*: update third-party dependencies #4467
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs routine maintenance by updating the Go language version and several third-party Go module dependencies. These updates ensure the project benefits from the latest improvements, bug fixes, and security patches in its foundational tools and libraries, contributing to overall stability and maintainability.
📝 Walkthrough

Go toolchain version updated from 1.25.5 to 1.25.8 across documentation, Dockerfiles, and multiple go.mod files. Indirect dependency
Code Review
This pull request updates the Go version and several third-party dependencies across the repository. While the dependency updates in go.mod files seem appropriate, I've found critical issues in the documentation and Dockerfiles. The specified Go version 1.25.7 is not an official release, and the provided download links are invalid, which will break the build process for both developers trying to contribute and for CI/CD pipelines. These issues need to be addressed to ensure the project remains buildable.
README.md
Outdated
| Install GoLang 1.25.7 | ||
|
|
||
| ```bash | ||
| # Linux | ||
| wget https://go.dev/dl/go1.25.5.linux-amd64.tar.gz | ||
| sudo tar -C /usr/local -xzf go1.25.5.linux-amd64.tar.gz | ||
| wget https://go.dev/dl/go1.25.7.linux-amd64.tar.gz | ||
| sudo tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz | ||
|
|
||
| # MacOS | ||
| curl -O https://go.dev/dl/go1.25.5.darwin-amd64.tar.gz | ||
| sudo tar -C /usr/local -xzf go1.25.5.darwin-amd64.tar.gz | ||
| curl -O https://go.dev/dl/go1.25.7.darwin-amd64.tar.gz | ||
| sudo tar -C /usr/local -xzf go1.25.7.darwin-amd64.tar.gz |
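Review bot: both `sudo tar -C /usr/local -xzf ...` lines unpack on top of whatever Go tree is already in /usr/local/go, which for anyone upgrading from the previous version leaves files from two releases side by side. Put `sudo rm -rf /usr/local/go` ahead of each tar line, and add a SHA-256 check of the downloaded tarball against the digest listed on go.dev/dl before it is extracted as root.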
The Go versions 1.25.5 and 1.25.7 mentioned here do not exist as official Go releases, and the download URLs (e.g., https://go.dev/dl/go1.25.7.linux-amd64.tar.gz) will result in a 404 error. This will prevent users from being able to build the project from source by following these instructions.
If the intention is to use Go's toolchain management feature (available since Go 1.21), the instructions should be updated to guide users to install a recent, valid Go version and let the toolchain download the specific version mentioned in go.mod. Alternatively, if a specific Go version is required, it should be a valid and downloadable one.
| ENV GOLANG_VERSION 1.25.7 | ||
| ENV GOLANG_DOWNLOAD_URL https://dl.google.com/go/go$GOLANG_VERSION.linux-amd64.tar.gz | ||
| RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \ |
| ENV GOLANG_VERSION 1.25.7 | ||
| ENV GOLANG_DOWNLOAD_URL https://dl.google.com/go/go$GOLANG_VERSION.linux-amd64.tar.gz | ||
| RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \ |
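Review bot: `ENV GOLANG_VERSION 1.25.7` is a hand-maintained pin that lives apart from the `go` directive in the go.mod files, and the same three lines appear twice in this review, so the image toolchain and the module requirement can be bumped out of step. Consider feeding the version in from one place (for example a build argument derived from go.mod), and switch to the `ENV GOLANG_VERSION=1.25.7` form, since the space-separated `ENV key value` syntax is the legacy one.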
🧹 Nitpick comments (2)
README.md (1)
108-109: Clarify macOS architecture in install instructions. The macOS snippet is amd64-specific; consider adding ARM64 (Apple Silicon) or labeling this as Intel-only.
📝 Suggested docs diff
# MacOS curl -O https://go.dev/dl/go1.25.7.darwin-amd64.tar.gz sudo tar -C /usr/local -xzf go1.25.7.darwin-amd64.tar.gz + +# MacOS (Apple Silicon / ARM64) +curl -O https://go.dev/dl/go1.25.7.darwin-arm64.tar.gz +sudo tar -C /usr/local -xzf go1.25.7.darwin-arm64.tar.gz🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@README.md` around lines 108 - 109, Update the macOS install snippet to clarify CPU architecture by labeling the existing commands as "Intel (x86_64) macOS" and add the Apple Silicon alternative using the darwin-arm64 tarball (e.g., replace or add the filename go1.25.7.darwin-amd64.tar.gz with go1.25.7.darwin-arm64.tar.gz for ARM64), or explicitly state these commands are Intel-only; ensure the README shows both curl/tar examples and a short note telling users to choose the appropriate tarball for their Mac (darwin-amd64 vs darwin-arm64).
deployments/integration-test.Dockerfile (1)
32-36: Add checksum verification for the Go tarball download. The version bump is correct, but extracting an unverified archive weakens build integrity guarantees.
🔒 Suggested hardening diff
ENV GOLANG_VERSION 1.25.7 ENV GOLANG_DOWNLOAD_URL https://dl.google.com/go/go$GOLANG_VERSION.linux-amd64.tar.gz +ARG GOLANG_SHA256 RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \ + && echo "${GOLANG_SHA256} golang.tar.gz" | sha256sum -c - \ && tar -C /usr/local -xzf golang.tar.gz \ && rm golang.tar.gz🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@deployments/integration-test.Dockerfile` around lines 32 - 36, The Dockerfile currently downloads and extracts Go using GOLANG_VERSION and GOLANG_DOWNLOAD_URL without verifying the archive; update the RUN step that fetches "$GOLANG_DOWNLOAD_URL" to also fetch the corresponding checksum (derived from GOLANG_VERSION/GOLANG_DOWNLOAD_URL or a known checksum URL), verify golang.tar.gz against that checksum (e.g., using sha256sum -c or equivalent) and abort the build on mismatch before extracting; ensure the verification step is tied to the same variables (GOLANG_VERSION, GOLANG_DOWNLOAD_URL) so the build fails if the checksum check does not pass.
⛔ Files ignored due to path filters (2)
- go.sum is excluded by !**/*.sum
- tools/workload/go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)
- README.md
- deployments/integration-test.Dockerfile
- deployments/next-gen-local-integration-test.Dockerfile
- go.mod
- tests/integration_tests/debezium01/go.mod
- tools/check/go.mod
- tools/workload/go.mod
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 3AceShowHand, wlwilliamx
/retest
Actionable comments posted: 1
⛔ Files ignored due to path filters (1)
- tools/check/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)
- tools/check/go.mod
| module github.com/pingcap/tidb-cdc/_tools | ||
|
|
||
| go 1.25.5 | ||
| go 1.25.8 |
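Review bot: raising the `go` directive from 1.25.5 to 1.25.8 makes a patch release the minimum toolchain for this module, so any builder still on an earlier 1.25.x either downloads go1.25.8 on the fly or fails when toolchain switching is disabled. If the goal is only to build with the patched release, keep `go` at the lowest version the code needs and add a `toolchain go1.25.8` line; otherwise make sure the CI images move to 1.25.8 in the same change.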
🧩 Analysis chain
🌐 Web query:
Does Go version 1.25.8 exist and is it a stable release?
💡 Result:
Yes. Go 1.25.8 exists—it is listed in the official Go Release History as go1.25.8 (released 2026-03-05), a minor revision containing security and bug fixes. [1]
Because it is an official “go1.25.8” release (not rc/beta), it is considered a stable release in the Go project’s release line. [1] The Go toolchain download wrapper golang.org/dl/go1.25.8 was also published for it. [2]
Sources
[1] https://go.dev/doc/devel/release (entry for go1.25.8)
[2] https://pkg.go.dev/golang.org/dl/go1.25.8
Go 1.25.8 is a valid, stable release—explain version choice rationale.
Go 1.25.8 is confirmed as an official, stable release (released 2026-03-05) containing security and bug fixes. While it differs from the versions explicitly suggested in issue #4466 (v1.24.13, v1.25.7, or v1.26.0-rc.3), it uses the same minor version line (1.25.x) as v1.25.7 with added security improvements. Please explain the rationale for selecting v1.25.8 over v1.25.7.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@tools/check/go.mod` at line 3, Replace the unexplained version line in
tools/check/go.mod ("go 1.25.8") by adding a brief rationale in the PR
description or a short comment in the repo (e.g., CONTRIBUTING or a changelog
entry) that states why 1.25.8 was chosen over 1.25.7 — mention that it is an
official stable 1.25.x release containing explicit security and bug fixes
(released 2026-03-05) and that the project prefers the latest patched minor in
the 1.25 line for safety and compatibility; reference the go directive "go
1.25.8" and cite the security/bugfix release to make the decision traceable.
In response to a cherrypick label: new pull request created to branch
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
## Summary

This PR update image to mix Go patch toolchain artifacts (`go1.25.8` vs older `go tool`) that cause compile failures in PR jobs.

## Why

Some jobs are still running in environments/images that are not fully aligned to Go `1.25.8`, while repo-side changes already pull `1.25.8` artifacts. This can trigger errors like:

```text
compile: version "go1.25.8" does not match go tool version "go1.25.x"
```

## replay test

pingcap/ticdc#4467
- https://prow.tidb.net/view/gs/prow-tidb-logs/pr-logs/pull/pingcap_ticdc/4467/pull-unit-test/2034863608625631232
- https://prow.tidb.net/view/gs/prow-tidb-logs/pr-logs/pull/pingcap_ticdc/4467/pull-unit-test/2034863608625631232

pingcap/tiflow#12560
- https://prow.tidb.net/view/gs/prow-tidb-logs/pr-logs/pull/pingcap_tiflow/12560/pull-unit-test-cdc/2034866305454051328
- https://do.pingcap.net/jenkins/blue/organizations/jenkins/pingcap%2Ftiflow%2Fghpr_verify/detail/ghpr_verify/4500/pipeline/

Signed-off-by: lyb <yebin.li@pingcap.com>
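The mismatch described in the commit message above arises when an image and a go.mod pin different Go patch releases. As an added example (not code from this PR or from the project), the script below reads the `go` directive from go.mod files and the `GOLANG_VERSION` pin from Dockerfiles and lists every file that disagrees with the expected version; the function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not project code: report files whose pinned Go version
# differs from the expected one.

# Print the version named by the `go` directive of a go.mod file.
gomod_go_version() {
  awk '$1 == "go" && NF == 2 { print $2; exit }' "$1"
}

# Print the GOLANG_VERSION pin of a Dockerfile. Accepts the legacy
# `ENV GOLANG_VERSION 1.2.3` form and `ENV GOLANG_VERSION=1.2.3`.
dockerfile_go_version() {
  sed -nE 's/^[[:space:]]*(ENV|ARG)[[:space:]]+GOLANG_VERSION[[:space:]=]+"?([0-9][0-9A-Za-z.]*)"?.*/\2/p' "$1" | head -n 1
}

# check_drift EXPECTED FILE...
# Returns 0 when every file pins EXPECTED, 1 otherwise (one line per offender).
check_drift() {
  expected=$1; shift
  status=0
  for f in "$@"; do
    case "$f" in
      *go.mod) found=$(gomod_go_version "$f") ;;
      *)       found=$(dockerfile_go_version "$f") ;;
    esac
    if [ "$found" != "$expected" ]; then
      echo "DRIFT $f: pins '${found:-none}', expected '$expected'"
      status=1
    fi
  done
  return "$status"
}

# Constructed sample files: go.mod already on 1.25.8, image still on 1.25.7.
demo_dir=$(mktemp -d)
printf 'module example.com/demo\n\ngo 1.25.8\n' > "$demo_dir/go.mod"
printf 'FROM debian\nENV GOLANG_VERSION 1.25.7\n' > "$demo_dir/test.Dockerfile"
check_drift "$(gomod_go_version "$demo_dir/go.mod")" \
  "$demo_dir/go.mod" "$demo_dir/test.Dockerfile" || echo "toolchain pins disagree"
```

Run as a pre-merge step with the repository's real go.mod files and Dockerfiles as arguments, it fails the job before a mixed-version build reaches the compiler.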
What problem does this PR solve?
Issue Number: close #4466