chore: upgrade to llgo v0.11.6 and simplify CI setup #590

Closed
luoliwoshang wants to merge 5 commits into xgo-dev:main from luoliwoshang:upgrade-llgo-v0.11.6

@luoliwoshang
Contributor

Summary

This PR addresses issue #586 by upgrading to llgo v0.11.6 and significantly simplifying the CI configuration.

Changes Made

1. Upgraded llgo dependency

  • Updated go.mod from pseudo-version to official v0.11.6 release
  • Executed go mod tidy to update dependencies

2. Created llgo download script

  • Added .github/actions/setup-llcppg/download-llgo.sh
  • Automatically detects OS (macOS/Linux) and architecture (amd64/arm64)
  • Downloads and extracts llgo release from GitHub releases
  • Verifies installation after extraction

3. Simplified CI configuration

  • Removed LLVM installation - Now bundled with llgo release
  • Removed llgo repository checkout - Using release binaries instead
  • Updated action.yml to use download script
  • Updated workflow files to use version tags (v0.11.6) instead of commit hashes

4. Reduced CI dependencies

  • macOS: Removed llvm@19 and lld@19 installation
  • Linux: Removed LLVM repository setup and all LLVM packages
  • Kept only runtime dependencies: bdw-gc, openssl, libffi, libuv, zlib

Benefits

  • Faster CI builds - No need to compile llgo from source or install LLVM
  • More reliable - Using official releases instead of source builds
  • Simpler maintenance - No LLVM version management required
  • Reduced complexity - Cleaner action.yml and workflow files
  • Better reproducibility - Version-tagged releases are immutable

Files Changed

  • .github/actions/setup-llcppg/action.yml - Simplified setup action
  • .github/actions/setup-llcppg/download-llgo.sh - New download script (executable)
  • .github/workflows/go.yml - Updated to use v0.11.6
  • .github/workflows/end2end.yml - Updated to use v0.11.6
  • go.mod - Updated llgo dependency to v0.11.6
  • go.sum - Updated checksums

Testing Plan

  • Wait for CI to pass on all platforms (macOS, Linux, ARM)
  • Verify llgo installation works correctly
  • Verify all tests pass
  • Verify demo builds work

Related Issues

Closes #586

🤖 Generated with Claude Code

This commit addresses issue xgo-dev#586 by upgrading to llgo v0.11.6 and
significantly simplifying the CI configuration.

Changes:
- Update go.mod to use llgo v0.11.6 release instead of pseudo-version
- Create download-llgo.sh script to download llgo releases from GitHub
- Remove LLVM installation from CI (now bundled with llgo release)
- Remove llgo repository checkout from CI (use release binaries instead)
- Update workflow files to use version tags instead of commit hashes
- Simplify dependency installation by removing LLVM-related packages

Benefits:
- Faster CI builds (no need to compile llgo from source)
- More reliable builds (using official releases)
- Simpler maintenance (no LLVM version management)
- Reduced CI complexity

Closes xgo-dev#586

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

@gemini-code-assist
Contributor

Summary of Changes

Hello @luoliwoshang, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the efficiency, reliability, and maintainability of the project's Continuous Integration (CI) pipelines. By upgrading to the official llgo v0.11.6 release and implementing a new automated download mechanism for llgo binaries, the CI setup is greatly simplified. This change eliminates the need for separate LLVM installations and llgo source checkouts, leading to faster builds, reduced complexity, and improved reproducibility across different platforms.

Highlights

  • LLGo Dependency Upgrade: The llgo dependency has been updated in go.mod and go.sum from a pseudo-version to the official v0.11.6 release, ensuring more stable and predictable builds.
  • Simplified CI Configuration: The Continuous Integration (CI) setup has been significantly streamlined by removing the need for separate LLVM installations and by no longer checking out the llgo repository from source. This reduces build times and complexity.
  • Automated LLGo Release Download: A new shell script (.github/actions/setup-llcppg/download-llgo.sh) has been introduced to automatically detect the operating system and architecture, then download and extract the appropriate llgo release binary directly from GitHub.
  • Reduced CI Dependencies: CI workflows now install fewer system-level dependencies, specifically removing LLVM-related packages from macOS and Linux environments, as the llgo release binaries bundle necessary components.

Ignored Files

  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/end2end.yml
    • .github/workflows/go.yml

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request significantly improves the CI process by upgrading llgo and switching to pre-built binaries instead of building from source. This is an excellent change that will make CI faster and more reliable. The new download script is a great addition. My review includes several suggestions to make this script more robust and idiomatic by improving error handling, using standard shell practices, and streamlining the download process. I've also included a minor suggestion for the action.yml file to improve clarity.

Comment on lines +49 to +51
curl -L -o "/tmp/${FILENAME}" "$URL"
tar -xzf "/tmp/${FILENAME}" -C "$INSTALL_DIR" --strip-components=1
rm "/tmp/${FILENAME}"

high

The download and extraction process can be simplified and made more robust.

  1. Piping curl to tar avoids creating a temporary file on disk, which is more efficient.
  2. Using curl -fsSL provides better error handling: -f fails on HTTP server errors, -s silences progress output, -S shows errors even with -s, and -L follows redirects.

This approach is cleaner and more idiomatic for shell scripting.

Suggested change
curl -L -o "/tmp/${FILENAME}" "$URL"
tar -xzf "/tmp/${FILENAME}" -C "$INSTALL_DIR" --strip-components=1
rm "/tmp/${FILENAME}"
curl -fsSL "$URL" | tar -xz -C "$INSTALL_DIR" --strip-components=1
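
Review bot: the suggested `curl -fsSL "$URL" | tar -xz -C "$INSTALL_DIR" --strip-components=1` streams the download straight into tar, so no file is left on disk to hash before extraction, and unless `pipefail` is also set the pipeline's status is tar's, which can hide a curl failure. Keeping the download in a file, created with mktemp rather than the fixed `/tmp/${FILENAME}` name, leaves room to check a checksum before `tar -xzf` runs.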

Comment on lines 37 to 38
export LLGO_ROOT=$GITHUB_WORKSPACE/.llgo
echo "LLGO_ROOT=$LLGO_ROOT" >> $GITHUB_ENV

medium

The export command is not necessary here. A simple variable assignment is sufficient since $LLGO_ROOT is used in the next line within the same run step. Removing export makes the intent clearer that the variable is only used locally within this script block before being passed to the GitHub Actions environment.

      LLGO_ROOT=$GITHUB_WORKSPACE/.llgo
      echo "LLGO_ROOT=$LLGO_ROOT" >> $GITHUB_ENV

# Usage: ./download-llgo.sh <version> <install_dir>
# Example: ./download-llgo.sh v0.11.6 ./llgo

set -e

medium

For more robust error handling in shell scripts, it's a good practice to use set -euo pipefail instead of just set -e.

  • e: Exit immediately if a command exits with a non-zero status.
  • u: Treat unset variables as an error when substituting.
  • o pipefail: The return value of a pipeline is the status of the last command to exit with a non-zero status, or zero if no command exited with a non-zero status. This is particularly useful when piping commands.

Suggested change
set -e
set -euo pipefail

Comment on lines +12 to +15
if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
echo "Usage: $0 <version> <install_dir>"
echo "Example: $0 v0.11.6 ./llgo"
exit 1

medium

It's a best practice to print usage and error messages to standard error (stderr) instead of standard output (stdout). This allows users to redirect script output without capturing error messages.

Suggested change
if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
echo "Usage: $0 <version> <install_dir>"
echo "Example: $0 v0.11.6 ./llgo"
exit 1
if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
echo "Usage: $0 <version> <install_dir>" >&2
echo "Example: $0 v0.11.6 ./llgo" >&2
exit 1
fi

Comment on lines +30 to +33
*)
echo "Unsupported architecture: $ARCH"
exit 1
;;

medium

Error messages should be printed to standard error (stderr) to separate them from normal script output.

Suggested change
*)
echo "Unsupported architecture: $ARCH"
exit 1
;;
*)
echo "Unsupported architecture: $ARCH" >&2
exit 1
;;

Comment on lines +60 to +63
else
echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo"
exit 1
fi

medium

Error messages should be printed to standard error (stderr) to separate them from normal script output.

Suggested change
else
echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo"
exit 1
fi
else
echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo" >&2
exit 1
fi

The llgo release files use the format llgo{version}.{os}-{arch}.tar.gz
(e.g., llgo0.11.6.darwin-arm64.tar.gz) instead of the assumed format
llgo-{version}-{os}-{arch}.tar.gz.

This commit fixes the download script to:
- Remove 'v' prefix from version number
- Use correct filename format: llgo0.11.6.darwin-arm64.tar.gz
- Update comments to reflect actual format

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

# Create install directory
mkdir -p "$INSTALL_DIR"


CRITICAL: Missing checksum verification

The script downloads and executes prebuilt binaries without any integrity verification. This is a significant supply chain security risk.

Recommended fix:

# Add -f flag to fail on HTTP errors, and add retry logic
curl -fL --retry 3 --retry-delay 2 --max-time 300 -o "/tmp/${FILENAME}" "$URL" || {
    echo "Error: Failed to download LLGo from $URL"
    exit 1
}

# Download and verify checksum (if available)
curl -fL -o "/tmp/${FILENAME}.sha256" "${URL}.sha256" 2>/dev/null && {
    cd /tmp
    sha256sum -c "${FILENAME}.sha256" || {
        echo "Error: Checksum verification failed"
        exit 1
    }
}

Security concerns:

  • Without checksums, there's no way to verify the binary hasn't been tampered with
  • Missing -f flag means curl won't fail on HTTP errors (404, 500)
  • No retry logic for transient network failures

See CWE-494: Download of Code Without Integrity Check


set -e

VERSION=$1

Add input validation for VERSION parameter

The VERSION parameter is interpolated into URLs without validation, creating potential for injection attacks if this script is used outside the controlled CI environment.

Recommended:

VERSION=$1
INSTALL_DIR=$2

if [ -z "$VERSION" ] || [ -z "$INSTALL_DIR" ]; then
    echo "Usage: $0 <version> <install_dir>"
    echo "Example: $0 v0.11.6 ./llgo"
    exit 1
fi

# Validate VERSION format
if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$ ]]; then
    echo "Error: Invalid version format: $VERSION"
    echo "Expected format: vX.Y.Z (e.g., v0.11.6)"
    exit 1
fi

Comment on lines +46 to +49

# Create install directory
mkdir -p "$INSTALL_DIR"


Use mktemp for secure temporary file handling

Using predictable filenames in /tmp/ can lead to race conditions and symlink attacks.

Recommended:

# Create secure temporary file
TEMP_FILE=$(mktemp /tmp/llgo-download.XXXXXXXXXX)
trap "rm -f '$TEMP_FILE'" EXIT

mkdir -p "$INSTALL_DIR"

echo "Downloading LLGo ${VERSION} for ${OS}-${ARCH}..."
echo "URL: $URL"

curl -fL --retry 3 --retry-delay 2 --max-time 300 -o "$TEMP_FILE" "$URL"
tar -xzf "$TEMP_FILE" -C "$INSTALL_DIR" --strip-components=1

This provides atomic temporary file creation and automatic cleanup.

Comment on lines +23 to +30
case $ARCH in
x86_64)
ARCH="amd64"
;;
aarch64|arm64)
ARCH="arm64"
;;
*)

Add OS validation

Consider validating the OS as well to provide clear error messages for unsupported platforms:

# Map architecture names
case $ARCH in
    x86_64)
        ARCH="amd64"
        ;;
    aarch64|arm64)
        ARCH="arm64"
        ;;
    *)
        echo "Error: Unsupported architecture: $ARCH"
        echo "Supported architectures: amd64, arm64"
        echo "Detected: $(uname -m) on $(uname -s)"
        exit 1
        ;;
esac

# Validate OS
case $OS in
    darwin|linux)
        # Supported
        ;;
    *)
        echo "Error: Unsupported operating system: $OS"
        echo "Supported systems: darwin (macOS), linux"
        exit 1
        ;;
esac

Comment on lines +56 to +57
echo "Binary location: ${INSTALL_DIR}/bin/llgo"


Enhance post-installation validation

The current check only verifies file existence. Consider adding:

# Verify installation
if [ ! -f "${INSTALL_DIR}/bin/llgo" ]; then
    echo "Error: llgo binary not found at ${INSTALL_DIR}/bin/llgo"
    exit 1
fi

# Verify it's executable
if [ ! -x "${INSTALL_DIR}/bin/llgo" ]; then
    echo "Error: llgo binary is not executable"
    exit 1
fi

# Verify it's a valid binary
if ! file "${INSTALL_DIR}/bin/llgo" | grep -qE "(executable|ELF|Mach-O)"; then
    echo "Error: llgo is not a valid binary executable"
    exit 1
fi

echo "Installation verified successfully"
ls -lh "${INSTALL_DIR}/bin/llgo"

@fennoai
Contributor

fennoai Bot commented Nov 17, 2025

Code Review Summary

This PR successfully upgrades to llgo v0.11.6 and simplifies CI by using prebuilt releases instead of compiling from source. The approach will significantly improve CI performance (estimated 5-15 minutes faster per run).

Critical Issues to Address:

  1. Missing checksum verification in download-llgo.sh - This is a supply chain security risk that should be fixed before merge
  2. Missing -f flag on curl - Won't fail on HTTP errors (404, 500)

Recommended Improvements:

  • Add input validation for VERSION parameter
  • Use mktemp for secure temporary file handling
  • Add OS validation for better error messages
  • Enhance post-installation validation

Overall, this is a well-executed modernization of the dependency management. Once the checksum verification is added, this will be ready to merge.
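
The checks requested in the reviews above (version validation, a mktemp download file, a checksum before extraction), combined into a fail-closed sketch; this is an added example, not code from the PR or from download-llgo.sh. It assumes a SHA-256 digest pinned in the repository rather than fetched alongside the tarball, and `base_url`, the `base_url/version/asset` layout and all function names are hypothetical.

```sh
#!/bin/sh
# Added example: refuse to extract a release tarball unless it matches a
# pinned SHA-256. The pinned digest and base_url are assumptions.
set -eu

# Accept only vX.Y.Z or vX.Y.Z-suffix, the pattern proposed in the review.
valid_version() {
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$'
}

# Asset name in the format the PR describes: llgo{version}.{os}-{arch}.tar.gz
asset_name() {
    printf 'llgo%s.%s-%s.tar.gz' "${1#v}" "$2" "$3"
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_extract <tarball> <pinned_sha256> <install_dir>
# Returns 2 if no usable digest was supplied and 1 on mismatch.
# Nothing is created or extracted unless the digest matches.
verify_and_extract() {
    case "$2" in
        ''|*[!0-9a-f]*) echo "Error: missing or malformed pinned digest" >&2; return 2 ;;
    esac
    [ "${#2}" -eq 64 ] || { echo "Error: digest is not 64 hex characters" >&2; return 2; }
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "Error: checksum mismatch for $1" >&2
        return 1
    fi
    mkdir -p "$3" || return 1
    # No --strip-components: the release keeps bin/llgo at the archive root.
    tar -xzf "$1" -C "$3" || return 1
}

# fetch_release <base_url> <version> <os> <arch> <pinned_sha256> <install_dir>
fetch_release() {
    valid_version "$2" || { echo "Error: invalid version: $2" >&2; return 2; }
    tmp=$(mktemp) || return 1          # unpredictable name, not /tmp/${FILENAME}
    status=0
    curl -fsSL --retry 3 -o "$tmp" "$1/$2/$(asset_name "$2" "$3" "$4")" || status=$?
    if [ "$status" -eq 0 ]; then
        verify_and_extract "$tmp" "$5" "$6" || status=$?
    fi
    rm -f "$tmp"
    return "$status"
}
```
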

luoliwoshang and others added 3 commits November 17, 2025 21:50
The llgo release tarball has files directly at the root level
(bin/llgo, LICENSE, README.md) without a top-level directory,
so we should not strip any path components during extraction.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Update the gentest workflow to use llgo v0.11.6 and remove llvm
parameter, consistent with other workflow files.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Add the crosscompile/clang/bin directory from the llgo release to PATH
to make LLVM tools like llvm-nm available. These tools are bundled with
the llgo release and are required for building.

Also added llvm-nm version check to verify installation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

fennoai Bot pushed a commit that referenced this pull request Dec 30, 2025
This commit updates the CI configuration to use prebuilt llgo v0.12.0
releases instead of building from source, while maintaining LLVM
dependency for clang access.

Changes:
- Add download-llgo.sh script to fetch prebuilt llgo releases
- Update action.yml to use download script instead of source checkout
- Keep LLVM/clang dependency as requested in issue #609
- Remove unnecessary LLVM dev packages (llvm-dev, libclang-dev, lld, etc.)
- Retain only clang-19 for compilation needs
- Add verification step for llgo and clang installation

Benefits:
- Faster CI builds (no source compilation)
- Simpler dependency management
- More reliable with official releases
- Reduced complexity while keeping clang access

Related: #609, #590

Generated with [codeagent](https://github.com/qbox/codeagent)
Co-authored-by: luoliwoshang <51194195+luoliwoshang@users.noreply.github.com>

MeteorsLiu pushed a commit that referenced this pull request Dec 30, 2025
This commit updates the CI configuration to use prebuilt llgo v0.12.0
releases instead of building from source, while maintaining LLVM
dependency for clang access.

Changes:
- Add download-llgo.sh script to fetch prebuilt llgo releases
- Update action.yml to use download script instead of source checkout
- Keep LLVM/clang dependency as requested in issue #609
- Remove unnecessary LLVM dev packages (llvm-dev, libclang-dev, lld, etc.)
- Retain only clang-19 for compilation needs
- Add verification step for llgo and clang installation

Benefits:
- Faster CI builds (no source compilation)
- Simpler dependency management
- More reliable with official releases
- Reduced complexity while keeping clang access

Related: #609, #590

Generated with [codeagent](https://github.com/qbox/codeagent)

Co-authored-by: xgopilot <noreply@goplus.org>
Co-authored-by: luoliwoshang <51194195+luoliwoshang@users.noreply.github.com>