release: v2025.1.9

[rustatian]

Reason for This PR

• Stable release cycle.

Description of Changes

🚀 v2025.1.9 🚀

Changelog

📦 grpc plugin

• ✨ Glob Patterns: Added support for ** (globstar/recursive) and brace expansion {pattern1,pattern2} in grpc.proto configuration paths FR (thanks @Nyholm)

🎯 Core

• 🐛 CVE Fixes (deps): Updated Go packages to resolve CVE-2026-27141 and CVE-2026-25882 CHORE (thanks @Orrison)
• 🐛 CVE Fixes (stdlib): Updated Go version to 1.26.1 to address CVE-2026-25679, CVE-2026-27142, CVE-2026-27137 in go/stdlib CHORE (thanks @Orrison)

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

PR Checklist

[Author TODO: Meet these criteria.]
[Reviewer TODO: Verify that these criteria are met. Request changes if not]

• All commits in this PR are signed (git commit -s).
• The reason for this PR is clearly provided (issue no. or explanation).
• The description of changes is clear and encompassing.
• Any required documentation changes (code and docs) are included in this PR.
• Any user-facing changes are mentioned in CHANGELOG.md.
• All added/changed functionality is tested.

Summary by CodeRabbit

Chores

• Updated Go toolchain to 1.26.1 and upgraded key dependencies including RoadRunner gRPC and AWS SDK libraries
• Optimized Docker build process with layer caching to improve build performance
• Enhanced container security by introducing non-root user execution and certificate-based SSL handling
• Added OCI-compliant metadata labels to the container image for improved integration

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the project's build infrastructure and dependencies. It extends Docker ignore rules, optimizes the Dockerfile with improved layer caching and adds a non-root user with OCI metadata labels, and bumps the Go toolchain to 1.26.1 alongside multiple dependency updates.

Changes

Cohort / File(s)	Summary
Docker Configuration .dockerignore	Added five new ignore rules: Makefile, CHANGELOG.md, LICENSE, .golangci\, and .rr-sample-\.yaml to reduce Docker build context.
Dockerfile Build Process Dockerfile	Introduced layer caching by splitting go.mod/go.sum copy and go mod download before source copy; combined build and verification steps; replaced openssl with ca-certificates in final stage; added non-root user (rr); added OCI-style metadata labels (title, description, url, source, vendor, version, created, licenses); added default CMD.
Go Dependencies go.mod	Bumped Go toolchain from 1.26 to 1.26.1; updated roadrunner grpc/v5 to v5.3.0; bumped AWS SDK v2 components to v1.41.3; updated golang.org/x/\* modules (crypto, mod, net, oauth2, sync, sys, text, time, tools); updated google.golang.org modules; updated goccy/go-json and other transitive dependencies.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• release: v2025.1.7 #2290: Directly related through Go toolchain version bump to 1.26.1.
• fix: bump go version #2289: Overlapping changes to go.mod with toolchain and dependency version updates.
• release: v2025.1.5 #2257: Related through similar golang.org/x/\* and AWS SDK dependency bumps across the same modules.

Suggested reviewers

• wolfy-j

Poem

🐰 Hop along with our Docker delight,
Cache layers now stack just right,
A user named rr keeps safety tight,
Go 1.26.1 shines so bright,
Dependencies dance in the moonlight! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'release: v2025.1.9' is directly related to the main change—a stable release with version bumps and dependency updates as shown in the summaries.
Description check	✅ Passed	The PR description includes all required template sections: Reason for PR, Description of Changes with detailed changelog, License Acceptance, and a completed PR Checklist with all items marked.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch release/v2025.1.9

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can customize the high-level summary generated by CodeRabbit.

Configure the reviews.high_level_summary_instructions setting to provide custom instructions for generating the high-level summary.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.37%. Comparing base (afc5f0b) to head (c013778).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2315   +/-   ##
=======================================
  Coverage   35.37%   35.37%           
=======================================
  Files          18       18           
  Lines         851      851           
=======================================
  Hits          301      301           
  Misses        511      511           
  Partials       39       39           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Release PR for v2025.1.9, primarily updating Go dependencies (incl. grpc plugin) and adjusting the Docker build to improve caching and runtime hardening.

Changes:

• Bumped github.com/roadrunner-server/grpc/v5 to v5.3.0 and refreshed multiple indirect deps for CVE remediation.
• Updated Go module metadata and sums (including adding doublestar for globstar/brace expansion support via deps).
• Refactored Dockerfile for better layer caching and to run as a non-root user; expanded .dockerignore.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File	Description
go.mod	Updates Go version directive and dependency versions (grpc plugin + CVE-related bumps).
go.sum	Updates module checksums to match dependency changes.
Dockerfile	Improves build caching, simplifies build steps, installs CA certs, and runs as non-root.
.dockerignore	Excludes additional repo files from Docker build context.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (1)

Dockerfile (1)

45-53: Add WORKDIR for defensive hardening, but note default config does not require it.

The final stage lacks an explicit WORKDIR directive (defaults to /), and USER rr cannot write there. However, the default .rr.yaml config routes logs to stderr and uses pipes for relay—no writable filesystem paths are required. The risk only materializes if users enable the static middleware (dir: ".") or configure custom file-based logging/sockets without first setting a writable working directory. Adding the suggested WORKDIR /app with proper ownership remains good practice for security and to prevent misconfiguration errors when users customize the config.

Suggested minimal hardening patch

 # Non-root user
 RUN addgroup -S rr && adduser -S -G rr rr
+RUN mkdir -p /app && chown rr:rr /app
+WORKDIR /app
 
 # copy required files from builder image
 COPY --from=builder /src/rr /usr/bin/rr
 COPY --from=builder /src/.rr.yaml /etc/rr.yaml
 
 USER rr

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 45 - 53, Add a writable working directory for the
non-root USER to prevent misconfigurations: create and set WORKDIR /app in the
final stage and ensure the directory is owned by the rr user (mkdir -p /app and
chown rr:rr /app) before switching to USER rr; reference the Dockerfile
directives USER rr, WORKDIR, COPY --from=builder /src/.rr.yaml and the .rr.yaml
config when making this change so the image remains secure and writable if users
enable file-based middleware or logging.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile`:
- Around line 45-53: Add a writable working directory for the non-root USER to
prevent misconfigurations: create and set WORKDIR /app in the final stage and
ensure the directory is owned by the rr user (mkdir -p /app and chown rr:rr
/app) before switching to USER rr; reference the Dockerfile directives USER rr,
WORKDIR, COPY --from=builder /src/.rr.yaml and the .rr.yaml config when making
this change so the image remains secure and writable if users enable file-based
middleware or logging.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8d1fd3a6-0411-4cbd-a7d6-e5741043af1d

📥 Commits

Reviewing files that changed from the base of the PR and between afc5f0b and c013778.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• .dockerignore
• Dockerfile
• go.mod