chore: bump OpenFGA to v1.10.4 & other direct dependencies

[rhamzeh]

Description

What problem is being solved?

This bumps OpenFGA to the newly released v1.10.4 and bumps the other direct dependencies

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

• Chores
  • Updated OpenFGA to v1.10.4 and refreshed dependencies including gRPC, telemetry, and other libraries for compatibility and maintenance.

[coderabbitai]

Walkthrough

Dependencies updated across go.mod, with OpenFGA bumped from v1.10.3 to v1.10.4 and related packages (protobuf API, language package, and indirect dependencies like gRPC, telemetry, and standard library packages) also updated to compatible versions. Changelog entry added to document the OpenFGA version bump.

Changes

Cohort / File(s)	Change Summary
Dependency Updates CHANGELOG.md, go.mod	OpenFGA upgraded from v1.10.3 to v1.10.4; related protobuf API and language packages updated; indirect dependencies (gRPC, telemetry, standard libraries) updated to compatible versions; changelog entry added for bundled OpenFGA update

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Verify compatibility between OpenFGA v1.10.4 and the updated indirect dependencies (grpc v1.76.0, telemetry packages)
• Confirm no breaking changes in OpenFGA v1.10.4 that would affect this CLI

Possibly related PRs

• release: v0.7.4 #563: Both PRs update bundled OpenFGA dependency version and corresponding changelog entries
• chore(deps): bump deps #557: Both PRs are dependency-bump changes to go.mod that update OpenFGA and related modules

Suggested reviewers

• evansims
• sergiught
• ewanharris

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: bumping OpenFGA to v1.10.4 and updating other dependencies, which matches the CHANGELOG and go.mod modifications.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/bump-openfga

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c803c9 and 406be71.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• CHANGELOG.md (1 hunks)
• go.mod (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Socket Security: Pull Request Alerts
• GitHub Check: Test Release Process
• GitHub Check: Tests
• GitHub Check: Analyze (go)

🔇 Additional comments (2)

CHANGELOG.md (1)

18-19: Changelog entry is well-formed.

The OpenFGA v1.10.4 bump is properly documented with a direct link to the release notes. The entry follows the existing changelog format and is correctly placed under the Unreleased → Changed section.

go.mod (1)

15-18: Verify whether OpenFGA PostgreSQL datastore is used; note that v1.10.4 contains a breaking change.

OpenFGA v1.10.4 includes a confirmed breaking change: migration from database/sql to pgxpool for PostgreSQL, which changes configuration environment variables (OPENFGA_DATASTORE_MIN_IDLE_CONNS, OPENFGA_DATASTORE_MIN_OPEN_CONNS) and Postgres metrics collection. This breaking change is critical only if your codebase uses OpenFGA with a PostgreSQL datastore.

Additionally, mango-pflag is pinned to v0.2.0 (line 57, indirect dependency) but does not appear in official package sources, suggesting this version may be non-standard or unreleased.

Note: The original review comment contains incorrect line number references; verify all cited locations before acting on other suggestions.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR updates multiple dependencies in the Go project, with the primary focus being the upgrade of the bundled OpenFGA to v1.10.4. The changes consist of updating both direct and indirect dependencies to their latest versions.

Key changes:

• Updates OpenFGA core dependency from v1.10.3 to v1.10.4
• Updates various direct dependencies (API proto, language package)
• Updates numerous indirect dependencies across gRPC, OpenTelemetry, golang.org/x, and other libraries
• Documents the OpenFGA version update in the CHANGELOG

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File	Description
go.mod	Updates direct dependencies (OpenFGA packages) and indirect dependencies (grpc-gateway, mango-pflag, locafero, auto/sdk, golang.org/x packages, google.golang.org packages)
go.sum	Adds checksums for new dependency versions and updates existing dependency checksums
CHANGELOG.md	Documents the OpenFGA v1.10.4 update in a new "Changed" section

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.