Use published SDK version instead of local replace directives #1067

Merged
renuka-fernando merged 6 commits into wso2:main from renuka-fernando:publised-sdk
Feb 13, 2026

@renuka-fernando renuka-fernando commented Feb 11, 2026

Summary

Fix #1066

  • Replace local SDK replace directives with published version v0.3.9 in gateway go.mod files
  • Add separate CI workflow (sdk-integration-test.yml) to validate SDK changes against gateway integration tests

Problem

Gateway components used replace github.com/wso2/api-platform/sdk => ../../sdk to always build against local SDK source. Since the SDK is a user-facing published module with external consumers (policy authors), this caused non-reproducible builds and masked potential interface drift between the gateway runtime and published SDK versions.

Changes

go.mod (3 files):

  • gateway/gateway-runtime/policy-engine/go.mod — removed SDK replace directive
  • gateway/gateway-builder/go.mod — removed SDK replace, updated v0.0.0 → v0.3.9
  • gateway/gateway-controller/go.mod — removed SDK replace, updated v0.0.0 → v0.3.9
  • common module replace directives kept as-is (internal, unpublished module)

CI (1 new file):

  • .github/workflows/sdk-integration-test.yml — triggers on sdk/** changes, injects go mod edit -replace to test local SDK against gateway integration tests

No changes to Dockerfiles or Makefiles — SDK source continues to be copied into Docker builds via --build-context sdk. During normal builds Go downloads the published version from module proxy; during SDK CI testing the injected replace directive makes Go use the local copy.

Summary by CodeRabbit

  • Chores
    • CI: Expanded integration-test PR triggers to include shared/common code and added a new SDK integration workflow that runs Go/Docker builds, integration tests, and diagnostic log collection.
    • Dependencies: Upgraded the SDK and several libraries across components.
    • Build: Removed local module replacement overrides to standardize build behavior.

coderabbitai bot commented Feb 11, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.


Walkthrough

Removes local SDK replace directives from gateway modules and upgrades them to published SDK v0.3.14; adds common/** to the gateway CI path filters and introduces a new sdk-integration-test.yml workflow that can inject local SDK replacements and run gateway integration tests.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI Workflows: .github/workflows/gateway-integration-test.yml, .github/workflows/sdk-integration-test.yml | Adds common/** to gateway workflow PR path filters; adds a new SDK integration workflow that sets up Go 1.25 and Docker Buildx, applies go mod edit -replace for local SDK testing, builds coverage-instrumented gateway images and mock servers, runs integration tests, and collects diagnostics on failure. |
| Gateway go.mod updates: gateway/gateway-builder/go.mod, gateway/gateway-controller/go.mod, gateway/gateway-runtime/policy-engine/go.mod | Removes local replace for github.com/wso2/api-platform/sdk, updates gateway modules to require published SDK v0.3.14 (or later), retains replace for local common where applicable, and removes prior Docker-build replace blocks. |
| SDK module changes: sdk/go.mod | Multiple dependency upgrades and transitive updates (milvus, redis, etcd groups, google/btree, golang-jwt additions), removal of an old jwt indirect, and various indirect dependency version bumps. |
| Common & platform modules: common/go.mod, platform-api/src/go.mod | Bumps github.com/golang-jwt/jwt/v5 from v5.3.0 → v5.3.1. |
| Sample & system policy modules: gateway/sample-policies/uppercase-body/go.mod, gateway/system-policies/analytics/go.mod | Updates SDK requirement to align with v0.3.14 and removes some indirect dependency entries. |
| Other manifest edits: gateway/gateway-controller/go.mod (additional indirect edits) | Various indirect dependency adjustments (cel.dev/expr, golang-jwt/jwt/v5) and removal of several unused indirects and local Docker-build replace block. |

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Repo as Repository
    participant Go as Go toolchain (1.25)
    participant Docker as Docker Buildx
    participant Gateway as Gateway build/test
    participant Mocks as Mock server images

    GH->>Repo: trigger (gateway/**, common/**) or (sdk/** / workflow_dispatch)
    GH->>Repo: checkout
    GH->>Go: setup Go 1.25
    GH->>Docker: setup Buildx
    alt SDK workflow (sdk/**)
        GH->>Repo: run `go mod edit -replace` to point gateway modules at local SDK
    end
    GH->>Gateway: build gateway images (make build-coverage / build-local)
    GH->>Mocks: build mock server images
    GH->>Gateway: run integration tests (make test-integration)
    Gateway-->>GH: test results
    alt failure
        GH->>Docker: docker ps / docker logs
        GH->>Repo: dump gateway/it/logs if present
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • Update main #1015: Modifies the same gateway and SDK go.mod files and replace directives; closely related to switching from local SDK replaces to published SDK usage.

Suggested reviewers

  • Thushani-Jayasekera


🚥 Pre-merge checks | ✅ 5 | ❌ 1
❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Merge Conflict Detection ⚠️ Warning ❌ Merge conflicts detected (21 files):

⚔️ .github/workflows/gateway-integration-test.yml (content)
⚔️ common/go.mod (content)
⚔️ common/go.sum (content)
⚔️ gateway/gateway-builder/go.mod (content)
⚔️ gateway/gateway-builder/go.sum (content)
⚔️ gateway/gateway-controller/go.mod (content)
⚔️ gateway/gateway-controller/go.sum (content)
⚔️ gateway/gateway-runtime/policy-engine/go.mod (content)
⚔️ gateway/gateway-runtime/policy-engine/go.sum (content)
⚔️ gateway/sample-policies/uppercase-body/go.mod (content)
⚔️ gateway/sample-policies/uppercase-body/go.sum (content)
⚔️ gateway/system-policies/analytics/go.mod (content)
⚔️ gateway/system-policies/analytics/go.sum (content)
⚔️ go.work (content)
⚔️ go.work.sum (content)
⚔️ platform-api/src/go.mod (content)
⚔️ platform-api/src/go.sum (content)
⚔️ platform-api/src/internal/server/server.go (content)
⚔️ platform-api/src/resources/openapi.yaml (content)
⚔️ sdk/go.mod (content)
⚔️ sdk/go.sum (content)

These conflicts must be resolved before merging into main.
Resolve conflicts locally and push changes to this branch.
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: moving from local SDK replace directives to published versions. |
| Description check | ✅ Passed | The PR description covers the purpose, problem, changes, and approach with sufficient detail, though some template sections like security checks and test environment are not explicitly filled. |
| Linked Issues check | ✅ Passed | All primary coding objectives from issue #1066 are met: SDK replace directives removed from gateway components, published version used, common module replace kept, and SDK CI workflow added. |
| Out of Scope Changes check | ✅ Passed | All changes directly address issue #1066: go.mod updates, SDK workflow, and dependency updates are within scope; no unrelated modifications detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/sdk-integration-test.yml:
- Around line 27-36: The workflow step that injects the local SDK via go mod
edit -replace into the modules (gateway/gateway-runtime/policy-engine,
gateway-builder, gateway-controller) is missing go mod tidy, which can leave
go.sum inconsistent; after each go mod edit -replace invocation run go mod tidy
in the same module to update go.sum and pull correct transitive deps, and make
the step more robust by using absolute paths based on $GITHUB_WORKSPACE instead
of chained cd commands so each module (policy-engine, gateway-builder,
gateway-controller) is edited and tidied reliably.

Comment on lines +27 to +36
- name: Inject local SDK into gateway modules
run: |
cd gateway/gateway-runtime/policy-engine
go mod edit -replace github.com/wso2/api-platform/sdk=../../../sdk

cd ../../gateway-builder
go mod edit -replace github.com/wso2/api-platform/sdk=../../sdk

cd ../gateway-controller
go mod edit -replace github.com/wso2/api-platform/sdk=../../sdk
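
Review bot: the replace is injected into only three modules (policy-engine, gateway-builder, gateway-controller), while the walkthrough lists gateway/sample-policies/uppercase-body/go.mod and gateway/system-policies/analytics/go.mod as also requiring the SDK. If the integration tests build those modules, they will still resolve the published SDK and the local change goes untested there. Consider driving this step from a list of every gateway module that requires github.com/wso2/api-platform/sdk instead of three hard-coded paths.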

⚠️ Potential issue | 🟠 Major

Missing go mod tidy after injecting replace directives.

After go mod edit -replace, the go.sum files won't reflect the local SDK's transitive dependencies. If the local SDK differs from v0.3.9 in its dependency graph, subsequent go build or go test may fail or fetch unexpected versions. Run go mod tidy in each module after editing.

Also, the chained cd navigation is fragile — consider using absolute paths from $GITHUB_WORKSPACE for clarity.

Proposed fix
       - name: Inject local SDK into gateway modules
         run: |
-          cd gateway/gateway-runtime/policy-engine
-          go mod edit -replace github.com/wso2/api-platform/sdk=../../../sdk
+          cd $GITHUB_WORKSPACE/gateway/gateway-runtime/policy-engine
+          go mod edit -replace github.com/wso2/api-platform/sdk=../../../sdk
+          go mod tidy
 
-          cd ../../gateway-builder
-          go mod edit -replace github.com/wso2/api-platform/sdk=../../sdk
+          cd $GITHUB_WORKSPACE/gateway/gateway-builder
+          go mod edit -replace github.com/wso2/api-platform/sdk=../../sdk
+          go mod tidy
 
-          cd ../gateway-controller
-          go mod edit -replace github.com/wso2/api-platform/sdk=../../sdk
+          cd $GITHUB_WORKSPACE/gateway/gateway-controller
+          go mod edit -replace github.com/wso2/api-platform/sdk=../../sdk
+          go mod tidy
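
Review bot: `$GITHUB_WORKSPACE` is unquoted in all three added `cd` lines; write `cd "$GITHUB_WORKSPACE/gateway/gateway-builder"` (and likewise for the other two) so a workspace path containing spaces is not word-split. Separately, `go mod tidy` can add and drop requirements beyond the replace line, so the go.mod files under test may differ from the committed ones; a comment in the step saying this is intended for the SDK workflow only would help the next reader.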

@renuka-fernando renuka-fernando force-pushed the publised-sdk branch 4 times, most recently from cad4325 to 180495e Compare February 13, 2026 06:52

@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
gateway/gateway-runtime/policy-engine/go.mod (1)

18-18: ⚠️ Potential issue | 🟠 Major

SDK version inconsistency across gateway modules.

The policy-engine remains on SDK v0.3.9, while gateway-controller and sample-policies have been upgraded to v0.3.14. This creates version skew across gateway components that could lead to incompatibility issues.

Please align all gateway modules to use the same SDK version (v0.3.14) to ensure consistent behavior and API compatibility.

🔄 Proposed fix to align SDK version
-	github.com/wso2/api-platform/sdk v0.3.9
+	github.com/wso2/api-platform/sdk v0.3.14
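
Review bot: changing only this require line leaves gateway/gateway-runtime/policy-engine/go.sum without the hashes for v0.3.14, so the build will fail or rewrite go.sum at build time. Run go mod tidy in that module and commit go.sum in the same change. The PR summary still names v0.3.9 as the published version, so it should be updated to match whichever version is finally pinned.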


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@sdk/go.mod`:
- Around line 88-94: The go.mod bump to etcd v3.5.23 may require API
changes—search the codebase for any use of the etcd resolver types (e.g.,
resolver.State, resolver.State.Addresses, clientv3 or grpc resolver
integrations) and update usages that expect resolver.State.Addresses to the new
shape (resolver.State.Endpoint.Addresses) or adapt to the new Endpoint wrapper;
ensure any code referencing clientv3 resolver/state APIs in functions/methods
interacting with etcd clients is updated accordingly, run unit/integration tests
against v3.5.23 (including any code that does snapshot/defrag or lease renewal),
and consult the etcd 3.5 upgrade guide to apply any other required migration
steps before merging.

Comment on lines +88 to +94
go.etcd.io/etcd/api/v3 v3.5.23 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.23 // indirect
go.etcd.io/etcd/client/v2 v2.305.23 // indirect
go.etcd.io/etcd/client/v3 v3.5.23 // indirect
go.etcd.io/etcd/pkg/v3 v3.5.23 // indirect
go.etcd.io/etcd/raft/v3 v3.5.23 // indirect
go.etcd.io/etcd/server/v3 v3.5.23 // indirect
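
Review bot: all seven go.etcd.io/etcd lines carry `// indirect`, so the SDK does not import etcd itself and any API change lands in whichever direct dependency pulls it in. Run `go mod why -m go.etcd.io/etcd/client/v3` in sdk/ and name that dependency in the PR description, so the jump to v3.5.23 is tied to a deliberate upgrade rather than a side effect of tidying.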

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Find the go.mod file in the repository
find . -name "go.mod" -type f | head -20

Repository: wso2/api-platform

Length of output: 743


🏁 Script executed:

# Examine lines 88-94 of sdk/go.mod
sed -n '80,100p' ./sdk/go.mod

Repository: wso2/api-platform

Length of output: 1238


🏁 Script executed:

# Check git history for this file to see previous versions
cd ./sdk && git log -p --follow -S "go.etcd.io/etcd/api/v3" -- go.mod | head -100

Repository: wso2/api-platform

Length of output: 43


🏁 Script executed:

# Verify etcd package versions exist using Go module proxy
echo "=== Checking go.etcd.io/etcd/api/v3 v3.5.23 ==="
curl -s "https://proxy.golang.org/go.etcd.io/etcd/api/v3/@v/v3.5.23.info" | head -20

echo -e "\n=== Checking go.etcd.io/etcd/client/v3 v3.5.23 ==="
curl -s "https://proxy.golang.org/go.etcd.io/etcd/client/v3/@v/v3.5.23.info" | head -20

echo -e "\n=== Listing available etcd/api/v3 versions around v3.5.23 ==="
curl -s "https://proxy.golang.org/go.etcd.io/etcd/api/v3/@v/list" | grep "v3.5" | tail -20

Repository: wso2/api-platform

Length of output: 818


🏁 Script executed:

# Check for go.mod.orig or similar to see previous versions
ls -la ./sdk/go.mod* 2>/dev/null || echo "No backup found"

# Also check if there's a go.sum file we can examine
wc -l ./sdk/go.mod ./sdk/go.sum 2>/dev/null

# Get info on a few earlier versions to understand the jump
echo -e "\n=== Checking v3.5.5 ==="
curl -s "https://proxy.golang.org/go.etcd.io/etcd/api/v3/@v/v3.5.5.info"

echo -e "\n=== Checking v3.5.22 and v3.5.24 ==="
curl -s "https://proxy.golang.org/go.etcd.io/etcd/api/v3/@v/v3.5.22.info"
curl -s "https://proxy.golang.org/go.etcd.io/etcd/api/v3/@v/v3.5.24.info"

Repository: wso2/api-platform

Length of output: 861


🏁 Script executed:

# Check for security advisories and important changes
echo "=== Checking etcd releases page for security info ==="
curl -s "https://api.github.com/repos/etcd-io/etcd/releases?per_page=30" | \
  jq -r '.[] | select(.tag_name | contains("v3.5")) | "\(.tag_name) - \(.published_at) - Draft: \(.draft)"' | \
  head -30

# Also search for any known CVEs affecting etcd 3.5
echo -e "\n=== Searching for etcd security advisories ==="
curl -s "https://api.github.com/repos/etcd-io/etcd/security/advisories" 2>/dev/null | jq '.[].ghsa_id' 2>/dev/null || echo "Security advisories API may require authentication"

Repository: wso2/api-platform

Length of output: 673


🏁 Script executed:

# Check the actual release notes for v3.5.23 to see if there are breaking changes
echo "=== Fetching v3.5.23 release details ==="
curl -s "https://api.github.com/repos/etcd-io/etcd/releases/tags/v3.5.23" | \
  jq -r '.body' | head -100

# Also check if there were any significant fixes between v3.5.5 and v3.5.23
echo -e "\n=== Checking changelog summary ==="
curl -s "https://raw.githubusercontent.com/etcd-io/etcd/v3.5.23/CHANGELOG/v3.5.md" 2>/dev/null | head -200 || echo "Changelog not directly accessible"

Repository: wso2/api-platform

Length of output: 3888


🏁 Script executed:

# Try accessing the main changelog file
echo "=== Checking main changelog ==="
curl -s "https://raw.githubusercontent.com/etcd-io/etcd/main/CHANGELOG/CHANGELOG-3.5.md" 2>/dev/null | head -300

# Also check git tags to see what versions exist
echo -e "\n=== Verifying patch versions between v3.5.5 and v3.5.23 ==="
curl -s "https://api.github.com/repos/etcd-io/etcd/git/refs/tags" | \
  jq -r '.[] | select(.ref | contains("v3.5")) | .ref' | sort -V | grep -E "v3\.5\.(5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23)" | tail -20

Repository: wso2/api-platform

Length of output: 14476


Verify compatibility with etcd v3.5.23 breaking changes and review the upgrade guide.

The etcd packages are being updated from v3.5.5 to v3.5.23 (18 patch versions over ~3 years). While the version exists and includes important fixes, v3.5.22 introduced a breaking change: the clientv3 package replaced resolver.State.Addresses with resolver.State.Endpoint.Addresses. Review the code for any direct usage of this API and consult the etcd upgrade guide before merging. Additionally, v3.5.23 fixes critical issues including potential data corruption during concurrent snapshot and defragmentation operations, and lease renewal failures.


The SDK is a user-facing published module, so gateway components should depend on a specific published version (v0.3.9) rather than using local replace directives. This ensures gateway builds use the same SDK version that external policy authors depend on, providing reproducible builds and clear compatibility contracts.
 - Remove SDK replace directives from policy-engine, gateway-builder, and gateway-controller go.mod files
 - Update gateway-builder and gateway-controller SDK dependency from v0.0.0 to published v0.3.9
 - Keep common module replace directives (internal, unpublished module)
 - Add separate sdk-integration-test workflow that injects local SDK via go mod edit -replace to validate SDK changes against gateway integration tests
@renuka-fernando renuka-fernando merged commit 4ae4e4f into wso2:main Feb 13, 2026
7 checks passed
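
The two conditions discussed in this PR (no local-path replace for the published SDK, and one SDK version across gateway modules) can be enforced with a small CI guard. The following Go program is an added example, not code from the PR or the wso2 repository; it uses a simplified line-based go.mod reader, and the sample go.mod text and the common module path are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Mod is the path and text of one go.mod file.
type Mod struct{ File, Text string }

// Audit reports local-path replaces and version skew for the published module.
func Audit(mods []Mod, published string) []string {
	var out, pins []string
	versions := map[string]bool{}
	for _, m := range mods {
		block := "" // directive of the enclosing "( ... )" block, if any
		for _, line := range strings.Split(m.Text, "\n") {
			line, _, _ = strings.Cut(line, "//") // drop trailing comments
			fs := strings.Fields(line)
			kind := block
			switch {
			case len(fs) == 0:
				continue
			case fs[0] == ")":
				block = ""
				continue
			case len(fs) == 2 && fs[1] == "(":
				block = fs[0]
				continue
			case fs[0] == "require" || fs[0] == "replace":
				kind, fs = fs[0], fs[1:] // single-line directive
			}
			if len(fs) < 2 || fs[0] != published {
				continue
			}
			target := fs[len(fs)-1] // directory targets start with ./, ../ or /
			if kind == "require" {
				versions[fs[1]] = true
				pins = append(pins, m.File+"="+fs[1])
			} else if kind == "replace" && strings.ContainsAny(target[:1], "./") {
				out = append(out, m.File+": local replace => "+target)
			}
		}
	}
	if len(versions) > 1 {
		out = append(out, "version skew: "+strings.Join(pins, ", "))
	}
	return out
}

// Constructed go.mod excerpts modelled on the modules named in the PR; the
// common module path is an assumption (the page does not show it).
var sample = []Mod{
	{"gateway/gateway-builder/go.mod", "require github.com/wso2/api-platform/sdk v0.0.0\n" +
		"replace (\n\tgithub.com/wso2/api-platform/common => ../../common\n" +
		"\tgithub.com/wso2/api-platform/sdk => ../../sdk\n)"},
	{"gateway/gateway-controller/go.mod", "require (\n\tgithub.com/wso2/api-platform/sdk v0.3.14\n)"},
	{"gateway/gateway-runtime/policy-engine/go.mod", "require github.com/wso2/api-platform/sdk v0.3.9 // pin"},
}

func main() {
	for _, f := range Audit(sample, "github.com/wso2/api-platform/sdk") {
		fmt.Println(f)
	}
}
```

The replace of the internal common module is deliberately not reported, matching the PR's decision to keep it. In a pipeline, `go mod edit -json` gives the same directives in structured form.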

Development

Successfully merging this pull request may close these issues.

Use published sdk go module instead of using local latest sdk in gateway build
