Skip to content

chore: bump gomplate to v3.24.84#319

Open
flankbot wants to merge 1 commit into
masterfrom
bump-gomplate-auto-pr
Open

chore: bump gomplate to v3.24.84#319
flankbot wants to merge 1 commit into
masterfrom
bump-gomplate-auto-pr

Conversation

@flankbot

@flankbot flankbot commented May 31, 2026

Copy link
Copy Markdown
Contributor

Automated changes by create-pull-request GitHub action

@flankbot flankbot added the dependencies Pull requests that update a dependency file label May 31, 2026
@flankbot flankbot enabled auto-merge (squash) May 31, 2026 12:22
@coderabbitai

coderabbitai Bot commented May 31, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@flankbot, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 46 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c2dcfbc7-98c8-4d97-ac22-ce7cd6f18ae7

📥 Commits

Reviewing files that changed from the base of the PR and between 8cbd173 and 93ec483.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Walkthrough

go.mod is updated to Go 1.26.0, bumps github.com/flanksource/gomplate/v3 and github.com/flanksource/is-healthy to newer patch versions, upgrades k8s.io/* indirect dependencies from v0.35.2 to v0.36.1, and advances google.golang.org/protobuf to a pseudo-version.

Changes

Dependency and Go version updates

Layer / File(s) Summary
Go directive and all dependency bumps
go.mod
Go directive changed from 1.25.1 to 1.26.0. github.com/flanksource/gomplate/v3 bumped to 3.24.83 and github.com/flanksource/is-healthy to 1.0.88. Six k8s.io/* indirect packages upgraded from v0.35.2 to v0.36.1 (including klog/v2 and kube-openapi). google.golang.org/protobuf advanced from v1.36.11 to pseudo-version v1.36.12-0.20260120151049-f2248ac996af.

Possibly related PRs

  • flanksource/commons#303: Also bumps github.com/flanksource/gomplate/v3 in go.mod, from v3.24.74 to v3.24.76.
  • flanksource/commons#307: Directly overlaps with a github.com/flanksource/gomplate/v3 version bump in go.mod.
  • flanksource/commons#315: Also updates github.com/flanksource/gomplate/v3 in go.mod, overlapping with this PR's gomplate bump.

Suggested labels

released

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title correctly identifies the gomplate dependency bump, which is the main change in this PR.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch bump-gomplate-auto-pr
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch bump-gomplate-auto-pr

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented May 31, 2026

Copy link
Copy Markdown

Gavel crashed before producing results

Exit code: 1
Error: gavel exited 1 before writing results

Last lines of gavel.log

go: downloading github.com/x448/float16 v0.8.4 # github.com/flanksource/commons/context # [github.com/flanksource/commons/context] context/context.go:328:42: non-constant format string in call to (...

Full gavel.log, JSON stub, and HTML stub are in the workflow artifact.

View full results

@flankbot flankbot force-pushed the bump-gomplate-auto-pr branch from 995a639 to 8cbd173 Compare June 23, 2026 14:02
@flankbot flankbot changed the title chore: bump gomplate to v3.24.82 chore: bump gomplate to v3.24.83 Jun 23, 2026
@socket-security

socket-security Bot commented Jun 23, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang k8s.io/client-go is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/flanksource/clicky@v1.21.1golang/k8s.io/client-go@v0.36.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/k8s.io/client-go@v0.36.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 191: In the go.mod file, locate the google.golang.org/protobuf dependency
which is currently pinned to the pseudo-version
v1.36.12-0.20260120151049-f2248ac996af. Replace this pseudo-version with the
stable release version v1.36.11, which is the latest officially released version
available. Pseudo-versions representing development snapshots should not be used
in production dependencies unless absolutely necessary for a specific unreleased
fix.
- Line 3: Update the Go directive to 1.26.0 and then verify the codebase is
compatible with that toolchain. Check build tags and any platform-specific code
paths for removed 32-bit windows/arm support, scan for dependencies on removed
tools like cmd/doc, and review any reverse proxy logic that may still rely on
ReverseProxy.Director or permissive URL parsing with colons in paths. Use the
relevant build-constraint files and any reverse proxy or URL parsing symbols in
the diff to locate and confirm the affected code, then run the test suite under
Go 1.26.0.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a18a2620-8fb6-487a-a153-d9897589759b

📥 Commits

Reviewing files that changed from the base of the PR and between 340276a and 8cbd173.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/flanksource/commons

go 1.25.1
go 1.26.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify Go version and check if there are any version-specific constraints in the codebase.

# Check if build/test constraints reference Go 1.25 or earlier versions
rg '//go:build.*go1\.' --type go | grep -E 'go1\.(2[0-4]|1[0-9])' || echo "No old Go version constraints found"

# Look for deprecated API usage or compat wrappers
rg 'deprecated|TODO.*Go 1\.26|FIXME.*version' --type go | head -20

Repository: flanksource/commons

Length of output: 1990


🌐 Web query:

Go 1.26.0 release version compatibility

💡 Result:

Go 1.26 maintains the Go 1 compatibility promise, meaning almost all existing Go programs will continue to compile and run unchanged [1]. As with all Go releases, this commitment ensures that source-level compatibility is preserved for the lifetime of the Go 1 specification [2]. Key aspects of Go 1.26 compatibility and version management include: Module Compatibility: When you run go mod init, Go 1.26 defaults to specifying a lower Go version (go 1.25.0) in new go.mod files to encourage the creation of modules compatible with currently supported Go releases [1][3]. Toolchain Enforcement: The go version specified in a go.mod file acts as a mandatory minimum requirement for the toolchain [4][5]. A Go 1.26 toolchain will refuse to build code that requires a newer version (e.g., go 1.27) [5]. Bootstrapping Requirements: Go 1.26 requires Go 1.24.6 or later for bootstrapping [1]. OS Compatibility: Go 1.26 is the final release to support macOS 12 (Monterey); subsequent releases (starting with Go 1.27) will require macOS 13 (Ventura) or later [1][3]. GODEBUG Settings: Go 1.26 continues the practice of using GODEBUG settings to manage behavioral changes [6]. If a program's go.mod file specifies an older Go version, the toolchain will default to the behavior associated with that older version for GODEBUG-controlled features [6]. As of June 23, 2026, the latest release in the 1.26 branch is Go 1.26.4, released on June 2, 2026 [7][8][3]. Minor releases such as 1.26.x are fully compatible with each other and primarily contain security and bug fixes [7].

Citations:


🌐 Web query:

Go 1.25.1 to 1.26 breaking changes upgrade

💡 Result:

Upgrading from Go 1.25.1 to Go 1.26 (latest version as of June 23, 2026, is Go 1.26.4) is generally straightforward due to the Go 1 compatibility promise [1][2][3]. Most existing programs will continue to compile and run without modification [1][4]. Key Changes and Potential Impact Areas While the release is mostly additive, developers should be aware of the following changes: Tooling and Commands - The go doc tool (cmd/doc) has been removed [1][5]. Developers should use go doc directly, which replaces the former command with identical behavior [1][4]. - The go fix command has been completely rewritten to use the Go analysis framework [2][5]. Historical, obsolete fixers have been replaced by a suite of modernizers designed to suggest idiomatic updates to your code [2][5]. Library and Behavioral Changes - URL Parsing: The url.Parse function now rejects malformed URLs containing colons in the path subcomponent, such as http://host/path:with:colon [1]. - HTTP Proxy: The ReverseProxy.Director configuration field is now deprecated in favor of ReverseProxy.Rewrite [1]. - Go Module Init: The go mod init command now defaults to a lower Go version in new go.mod files to encourage broader compatibility [1][6]. For a toolchain version 1.N.X, it defaults to go 1.(N-1).0 [1][5]. Platform Support - Bootstrap Requirement: Go 1.26 requires Go 1.24.6 or later for bootstrapping [5][6]. - macOS Support: Go 1.26 is the final release supporting macOS 12 Monterey; Go 1.27 will require macOS 13 Ventura or later [6]. - Port Removal: The 32-bit windows/arm port (GOOS=windows, GOARCH=arm), which was previously marked as broken, has been removed [6]. For a complete list of updates, including new packages (such as crypto/hpke) and performance improvements (such as the enabled-by-default Green Tea garbage collector), refer to the official Go 1.26 Release Notes [1][2].

Citations:


Update Go version to 1.26.0 and verify build constraints and platform-specific code.

Updating the Go directive from 1.25.1 to 1.26.0 is generally safe due to the Go 1 compatibility promise; however, verify that:

  • The codebase does not target the removed 32-bit windows/arm platform
  • Code does not rely on removed tools like cmd/doc
  • Any HTTP reverse proxy code does not depend on the deprecated ReverseProxy.Director field
  • URL parsing does not depend on accepting malformed URLs with colons in paths

Run tests with Go 1.26.0 to confirm all functionality works as expected. The coding guidelines' requirement for Go 1.23.0+ is satisfied.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, Update the Go directive to 1.26.0 and then verify the
codebase is compatible with that toolchain. Check build tags and any
platform-specific code paths for removed 32-bit windows/arm support, scan for
dependencies on removed tools like cmd/doc, and review any reverse proxy logic
that may still rely on ReverseProxy.Director or permissive URL parsing with
colons in paths. Use the relevant build-constraint files and any reverse proxy
or URL parsing symbols in the diff to locate and confirm the affected code, then
run the test suite under Go 1.26.0.

Comment thread go.mod
golang.org/x/text v0.34.0 // indirect
golang.org/x/tools v0.42.0 // indirect
google.golang.org/protobuf v1.36.11 // indirect
google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest released version of google.golang.org/protobuf?

💡 Result:

The latest released version of the google.golang.org/protobuf module is v1.36.11 [1][2][3]. This version was published on December 12, 2025 [1][3].

Citations:


🌐 Web query:

google.golang.org/protobuf v1.36.12 release status 2026

💡 Result:

As of June 23, 2026, there is no official release of google.golang.org/protobuf version v1.36.12 [1]. While various pseudo-versions (e.g., v1.36.12-0.20260120151049-f2248ac996af) exist in the Go module proxy ecosystem, these are development snapshots or commit-based tags rather than an official stable release [2][3][4]. The most recent official stable release listed in the project's repository is v1.36.11, published on December 12, 2025 [4][1]. The lack of an official v1.36.12 release has been noted by the community, with inquiries regarding its status appearing in official issue trackers as recently as April 2026 [5].

Citations:


Use the stable release v1.36.11 instead of the pseudo-version for google.golang.org/protobuf.

Line 191 pins google.golang.org/protobuf to v1.36.12-0.20260120151049-f2248ac996af, a pseudo-version representing an unreleased development snapshot. No official v1.36.12 release exists; the latest stable version is v1.36.11 (released December 12, 2025). Pseudo-versions should be avoided in production dependencies unless there is a specific fix required from the development code that is not available in a stable release. Replace with v1.36.11 or the actual release version needed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 191, In the go.mod file, locate the
google.golang.org/protobuf dependency which is currently pinned to the
pseudo-version v1.36.12-0.20260120151049-f2248ac996af. Replace this
pseudo-version with the stable release version v1.36.11, which is the latest
officially released version available. Pseudo-versions representing development
snapshots should not be used in production dependencies unless absolutely
necessary for a specific unreleased fix.

@flankbot flankbot force-pushed the bump-gomplate-auto-pr branch from 8cbd173 to 93ec483 Compare June 24, 2026 07:20
@flankbot flankbot changed the title chore: bump gomplate to v3.24.83 chore: bump gomplate to v3.24.84 Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants