Walkthrough: Introduces automated release management for the Go SDK using release-please.
Codecov Report
✅ All modified and coverable lines are covered by tests.
❌ Your project status has failed because the head coverage (33.85%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.
Additional details and impacted files:
@@ Coverage Diff @@
##             main     #291   +/-   ##
=======================================
  Coverage   33.85%   33.85%
=======================================
  Files         115      115
  Lines        9854     9854
=======================================
  Hits         3336     3336
  Misses       6248     6248
  Partials      270      270
☔ View full report in Codecov by Sentry.
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
One or more co-authors of this pull request were not found. You must specify co-authors via the commit message trailer.
Alternatively, if the co-author should not be included, remove the trailer. Please update your commit message(s).
Pull request overview
Adds repository-level release automation via release-please, including configuration, a release workflow, and supporting documentation so the Go SDK version/changelog can be managed through GitHub Actions.
Changes:
- Introduce a release-please GitHub Actions workflow (push + manual dispatch) for creating/merging release PRs and tagging releases.
- Add release-please config + manifest, and wire version updates into the SDK constants file.
- Document the release process and troubleshooting steps in RELEASE.md.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| RELEASE.md | New release process documentation and troubleshooting guide. |
| release-please-config.json | Release-please configuration (Go release type, changelog sections, extra-files). |
| internal/constants/constants.go | Adds release-please version marker to SdkVersion for automated bumps. |
| .release-please-manifest.json | Initializes the manifest with the current version. |
| .github/workflows/release-please.yml | Adds the release-please workflow wiring to a reusable workflow. |
| SdkVersion = "0.7.5" // x-release-please-version | ||
| // UserAgent is the user agent used in HTTP requests. | ||
| UserAgent = "openfga-sdk go/0.7.5" |
UserAgent hard-codes the version string separately from SdkVersion. Since release-please will update only the SdkVersion line (via the x-release-please-version marker), the user agent can drift and report the wrong SDK version. Consider deriving UserAgent from SdkVersion (or add a release-please version marker/update rule for the user agent string) so they stay in sync automatically.
Suggested change:
- UserAgent = "openfga-sdk go/0.7.5"
+ UserAgent = "openfga-sdk go/" + SdkVersion
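The drift the comment above describes is easy to reproduce mechanically: release-please rewrites only the line carrying the `x-release-please-version` marker, so a second literal on the `UserAgent` line is left behind. The Go program below is an added example, not code from the openfga/go-sdk repository or from the reviewers; it works on a constructed stand-in for `internal/constants/constants.go`, simulates the marked-line bump the updater performs, and acts as a pre-merge check that fails while `UserAgent` still embeds its own version literal. The regexes, function names and the sample file are all this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// sampleConstants is a constructed stand-in for internal/constants/constants.go
// as reviewed in the PR (example input, not the repository file).
const sampleConstants = `package constants

const (
	// SdkVersion is the version of the SDK.
	SdkVersion = "0.7.5" // x-release-please-version

	// UserAgent is the user agent used in HTTP requests.
	UserAgent = "openfga-sdk go/0.7.5"
)
`

var (
	// The only line release-please rewrites: it keys on the marker comment.
	sdkVersionRe = regexp.MustCompile(`SdkVersion\s*=\s*"([^"]+)"\s*//\s*x-release-please-version`)
	// A UserAgent that embeds its own version literal (the pattern under review).
	userAgentLiteralRe = regexp.MustCompile(`UserAgent\s*=\s*"openfga-sdk go/([^"]+)"`)
	// The reviewed suggestion: UserAgent derived from SdkVersion.
	userAgentDerivedRe = regexp.MustCompile(`UserAgent\s*=\s*"openfga-sdk go/"\s*\+\s*SdkVersion`)
)

// ReportedVersions returns the version on the marked SdkVersion line and the
// version literal embedded in UserAgent ("" when UserAgent is derived or absent).
func ReportedVersions(src string) (sdkVersion, userAgentVersion string) {
	if m := sdkVersionRe.FindStringSubmatch(src); m != nil {
		sdkVersion = m[1]
	}
	if m := userAgentLiteralRe.FindStringSubmatch(src); m != nil {
		userAgentVersion = m[1]
	}
	return
}

// CheckVersionDrift is the pre-merge check: it fails on a missing marker, on a
// UserAgent literal that differs from SdkVersion, and also on a literal that merely
// matches today, because only the marked line is rewritten at release time.
func CheckVersionDrift(src string) error {
	sdkVersion, uaVersion := ReportedVersions(src)
	switch {
	case sdkVersion == "":
		return fmt.Errorf("no SdkVersion line carrying the x-release-please-version marker")
	case userAgentDerivedRe.MatchString(src):
		return nil // single source of truth; nothing can drift
	case uaVersion == "":
		return fmt.Errorf("no UserAgent constant found")
	case uaVersion != sdkVersion:
		return fmt.Errorf("UserAgent reports %s but SdkVersion is %s", uaVersion, sdkVersion)
	default:
		return fmt.Errorf("UserAgent duplicates the %s literal; release-please updates only SdkVersion", sdkVersion)
	}
}

// SimulateReleaseBump mimics the release-please updater: rewrite the marked line,
// touch nothing else.
func SimulateReleaseBump(src, newVersion string) string {
	return sdkVersionRe.ReplaceAllLiteralString(src, `SdkVersion = "`+newVersion+`" // x-release-please-version`)
}

// DeriveUserAgent applies the reviewed fix, replacing the literal with
// "openfga-sdk go/" + SdkVersion.
func DeriveUserAgent(src string) string {
	return userAgentLiteralRe.ReplaceAllLiteralString(src, `UserAgent = "openfga-sdk go/" + SdkVersion`)
}

func main() {
	bumped := SimulateReleaseBump(sampleConstants, "0.8.0")
	sdk, ua := ReportedVersions(bumped)
	fmt.Printf("after bump: SdkVersion=%s, UserAgent version=%s, check: %v\n", sdk, ua, CheckVersionDrift(bumped))
	fixed := SimulateReleaseBump(DeriveUserAgent(sampleConstants), "0.8.0")
	fmt.Printf("with derived UserAgent, check: %v\n", CheckVersionDrift(fixed))
}
```

Running `CheckVersionDrift` over the constants file in CI (or as a `go test`) turns the reviewers' observation into a gate: the duplicated literal fails before a release, not after a client has already sent a stale `User-Agent`.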
| jobs: | ||
| release: | ||
| uses: openfga/sdk-generator/.github/workflows/release-please.yml@main |
This workflow references a reusable workflow with @main. To avoid unexpected breakages and reduce supply-chain risk, pin the reusable workflow reference to an immutable ref (tag or commit SHA), consistent with the rest of the repo’s workflows.
Suggested change:
- uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
+ uses: openfga/sdk-generator/.github/workflows/release-please.yml@3f2a1b4c5d6e7f8901234567890abcdef1234567
| bump-type: ${{ inputs.bump-type || 'auto' }} | ||
| release-version: ${{ inputs.release-version || '' }} |
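Review bot: `release-version: ${{ inputs.release-version || '' }}` forwards an empty string whenever no explicit version is supplied, which is the case on every push-triggered run; confirm that the called release-please.yml treats an empty `release-version` as "not set" and falls back to `bump-type`, rather than attempting to release version `""`, or omit the input on push so the reusable workflow's own default applies.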
This workflow runs on both push and workflow_dispatch, but inputs.* is only available for workflow_dispatch events. On push runs, these expressions can fail to evaluate. Use a context that exists for all events (e.g., github.event.inputs.*) with defaults, or gate the with: values based on github.event_name.
Suggested change:
- bump-type: ${{ inputs.bump-type || 'auto' }}
- release-version: ${{ inputs.release-version || '' }}
+ bump-type: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs['bump-type'] || 'auto' }}
+ release-version: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs['release-version'] || '' }}
| This project uses [release-please](https://github.com/googleapis/release-please) via a | ||
| `workflow_dispatch`-triggered GitHub Actions workflow. This document explains how to cut | ||
| a release and what to watch out for. |
The intro says the project uses a workflow_dispatch-triggered workflow, but .github/workflows/release-please.yml is also triggered on push to main. Consider rewording to reflect that releases are created on push (after merging the release PR) and that workflow_dispatch is used to initiate the release PR.
| fix: correct retry logic for transient errors → Fixed | ||
| docs: update API reference → Documentation | ||
| perf: cache DNS lookups → Changed | ||
| refactor: extract auth helper → (hidden) |
The changelog mapping examples mark refactor: commits as “(hidden)”, but release-please-config.json currently sets the refactor section to hidden: false (so they will show up). Align the documentation example and the release-please config so contributors don’t get surprised by what appears in the changelog.
Suggested change:
- refactor: extract auth helper → (hidden)
+ refactor: extract auth helper → Changed
Actionable comments posted: 3
🧹 Nitpick comments (1)
internal/constants/constants.go (1)
17-20: Avoid duplicated version literals between SdkVersion and UserAgent. With release automation now anchored on SdkVersion, UserAgent should be derived from it to prevent future version drift in headers.
♻️ Proposed fix
- UserAgent = "openfga-sdk go/0.7.5"
+ UserAgent = "openfga-sdk go/" + SdkVersion
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@internal/constants/constants.go` around lines 17 - 20, Replace the duplicated version literal by deriving UserAgent from SdkVersion: change the UserAgent constant to be constructed using the SdkVersion identifier (e.g., "openfga-sdk go/"+SdkVersion) so the header always reflects SdkVersion; update the comment if needed and ensure only SdkVersion holds the single source-of-truth version string.
| jobs: | ||
| release: | ||
| uses: openfga/sdk-generator/.github/workflows/release-please.yml@main |
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/release-please.yml | head -40
Repository: openfga/go-sdk
Length of output: 1381
🌐 Web query:
GitHub Actions reusable workflow security best practices pinning SHA vs main branch
💡 Result:
For GitHub Actions reusable workflows, the security best practice is to pin to a full-length commit SHA rather than using a branch like 'main'. This prevents supply chain attacks where a malicious actor with repository access could push malicious changes to the branch, causing all callers to execute compromised code. Pinning to SHA ensures immutability: the specific workflow version at that commit is used, and changes require generating a SHA-1 collision, which is computationally infeasible. Using branches or tags is riskier because they are mutable—branches receive new commits, and tags can be retargeted or deleted by repository owners. Official GitHub documentation explicitly states the same principles for reusable workflows as for actions: "The same principles described above for using third-party actions also apply to using third-party workflows" (where "above" includes "Pin actions to a full-length commit SHA"). It also notes: "If you use a commit SHA when referencing the reusable workflow, you can ensure that everyone who reuses that workflow will always be using the same YAML code. However, if you reference a reusable workflow by a tag or branch, be sure that you can trust that version of the workflow." Syntax examples: - SHA pin (recommended): uses: org/repo/.github/workflows/my-workflow.yml@abc123... - Branch (avoid for security): uses: org/repo/.github/workflows/my-workflow.yml@main Additional best practices: - Use Dependabot or Renovate to automate updates to new pinned SHAs. - For same-repo reusable workflows, ./.github/workflows/my-workflow.yml uses the same ref as the caller (safe for internal use). - Enforce SHA pinning via GitHub's "allowed actions and reusable workflows" policies at repo/org/enterprise level (new feature as of Aug 2025). - Audit reusable workflow source code and limit permissions. This aligns with GitHub's security hardening guide and recent policy updates supporting SHA enforcement for both actions and reusable workflows.
Citations:
- 1: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 2: https://docs.github.com/en/actions/reference/security/secure-use
- 3: https://docs.github.com/en/actions/concepts/workflows-and-actions/reusing-workflow-configurations
- 4: https://docs.github.com/en/actions/reference/reusable-workflows-reference
- 5: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- 6: https://docs.github.com/actions/reference/security/secure-use
- 7: https://wellarchitected.github.com/library/application-security/recommendations/actions-security/
Pin reusable workflow to a commit SHA instead of @main.
Using a mutable branch reference for release automation introduces supply-chain risk. GitHub's security hardening guide recommends pinning reusable workflows to a full-length commit SHA to prevent malicious changes. Pin to a specific SHA and rotate intentionally via automation (e.g., Dependabot).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/release-please.yml at line 34, Replace the mutable branch
ref in the reusable workflow usage "uses:
openfga/sdk-generator/.github/workflows/release-please.yml@main" with a full
commit SHA; locate the line that contains that exact uses string and update the
suffix after the "@" to a full-length commit SHA from the openfga/sdk-generator
repository (obtain via git log or the repo's commit UI), commit the change, and
optionally add a Dependabot or automation plan to rotate the pinned SHA
regularly.
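The pinning guidance above applies to every `uses:` line in a repository, not only the reusable workflow reference the PR introduces. The Go program below is an added example, not code from the openfga/go-sdk repository or from the reviewers: it scans a constructed workflow file modelled on the PR's `release-please.yml`, classifies each `uses:` reference as a full-length commit SHA, a mutable branch/tag ref, or a local `./` path (which runs at the caller's own commit), and lists the mutable ones. The sample workflow, the all-zero placeholder SHA, and the function names are this example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleWorkflow is a constructed caller workflow modelled on the PR's
// .github/workflows/release-please.yml plus a few step references; it is sample
// input, not the repository file. The all-zero SHA is a placeholder.
const sampleWorkflow = `name: release-please
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  release:
    uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
    with:
      bump-type: ${{ inputs.bump-type || 'auto' }}
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
      - uses: ./.github/actions/local-check
`

var (
	// Matches both step-level "- uses:" and job-level "uses:" (reusable workflows).
	usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*([^\s#]+)`)
	// A full-length, immutable commit SHA.
	fullShaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// UsesRef is one "uses:" reference found in a workflow file.
type UsesRef struct {
	Line   int    // 1-based line number in the workflow
	Target string // action or workflow path before the "@"
	Ref    string // part after the "@" ("" for local paths)
	Kind   string // "sha", "mutable" or "local"
}

// ClassifyRef decides whether a uses: value is immutable. Local "./" paths run at
// the caller's own commit, so they are neither pinned nor mutable.
func ClassifyRef(value string) (target, ref, kind string) {
	if strings.HasPrefix(value, "./") {
		return value, "", "local"
	}
	at := strings.LastIndex(value, "@")
	if at < 0 {
		return value, "", "mutable" // no ref at all resolves to the default branch
	}
	target, ref = value[:at], value[at+1:]
	if fullShaRe.MatchString(ref) {
		return target, ref, "sha"
	}
	return target, ref, "mutable" // branch or tag: can be moved by the upstream owner
}

// FindUnpinned returns every uses: reference that is not a full-length SHA or a
// local path, in file order.
func FindUnpinned(workflow string) []UsesRef {
	var out []UsesRef
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		target, ref, kind := ClassifyRef(m[1])
		if kind == "mutable" {
			out = append(out, UsesRef{Line: n, Target: target, Ref: ref, Kind: kind})
		}
	}
	return out
}

func main() {
	for _, u := range FindUnpinned(sampleWorkflow) {
		fmt.Printf("line %d: %s@%s is a mutable ref; pin to a 40-hex commit SHA\n", u.Line, u.Target, u.Ref)
	}
}
```

A SHA pin is only as good as the process that rotates it, so pair a check like this with Dependabot or Renovate updates for `github-actions`; the check catches regressions to `@main`, the updater keeps the pinned commit current.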
| ``` | ||
| 0.8.0-beta.1 → explicit: 0.8.0-beta.2 → explicit: 0.8.0 | ||
| ``` |
Add language identifiers to fenced code blocks.
Two fenced blocks are missing language tags, which triggers markdownlint (MD040).
📝 Proposed fix
-```
+```text
0.8.0-beta.1 → explicit: 0.8.0-beta.2 → explicit: 0.8.0...
- +text
feat: add support for batch check → Added
fix: correct retry logic for transient errors → Fixed
docs: update API reference → Documentation
perf: cache DNS lookups → Changed
refactor: extract auth helper → (hidden)
chore: bump dependencies → (hidden)
Also applies to: 75-82
🧰 Tools
🪛 markdownlint-cli2 (0.22.0)
[warning] 64-64: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@RELEASE.md` around lines 64 - 66, The two fenced code blocks in RELEASE.md
(the one containing "0.8.0-beta.1 → explicit: 0.8.0-beta.2 → explicit:
0.8.0" and the one listing changelog lines like "feat: add support for batch
check → Added", "fix: correct retry logic..." etc.) are missing language
identifiers; update both opening fences from ``` to ```text so they become
```text (e.g., change the version block and the changelog block opening fences
to ```text) to satisfy markdownlint MD040.
| refactor: extract auth helper → (hidden) | ||
| chore: bump dependencies → (hidden) |
Changelog example is out of sync with actual config for refactor.
This doc says refactor is hidden, but release-please-config.json (Line 15) sets "hidden": false. Please align one of them to avoid operator confusion.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@RELEASE.md` around lines 80 - 81, The RELEASE.md changelog shows the
"refactor" entry as hidden but release-please-config.json currently sets the
"refactor" release type's "hidden" flag to false; decide which should be
authoritative and make them consistent by either updating RELEASE.md to show
"refactor: extract auth helper" as visible (remove the "→ (hidden)" marker) or
updating the "refactor" object in release-please-config.json to "hidden": true
so it matches the doc; ensure you update the "refactor" identifier in whichever
file you change.
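Both the Copilot comment on the changelog mapping and the CodeRabbit comment above flag the same class of problem: the human-readable table in RELEASE.md and the `changelog-sections` in release-please-config.json can silently disagree. The Go program below is an added example, not code from the openfga/go-sdk repository or from the reviewers; it parses a constructed config excerpt and the mapping block quoted from RELEASE.md, normalises hidden sections on both sides to the same `(hidden)` token, and reports each commit type whose documented section differs from the configured one. The sample config (including its `changelog-sections` layout), the sample doc block and the function names are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// sampleConfig is a constructed release-please-config.json excerpt (sample, not
// the repository file) reproducing the mismatch the reviewers flagged: "refactor"
// is not hidden in the config.
const sampleConfig = `{
  "release-type": "go",
  "changelog-sections": [
    {"type": "feat", "section": "Added"},
    {"type": "fix", "section": "Fixed"},
    {"type": "docs", "section": "Documentation"},
    {"type": "perf", "section": "Changed"},
    {"type": "refactor", "section": "Changed", "hidden": false},
    {"type": "chore", "section": "Miscellaneous", "hidden": true}
  ]
}`

// sampleDoc is the mapping block quoted from RELEASE.md in the review.
const sampleDoc = `feat: add support for batch check → Added
fix: correct retry logic for transient errors → Fixed
docs: update API reference → Documentation
perf: cache DNS lookups → Changed
refactor: extract auth helper → (hidden)
chore: bump dependencies → (hidden)`

// hiddenToken is the vocabulary both sides are normalised to for hidden types.
const hiddenToken = "(hidden)"

type changelogSection struct {
	Type    string `json:"type"`
	Section string `json:"section"`
	Hidden  bool   `json:"hidden"`
}

// releaseConfig carries only the key this check needs; the real file has more.
type releaseConfig struct {
	Sections []changelogSection `json:"changelog-sections"`
}

// DocEntry is one documented mapping: commit type -> changelog section.
type DocEntry struct{ Type, Section string }

// One doc line: "<type>[(scope)][!]: subject → <Section or (hidden)>".
var docLineRe = regexp.MustCompile(`^([a-z]+)(?:\([^)]*\))?!?:.*→\s*(.+)$`)

// ParseDocMapping extracts the documented mappings in file order.
func ParseDocMapping(doc string) []DocEntry {
	var out []DocEntry
	for _, line := range strings.Split(doc, "\n") {
		if s := docLineRe.FindStringSubmatch(strings.TrimSpace(line)); s != nil {
			out = append(out, DocEntry{Type: s[1], Section: strings.TrimSpace(s[2])})
		}
	}
	return out
}

// ConfigMapping returns commit type -> section from the config, with hidden
// types mapped to hiddenToken so both sides use the same vocabulary.
func ConfigMapping(cfgJSON string) (map[string]string, error) {
	var cfg releaseConfig
	if err := json.Unmarshal([]byte(cfgJSON), &cfg); err != nil {
		return nil, err
	}
	m := map[string]string{}
	for _, s := range cfg.Sections {
		if s.Hidden {
			m[s.Type] = hiddenToken
		} else {
			m[s.Type] = s.Section
		}
	}
	return m, nil
}

// FindMismatches lists every documented type whose section disagrees with the
// config (or is missing from it), in doc order so CI output is stable.
func FindMismatches(cfgJSON, doc string) ([]string, error) {
	cfgMap, err := ConfigMapping(cfgJSON)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, e := range ParseDocMapping(doc) {
		got, ok := cfgMap[e.Type]
		switch {
		case !ok:
			out = append(out, fmt.Sprintf("%s: documented as %s but absent from changelog-sections", e.Type, e.Section))
		case got != e.Section:
			out = append(out, fmt.Sprintf("%s: RELEASE.md says %s, release-please-config.json says %s", e.Type, e.Section, got))
		}
	}
	return out, nil
}

func main() {
	mismatches, err := FindMismatches(sampleConfig, sampleDoc)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	for _, m := range mismatches {
		fmt.Println(m)
	}
}
```

Whichever side the maintainers decide is authoritative, a check of this shape in CI keeps the two from drifting apart again after the next edit to either file.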