feat: upgrade all components to go 1.25

[miklosbarabas]

Summary by CodeRabbit

• Chores

  • Require Go 1.25 across CI defaults, container builder images, templates, docs, examples, and local-install scripts; developer tooling and linter defaults bumped.

• Dependencies

  • Promoted a logging library to a direct dependency in the router plugin; updated one indirect library to a newer patch version.

• Tests

  • Improved router test cleanup to ensure proper context cancellation and more reliable test runs.

• Documentation

  • Updated contributing and README prerequisites and guidance to reflect new toolchain versions.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

Bumped Go toolchain to 1.25 across multiple go.mod files and Docker builder images; promoted github.com/hashicorp/go-hclog v1.6.3 to a direct require in router-plugin/go.mod; updated GitHub Action defaults, CLI plugin template, CONTRIBUTING/ADR snippets, proto-tools script, Makefile/tooling versions, and added a cancel-with-cause + interrupt signal path in a router test helper. No exported API/signature changes.

Changes

Cohort / File(s)	Summary of Changes
Module go directive bumps aws-lambda-router/go.mod, composition-go/go.mod, connect-go/go.mod, demo/go.mod, demo/pkg/subgraphs/projects/go.mod, graphqlmetrics/go.mod, router-tests/go.mod, router/go.mod	Updated go directive from 1.23/1.23.0 → 1.25; no other require/replace edits.
router-plugin go.mod router-plugin/go.mod	Updated go directive 1.23.0 → 1.25; moved github.com/hashicorp/go-hclog v1.6.3 from indirect to direct require.
Dockerfiles (builder/base image bumps) demo/docker/* (multiple files), demo/pkg/subgraphs/projects/Dockerfile, graphqlmetrics/Dockerfile, otelcollector/Dockerfile, router/Dockerfile, router/custom.Dockerfile	Changed builder/base images from golang:1.23 (or 1.23-alpine) → golang:1.25 (or 1.25-alpine); remaining instructions unchanged.
CLI plugin template cli/src/commands/router/commands/plugin/templates/plugin.ts	Template go.mod GO version updated 1.24.1 → 1.25.1; template Dockerfile builder image updated to golang:1.25-alpine and a blank line added.
GitHub Action input default .github/actions/go/action.yaml	Default public input go-version changed from 1.23 → 1.25.
Docs / ADR / CONTRIBUTING CONTRIBUTING.md, adr/custom-modules-v1.md, router/README.md	Textual examples and snippets updated to reference Go 1.25 (prereqs and examples).
Proto-tools install script scripts/install-proto-tools.sh	Default GO_VERSION changed from 1.24.1 → 1.25.1; installation logic unchanged.
Tooling versions & CI linter Makefile, .github/actions/go-linter/action.yaml	Bumped gotestsum v1.12.2 → v1.12.3; updated staticcheck input from 2024.1.1 → 2025.1.1.
Router test helper router-tests/testenv/testexec.go	On error path, call cancel(err) for the context created by context.WithCancelCause(ctx) and attempt to signal the child process (os.Interrupt) before returning; ensures cancellation-with-cause and process interruption on failures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: improve plugin handling #2132 — relates to converting github.com/hashicorp/go-hclog to a direct dependency in router-plugin/go.mod.

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

demo/go.mod (1)

3-3: Go 1.25 upgrade acknowledged; consider pinning mcp-go to the vetted version.
Per maintained learning, avoid mcp-go v0.38.0; v0.36.0 is the stable pick. Demo currently pulls v0.30.0 (indirect). To avoid accidental bumps via transitive deps, consider explicitly requiring or replacing github.com/mark3labs/mcp-go v0.36.0 in this module or a top-level go.work replace.

router-plugin/go.mod (1)

6-6: Promoting go-hclog to a direct dependency: confirm necessity.
If the plugin code imports hclog symbols directly (e.g., for gRPC server logger init), keeping it direct is correct. If not, prefer it as indirect to avoid unnecessary surface area. Please verify actual imports in router-plugin sources.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6375c4b and 454a4cc.

📒 Files selected for processing (9)

• aws-lambda-router/go.mod (1 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/go.mod (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router/go.mod (1 hunks)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• graphqlmetrics/go.mod
• demo/pkg/subgraphs/projects/go.mod
• connect-go/go.mod
• aws-lambda-router/go.mod
• router/go.mod
• demo/go.mod
• router-plugin/go.mod
• router-tests/go.mod

📚 Learning: 2025-08-12T13:50:45.964Z

Learnt from: Noroth
PR: wundergraph/cosmo#2132
File: router-plugin/plugin.go:139-146
Timestamp: 2025-08-12T13:50:45.964Z
Learning: In the Cosmo router plugin system, the plugin framework creates its own logger independently. When creating a logger in NewRouterPlugin, it's only needed for the gRPC server setup (passed via setup.GrpcServerInitOpts.Logger) and doesn't need to be assigned back to serveConfig.Logger.

Applied to files:

• router-plugin/go.mod

📚 Learning: 2025-07-21T14:46:34.879Z

Learnt from: SkArchon
PR: wundergraph/cosmo#2067
File: router/pkg/authentication/jwks_token_decoder.go:80-106
Timestamp: 2025-07-21T14:46:34.879Z
Learning: In the Cosmo router project, required field validation for JWKS configuration (Secret, Algorithm, KeyId) is handled at the JSON schema level in config.schema.json rather than through runtime validation in the Go code at router/pkg/authentication/jwks_token_decoder.go.

Applied to files:

• router-tests/go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: build_test
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./events)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (6)

connect-go/go.mod (1)

3-3: No additional Go version references found; please verify CI/Docker/other tooling
Searches didn’t uncover any setup-go or go-version steps in .github/workflows, Dockerfiles using a golang base image, nor version pins in .go-version, .tool-versions, Makefile, or Taskfile.yml. Manually confirm there are no other Go 1.x version references in this repo (or in external CI/Docker configs). Optionally add:

 go 1.25
+toolchain go1.25

composition-go/go.mod (1)

3-3: Modules already tidy under Go 1.25 All go.mod and go.sum files were normalized with go mod tidy -go=1.25; no changes detected.

aws-lambda-router/go.mod (1)

3-3: Verify Go 1.25 build environment for Lambda deployments
No Dockerfile references to AWS Lambda base images and no Serverless/SAM runtime declarations specifying Go were found—manually confirm that all Lambda functions are built and deployed using Go 1.25 (e.g., by selecting a custom runtime or container image based on Go 1.25).

router-tests/go.mod (1)

3-3: mcp-go version pins verified
All mark3labs/mcp-go references are pinned to v0.36.0 (only an indirect v0.30.0), so no module pulls >0.36.0. Continue with go vet ./... and go test -race ./... before merging.

graphqlmetrics/go.mod (1)

3-3: LGTM on the Go 1.25 upgrade.
No dependency changes detected here; just ensure CI/build images for this module use Go 1.25 as well.

router-plugin/go.mod (1)

3-3: Go 1.25 upgrade looks fine.
Confirm CI and plugin build images use 1.25 to prevent mixed toolchains.

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-d734b3e3ea5a43e0fa0f55a6b79d4c0df6a33809

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)

otelcollector/Dockerfile (1)

9-17: Cross-arch bug: ocb binary built for TARGETARCH is executed on BUILDPLATFORM.

With the builder stage running on BUILDPLATFORM, downloading ocb for ${TARGETARCH} and executing it will fail on cross-builds (e.g., linux/arm64 target on amd64 host).

Two safe fixes (pick one):

• Prefer: run builder on TARGETPLATFORM so the ocb target-arch binary can execute via QEMU when needed.

-FROM --platform=${BUILDPLATFORM} golang:1.25 AS builder
+FROM --platform=${TARGETPLATFORM} golang:1.25.1 AS builder

• Or: keep builder on BUILDPLATFORM and fetch ocb for the build arch. Example:

-ARG TARGETOS
-ARG TARGETARCH
+ARG TARGETOS
+ARG TARGETARCH
+ARG BUILDPLATFORM
+# derive BUILDARCH from BUILDPLATFORM ('linux/amd64' -> 'amd64')
+RUN BUILDARCH="$(printf '%s' "${BUILDPLATFORM}" | awk -F/ '{print $2}')" && \
-  curl -LJO https://github.com/open-telemetry/opentelemetry-collector/releases/download/cmd%2Fbuilder%2Fv0.103.1/ocb_0.103.1_linux_${TARGETARCH} \
-  && chmod +x ocb_0.103.1_linux_${TARGETARCH} \
-  && mv ocb_0.103.1_linux_${TARGETARCH} ocb
+  curl -LJO "https://github.com/open-telemetry/opentelemetry-collector/releases/download/cmd%2Fbuilder%2Fv0.103.1/ocb_0.103.1_linux_${BUILDARCH}" && \
+  chmod +x "ocb_0.103.1_linux_${BUILDARCH}" && \
+  mv "ocb_0.103.1_linux_${BUILDARCH}" ocb

router/custom.Dockerfile (1)

21-24: Ensure mcp-go is consistently pinned at v0.36.0 across all modules
demo/go.mod (line 95) currently uses v0.30.0—bump it to v0.36.0 and regenerate go.mod/go.sum.

scripts/install-proto-tools.sh (4)

100-121: Add SHA256 verification for Go tarball

We’re downloading executables without integrity checks. Verify against go.dev’s .sha256 to mitigate supply-chain risks.

 download_go() {
     info "Downloading Go $GO_VERSION..."
     go_url="https://go.dev/dl/go${GO_VERSION}.${go_platform}.tar.gz"
+    sha_url="${go_url}.sha256"
     tmp_file="$TMP_DIR/go.tar.gz"
+    sha_file="$TMP_DIR/go.tar.gz.sha256"
     
     curl --fail --location --progress-bar --output "$tmp_file" "$go_url" ||
         error "Failed to download Go from \"$go_url\""
+    curl --fail --location --progress-bar --output "$sha_file" "$sha_url" ||
+        error "Failed to download Go checksum from \"$sha_url\""
+
+    info "Verifying Go archive checksum..."
+    expected_sha="$(cut -d ' ' -f1 "$sha_file" | tr -d '\n')"
+    actual_sha="$(shasum -a 256 "$tmp_file" | awk '{print $1}')"
+    [[ "$expected_sha" == "$actual_sha" ]] || error "Checksum mismatch for Go archive"
     
     info "Extracting Go..."

---

124-141: Do the same checksum verification for protoc

GitHub releases provide checksums; verify before extracting.

 download_protoc() {
     info "Downloading protoc $PROTOC_VERSION..."
     protoc_url="https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-${protoc_platform}.zip"
+    protoc_sha_url="https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-${protoc_platform}.zip.sha256"
     tmp_file="$TMP_DIR/protoc.zip"
+    sha_file="$TMP_DIR/protoc.zip.sha256"
@@
     curl --fail --location --progress-bar --output "$tmp_file" "$protoc_url" ||
         error "Failed to download Protoc from \"$protoc_url\""
+    curl --fail --location --progress-bar --output "$sha_file" "$protoc_sha_url" ||
+        error "Failed to download Protoc checksum from \"$protoc_sha_url\""
+    info "Verifying protoc checksum..."
+    expected_sha="$(cut -d ' ' -f1 "$sha_file" | tr -d '\n')"
+    actual_sha="$(shasum -a 256 "$tmp_file" | awk '{print $1}')"
+    [[ "$expected_sha" == "$actual_sha" ]] || error "Checksum mismatch for protoc"

---

143-166: Checksum verify protoc-gen-go

Same rationale; verify tarball before extracting.

     plugin_url="https://github.com/protocolbuffers/protobuf-go/releases/download/v${PROTOC_GEN_GO_VERSION}/protoc-gen-go.v${PROTOC_GEN_GO_VERSION}.${protoc_gen_go_platform}.tar.gz"
     tmp_file="$TMP_DIR/protoc-gen-go.tar.gz"
+    sha_url="${plugin_url}.sha256"
+    sha_file="$TMP_DIR/protoc-gen-go.tar.gz.sha256"
@@
     curl --fail --location --progress-bar --output "$tmp_file" "$plugin_url" ||
         error "Failed to download protoc-gen-go from \"$plugin_url\""
+    curl --fail --location --progress-bar --output "$sha_file" "$sha_url" ||
+        error "Failed to download checksum from \"$sha_url\""
+    info "Verifying protoc-gen-go checksum..."
+    expected_sha="$(cut -d ' ' -f1 "$sha_file" | tr -d '\n')"
+    actual_sha="$(shasum -a 256 "$tmp_file" | awk '{print $1}')"
+    [[ "$expected_sha" == "$actual_sha" ]] || error "Checksum mismatch for protoc-gen-go"

---

169-197: Checksum verify protoc-gen-go-grpc

grpc-go also publishes checksums; verify before extract.

     tar_file="$TMP_DIR/protoc-gen-go-grpc.tar.gz"
+    sha_url="${grpc_url}.sha256"
+    sha_file="$TMP_DIR/protoc-gen-go-grpc.tar.gz.sha256"
@@
     curl --fail --location --progress-bar --output "$tar_file" "$grpc_url" ||
         error "Failed to download protoc-gen-go-grpc from \"$grpc_url\""
+    curl --fail --location --progress-bar --output "$sha_file" "$sha_url" ||
+        error "Failed to download checksum from \"$sha_url\""
+    info "Verifying protoc-gen-go-grpc checksum..."
+    expected_sha="$(cut -d ' ' -f1 "$sha_file" | tr -d '\n')"
+    actual_sha="$(shasum -a 256 "$tar_file" | awk '{print $1}')"
+    [[ "$expected_sha" == "$actual_sha" ]] || error "Checksum mismatch for protoc-gen-go-grpc"

♻️ Duplicate comments (1)

demo/pkg/subgraphs/projects/go.mod (1)

47-47: Local replace may break CI unless a workspace handles it.

This mirrors an existing review note: ensure CI builds add a repo-root go.work or inject this replace before building examples.

🧹 Nitpick comments (24)

CONTRIBUTING.md (1)

90-90: Pin the required Go version to a patch release for consistency.

Recommend “Go 1.25.x (we test with 1.25.1)” to match CI/scripts and reduce ambiguity.

Apply:

-- [Go 1.25+](https://golang.org/doc/install)
+- [Go 1.25.x](https://golang.org/doc/install) (we test with 1.25.1)

demo/docker/countries.Dockerfile (1)

1-1: Pin builder image to a patch version for reproducible builds.

Using a floating 1.25 tag can introduce nondeterminism when upstream is updated.

Apply:

-FROM golang:1.25 as builder
+FROM golang:1.25.1 as builder

router/Dockerfile (1)

1-1: Pin Go builder image to 1.25.1 across all Dockerfiles

• router/Dockerfile (line 1): change to FROM --platform=${BUILDPLATFORM} golang:1.25.1 AS builder
• otelcollector/Dockerfile (lines 1 & 19): update both golang:1.25 → golang:1.25.1
• graphqlmetrics/Dockerfile (line 1): change to FROM --platform=${BUILDPLATFORM} golang:1.25.1 AS builder

Scripts (install-proto-tools.sh) and plugin templates already use 1.25.1; mark3labs/mcp-go remains pinned at v0.36.0.

demo/docker/hobbies.Dockerfile (1)

1-1: Pin builder image for determinism.

Apply:

-FROM golang:1.25 as builder
+FROM golang:1.25.1 as builder

demo/docker/mood.Dockerfile (1)

1-1: Pin builder image for determinism.

Apply:

-FROM golang:1.25 as builder
+FROM golang:1.25.1 as builder

demo/docker/employees.Dockerfile (1)

1-13: Consider multi-stage and non-root runtime; also trim the binary.

Current image ships the full Go toolchain and runs as root. Suggest switching to a minimal final image, static build, and non-root user for smaller, safer images.

-FROM golang:1.25 as builder
-
-WORKDIR /app
-
-COPY . ./
-
-RUN go mod download && go mod verify
-
-RUN go build ./cmd/employees && mv employees server
-
-ENTRYPOINT [ "./server" ]
-
-EXPOSE 4001
+FROM golang:1.25 AS builder
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+COPY . .
+# Static, smaller binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH:-amd64} \
+    go build -trimpath -ldflags="-s -w" -o /out/server ./cmd/employees
+
+# Minimal runtime, non-root
+FROM gcr.io/distroless/static-debian12:nonroot
+COPY --from=builder /out/server /server
+USER nonroot:nonroot
+ENTRYPOINT ["/server"]
+EXPOSE 4001

cli/src/commands/router/commands/plugin/templates/plugin.ts (2)

405-427: Harden Dockerfile template: cache modules, slim binary, drop root.

Improves build speed and image security/size for generated plugins.

-FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
@@
-COPY go.mod go.sum ./
-RUN go mod download
+COPY go.mod go.sum ./
+# Cache module downloads
+RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked go mod download
@@
-RUN --mount=type=cache,target="/root/.cache/go-build" CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o dist/plugin ./src
+RUN --mount=type=cache,target="/root/.cache/go-build" \
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
+    go build -trimpath -ldflags="-s -w" -o dist/plugin ./src
@@
-FROM --platform=$BUILDPLATFORM scratch
+FROM scratch
@@
-COPY --from=builder /build/dist/plugin ./{originalPluginName}-plugin
+COPY --from=builder /build/dist/plugin /{originalPluginName}-plugin
+USER 65532:65532
-ENTRYPOINT ["./{originalPluginName}-plugin"]
+ENTRYPOINT ["/{originalPluginName}-plugin"]

---

422-422: Minor: --platform has no effect with scratch.

You can drop --platform=$BUILDPLATFORM on the scratch stage for clarity.

demo/docker/test1.Dockerfile (1)

1-13: Align with multi-stage minimal runtime and non-root.

Same considerations as employees.Dockerfile to reduce size/attack surface.

-FROM golang:1.25 as builder
-
-WORKDIR /app
-
-COPY . ./
-
-RUN go mod download && go mod verify
-
-RUN go build ./cmd/test1 && mv test1 server
-
-ENTRYPOINT [ "./server" ]
-
-EXPOSE 4002
+FROM golang:1.25 AS builder
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH:-amd64} \
+    go build -trimpath -ldflags="-s -w" -o /out/server ./cmd/test1
+
+FROM gcr.io/distroless/static-debian12:nonroot
+COPY --from=builder /out/server /server
+USER nonroot:nonroot
+ENTRYPOINT ["/server"]
+EXPOSE 4002

demo/pkg/subgraphs/projects/Dockerfile (2)

11-11: Speed up go mod download with cache mount.

-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked go mod download

---

18-23: Run as non-root and use absolute entrypoint path.

Minor hardening and clarity for scratch images.

-FROM --platform=$BUILDPLATFORM scratch
+FROM --platform=$BUILDPLATFORM scratch
@@
-COPY --from=builder /build/dist/plugin ./my-plugin
+COPY --from=builder /build/dist/plugin /my-plugin
+USER 65532:65532
-ENTRYPOINT ["./my-plugin"]
+ENTRYPOINT ["/my-plugin"]

otelcollector/Dockerfile (2)

1-1: Pin Go patch version for reproducibility and align with tooling (1.25.1).

Using a floating minor can drift. The repo scripts mention 1.25.1; consider pinning here too.

Apply:

-FROM --platform=${BUILDPLATFORM} golang:1.25 AS builder
+FROM --platform=${TARGETPLATFORM} golang:1.25.1 AS builder

Note: switching to TARGETPLATFORM also resolves the cross-arch binary execution issue below.

---

19-19: Consider a slimmer non-root runtime image.

Final stage uses golang:1.25 which is large and runs as root. Prefer distroless/base or alpine with a dedicated user if CGO deps exist; if fully static, distroless/static:nonroot.

Example (if static):

-FROM --platform=${BUILDPLATFORM} golang:1.25
+FROM gcr.io/distroless/static:nonroot
...
-COPY --from=builder /app/otelcol-dev/otelcol /otelcol
+COPY --from=builder /app/otelcol-dev/otelcol /otelcol
+USER nonroot:nonroot

demo/docker/family.Dockerfile (1)

1-1: Pin Go patch and improve build cache.

Minor-only tags drift; also, copying the whole tree before go mod download defeats layer caching.

Apply:

-FROM golang:1.25 as builder
+FROM golang:1.25.1 as builder
 WORKDIR /app
-COPY . ./
-RUN go mod download && go mod verify
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+COPY . ./
 RUN go build ./cmd/family && mv family server

demo/docker/availability.Dockerfile (1)

1-1: Same caching + pinning as other demo images.

-FROM golang:1.25 as builder
+FROM golang:1.25.1 as builder
 WORKDIR /app
-COPY . ./
-RUN go mod download && go mod verify
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+COPY . ./
 RUN go build ./cmd/availability && mv availability server

demo/docker/products.Dockerfile (1)

1-1: Repeatable builds: pin patch and leverage module cache.

-FROM golang:1.25 as builder
+FROM golang:1.25.1 as builder
 WORKDIR /app
-COPY . ./
-RUN go mod download && go mod verify
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+COPY . ./
 RUN go build ./cmd/products && mv products server

router/custom.Dockerfile (3)

1-1: Pin Go patch version to match toolchain references.

For consistency with scripts/docs using 1.25.1, pin here too.

-FROM golang:1.25 as builder
+FROM golang:1.25.1 as builder

---

21-27: Optional: avoid running tests in release Docker builds.

RUN go test -v ./... slows CI builds of release images; consider moving tests to CI jobs and keeping images strictly build-only.

---

30-35: Reproducibility nit: embed VCS info without -a, and consider -buildvcs=false if CI lacks .git.

-a forces full rebuild; often unnecessary. If builds run without a full Git checkout, add -buildvcs=false to avoid warnings/errors in Go ≥1.18+.

-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
-    go build -trimpath -ldflags "-extldflags=-static \
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath -buildvcs=false -ldflags "-extldflags=-static \
     -X 'github.com/wundergraph/cosmo/router/core.Version=${VERSION}' \
     -X 'github.com/wundergraph/cosmo/router/core.Commit=${COMMIT}' \
     -X 'github.com/wundergraph/cosmo/router/core.Date=${DATE}'" \
-    -a -o router cmd/custom/main.go
+    -o router cmd/custom/main.go

.github/actions/go/action.yaml (1)

6-6: Prefer auto-patching with 1.25.x

Use 1.25.x so CI automatically picks up security/bugfix patches without PR churn.

-    default: '1.25'
+    default: '1.25.x'

graphqlmetrics/Dockerfile (2)

1-1: Pin patch or parametrize to align with scripts (1.25.1)

Either pin to 1.25.1 (matches scripts/install-proto-tools.sh) or make it a build ARG to keep versions consistent repo-wide.

-FROM --platform=${BUILDPLATFORM} golang:1.25 AS builder
+ARG GO_VERSION=1.25.1
+FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION} AS builder

---

23-24: Nit: -extldflags -static is redundant with CGO_DISABLED=0

Pure Go builds don’t use the external linker. Dropping it reduces noise and avoids surprises if CGO flips on.

-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -trimpath -ldflags "-extldflags -static -X github.com/wundergraph/cosmo/graphqlmetrics/core.Version=${VERSION}" -a -o graphqlmetrics cmd/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -trimpath -ldflags "-X github.com/wundergraph/cosmo/graphqlmetrics/core.Version=${VERSION}" -a -o graphqlmetrics cmd/main.go

scripts/install-proto-tools.sh (2)

100-121: Skip reinstall when the correct Go version is already present

Speeds up dev containers and CI warm starts.

 download_go() {
+    if [[ -x "$BIN_DIR/go" ]] && [[ "$("$BIN_DIR/go" version | awk '{print $3}')" == "go${GO_VERSION}" ]]; then
+        info "Go $GO_VERSION already installed, skipping."
+        return
+    fi

---

5-5: Unify Go version pinning
scripts/install-proto-tools.sh defaults GO_VERSION to 1.25.1 (line 5) while Dockerfiles pull golang:1.25 (floating). To prevent patch-level drift when 1.25.x releases land, pin both to the same semantic version—e.g. update Dockerfiles to FROM golang:1.25.1 or change the script default to 1.25—or centralize the Go version in a single source.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 454a4cc and eb2474e.

📒 Files selected for processing (28)

• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (2 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (1 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router/Dockerfile (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• adr/custom-modules-v1.md
• demo/docker/products_fg.Dockerfile

🚧 Files skipped from review as they are similar to previous changes (8)

• router/go.mod
• demo/go.mod
• aws-lambda-router/go.mod
• connect-go/go.mod
• router-plugin/go.mod
• graphqlmetrics/go.mod
• composition-go/go.mod
• router-tests/go.mod

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• demo/pkg/subgraphs/projects/go.mod

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: build-router
• GitHub Check: integration_test (./events)
• GitHub Check: build_push_image
• GitHub Check: integration_test (./telemetry)
• GitHub Check: image_scan
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_push_image
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (4)

CONTRIBUTING.md (1)

47-47: Docs: Go workspace example correctly updated to 1.25.

Looks good and consistent with the repo-wide upgrade.

demo/pkg/subgraphs/projects/go.mod (1)

3-3: LGTM: module now targets Go 1.25.

demo/pkg/subgraphs/projects/Dockerfile (1)

1-1: LGTM: builder updated to Go 1.25-alpine.

.github/actions/go/action.yaml (1)

14-17: Optional: add support for go-version-file to avoid drift

Let callers pin via go.mod/go.work and keep CI in sync with the module toolchain. Apply this minimal pattern (only when inputs.go-version-file is set):

     - uses: actions/setup-go@v5
       with:
         go-version: ${{ inputs.go-version }}
         cache-dependency-path: ${{ inputs.cache-dependency-path }}
+
+    - if: ${{ inputs.go-version-file != '' }}
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: ${{ inputs.go-version-file }}
+        cache-dependency-path: ${{ inputs.cache-dependency-path }}

Manually verify there are no other go-version or go-version-file entries pinning Go < 1.25 in .github/**/*.yaml and that all go.mod directives use go 1.25.

[miklosbarabas]

@coderabbitai summary

[coderabbitai]

✅ Actions performed

Summary regeneration triggered.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CONTRIBUTING.md (1)

47-56: Fix sanity-check script in CONTRIBUTING.md to scan all modules and Dockerfiles recursively

• In CONTRIBUTING.md (lines 47–56), replace the hard-coded rg … go.mod lookup with a recursive search, for example:

  fd -e mod --hidden --exclude node_modules --exclude vendor . \
    | xargs -r rg -nP '^\s*go\s+1\.(\d+)' -S -C0

• Likewise, update the Dockerfile checks to locate every *Dockerfile* under all subdirectories (using fd or rg -g '**/Dockerfile*') instead of assuming they live at the repo root.
• Maintain the existing pin check for github.com/mark3labs/mcp-go at v0.36.0.

🧹 Nitpick comments (3)

CONTRIBUTING.md (2)

47-56: Update all doc prerequisites to consistently require Go 1.25+.

The example now shows go 1.25, but earlier in this file the Prerequisites still say “golang >= 1.18,” and there are a couple of small wording/typo nits nearby. Recommend:

• Change “golang >= 1.18” to “Go 1.25+”
• Fix “IOS” → “iOS”
• Change “You can also pnpm to install Node.js.” → “You can also use pnpm to install Node.js.”

This keeps docs aligned with the repo-wide upgrade.

If helpful, I can push a follow-up doc tweak PR with these fixes.

---

90-90: Consider pinning a patch version or referencing toolchain if that’s the project norm.

This updates Local Development to “Go 1.25+,” which is fine. If elsewhere we require 1.25.1 (e.g., CLI template/Docker tags), consider saying “Go 1.25.1+” here for consistency; otherwise, keep it as-is.

Would you like me to scan the repo to confirm whether 1.25 or 1.25.1 is the prevailing convention and open a small docs PR accordingly?

demo/docker/employees.Dockerfile (1)

1-1: Pin the Go image to a patch tag for reproducibility; consider multi-stage to reduce image size.

Using golang:1.25 is correct but mutable. Prefer a patch and distro tag (e.g., golang:1.25.1-bookworm or -alpine) to avoid surprise rebuilds. If image size matters, switch to a 2-stage build and run from a minimal base (distroless/alpine).

Apply at minimum:

-FROM golang:1.25 as builder
+FROM golang:1.25.1-bookworm as builder

Optional multi-stage (outside the selected range):

FROM golang:1.25.1-bookworm as builder
WORKDIR /app
COPY . ./
RUN go mod download && go mod verify
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o server ./cmd/employees

FROM gcr.io/distroless/static-debian12
WORKDIR /
COPY --from=builder /app/server /server
EXPOSE 4001
ENTRYPOINT ["/server"]

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between eb2474e and e508828.

📒 Files selected for processing (29)

• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (2 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (1 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router/Dockerfile (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• demo/docker/products.Dockerfile
• adr/custom-modules-v1.md

🚧 Files skipped from review as they are similar to previous changes (24)

• demo/docker/availability.Dockerfile
• graphqlmetrics/Dockerfile
• composition-go/go.mod
• router-tests/go.mod
• demo/docker/test1.Dockerfile
• connect-go/go.mod
• cli/src/commands/router/commands/plugin/templates/plugin.ts
• demo/pkg/subgraphs/projects/Dockerfile
• router/Dockerfile
• otelcollector/Dockerfile
• demo/pkg/subgraphs/projects/go.mod
• demo/docker/products_fg.Dockerfile
• router/custom.Dockerfile
• demo/go.mod
• graphqlmetrics/go.mod
• router-plugin/go.mod
• demo/docker/mood.Dockerfile
• demo/docker/countries.Dockerfile
• demo/docker/hobbies.Dockerfile
• .github/actions/go/action.yaml
• aws-lambda-router/go.mod
• scripts/install-proto-tools.sh
• router/go.mod
• demo/docker/family.Dockerfile

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: build-router
• GitHub Check: image_scan (nonroot)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_push_image
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: image_scan
• GitHub Check: integration_test (./events)
• GitHub Check: build_push_image
• GitHub Check: Analyze (go)
• GitHub Check: build_test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: build_push_image

🔇 Additional comments (2)

Makefile (2)

7-7: LGTM: gotestsum bumped to v1.12.3.

This aligns tooling with the Go 1.25 upgrade. No issues spotted.

---

11-11: LGTM: staticcheck updated to 2025.1.1.

Matches current release cadence and should be compatible with Go 1.25.

[miklosbarabas]

@coderabbitai summary

[coderabbitai]

✅ Actions performed

Summary regeneration triggered.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/actions/go-linter/action.yaml (1)

21-23: Pin staticcheck-action to specific commit for supply-chain hardening

-      uses: dominikh/staticcheck-action@v1.3.1
+      uses: dominikh/staticcheck-action@5106bb8ba1333e0510c91b2aa44c5ede005d9cff

router/custom.Dockerfile (2)

37-41: Harden runtime image: pin distroless and drop root

Pinning and using non-root reduces supply-chain and privilege risk.

Apply:

-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static:nonroot

-COPY --from=builder /app/router /router
+COPY --from=builder /app/router /router
+# Explicit, though the base already runs as nonroot
+USER nonroot:nonroot

Optionally pin to a digest to ensure reproducible builds.

---

1-1: Speed up builds and avoid surprise toolchain downloads

Use BuildKit cache mounts for Go modules/build cache and lock toolchain resolution to local.

Apply:

+# syntax=docker/dockerfile:1.7-labs
 FROM golang:1.25 as builder
@@
 ARG VERSION=dev
 ENV VERSION=$VERSION
@@
 ENV COMMIT=$COMMIT
@@
 ENV DATE=$DATE
+ENV GOTOOLCHAIN=local
@@
-# Download dependencies
-RUN go mod download
+# Download dependencies (cached)
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go mod download
@@
-# Run tests
-RUN go test -v ./...
+# Run tests (cached); -race where supported
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go test -race -v ./...
@@
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
     go build -trimpath -ldflags "-extldflags=-static \

Also applies to: 17-27, 31-35

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e508828 and bb88b66.

📒 Files selected for processing (30)

• .github/actions/go-linter/action.yaml (1 hunks)
• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (2 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (1 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router/Dockerfile (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (27)

• connect-go/go.mod
• demo/go.mod
• router-tests/go.mod
• composition-go/go.mod
• router-plugin/go.mod
• cli/src/commands/router/commands/plugin/templates/plugin.ts
• demo/pkg/subgraphs/projects/go.mod
• demo/docker/countries.Dockerfile
• demo/docker/products_fg.Dockerfile
• demo/pkg/subgraphs/projects/Dockerfile
• graphqlmetrics/Dockerfile
• graphqlmetrics/go.mod
• router/go.mod
• demo/docker/products.Dockerfile
• demo/docker/family.Dockerfile
• scripts/install-proto-tools.sh
• Makefile
• router/Dockerfile
• demo/docker/employees.Dockerfile
• demo/docker/hobbies.Dockerfile
• demo/docker/availability.Dockerfile
• aws-lambda-router/go.mod
• demo/docker/mood.Dockerfile
• otelcollector/Dockerfile
• adr/custom-modules-v1.md
• demo/docker/test1.Dockerfile
• .github/actions/go/action.yaml

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: build-router
• GitHub Check: build_push_image
• GitHub Check: integration_test (./events)
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_push_image (nonroot)
• GitHub Check: image_scan
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (2)

router/custom.Dockerfile (1)

1-1: Go 1.25 builder bump: LGTM

Matches repo-wide upgrade intent; no functional regressions expected.

CONTRIBUTING.md (1)

47-56: Go workspace example updated to 1.25: LGTM

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

CONTRIBUTING.md (1)

90-90: Repo-wide sanity check for version drift (Go 1.25 and mcp-go pin).

Re-run the sweep to ensure all docs/templates reference Go 1.25+ and mcp-go stays pinned to v0.36.x per prior regressions.

#!/bin/bash
# Go version references lingering below 1.25
rg -nP -S --glob '!*node_modules*' '(?i)\bgo(?:lang)?[:\s-]*1\.(18|19|20|21|22|23|24)\b|golang:1\.(18|19|20|21|22|23|24)'

# toolchain directives that might pull a different Go toolchain
rg -nP --type=go '^\s*toolchain\s+go1\.\d+'

# mcp-go should be v0.36.x across modules (per Learnings)
rg -nP 'github\.com/mark3labs/mcp-go\s+v?(\S+)' -C2

🧹 Nitpick comments (2)

CONTRIBUTING.md (2)

13-13: Fix OS naming and casing.

“linux / IOS” should be “Linux and macOS”.

Apply:

-- make (should be installed on all linux / IOS systems)
+- make (usually preinstalled on Linux and macOS)

Additionally (nearby text), minor grammar fix:

- Node.js [LTS](https://nodejs.org/en/about/releases/). You can also pnpm to [install](https://pnpm.io/cli/env) Node.js.
+ Node.js [LTS](https://nodejs.org/en/about/releases/). You can also use pnpm to [install](https://pnpm.io/cli/env) Node.js.

---

90-90: Align PNPM version to match prerequisites.

Top section requires pnpm >= 9 (Line 15), but Local Development lists “PNPM 8+”. Standardize on PNPM 9+.

Apply:

-- [PNPM 8+](https://pnpm.io/installation)
+- [PNPM 9+](https://pnpm.io/installation)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between bb88b66 and 1b8b90b.

⛔ Files ignored due to path filters (1)

• demo/go.sum is excluded by !**/*.sum

📒 Files selected for processing (31)

• .github/actions/go-linter/action.yaml (1 hunks)
• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (3 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (2 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router/Dockerfile (1 hunks)
• router/README.md (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

✅ Files skipped from review due to trivial changes (3)

• router/README.md
• adr/custom-modules-v1.md
• router/go.mod

🚧 Files skipped from review as they are similar to previous changes (26)

• router/Dockerfile
• demo/docker/employees.Dockerfile
• demo/pkg/subgraphs/projects/go.mod
• router/custom.Dockerfile
• Makefile
• demo/docker/availability.Dockerfile
• graphqlmetrics/go.mod
• demo/docker/mood.Dockerfile
• demo/docker/countries.Dockerfile
• demo/docker/hobbies.Dockerfile
• router-tests/go.mod
• demo/docker/family.Dockerfile
• router-plugin/go.mod
• demo/go.mod
• .github/actions/go-linter/action.yaml
• .github/actions/go/action.yaml
• graphqlmetrics/Dockerfile
• demo/docker/test1.Dockerfile
• aws-lambda-router/go.mod
• demo/docker/products_fg.Dockerfile
• scripts/install-proto-tools.sh
• cli/src/commands/router/commands/plugin/templates/plugin.ts
• composition-go/go.mod
• connect-go/go.mod
• demo/docker/products.Dockerfile
• demo/pkg/subgraphs/projects/Dockerfile

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• CONTRIBUTING.md

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~13-~13: There might be a mistake here.
Context: ...systems) - golang >= 1.25 - pnpm >= 9...

(QB_NEW_EN)

---

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

🪛 markdownlint-cli2 (0.17.2)

CONTRIBUTING.md

90-90: Hard tabs
Column: 1

(MD010, no-hard-tabs)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: build-router
• GitHub Check: build_push_image
• GitHub Check: image_scan (nonroot)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: integration_test (./events)
• GitHub Check: image_scan
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

CONTRIBUTING.md (1)

47-47: LGTM: workspace example matches Go 1.25.

The example correctly reflects the new Go version.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

router/go.mod (1)

3-3: Go 1.25 directive is fine; align CI/tooling and consider pinning toolchain patch.

• Ensure all GitHub Actions steps using actions/setup-go pin go-version: '1.25' and builder images/devcontainers use 1.25 as well. This mirrors an existing verification comment; avoid drift.
• Optional: add a toolchain directive to lock the patch version for reproducible builds.

Apply if you decide to pin the patch:

 go 1.25
+toolchain go1.25.1

🧹 Nitpick comments (1)

CONTRIBUTING.md (1)

47-47: Optional: show toolchain pinning in the Go workspace example.

Helps contributors match the repo’s patch level locally.

 go 1.25
+toolchain go1.25.1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1b8b90b and 618c9df.

⛔ Files ignored due to path filters (1)

• demo/go.sum is excluded by !**/*.sum

📒 Files selected for processing (31)

• .github/actions/go-linter/action.yaml (1 hunks)
• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (3 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (2 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router/Dockerfile (1 hunks)
• router/README.md (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• .github/actions/go-linter/action.yaml

🚧 Files skipped from review as they are similar to previous changes (28)

• demo/docker/countries.Dockerfile
• .github/actions/go/action.yaml
• demo/docker/family.Dockerfile
• router/README.md
• composition-go/go.mod
• graphqlmetrics/Dockerfile
• demo/docker/mood.Dockerfile
• demo/docker/hobbies.Dockerfile
• aws-lambda-router/go.mod
• cli/src/commands/router/commands/plugin/templates/plugin.ts
• router-tests/go.mod
• demo/docker/employees.Dockerfile
• graphqlmetrics/go.mod
• demo/docker/availability.Dockerfile
• demo/docker/products.Dockerfile
• demo/pkg/subgraphs/projects/Dockerfile
• router/custom.Dockerfile
• connect-go/go.mod
• Makefile
• scripts/install-proto-tools.sh
• adr/custom-modules-v1.md
• router-plugin/go.mod
• router/Dockerfile
• demo/docker/test1.Dockerfile
• demo/go.mod
• demo/docker/products_fg.Dockerfile
• otelcollector/Dockerfile
• demo/pkg/subgraphs/projects/go.mod

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• router/go.mod
• CONTRIBUTING.md

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~13-~13: There might be a mistake here.
Context: ...systems) - golang >= 1.25 - pnpm >= 9...

(QB_NEW_EN)

---

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: build-router
• GitHub Check: build_push_image (nonroot)
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_push_image
• GitHub Check: image_scan
• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: build_push_image

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

router-tests/testenv/testexec.go (2)

167-171: Ensure cleanup on startup failure.

If starting/logging setup fails, cancel the derived context before returning.

-  err = runCmdWithLogs(t, ctx, cmd, false, cmdLogChannel)
-  if err != nil {
-    return nil, err
-  }
+  err = runCmdWithLogs(t, ctx, cmd, false, cmdLogChannel)
+  if err != nil {
+    cancel(err)
+    return nil, err
+  }

---

200-203: Also cancel on readiness failure.

Avoid leaking goroutines/resources when the router never becomes ready.

-  err = env.WaitForServer(newCtx, env.RouterURL+"/health/ready", 600, 60)
-  if err != nil {
-    return nil, err
-  }
+  err = env.WaitForServer(newCtx, env.RouterURL+"/health/ready", 600, 60)
+  if err != nil {
+    cancel(err)
+    return nil, err
+  }

♻️ Duplicate comments (3)

cli/src/commands/router/commands/plugin/templates/plugin.ts (1)

9-9: go.mod template: use go 1.25 (patch not allowed); optionally pin toolchain.

The go directive must be major.minor. If you want to pin a patch, use a separate toolchain line.

 module {modulePath}

-go 1.25.1
+go 1.25
+toolchain go1.25.1

CONTRIBUTING.md (2)

13-17: Docs nits: OS capitalization, PNPM wording, and product names.

Tighten phrasing and capitalization.

-- make (should be installed on all linux / IOS systems)
+- make (should be installed on all Linux / macOS systems)
 - [golang](https://go.dev/dl/) `>= 1.25`
 - [pnpm](https://pnpm.io/installation) >= 9
-- Node.js [LTS](https://nodejs.org/en/about/releases/). You can also pnpm to [install](https://pnpm.io/cli/env) Node.js.
- - [docker desktop](https://docs.docker.com/desktop/) (includes: engine, buildkit & compose) **or**:
- - [docker engine](https://docs.docker.com/engine/) with:
+- Node.js [LTS](https://nodejs.org/en/about/releases/). You can also use pnpm to [install](https://pnpm.io/cli/env) Node.js.
+- [Docker Desktop](https://docs.docker.com/desktop/) (includes: Engine, BuildKit & Compose) **or**:
+- [Docker Engine](https://docs.docker.com/engine/) with:
   - [docker buildkit](https://docs.docker.com/build/buildkit/), with optionally: [docker buildx plugin](https://docs.docker.com/build/install-buildx/)
   - [docker compose plugin](https://docs.docker.com/compose/install/#scenario-two-install-the-compose-plugin)

---

84-91: Standardize PNPM requirement to 9+.

Line 89 still says “PNPM 8+”. Prior sections require “>= 9”.

 - [NodeJS LTS](https://nodejs.org/en/download/)
-- [PNPM 8+](https://pnpm.io/installation)
+- [PNPM 9+](https://pnpm.io/installation)
 - [Go 1.25+](https://golang.org/doc/install)

🧹 Nitpick comments (4)

cli/src/commands/router/commands/plugin/templates/plugin.ts (1)

405-405: Dockerfile template: prefer ${BUILDPLATFORM} for consistency; add mod cache (optional).

Minor consistency with the rest of the repo and most templates.

-FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.25-alpine AS builder

Optional cache improvements elsewhere in this template (keeps image build fast on CI with BuildKit):

-COPY go.mod go.sum ./
-RUN go mod download
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod go mod download

-RUN --mount=type=cache,target="/root/.cache/go-build" CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o dist/plugin ./src
+RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target="/root/.cache/go-build" \
+  CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o dist/plugin ./src

graphqlmetrics/Dockerfile (1)

1-1: Builder image upgraded to Go 1.25 — LGTM. Optional: add cache mounts to speed CI.

Optional tweaks elsewhere in the file to leverage BuildKit caching:

-COPY ./go.* .
-# Download dependencies
-RUN go mod download
+COPY ./go.* .
+# Download dependencies with cache
+RUN --mount=type=cache,target=/go/pkg/mod go mod download

-# Run tests
-RUN make test
+# Run tests with build cache
+RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build make test

router-tests/testenv/testexec.go (2)

167-167: Prefer tying log capture lifecycle to newCtx.

Stops the scanner as soon as env is canceled or the process exits (via cancel(err)), not only when the outer test ctx ends.

-  err = runCmdWithLogs(t, ctx, cmd, false, cmdLogChannel)
+  err = runCmdWithLogs(t, newCtx, cmd, false, cmdLogChannel)

---

151-152: Preserve the parent environment (PATH, etc.).

Appending to os.Environ avoids surprises for the router/process tree.

-  cmd := exec.Command(fullBinPath)
-  cmd.Env = envs
+  cmd := exec.Command(fullBinPath)
+  cmd.Env = append(os.Environ(), envs...)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 618c9df and 9737b26.

⛔ Files ignored due to path filters (1)

• demo/go.sum is excluded by !**/*.sum

📒 Files selected for processing (32)

• .github/actions/go-linter/action.yaml (1 hunks)
• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (3 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (2 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router-tests/testenv/testexec.go (1 hunks)
• router/Dockerfile (1 hunks)
• router/README.md (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (28)

• composition-go/go.mod
• aws-lambda-router/go.mod
• router-plugin/go.mod
• demo/docker/test1.Dockerfile
• demo/docker/products_fg.Dockerfile
• router/Dockerfile
• router/custom.Dockerfile
• adr/custom-modules-v1.md
• demo/docker/mood.Dockerfile
• connect-go/go.mod
• otelcollector/Dockerfile
• router/go.mod
• demo/docker/products.Dockerfile
• router/README.md
• demo/docker/family.Dockerfile
• router-tests/go.mod
• Makefile
• demo/docker/availability.Dockerfile
• .github/actions/go-linter/action.yaml
• demo/docker/countries.Dockerfile
• demo/go.mod
• scripts/install-proto-tools.sh
• demo/docker/employees.Dockerfile
• demo/pkg/subgraphs/projects/Dockerfile
• graphqlmetrics/go.mod
• demo/docker/hobbies.Dockerfile
• .github/actions/go/action.yaml
• demo/pkg/subgraphs/projects/go.mod

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• CONTRIBUTING.md

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~13-~13: There might be a mistake here.
Context: ...systems) - golang >= 1.25 - pnpm >= 9...

(QB_NEW_EN)

---

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: build-router
• GitHub Check: build_push_image
• GitHub Check: build_push_image
• GitHub Check: integration_test (./telemetry)
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: integration_test (./events)
• GitHub Check: image_scan
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: build_test
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

CONTRIBUTING.md (1)

47-48: Go workspace example bump looks good.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

CONTRIBUTING.md (2)

89-91: Standardize PNPM requirement to 9+.

Line 14 says “>= 9” while here it’s “PNPM 8+”. Recommend making both “PNPM 9+”.

- - [PNPM 8+](https://pnpm.io/installation)
+ - [PNPM 9+](https://pnpm.io/installation)

---

88-91: Update Helm chart Go requirement comments
helm/cosmo/charts/otelcollector/values.yaml:29 and helm/cosmo/charts/graphqlmetrics/values.yaml:29 still reference “Requires Go 1.19+”—please bump to “Go 1.25+” to match the project’s new minimum. mcp-go is correctly pinned to v0.36.0.

🧹 Nitpick comments (1)

CONTRIBUTING.md (1)

12-15: Polish OS names and Node.js sentence; align Go phrasing.

• Capitalize OS names and use “macOS”.
• Fix “You can also pnpm to install” wording.
• Prefer “Go 1.25+” to match the rest of the doc.

- - make (should be installed on all linux / IOS systems)
- - [golang](https://go.dev/dl/) `>= 1.25`
+ - make (should be installed on all Linux / macOS systems)
+ - [Go](https://go.dev/dl/) 1.25+
  - [pnpm](https://pnpm.io/installation) >= 9
- - Node.js [LTS](https://nodejs.org/en/about/releases/). You can also pnpm to [install](https://pnpm.io/cli/env) Node.js.
+ - Node.js [LTS](https://nodejs.org/en/about/releases/). You can also use pnpm to [install](https://pnpm.io/cli/env) Node.js.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9737b26 and f554c49.

⛔ Files ignored due to path filters (1)

• demo/go.sum is excluded by !**/*.sum

📒 Files selected for processing (32)

• .github/actions/go-linter/action.yaml (1 hunks)
• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (3 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (2 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router-tests/testenv/testexec.go (1 hunks)
• router/Dockerfile (1 hunks)
• router/README.md (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• Makefile

🚧 Files skipped from review as they are similar to previous changes (30)

• .github/actions/go/action.yaml
• scripts/install-proto-tools.sh
• connect-go/go.mod
• router/Dockerfile
• demo/docker/countries.Dockerfile
• demo/pkg/subgraphs/projects/go.mod
• cli/src/commands/router/commands/plugin/templates/plugin.ts
• demo/go.mod
• aws-lambda-router/go.mod
• demo/docker/hobbies.Dockerfile
• demo/docker/family.Dockerfile
• otelcollector/Dockerfile
• demo/docker/availability.Dockerfile
• router/custom.Dockerfile
• adr/custom-modules-v1.md
• router-tests/go.mod
• router/go.mod
• router/README.md
• graphqlmetrics/go.mod
• demo/docker/products.Dockerfile
• graphqlmetrics/Dockerfile
• demo/docker/products_fg.Dockerfile
• demo/docker/employees.Dockerfile
• demo/pkg/subgraphs/projects/Dockerfile
• demo/docker/mood.Dockerfile
• .github/actions/go-linter/action.yaml
• demo/docker/test1.Dockerfile
• composition-go/go.mod
• router-plugin/go.mod
• router-tests/testenv/testexec.go

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• CONTRIBUTING.md

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~13-~13: There might be a mistake here.
Context: ...systems) - golang >= 1.25 - pnpm >= 9...

(QB_NEW_EN)

---

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: build-router
• GitHub Check: build_test
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: integration_test (./events)
• GitHub Check: image_scan (nonroot)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: image_scan
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: build_push_image
• GitHub Check: build_test

🔇 Additional comments (1)

CONTRIBUTING.md (1)

46-56: Go workspace example bump looks good.

“go 1.25” in the example matches the toolchain upgrade. No action needed.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

CONTRIBUTING.md (1)

12-15: Nit: macOS capitalization and wording for pnpm sentence.

-- make (should be installed on all Linux / MacOS systems)
+- make (should be installed on all Linux / macOS systems)
@@
-- Node.js [LTS](https://nodejs.org/en/about/releases/). You can also pnpm to [install](https://pnpm.io/cli/env) Node.js.
+- Node.js [LTS](https://nodejs.org/en/about/releases/). You can also use pnpm to [install](https://pnpm.io/cli/env) Node.js.

🧹 Nitpick comments (3)

connect-go/go.mod (1)

3-3: Go directive bump to 1.25 looks good; consider pinning toolchain for reproducibility.

Optional: add a toolchain directive to ensure all devs use the same 1.25.x patch locally.

 module github.com/wundergraph/cosmo/connect-go

 go 1.25
+toolchain go1.25.1

router/Dockerfile (1)

1-1: Upgrade to Go 1.25 is correct; pin builder patch and disable go.work during builds for reproducibility.

• Pin to golang:1.25.1 to avoid silent patch drifts.
• Disable go.work resolution in Docker builds to prevent accidental workspace pollution.

-FROM --platform=${BUILDPLATFORM} golang:1.25 AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.25.1 AS builder
@@
 WORKDIR /app/
 
+# Ensure reproducible module resolution inside the container
+ENV GOWORK=off
+
 # Copy only the files required for go mod download
 COPY go.* .
 
 # Download dependencies
 RUN go mod download

Also applies to: 21-21

.github/actions/go/action.yaml (1)

6-6: Default '1.25' works; consider '1.25.x' and/or check-latest to auto-pick newest patch.

Keeps CI on latest 1.25 patch without manual bumps.

-    default: '1.25'
+    default: '1.25.x'
@@
     - uses: actions/setup-go@v5
       with:
         go-version: ${{ inputs.go-version }}
+        check-latest: true
         cache-dependency-path: ${{ inputs.cache-dependency-path }}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f554c49 and e98b4c6.

⛔ Files ignored due to path filters (1)

• demo/go.sum is excluded by !**/*.sum

📒 Files selected for processing (32)

• .github/actions/go-linter/action.yaml (1 hunks)
• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (3 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (2 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router-tests/testenv/testexec.go (1 hunks)
• router/Dockerfile (1 hunks)
• router/README.md (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (28)

• cli/src/commands/router/commands/plugin/templates/plugin.ts
• router/custom.Dockerfile
• scripts/install-proto-tools.sh
• demo/pkg/subgraphs/projects/go.mod
• aws-lambda-router/go.mod
• router/README.md
• demo/docker/availability.Dockerfile
• router-tests/go.mod
• demo/docker/countries.Dockerfile
• demo/docker/mood.Dockerfile
• graphqlmetrics/Dockerfile
• Makefile
• demo/docker/test1.Dockerfile
• demo/docker/employees.Dockerfile
• otelcollector/Dockerfile
• demo/docker/family.Dockerfile
• router/go.mod
• composition-go/go.mod
• router-tests/testenv/testexec.go
• demo/docker/products_fg.Dockerfile
• demo/docker/products.Dockerfile
• demo/go.mod
• router-plugin/go.mod
• graphqlmetrics/go.mod
• adr/custom-modules-v1.md
• .github/actions/go-linter/action.yaml
• demo/pkg/subgraphs/projects/Dockerfile
• demo/docker/hobbies.Dockerfile

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• connect-go/go.mod
• CONTRIBUTING.md

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~12-~12: There might be a mistake here.
Context: ... installed on all Linux / MacOS systems) - golang >= 1.25 - ...

(QB_NEW_EN)

---

[grammar] ~13-~13: There might be a mistake here.
Context: ...systems) - golang >= 1.25 - pnpm >= 9...

(QB_NEW_EN)

---

[grammar] ~89-~89: There might be a mistake here.
Context: ...ps://nodejs.org/en/download/) - PNPM 9+ - [Go 1.25+](https://golang.org/doc/install...

(QB_NEW_EN)

---

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: build-router
• GitHub Check: integration_test (./telemetry)
• GitHub Check: build_push_image
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: image_scan
• GitHub Check: integration_test (./events)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: image_scan (nonroot)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)
• GitHub Check: build_test
• GitHub Check: build_push_image

🔇 Additional comments (3)

connect-go/go.mod (1)

3-3: No stale Go version or mcp-go discrepancies found
All matches were in test vectors or chart comments (not actionable); no updates needed.

CONTRIBUTING.md (2)

47-47: Go workspace example updated to 1.25 — LGTM.

---

89-90: Local dev requirements updated to PNPM 9+ and Go 1.25+ — LGTM.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CONTRIBUTING.md (1)

40-56: Update stale Go version references and confirm mcp-go version

• Tests in router/internal/versioninfo/versioninfo_test.go still assert GoVersion "go1.20" (at lines 88, 100, 114, 122, 133, 142, 153, 159) – bump expected value to "go1.25".
• Helm chart values in helm/cosmo/charts/otelcollector/values.yaml and graphqlmetrics/values.yaml mention “Requires Go 1.19+” – update to reflect Go 1.25+.
• All go.mod files correctly pin github.com/mark3labs/mcp-go to v0.36.0; no v0.38.0 usage detected.
• demo module’s go.sum still lists v0.30.0 checksums – run go mod tidy to prune unused entries.

♻️ Duplicate comments (1)

demo/pkg/subgraphs/projects/go.mod (1)

47-47: Local replace breaks CI unless a go.work or CI edit step supplies it.
Same concern as noted earlier: the relative replace to ../../../../router-plugin won’t resolve in clean CI/build contexts without a go.work or an injected replace.

Consider either adding a repo-root go.work that includes this module and router-plugin, or ensure CI injects the replace before builds.

Run to verify:

#!/bin/bash
set -euo pipefail
echo "go.work files (if any):"
fd -HI go.work && cat go.work || true
echo -e "\nExternal replaces in go.mod files:"
rg -nI -g '**/go.mod' -e '^replace\s' -C0

🧹 Nitpick comments (5)

demo/pkg/subgraphs/projects/go.mod (1)

1-11: Optional: pin toolchain for reproducibility.
Add a toolchain directive to ensure developers auto-fetch/use Go 1.25.x.

 module github.com/wundergraph/cosmo/demo/pkg/subgraphs/projects

-go 1.25
+go 1.25
+toolchain go1.25.1

router/custom.Dockerfile (3)

37-41: Harden runtime: nonroot user and CA certs for TLS.
If the router makes HTTPS calls, distroless:static may lack CA certs; also prefer nonroot.

-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static:nonroot
+# Ensure system CAs are available (needed for outbound TLS)
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-COPY --from=builder /app/router /router
+COPY --from=builder /app/router /router
-ENTRYPOINT ["/router"]
+USER nonroot:nonroot
+ENTRYPOINT ["/router"]

---

20-28: Speed up Docker builds with BuildKit cache and optional tests.
Use cache mounts for go mod/build and make running tests configurable.

-# Download dependencies
-RUN go mod download
+# Download dependencies (with cache)
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go mod download

-# Run tests
-RUN go test -v ./...
+# Run tests (optional)
+ARG RUN_TESTS=false
+RUN if [ "$RUN_TESTS" = "true" ]; then \
+      --mount=type=cache,target=/go/pkg/mod \
+      --mount=type=cache,target=/root/.cache/go-build \
+      go test -v ./... ; \
+    fi

Note: to use cache mounts, add this header at the top: # syntax=docker/dockerfile:1.7-labs.

---

30-35: Cache the build step.
Further speedups for go build.

-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
     go build -trimpath -ldflags "-extldflags=-static \
     -X 'github.com/wundergraph/cosmo/router/core.Version=${VERSION}' \
     -X 'github.com/wundergraph/cosmo/router/core.Commit=${COMMIT}' \
     -X 'github.com/wundergraph/cosmo/router/core.Date=${DATE}'" \
     -a -o router cmd/custom/main.go

CONTRIBUTING.md (1)

12-15: Minor wording/capitalization fixes.
Consistency and grammar.

-- make (should be installed on all Linux / MacOS systems)
+- make (should be installed on all Linux / macOS systems)
 - [golang](https://go.dev/dl/) `>= 1.25`
 - [pnpm](https://pnpm.io/installation) >= 9
-- Node.js [LTS](https://nodejs.org/en/about/releases/). You can also pnpm to [install](https://pnpm.io/cli/env) Node.js.
+- Node.js [LTS](https://nodejs.org/en/about/releases/). You can also use pnpm to [install](https://pnpm.io/cli/env) Node.js.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e98b4c6 and c4ab521.

⛔ Files ignored due to path filters (1)

• demo/go.sum is excluded by !**/*.sum

📒 Files selected for processing (32)

• .github/actions/go-linter/action.yaml (1 hunks)
• .github/actions/go/action.yaml (1 hunks)
• CONTRIBUTING.md (3 hunks)
• Makefile (1 hunks)
• adr/custom-modules-v1.md (1 hunks)
• aws-lambda-router/go.mod (1 hunks)
• cli/src/commands/router/commands/plugin/templates/plugin.ts (2 hunks)
• composition-go/go.mod (1 hunks)
• connect-go/go.mod (1 hunks)
• demo/docker/availability.Dockerfile (1 hunks)
• demo/docker/countries.Dockerfile (1 hunks)
• demo/docker/employees.Dockerfile (1 hunks)
• demo/docker/family.Dockerfile (1 hunks)
• demo/docker/hobbies.Dockerfile (1 hunks)
• demo/docker/mood.Dockerfile (1 hunks)
• demo/docker/products.Dockerfile (1 hunks)
• demo/docker/products_fg.Dockerfile (1 hunks)
• demo/docker/test1.Dockerfile (1 hunks)
• demo/go.mod (2 hunks)
• demo/pkg/subgraphs/projects/Dockerfile (1 hunks)
• demo/pkg/subgraphs/projects/go.mod (1 hunks)
• graphqlmetrics/Dockerfile (1 hunks)
• graphqlmetrics/go.mod (1 hunks)
• otelcollector/Dockerfile (2 hunks)
• router-plugin/go.mod (1 hunks)
• router-tests/go.mod (1 hunks)
• router-tests/testenv/testexec.go (1 hunks)
• router/Dockerfile (1 hunks)
• router/README.md (1 hunks)
• router/custom.Dockerfile (1 hunks)
• router/go.mod (1 hunks)
• scripts/install-proto-tools.sh (1 hunks)

✅ Files skipped from review due to trivial changes (3)

• connect-go/go.mod
• router/go.mod
• demo/docker/products_fg.Dockerfile

🚧 Files skipped from review as they are similar to previous changes (26)

• aws-lambda-router/go.mod
• demo/docker/availability.Dockerfile
• adr/custom-modules-v1.md
• demo/docker/employees.Dockerfile
• demo/docker/countries.Dockerfile
• router/README.md
• graphqlmetrics/Dockerfile
• demo/docker/products.Dockerfile
• demo/go.mod
• demo/docker/family.Dockerfile
• demo/docker/hobbies.Dockerfile
• .github/actions/go/action.yaml
• router-plugin/go.mod
• router-tests/go.mod
• cli/src/commands/router/commands/plugin/templates/plugin.ts
• graphqlmetrics/go.mod
• router/Dockerfile
• router-tests/testenv/testexec.go
• scripts/install-proto-tools.sh
• demo/pkg/subgraphs/projects/Dockerfile
• otelcollector/Dockerfile
• demo/docker/test1.Dockerfile
• .github/actions/go-linter/action.yaml
• composition-go/go.mod
• demo/docker/mood.Dockerfile
• Makefile

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

📚 Learning: 2025-08-20T22:13:25.222Z

Learnt from: StarpTech
PR: wundergraph/cosmo#2157
File: router-tests/go.mod:16-16
Timestamp: 2025-08-20T22:13:25.222Z
Learning: github.com/mark3labs/mcp-go v0.38.0 has regressions and should not be used in the wundergraph/cosmo project. v0.36.0 is the stable version that should be used across router-tests and other modules.

Applied to files:

• demo/pkg/subgraphs/projects/go.mod
• CONTRIBUTING.md

🪛 LanguageTool

CONTRIBUTING.md

[grammar] ~12-~12: There might be a mistake here.
Context: ... installed on all Linux / MacOS systems) - golang >= 1.25 - ...

(QB_NEW_EN)

---

[grammar] ~13-~13: There might be a mistake here.
Context: ...systems) - golang >= 1.25 - pnpm >= 9...

(QB_NEW_EN)

---

[grammar] ~89-~89: There might be a mistake here.
Context: ...ps://nodejs.org/en/download/) - PNPM 9+ - [Go 1.25+](https://golang.org/doc/install...

(QB_NEW_EN)

---

[grammar] ~90-~90: There might be a mistake here.
Context: ...ttps://pnpm.io/installation) - Go 1.25+ - wgc ...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: build-router
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: image_scan (nonroot)
• GitHub Check: image_scan
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./events)
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build_test

🔇 Additional comments (4)

demo/pkg/subgraphs/projects/go.mod (1)

3-3: Go toolchain bump to 1.25 looks good.
Matches the repo-wide upgrade and should be compatible with existing deps here.

router/custom.Dockerfile (1)

1-1: Base image bump to golang:1.25 is correct.
Aligns with the module go directive.

CONTRIBUTING.md (2)

47-47: Docs aligned to Go 1.25.
The workspace example matches the toolchain bump.

---

89-90: Local dev prerequisites updated to PNPM 9+ and Go 1.25+.
Looks consistent with the rest of the PR.

[StarpTech]

LGTM