release: v2025.1.7

[rustatian]

Reason for This PR

• stable release cycle

Description of Changes

• CVE in Go: [🐛 BUG]: CVE-2025-61726 #2286
• Bump Go version to 1.26

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

PR Checklist

[Author TODO: Meet these criteria.]
[Reviewer TODO: Verify that these criteria are met. Request changes if not]

• All commits in this PR are signed (git commit -s).
• The reason for this PR is clearly provided (issue no. or explanation).
• The description of changes is clear and encompassing.
• Any required documentation changes (code and docs) are included in this PR.
• Any user-facing changes are mentioned in CHANGELOG.md.
• All added/changed functionality is tested.

Summary by CodeRabbit

• Chores
  • Standardized CI/CD workflow configurations and formatting for consistency.
  • Improved build process efficiency through consolidated build flags.
  • Enhanced security scanning with stricter severity thresholds.
  • Expanded package metadata for improved distribution compatibility across platforms.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request standardizes GitHub Actions workflow files across the repository. Changes include YAML array formatting normalization, consolidation of linker flags into single lines, removal of the GOEXPERIMENT=greenteagc environment variable, expansion of Debian package metadata, addition of archiver error handling, and enhancement of Trivy security scan options.

Changes

Cohort / File(s)	Summary
YAML Formatting Standardization ..github/workflows/codeql-analysis.yml	Normalized inline array spacing to remove extraneous spaces in on.push.branches, on.pull_request.branches, and matrix.language entries.
Build & Release Workflow Consolidation ..github/workflows/release.yml, release_dep.yml, release_dep_aarch64.yml, release_grpc.yml	Consolidated YAML arrays and linker flags (LDflags/LDFLAGS) into single lines; removed GOEXPERIMENT environment variable; expanded Debian package control file metadata (Version, Section, Priority, Architecture, Maintainer, Description); added explicit Go architecture bindings (GOARCH, CC) and default error handling for archive type validation; removed redundant packaging steps.
CI Pipeline Enhancement ..github/workflows/dependency-review.yml, tests.yml	Removed explicit permissions block in dependency-review workflow; extended Trivy scan step with format (table), severity filters (HIGH,CRITICAL), and exit-code enforcement (1).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• roadrunner-server/roadrunner#2240: Removes GOEXPERIMENT=greenteagc from release.yml workflows, directly overlapping with this PR's environment variable cleanup.
• roadrunner-server/roadrunner#2170: Modifies the same GitHub Actions workflow files with overlapping changes to LDflags formatting and GOEXPERIMENT handling across release workflows.
• roadrunner-server/roadrunner#2234: Affects the same release.yml workflow around the GOEXPERIMENT=greenteagc setting (adds where this PR removes).

Suggested labels

R-stable

Suggested reviewers

• wolfy-j

Poem

🐰 A rabbit hops through workflows with care,
Tidying arrays, consolidating with flair,
GOEXPERIMENT gone, flags now combined,
Debian metadata perfectly aligned,
GitHub Actions now bright and refined! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'release: v2025.1.7' is a version release identifier that aligns with the PR's purpose as a stable release, though it does not explicitly describe the technical changes (Go version bump, CVE fix, workflow formatting).
Description check	✅ Passed	The PR description follows the required template structure with all sections completed: Reason for PR, Description of Changes, License Acceptance, and PR Checklist with all items checked off.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch release/v2025.1.7

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/release_dep.yml (1)

63-69: ⚠️ Potential issue | 🟠 Major

The Package field in DEBIAN/control is malformed.

The Package field should contain only the package name (e.g., roadrunner), not the version, architecture, or .deb extension. Those are conveyed by the separate Version and Architecture fields. Including them in Package violates Debian packaging policy and can cause issues with package managers like apt.

🐛 Proposed fix

-          echo "Package: roadrunner-${{ steps.values.outputs.version }}-linux-amd64.deb" >> dist/ubuntu/roadrunner-${{ steps.values.outputs.version }}-linux-amd64/DEBIAN/control
+          echo "Package: roadrunner" >> dist/ubuntu/roadrunner-${{ steps.values.outputs.version }}-linux-amd64/DEBIAN/control

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release_dep.yml around lines 63 - 69, The DEBIAN/control
construction is writing a malformed Package field; change the echo that builds
the Package line (the command currently echoing "Package: roadrunner-${{
steps.values.outputs.version }}-linux-amd64.deb") to emit only the package name
(e.g., "Package: roadrunner") so Package contains just the name while leaving
the existing Version and Architecture echo lines intact; update the echo
invocation that references the package name to use the plain name "roadrunner"
instead of including version, architecture, or .deb extension.

.github/workflows/release_dep_aarch64.yml (1)

63-69: ⚠️ Potential issue | 🟠 Major

Same Package field issue as in release_dep.yml.

The Package field should be just roadrunner, not roadrunner-$VERSION-linux-arm64.deb.

🐛 Proposed fix

-          echo "Package: roadrunner-${{ steps.values.outputs.version }}-linux-arm64.deb" >> dist/ubuntu/roadrunner-${{ steps.values.outputs.version }}-linux-arm64/DEBIAN/control
+          echo "Package: roadrunner" >> dist/ubuntu/roadrunner-${{ steps.values.outputs.version }}-linux-arm64/DEBIAN/control

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release_dep_aarch64.yml around lines 63 - 69, The Debian
control file is incorrectly setting the Package field to "roadrunner-${{
steps.values.outputs.version }}-linux-arm64.deb"; update the echo that writes
the Package line (the command building dist/ubuntu/roadrunner-${{
steps.values.outputs.version }}-linux-arm64/DEBIAN/control) to use just
"roadrunner" as the Package value instead of the versioned filename so the
package metadata uses the canonical package name.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/release_dep_aarch64.yml:
- Around line 63-69: The Debian control file is incorrectly setting the Package
field to "roadrunner-${{ steps.values.outputs.version }}-linux-arm64.deb";
update the echo that writes the Package line (the command building
dist/ubuntu/roadrunner-${{ steps.values.outputs.version
}}-linux-arm64/DEBIAN/control) to use just "roadrunner" as the Package value
instead of the versioned filename so the package metadata uses the canonical
package name.

In @.github/workflows/release_dep.yml:
- Around line 63-69: The DEBIAN/control construction is writing a malformed
Package field; change the echo that builds the Package line (the command
currently echoing "Package: roadrunner-${{ steps.values.outputs.version
}}-linux-amd64.deb") to emit only the package name (e.g., "Package: roadrunner")
so Package contains just the name while leaving the existing Version and
Architecture echo lines intact; update the echo invocation that references the
package name to use the plain name "roadrunner" instead of including version,
architecture, or .deb extension.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.37%. Comparing base (a10a71f) to head (7648df0).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2290   +/-   ##
=======================================
  Coverage   35.37%   35.37%           
=======================================
  Files          18       18           
  Lines         851      851           
=======================================
  Hits          301      301           
  Misses        511      511           
  Partials       39       39           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR updates the repository’s GitHub Actions workflows for the v2025.1.7 release cycle, primarily by normalizing workflow YAML and adjusting build environment/settings in CI and release pipelines.

Changes:

• Normalize YAML formatting across CI/release workflows (spacing, inline lists, blank lines).
• Remove GOEXPERIMENT: greenteagc from build steps and collapse LDFLAGS definitions into single-line values.
• Minor workflow hygiene tweaks (e.g., needs list formatting, CodeQL branch list formatting).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
.github/workflows/tests.yml	CI formatting cleanup; build env changes (removes GOEXPERIMENT, compacts LDFLAGS).
.github/workflows/release.yml	Release workflow formatting cleanup; removes GOEXPERIMENT; introduces extra blank lines inside folded run: > blocks.
.github/workflows/release_grpc.yml	gRPC release workflow formatting cleanup; introduces extra blank lines inside folded run: > blocks.
.github/workflows/release_dep.yml	Debian release workflow formatting cleanup; removes GOEXPERIMENT; compacts LDFLAGS.
.github/workflows/release_dep_aarch64.yml	ARM64 Debian release workflow formatting cleanup; removes GOEXPERIMENT; compacts LDFLAGS.
.github/workflows/dependency-review.yml	Whitespace-only formatting cleanup.
.github/workflows/codeql-analysis.yml	Formatting cleanup for branch/language lists.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The build matrix job also uses go-version: stable, which can drift away from the Go version in go.mod (go 1.26) and make build artifacts non-reproducible. Prefer go-version-file: go.mod (or pin to 1.26.x).

[Copilot]

These added blank lines inside a run: > folded scalar make the generated shell script harder to read and can subtly change how the command is passed to the runner (blank lines are preserved as newlines). Consider removing the blank lines, or switch to run: | if you intend this to be a multi-line script.

[Copilot]

This workflow still uses go-version: stable, which can drift over time and stop matching the Go version declared in go.mod (currently go 1.26). To make CI reproducible and ensure the intended Go bump is actually exercised, switch to go-version-file: go.mod (or pin go-version to 1.26.x).

[Copilot]

This workflow uses go-version: stable, which may not match the Go version required by the main repo (go 1.26 in go.mod) and can change build output over time. Prefer go-version-file: go.mod (or a pinned 1.26.x) for reproducible releases.

Suggested change

	go-version: stable
	go-version-file: protoc_plugins/go.mod

[Copilot]

go-version: stable can drift from the project’s declared Go version (go.mod currently specifies go 1.26), which can make release artifacts non-reproducible. Prefer go-version-file: go.mod (or pin to 1.26.x).

Suggested change

	go-version: stable
	go-version-file: go.mod

[Copilot]

go-version: stable can drift from the project’s declared Go version (go.mod currently specifies go 1.26), which can make release artifacts non-reproducible. Prefer go-version-file: go.mod (or pin to 1.26.x).

Suggested change

	go-version: stable
	go-version-file: go.mod

[Copilot]

The newly introduced blank lines inside this run: > folded scalar reduce readability and can affect how the shell receives the script (blank lines are preserved as newlines). Consider removing the blank lines or using run: | for an explicit multi-line script.

[Copilot]

go-version: stable here can pick up a newer Go release than the one declared in go.mod (go 1.26), which makes release builds non-reproducible and may unintentionally change build behavior. Prefer go-version-file: go.mod (or pin to 1.26.x).

Suggested change

	go-version: stable
	go-version-file: go.mod

[Copilot]

Same concern as above: this setup-go step uses go-version: stable, which can diverge from the Go version declared in go.mod (go 1.26). Consider switching all setup-go usages in this workflow to go-version-file: go.mod for consistent CI behavior.