option.interceptors.*MetricInterceptor" charts/

Length of output: 173


Script:

#!/bin/bash
# Check the actual usage in values.yaml to ensure it's properly configured
rg -A 5 "client_config.dial_option.interceptors" charts/vald-benchmark-operator/values.yaml

Length of output: 568

charts/vald/values.yaml (1)

821-821: LGTM: Configuration update for gRPC client interceptors

The addition of "MetricInterceptor" to the allowed interceptors maintains consistency with the schema definition. The empty default array is a safe choice that requires explicit opt-in for metrics collection.

✅ Verification successful

The search results provide comprehensive evidence about the interceptor configuration across the codebase. The key findings show:

  1. The MetricInterceptor is properly defined in the schema and used in various configuration files
  2. The interceptors array is empty by default in values.yaml, which is the intended behavior
  3. The MetricInterceptor is listed as a valid option in the schema definition alongside TraceInterceptor
  4. The configuration is consistent with the observability patterns seen in dev-observability.yaml and other configuration files

LGTM: Schema update correctly defines MetricInterceptor as an optional interceptor

The addition of MetricInterceptor to the schema's enum list is properly implemented and follows the existing pattern for optional interceptors. The empty default array maintains backward compatibility while allowing users to explicitly enable metric collection when needed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the configuration usage in deployment files
# Test: Search for any deployment files using this configuration
rg -l "interceptors.*MetricInterceptor" deploy/

Length of output: 97


Script:

#!/bin/bash
# Let's first check if there are any deployment-related files in the repository
fd -t f "values.yaml|deployment.yaml"

# Then search for MetricInterceptor usage across all files
rg -l "MetricInterceptor"

# Check for any existing interceptor configurations
rg "interceptors.*:" -A 2

Length of output: 82362

CHANGELOG.md (1)

Line range hint 1-1: LGTM! The changelog follows a consistent format

The changelog follows a clear and consistent format with proper sections for Docker images, documents, and changes for each version.

internal/file/file.go Show resolved Hide resolved
internal/file/file.go Show resolved Hide resolved
example/client/go.mod Show resolved Hide resolved
example/client/go.mod Show resolved Hide resolved
.github/workflows/dockers-agent-image.yaml Show resolved Hide resolved
Comment on lines +40 to +44
- apis/grpc/v1/filter/egress/*.go
- apis/grpc/v1/filter/ingress/*.go
- apis/grpc/v1/payload/*.go
- apis/grpc/v1/rpc/errdetails/*.go
- apis/grpc/v1/vald/*.go
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Missing coverage for some filter-related paths in workflow

The workflow patterns need to be updated to include these uncovered paths:

  • apis/grpc/v1/vald/*.go - missing coverage for filter-related protobuf files
  • internal/config/*.go - missing coverage for filter configuration
  • internal/errors/*.go - missing coverage for filter errors
  • pkg/gateway/filter/handler/*.go - missing coverage for base handler directory
🔗 Analysis chain

Verify filter-related gRPC paths

The addition of filter-specific gRPC paths indicates proper component isolation. Ensure all filter-related paths are properly covered.

Also applies to: 153-157


Let me verify the paths in the workflow file more thoroughly to understand if there are any actual gaps in coverage.


Let me try a simpler approach to verify the coverage.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any missed filter-related files
fd -e go . | grep -i "filter" | grep -v -E "(_mock.go|_test.go)$" | sort > /tmp/filter_files
grep "filter" .github/workflows/dockers-gateway-filter-image.yaml | grep "\.go" | sort > /tmp/filter_paths
diff /tmp/filter_files /tmp/filter_paths || echo "Potential missing filter paths found"

Length of output: 2145


Script:

#!/bin/bash
# Check if the wildcard patterns in workflow cover all filter-related files
while IFS= read -r file; do
  covered=false
  while IFS= read -r pattern; do
    pattern=$(echo "$pattern" | sed 's/[[:space:]]*-[[:space:]]*//' | sed 's/\*/.*/')
    if [[ $file =~ $pattern ]]; then
      covered=true
      break
    fi
  done < <(grep "\.go" .github/workflows/dockers-gateway-filter-image.yaml | grep "filter")
  
  if [[ "$covered" == "false" ]]; then
    echo "Not covered: $file"
  fi
done < <(fd -e go . | grep -i "filter" | grep -v -E "(_mock.go|_test.go)$")

Length of output: 178


Script:

#!/bin/bash
# List all filter-related files and check their paths against workflow patterns
echo "=== Files in apis/grpc/v1/filter/ ==="
fd -e go . apis/grpc/v1/filter/ | grep -v -E "(_mock.go|_test.go)$"

echo -e "\n=== Files in apis/grpc/v1/vald/ with 'filter' ==="
fd -e go . apis/grpc/v1/vald/ | grep -i "filter" | grep -v -E "(_mock.go|_test.go)$"

echo -e "\n=== Workflow patterns ==="
grep "\.go" .github/workflows/dockers-gateway-filter-image.yaml | grep "filter" | sort | uniq

echo -e "\n=== Other filter-related files ==="
fd -e go . internal/ pkg/ cmd/ | grep -i "filter" | grep -v -E "(_mock.go|_test.go)$"

Length of output: 2026

Comment on lines +57 to +60
- internal/db/kvs/redis/*.go
- internal/db/nosql/cassandra/*.go
- internal/db/rdb/mysql/*.go
- internal/db/rdb/mysql/dbr/*.go
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Missing database implementations in workflow triggers

The workflow's path triggers are missing several database implementations found in the codebase:

  • internal/db/kvs/bbolt/*
  • internal/db/kvs/pogreb/*
  • internal/db/storage/blob/* (includes cloud storage and S3)

These paths should be added to ensure the workflow runs when any database-related code changes.

🔗 Analysis chain

Verify database-related dependencies

The workflow includes paths for multiple database implementations (Redis, Cassandra, MySQL). Ensure all necessary database-related files are included in the path triggers.

Also applies to: 171-174

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any missed database-related files
fd -e go -p "internal/db" | grep -v "_test.go" | grep -v "_mock.go"

Length of output: 1932

Comment on lines 147 to +259
- apis/proto/**
- cmd/manager/index/*.go
- dockers/manager/index/Dockerfile
- go.mod
- go.sum
- hack/docker/gen/main.go
- internal/backoff/*.go
- internal/cache/*.go
- internal/cache/cacher/*.go
- internal/cache/gache/*.go
- internal/circuitbreaker/*.go
- internal/client/v1/client/*.go
- internal/client/v1/client/agent/core/*.go
- internal/client/v1/client/discoverer/*.go
- internal/client/v1/client/vald/*.go
- internal/config/*.go
- internal/conv/*.go
- internal/db/kvs/redis/*.go
- internal/db/nosql/cassandra/*.go
- internal/db/rdb/mysql/*.go
- internal/db/rdb/mysql/dbr/*.go
- internal/encoding/json/*.go
- internal/errors/*.go
- internal/file/*.go
- internal/info/*.go
- internal/io/*.go
- internal/k8s/*.go
- internal/log/*.go
- internal/log/format/*.go
- internal/log/glg/*.go
- internal/log/level/*.go
- internal/log/logger/*.go
- internal/log/nop/*.go
- internal/log/retry/*.go
- internal/log/zap/*.go
- internal/net/*.go
- internal/net/control/*.go
- internal/net/grpc/*.go
- internal/net/grpc/admin/*.go
- internal/net/grpc/codes/*.go
- internal/net/grpc/credentials/*.go
- internal/net/grpc/errdetails/*.go
- internal/net/grpc/health/*.go
- internal/net/grpc/interceptor/client/metric/*.go
- internal/net/grpc/interceptor/client/trace/*.go
- internal/net/grpc/interceptor/server/logging/*.go
- internal/net/grpc/interceptor/server/metric/*.go
- internal/net/grpc/interceptor/server/recover/*.go
- internal/net/grpc/interceptor/server/trace/*.go
- internal/net/grpc/keepalive/*.go
- internal/net/grpc/logger/*.go
- internal/net/grpc/pool/*.go
- internal/net/grpc/proto/*.go
- internal/net/grpc/reflection/*.go
- internal/net/grpc/status/*.go
- internal/net/grpc/types/*.go
- internal/net/http/dump/*.go
- internal/net/http/json/*.go
- internal/net/http/metrics/*.go
- internal/net/http/middleware/*.go
- internal/net/http/rest/*.go
- internal/net/http/routing/*.go
- internal/net/quic/*.go
- internal/observability/*.go
- internal/observability/attribute/*.go
- internal/observability/exporter/*.go
- internal/observability/exporter/otlp/*.go
- internal/observability/metrics/*.go
- internal/observability/metrics/backoff/*.go
- internal/observability/metrics/circuitbreaker/*.go
- internal/observability/metrics/grpc/*.go
- internal/observability/metrics/manager/index/*.go
- internal/observability/metrics/mem/*.go
- internal/observability/metrics/runtime/cgo/*.go
- internal/observability/metrics/runtime/goroutine/*.go
- internal/observability/metrics/version/*.go
- internal/observability/trace/*.go
- internal/os/*.go
- internal/params/*.go
- internal/rand/*.go
- internal/runner/*.go
- internal/safety/*.go
- internal/servers/*.go
- internal/servers/server/*.go
- internal/servers/starter/*.go
- internal/strings/*.go
- internal/sync/*.go
- internal/sync/errgroup/*.go
- internal/sync/semaphore/*.go
- internal/sync/singleflight/*.go
- internal/timeutil/*.go
- internal/timeutil/location/*.go
- internal/tls/*.go
- internal/version/*.go
- pkg/manager/index/config/*.go
- pkg/manager/index/handler/grpc/*.go
- pkg/manager/index/handler/rest/*.go
- pkg/manager/index/router/*.go
- pkg/manager/index/service/*.go
- pkg/manager/index/usecase/*.go
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Review security implications of pull_request_target event.

The pull_request_target event runs with repository secrets. Ensure proper security measures are in place when accessing external PRs.

Consider adding these security measures:

  1. Add explicit checks for fork PRs
  2. Limit secret access to trusted contexts
  3. Add conditions before accessing sensitive resources

Example implementation:

pull_request_target:
  paths-ignore:
    - '**/*.md'
  # Add security checks
  if: github.event.pull_request.head.repo.full_name == github.repository

Comment on lines +40 to +160
- internal/db/nosql/cassandra/*.go
- internal/db/rdb/mysql/*.go
- internal/db/rdb/mysql/dbr/*.go
- internal/db/storage/blob/*.go
- internal/db/storage/blob/cloudstorage/*.go
- internal/db/storage/blob/cloudstorage/urlopener/*.go
- internal/db/storage/blob/s3/*.go
- internal/db/storage/blob/s3/reader/*.go
- internal/db/storage/blob/s3/reader/io/*.go
- internal/db/storage/blob/s3/sdk/s3/*.go
- internal/db/storage/blob/s3/sdk/s3/s3iface/*.go
- internal/db/storage/blob/s3/sdk/s3/s3manager/*.go
- internal/db/storage/blob/s3/session/*.go
- internal/db/storage/blob/s3/writer/*.go
- internal/encoding/json/*.go
- internal/errors/*.go
- internal/file/*.go
- internal/file/watch/*.go
- internal/info/*.go
- internal/io/*.go
- internal/k8s/*.go
- internal/log/*.go
- internal/log/format/*.go
- internal/log/glg/*.go
- internal/log/level/*.go
- internal/log/logger/*.go
- internal/log/nop/*.go
- internal/log/retry/*.go
- internal/log/zap/*.go
- internal/net/*.go
- internal/net/control/*.go
- internal/net/grpc/*.go
- internal/net/grpc/admin/*.go
- internal/net/grpc/codes/*.go
- internal/net/grpc/credentials/*.go
- internal/net/grpc/errdetails/*.go
- internal/net/grpc/health/*.go
- internal/net/grpc/interceptor/client/metric/*.go
- internal/net/grpc/interceptor/client/trace/*.go
- internal/net/grpc/interceptor/server/logging/*.go
- internal/net/grpc/interceptor/server/metric/*.go
- internal/net/grpc/interceptor/server/recover/*.go
- internal/net/grpc/interceptor/server/trace/*.go
- internal/net/grpc/keepalive/*.go
- internal/net/grpc/logger/*.go
- internal/net/grpc/pool/*.go
- internal/net/grpc/proto/*.go
- internal/net/grpc/reflection/*.go
- internal/net/grpc/status/*.go
- internal/net/grpc/types/*.go
- internal/net/http/client/*.go
- internal/net/http/dump/*.go
- internal/net/http/json/*.go
- internal/net/http/metrics/*.go
- internal/net/http/middleware/*.go
- internal/net/http/rest/*.go
- internal/net/http/routing/*.go
- internal/net/http/transport/*.go
- internal/net/quic/*.go
- internal/observability/*.go
- internal/observability/attribute/*.go
- internal/observability/exporter/*.go
- internal/observability/exporter/otlp/*.go
- internal/observability/metrics/*.go
- internal/observability/metrics/agent/sidecar/*.go
- internal/observability/metrics/grpc/*.go
- internal/observability/metrics/mem/*.go
- internal/observability/metrics/runtime/cgo/*.go
- internal/observability/metrics/runtime/goroutine/*.go
- internal/observability/metrics/version/*.go
- internal/observability/trace/*.go
- internal/os/*.go
- internal/params/*.go
- internal/rand/*.go
- internal/runner/*.go
- internal/safety/*.go
- internal/servers/*.go
- internal/servers/server/*.go
- internal/servers/starter/*.go
- internal/strings/*.go
- internal/sync/*.go
- internal/sync/errgroup/*.go
- internal/sync/semaphore/*.go
- internal/sync/singleflight/*.go
- internal/timeutil/*.go
- internal/timeutil/location/*.go
- internal/tls/*.go
- internal/unit/*.go
- internal/version/*.go
- pkg/agent/internal/metadata/*.go
- pkg/agent/sidecar/config/*.go
- pkg/agent/sidecar/handler/grpc/*.go
- pkg/agent/sidecar/handler/rest/*.go
- pkg/agent/sidecar/router/*.go
- pkg/agent/sidecar/service/observer/*.go
- pkg/agent/sidecar/service/restorer/*.go
- pkg/agent/sidecar/service/storage/*.go
- pkg/agent/sidecar/usecase/*.go
- pkg/agent/sidecar/usecase/initcontainer/*.go
- pkg/agent/sidecar/usecase/sidecar/*.go
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider refactoring to reduce path duplication.

The paths are duplicated between the pull_request and pull_request_target events. This duplication makes maintenance harder and increases the risk of inconsistencies.

Consider:

  1. Moving the paths to a reusable workflow file
  2. Using GitHub Actions composite actions
  3. Using YAML anchors and aliases

Example approach using a composite action:

# Create .github/actions/workflow-paths/action.yaml
+name: 'Workflow Paths'
+description: 'Provides common path patterns for workflows'
+outputs:
+  paths:
+    description: 'Common path patterns'
+    value: |
+      - "!**/*_mock.go"
+      - "!**/*_test.go"
+      - .github/actions/docker-build/action.yaml
+      # ... rest of the paths

# Update current workflow
-    paths:
-      - "!**/*_mock.go"
-      - "!**/*_test.go"
-      # ... duplicate paths
+    paths: ${{ fromJSON(steps.paths.outputs.paths) }}

Also applies to: 171-291

Comment on lines +29 to 30
- v*.*.*
- v*.*.*-*
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Version tag patterns need adjustment - redundant patterns detected

The repository consistently uses the v prefix for all releases (e.g., v1.7.15, v1.7.14). The current configuration includes redundant patterns without the v prefix (*.*.* and *.*.*-*) which are unnecessary and could potentially cause unintended triggers.

  • Remove the following redundant patterns from lines 26-27:
        - "*.*.*"
        - "*.*.*-*"
    Keep only:
        - v*.*.*
        - v*.*.*-*
🔗 Analysis chain

Version tag patterns look good but verify compatibility.

The version tag patterns v*.*.* and v*.*.*-* are correctly added to trigger the workflow for both regular releases and pre-releases.

Let's verify the tag patterns match existing tags:


Looking at the workflow file, I can see that there are actually four tag patterns in the tags section:

    tags:
      - "*.*.*"
      - "*.*.*-*"
      - v*.*.*
      - v*.*.*-*

This shows that the workflow is configured to handle both versioning schemes - with and without the 'v' prefix. Let's check the repository's release history to see which scheme is actually used:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify version tag patterns match existing tags
git tag | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z-]+)?$'

Length of output: 64


Script:

#!/bin/bash
# Let's check if there are any tags in the repository and their patterns
git tag

# Also check the workflow file to see the complete context
cat .github/workflows/dockers-agent-sidecar-image.yaml

Length of output: 11034


Script:

#!/bin/bash
# Check the latest releases to understand the versioning scheme
gh release list --limit 5

Length of output: 263

USER root:root
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [hadolint] <DL3002> reported by reviewdog 🐶
Last USER should not be root

@vdaas-ci
Copy link
Collaborator Author

[CHATOPS:HELP] ChatOps commands.

  • 🙆‍♀️ /approve - approve
  • 🍱 /format - format codes and add licenses
  • /gen-test - generate test codes
  • 🏷️ /label - add labels
  • 🔚 2️⃣ 🔚 /label actions/e2e-deploy - run E2E deploy & integration test

Copy link

codecov bot commented Dec 11, 2024

Codecov Report

Attention: Patch coverage is 0% with 284 lines in your changes missing coverage. Please review.

Please upload report for BASE (release/v1.7@b738904). Learn more about missing BASE report.

Files with missing lines Patch % Lines
hack/docker/gen/main.go 0.00% 275 Missing ⚠️
internal/file/file.go 0.00% 9 Missing ⚠️
Additional details and impacted files
@@               Coverage Diff               @@
##             release/v1.7    #2774   +/-   ##
===============================================
  Coverage                ?   23.93%           
===============================================
  Files                   ?      546           
  Lines                   ?    54544           
  Branches                ?        0           
===============================================
  Hits                    ?    13054           
  Misses                  ?    40704           
  Partials                ?      786           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@kpango kpango merged commit cfdb7c1 into release/v1.7 Dec 12, 2024
216 of 223 checks passed
@kpango kpango deleted the backport/release/v1.7/refactor/docker-actions/standardization-generation-logic branch December 12, 2024 01:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment