fix: upgrade docker cli dependency

[SkArchon]

This PR fixes this vulnerability https://github.com/wundergraph/cosmo/security/code-scanning/323

Summary by CodeRabbit

• Chores

  • Updated Docker CLI dependency to a newer compatible version across modules.
  • Added a container-registry dependency for test tooling.

• Tests

  • Added end-to-end OCI plugin tests and supportive test helpers to validate image push/pull, runtime behavior, error handling, and restart scenarios.
  • Extended test environment to support OCI plugin registry URLs and bundled test data for OCI scenarios.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

Bumps docker CLI indirect dependency, adds go-containerregistry to router-tests, introduces OCI test helpers and three OCI integration tests that build/push plugin images to an in-memory registry, and extends testenv PluginConfig with a RegistryURL field plus an embedded OCI config template.

Changes

Cohort / File(s)	Summary
Dependency updates demo/go.mod, router/go.mod, router-tests/go.mod	Bumped indirect github.com/docker/cli from v28.2.2+incompatible → v29.2.0+incompatible. Added github.com/google/go-containerregistry v0.20.3 to router-tests/go.mod top-level require (removed as indirect).
New OCI test helpers router-tests/oci_test_helpers.go	Adds helpers to start an in-memory OCI registry, build an OCI-compatible plugin image (tar layer renaming binary to plugin, set entrypoint and platform), wrap image with OCI media types, and push to the test registry using crane.
New OCI integration tests router-tests/router_oci_plugin_test.go	Adds tests: TestOCIPlugin_PullAndRun, TestOCIPlugin_ImageNotFound, and TestOCIPlugin_Restart covering image build/push, missing-image error, and restart/log-observation flows using the test registry and testenv.
Test environment updates router-tests/testenv/testenv.go	Adds RegistryURL string to PluginConfig; constructs PluginsConfiguration in two steps to optionally set a Registry field when RegistryURL is provided (with scheme validation). Adds an embedded JSON template variable for OCI plugin test configs.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: upgrade docker cli dependency' directly and clearly describes the primary change across all modified files, which involves upgrading the docker/cli dependency from v28.2.2 to v29.2.0 and supporting OCI plugin infrastructure.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-0427c522f5eddd8b5e62b40cd7cebfb62d51f7da-nonroot

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.81%. Comparing base (1bad24d) to head (cdefea6).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2589      +/-   ##
==========================================
+ Coverage   62.27%   62.81%   +0.54%     
==========================================
  Files         243      243              
  Lines       25746    25746              
==========================================
+ Hits        16033    16173     +140     
+ Misses       8371     8202     -169     
- Partials     1342     1371      +29     

see 8 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[dkorittki]

docker cli is an indirect dependency used by go-containerregistry. When you update it without updating go-containerregistry that library is using the updated library without us knowing wether that works or not. I think it's better to update go-containerregistry itself but you need to ensure the router uses a newer go version.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@router-tests/router_oci_plugin_test.go`:
- Around line 99-104: The EventuallyWithT retry callback must not call
xEnv.MakeGraphQLRequestOK because it uses fatal assertions and can abort the
test instead of allowing retries; replace the call with the non-fatal request
helper (e.g., xEnv.MakeGraphQLRequest or another variant that returns a response
without calling t.Fatal) and assert the response body using the provided
CollectT (require.Equal(c, ...)) inside the callback so transient failures
during plugin restart are retried by require.EventuallyWithT rather than
terminating the test.

In `@router-tests/testenv/testenv.go`:
- Around line 1499-1503: Validate and reject schema-prefixed registry URLs when
assigning testConfig.Plugins.RegistryURL to pluginsCfg.Registry.URL: check the
string in the setup code that currently assigns testConfig.Plugins.RegistryURL
(the block that sets pluginsCfg.Registry =
config.PluginRegistryConfiguration{URL: ...}) and if it starts with "http://" or
"https://" return an error or fatally fail the test setup with a clear message
instructing that OCI registry URLs must be host-only (no schema). Ensure the
validation triggers before any plugin pull attempts so failures are fast and
actionable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1db695a7-d484-4eef-98aa-97ca6f6a1a26

📥 Commits

Reviewing files that changed from the base of the PR and between 671a560 and 70f392f.

📒 Files selected for processing (5)

• router-tests/go.mod
• router-tests/oci_test_helpers.go
• router-tests/router_oci_plugin_test.go
• router-tests/testenv/testdata/configWithOCIPlugins.json
• router-tests/testenv/testenv.go

🚧 Files skipped from review as they are similar to previous changes (1)

• router-tests/go.mod

[coderabbitai]

🧹 Nitpick comments (1)

router-tests/router_oci_plugin_test.go (1)

24-29: Consider extracting duplicated plugin image setup into a helper.

The binary path + build/push sequence is repeated across tests; extracting it will reduce drift and simplify future image/tag changes.

♻️ Suggested refactor

+func pushTestPlugins(t *testing.T, registryHost string) {
+	t.Helper()
+	projectsBinary := fmt.Sprintf("../router/plugins/projects/bin/%s_%s", runtime.GOOS, runtime.GOARCH)
+	coursesBinary := fmt.Sprintf("../router/plugins/courses/bin/%s_%s", runtime.GOOS, runtime.GOARCH)
+	buildAndPushPluginImage(t, registryHost, "test-org/projects", "v1", projectsBinary)
+	buildAndPushPluginImage(t, registryHost, "test-org/courses", "v1", coursesBinary)
+}
+
 func TestOCIPlugin_PullAndRun(t *testing.T) {
 	t.Parallel()
 
 	registryHost := startTestOCIRegistry(t)
-
-	projectsBinary := fmt.Sprintf("../router/plugins/projects/bin/%s_%s", runtime.GOOS, runtime.GOARCH)
-	coursesBinary := fmt.Sprintf("../router/plugins/courses/bin/%s_%s", runtime.GOOS, runtime.GOARCH)
-
-	buildAndPushPluginImage(t, registryHost, "test-org/projects", "v1", projectsBinary)
-	buildAndPushPluginImage(t, registryHost, "test-org/courses", "v1", coursesBinary)
+	pushTestPlugins(t, registryHost)
 ...
 func TestOCIPlugin_Restart(t *testing.T) {
 	t.Parallel()
 
 	registryHost := startTestOCIRegistry(t)
-
-	projectsBinary := fmt.Sprintf("../router/plugins/projects/bin/%s_%s", runtime.GOOS, runtime.GOARCH)
-	coursesBinary := fmt.Sprintf("../router/plugins/courses/bin/%s_%s", runtime.GOOS, runtime.GOARCH)
-
-	buildAndPushPluginImage(t, registryHost, "test-org/projects", "v1", projectsBinary)
-	buildAndPushPluginImage(t, registryHost, "test-org/courses", "v1", coursesBinary)
+	pushTestPlugins(t, registryHost)

Also applies to: 71-75

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router-tests/router_oci_plugin_test.go` around lines 24 - 29, Duplicate
plugin image setup (projectsBinary/coursesBinary + buildAndPushPluginImage
calls) should be extracted into a helper to avoid repetition; create a function
(e.g., prepareAndPushPluginImage or setupPluginImage) that takes registryHost,
org/name, version and OS/ARCH or derives runtime.GOOS/runtime.GOARCH, builds the
binary path (like "../router/plugins/%s/bin/%s_%s") and calls
buildAndPushPluginImage internally, then replace the repeated lines in
router_oci_plugin_test.go (references: projectsBinary, coursesBinary,
buildAndPushPluginImage, registryHost) with calls to this helper in both the
24-29 block and the similar 71-75 block.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@router-tests/router_oci_plugin_test.go`:
- Around line 24-29: Duplicate plugin image setup (projectsBinary/coursesBinary
+ buildAndPushPluginImage calls) should be extracted into a helper to avoid
repetition; create a function (e.g., prepareAndPushPluginImage or
setupPluginImage) that takes registryHost, org/name, version and OS/ARCH or
derives runtime.GOOS/runtime.GOARCH, builds the binary path (like
"../router/plugins/%s/bin/%s_%s") and calls buildAndPushPluginImage internally,
then replace the repeated lines in router_oci_plugin_test.go (references:
projectsBinary, coursesBinary, buildAndPushPluginImage, registryHost) with calls
to this helper in both the 24-29 block and the similar 71-75 block.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 38c2340d-e986-4b8a-8c5d-f35d5ba3f04e

📥 Commits

Reviewing files that changed from the base of the PR and between 70f392f and 8ea5a0c.

📒 Files selected for processing (2)

• router-tests/router_oci_plugin_test.go
• router-tests/testenv/testenv.go

🚧 Files skipped from review as they are similar to previous changes (1)

• router-tests/testenv/testenv.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@router-tests/testenv/testenv.go`:
- Around line 1499-1505: The RegistryURL validation only checks for lowercase
"http://" and "https://" but must reject any URI scheme (case-insensitive) such
as "oci://", "HTTP://", or other "scheme://" forms; update the check around
testConfig.Plugins.RegistryURL so it rejects inputs containing a scheme by
either parsing with net/url (url.Parse and ensure u.Scheme == "" and u.Host ==
"") or by case-insensitive detection of any "<scheme>://" pattern (e.g.,
strings.Contains(strings.ToLower(testConfig.Plugins.RegistryURL), "://") or a
regex) before assigning pluginsCfg.Registry =
config.PluginRegistryConfiguration{URL: testConfig.Plugins.RegistryURL}; keep
the error message descriptive and include the offending value
(testConfig.Plugins.RegistryURL).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 02622299-f0dc-4e9c-ba5b-ca2a1ea5fa82

📥 Commits

Reviewing files that changed from the base of the PR and between 8ea5a0c and cdefea6.

📒 Files selected for processing (1)

• router-tests/testenv/testenv.go