Skip to content

PSR-41: modernize secrets-init and fix gRPC CVE#3

Open
ibrahimlawal-paystack wants to merge 11 commits into
PaystackHQ:masterfrom
ibrahimlawal-paystack:codex/psr-41-fix-grpc-cve
Open

PSR-41: modernize secrets-init and fix gRPC CVE#3
ibrahimlawal-paystack wants to merge 11 commits into
PaystackHQ:masterfrom
ibrahimlawal-paystack:codex/psr-41-fix-grpc-cve

Conversation

@ibrahimlawal-paystack

Copy link
Copy Markdown

Summary

  • Bring master forward to the published 0.5.4 nested-key behavior.
  • Upgrade to Go 1.26.5, gRPC 1.82.1, and current stable direct dependencies.
  • Replace end-of-support AWS SDK v1 with SDK v2 and use current Google Secret Manager types.
  • Modernize Docker bases, lint/mock tooling, and GitHub Actions release workflows.
  • Make cross-platform builds fail fast and reduce generated mocks to the three operations in use.

Validation

  • make platform-build
  • go test -race -timeout 60s ./...
  • actionlint -no-color .github/workflows/*.yaml
  • go mod verify
  • govulncheck ./... on Darwin and Linux: zero reachable vulnerabilities
  • Release binaries verified as Go 1.26.5 with google.golang.org/grpc v1.82.1

Notes

  • govulncheck reports module-only GO-2026-5932 for the unimported x/crypto/openpgp package; it has no fixed version and is not in the Linux dependency graph.
  • A local Docker image build was not run because the Docker/containerd daemon is unavailable.
  • GitHub currently exposes org-managed checks; the checked-in test.yaml workflow is not registered by the repository.

Tracking

@ibrahimlawal-paystack

ibrahimlawal-paystack commented Jul 17, 2026

Copy link
Copy Markdown
Author

@reneed-paystack @husayn-paystack @shabih-paystack CI is green on the current head: https://github.com/ibrahimlawal-paystack/secrets-init/actions/runs/29592815600. Could you please review this modernization and gRPC security update?

@ibrahimlawal-paystack ibrahimlawal-paystack left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bot review: One CI coverage regression remains in the lint migration.

Comment thread .golangci.yaml
- examples$
formatters:
enable:
- gci

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bot review: These are formatters in golangci-lint v2, but make lint still only runs golangci-lint run; v2 executes formatter checks through golangci-lint fmt. The old config enforced gci/gofmt/goimports during lint, so CI now silently loses that coverage. Please wire the formatter check into CI and make it fail when files would change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants