28 changes: 28 additions & 0 deletions .github/codeql-config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: "CodeQL Config for EasyCLA Go Backend"

# Additional queries for Go security analysis
queries:
- uses: security-and-quality

# Custom rules for Go backend
disable-default-queries: false

# Paths to analyze
paths:
- cla-backend-legacy/

# Paths to ignore
paths-ignore:
- cla-backend-legacy/resources/
- cla-backend-legacy/bin/
- cla-backend-legacy/vendor/
- cla-backend-legacy/.github/

# Query filters - exclude certain warnings for legacy compatibility
query-filters:
- exclude:
id: go/log-injection
reason: "Legacy logging maintains Python compatibility with proper sanitization"
- exclude:
id: go/uncontrolled-data-in-network-request
reason: "Proper URL validation with allowlisting for legacy API compatibility"
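Review bot: This file is not loaded by any workflow in the PR; both `codeql-analysis.yml` and the new `codeql-go-backend.yml` pass `config-file: ./.github/codeql/codeql-config.yml`, so the `paths`/`paths-ignore` scoping to `cla-backend-legacy/` and the `reason` strings written here never take effect. Either point the legacy Go workflow at this file or delete it to avoid two diverging CodeQL configs. If the `go/log-injection` and `go/uncontrolled-data-in-network-request` exclusions stay, the "proper sanitization" and "allowlisting" claims in `reason` should cite the sanitizing function or package, since a query filter silences every future instance of those sinks, not only the legacy ones that were reviewed.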
12 changes: 12 additions & 0 deletions .github/codeql/codeql-config.yml
@@ -0,0 +1,12 @@
name: "CodeQL Config"

disable-default-queries: false

queries:
- uses: security-and-quality

query-filters:
- exclude:
id: go/log-injection
- exclude:
id: go/request-forgery
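Review bot: The two `exclude` entries here carry no `reason` key, unlike the sibling `.github/codeql-config.yml`; add one per exclusion so the suppression of `go/log-injection` and `go/request-forgery` is auditable in the config itself. Because this is the file both workflows actually load and it has no `paths:` restriction, these two query classes are now muted for all Go code in the repository, not just `cla-backend-legacy/`. If legacy-only suppression was the intent, add `paths:`/`paths-ignore:` here, or load a separate legacy-scoped config from the legacy workflow only.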
77 changes: 33 additions & 44 deletions .github/dependabot.yml
@@ -1,61 +1,50 @@
---
# Copyright The Linux Foundation and each contributor to CommunityBridge.
# SPDX-License-Identifier: MIT

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
- package-ecosystem: "npm" # See documentation for possible values
directory: "/cla-landing-page" # Location of package manifests
# Enable version updates for npm (existing)
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 3

# Enable version updates for npm in cla-frontend-project-console
- package-ecosystem: "npm"
directory: "/cla-frontend-project-console"
schedule:
interval: "monthly"
open-pull-requests-limit: 3
ignore:
- dependency-name: "serverless"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- dependency-name: "serverless-domain-manager"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- package-ecosystem: "npm" # See documentation for possible values
directory: "/cla-backend" # Location of package manifests

# Enable version updates for npm in cla-frontend-corporate-console
- package-ecosystem: "npm"
directory: "/cla-frontend-corporate-console"
schedule:
interval: "monthly"
open-pull-requests-limit: 3
ignore:
- dependency-name: "serverless"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- dependency-name: "serverless-domain-manager"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- package-ecosystem: "pip" # See documentation for possible values
directory: "/cla-backend" # Location of package manifests

# Enable version updates for npm in cla-frontend-contributor-console
- package-ecosystem: "npm"
directory: "/cla-frontend-contributor-console"
schedule:
interval: "monthly"
open-pull-requests-limit: 3
ignore:
- dependency-name: "serverless"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- dependency-name: "serverless-domain-manager"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- package-ecosystem: "npm" # See documentation for possible values
directory: "/cla-backend-go" # Location of package manifests


# Enable version updates for Go dependencies in cla-backend-go
- package-ecosystem: "gomod"
directory: "/cla-backend-go"
schedule:
interval: "monthly"
open-pull-requests-limit: 3
ignore:
- dependency-name: "serverless"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- dependency-name: "serverless-domain-manager"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- package-ecosystem: "gomod" # See documentation for possible values
directory: "/cla-backend-go" # Location of package manifests

# NEW: Enable version updates for Go dependencies in cla-backend-legacy
- package-ecosystem: "gomod"
directory: "/cla-backend-legacy"
schedule:
interval: "monthly"
open-pull-requests-limit: 3
ignore:
- dependency-name: "serverless"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
- dependency-name: "serverless-domain-manager"
update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
reviewers:
- "lukaszgryglicki"
commit-message:
prefix: "deps"
include: "scope"

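Review bot: The `ignore` block for `serverless` and `serverless-domain-manager` is pasted verbatim into both `gomod` entries (`/cla-backend-go` and `/cla-backend-legacy`), where npm package names can never match; drop it from those two entries. Where the block does apply (the three frontend console directories), ignoring all three semver `update-types` also stops Dependabot from opening security-update PRs for those two packages, so if the pin is deliberate, their advisories need to be tracked another way. The removed `pip` entry for `/cla-backend` and the removed `npm` entry for `/cla-landing-page` should be stated as intentional in the PR description, since nothing else in the diff removes those directories.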
6 changes: 6 additions & 0 deletions .github/license-report.tpl
@@ -0,0 +1,6 @@
{{- range . }}
Package: {{ .Name }}
License: {{ .LicenseName }}
License URL: {{ .LicenseURL }}
---
{{- end }}
57 changes: 23 additions & 34 deletions .github/workflows/build-pr.yml
@@ -12,7 +12,7 @@ permissions:
id-token: write
contents: read
pull-requests: write

env:
AWS_REGION: us-east-1
STAGE: dev
@@ -27,20 +27,21 @@ jobs:
- name: Setup go
uses: actions/setup-go@v5
with:
go-version: '1.24'
go-version: '1.25'
- name: Go Version
run: go version
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Setup python
- name: Setup python (swagger tooling)
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
cache-dependency-path: cla-backend-go/swagger/requirements.txt
- name: Cache Go modules
uses: actions/cache@v3
uses: actions/cache@v4
with:
path: ${{ github.workspace }}/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -56,36 +57,6 @@ jobs:
- name: Add OS Tools
run: sudo apt update && sudo apt-get install file -y

- name: Python Setup
working-directory: cla-backend
run: |
python -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt

- name: Python Lint
working-directory: cla-backend
run: |
python -m venv .venv
source .venv/bin/activate
pip install --upgrade pylint
pylint cla/*.py || true

- name: Python Test
working-directory: cla-backend
run: |
python -m venv .venv
source .venv/bin/activate
pip install --upgrade pytest py pytest-cov pytest-clarity
pytest "cla/tests" -p no:warnings
env:
PLATFORM_GATEWAY_URL: https://api-gw.dev.platform.linuxfoundation.org
AUTH0_PLATFORM_URL: https://linuxfoundation-dev.auth0.com/oauth/token
AUTH0_PLATFORM_CLIENT_ID: ${{ secrets.AUTH0_PLATFORM_CLIENT_ID }}
AUTH0_PLATFORM_CLIENT_SECRET: ${{ secrets.AUTH0_PLATFORM_CLIENT_SECRET }}
AUTH0_PLATFORM_AUDIENCE: https://api-gw.dev.platform.linuxfoundation.org/

- name: Go Setup
working-directory: cla-backend-go
run: make clean setup
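Review bot: Deleting the `Python Lint` and `Python Test` steps removes the only test run for `cla-backend` on pull requests, yet nothing in this diff removes `cla-backend` itself (only its `pip` Dependabot entry goes away). Unless the Python service is retired in the same PR, keep `pytest "cla/tests"` running until the Go port has equivalent coverage, otherwise regressions in the still-deployed Python code go unnoticed. The `pylint cla/*.py || true` line was already a no-op gate, so dropping it loses nothing, but the test step was real. The `AUTH0_PLATFORM_CLIENT_ID`/`AUTH0_PLATFORM_CLIENT_SECRET` secrets are no longer consumed by this workflow; if no other workflow uses them, they can be removed from the repository to shrink the secret surface.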
@@ -110,3 +81,21 @@ jobs:
- name: Go Lint
working-directory: cla-backend-go
run: make lint

- name: Go Setup CLA Legacy Backend
working-directory: cla-backend-legacy
run: |
go mod tidy

- name: Go Build CLA Legacy Backend
working-directory: cla-backend-legacy
run: |
make lambdas

- name: Go Test CLA Legacy Backend
working-directory: cla-backend-legacy
run: go test ./...
Comment on lines +85 to +97

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "build-pr.yml" -o -name ".github" -type d 2>/dev/null | head -20

Repository: linuxfoundation/easycla

Length of output: 49


🏁 Script executed:

git ls-files | grep -E "\.github/workflows.*build.*\.yml"

Repository: linuxfoundation/easycla

Length of output: 97


🏁 Script executed:

cat -n .github/workflows/build-pr.yml | sed -n '110,130p'

Repository: linuxfoundation/easycla

Length of output: 779


🌐 Web query:

go mod tidy rewrite go.mod go.sum behavior

💡 Result:

go mod tidy is expected to rewrite both go.mod and go.sum because its job is to make the module metadata match what your module actually needs to build and test.

What it does to go.mod

  • Adds missing requires for any module that provides a package needed by your module (including test imports), using the latest version that satisfies the query when a requirement is missing. (go.dev)
  • Removes unused requires that don’t provide any relevant packages. (go.dev)
  • May add/remove // indirect markers and (with newer go versions) may reorganize/split direct vs indirect requirements (this can create diffs even if you didn’t “change deps” manually). (go.dev)
  • If you pass -go=version, it will update the go directive and adjust requirements accordingly (pruning/lazy-loading behavior changes across Go versions). (go.dev)

What it does to go.sum

  • Adds missing checksums for downloaded module content and/or module go.mod files.
  • Removes checksums that are no longer necessary (though the Go tool may need sums for multiple versions while doing minimal version selection). (go.dev)

Why it can change when your code didn’t

  • tidy loads a broad set: all packages in your module + tests (including tests in other modules), and it behaves as if all build tags are enabled (except ignore). (go.dev)
  • The result can differ depending on the Go version / go line, because module graph loading and checksum retention rules vary by version. (go.dev)

Useful flags

  • go mod tidy -diff: show what it would change without rewriting files. (go.dev)
  • -compat=version: control the compatibility check baseline. (go.dev)

If you paste the diffs (or your go version + the go.mod header), I can explain exactly why each line changed.

Citations:


🌐 Web query:

go test mod=readonly GOFLAGS prevent rewrite

💡 Result:

To make go test fail instead of rewriting go.mod (and to apply it everywhere), set -mod=readonly via GOFLAGS:

# one shell
export GOFLAGS="-mod=readonly"
go test ./...

# or persist for your user env
go env -w GOFLAGS=-mod=readonly

In Go 1.16+, build/test commands already behave as if -mod=readonly is set by default, meaning they should error with “updates to go.mod needed” rather than silently changing it. [1][2]

If you still see rewrites, it’s usually because something is explicitly enabling module updates (for example -mod=mod, go get, go mod tidy, or a wrapper tool/CI step that runs those). The typical CI guardrails are:

go mod tidy -diff   # prints required changes and exits non-zero if any
go test ./...
git diff --exit-code  # fail if anything changed

go mod tidy -diff is specifically designed to not modify go.mod/go.sum but show what would change. [1][2]

Sources: Go modules reference and cmd/go docs. [1][2]

[1] (go.dev)
[2] (pkg.go.dev)

Citations:


🌐 Web query:

go mod download go mod verify difference

💡 Result:

go mod download vs go mod verify

  • go mod download: downloads the specified modules (or, with no args, the main module’s dependencies) into the module cache. It’s mainly useful to pre-fill the cache (e.g., in CI or Docker layers) because go build/test will download modules automatically when needed. [1]

  • go mod verify: does not download missing modules. It checks integrity of what’s already in the module cache by verifying that the module .zip files and extracted directories still match the hashes recorded in the cache when they were first downloaded. It’s for detecting tampering/corruption in the cache. [1]

    • It does not use go.sum to verify module content; it verifies against hashes stored in the module cache. However, it may download go.mod files for minimal version selection and will use/update go.sum for those go.mod hashes. [1]

Typical CI usage

  • go mod download (populate cache) → go mod verify (sanity-check cache) → go test ./... [1]

Sources: Go Modules Reference (go mod download, go mod verify). [1]


🏁 Script executed:

cat -n cla-backend-legacy/go.mod | head -5

Repository: linuxfoundation/easycla

Length of output: 184


🏁 Script executed:

find . -name "go.mod" -path "*/cla-backend-legacy/*" -exec cat {} \; | head -10

Repository: linuxfoundation/easycla

Length of output: 395


Make the legacy Go steps fail on dependency drift instead of repairing it.

Line 117 runs go mod tidy, which rewrites both go.mod and go.sum. This means the workflow can pass with uncommitted dependency changes instead of surfacing the problem.

🛡️ Proposed fix
      - name: Go Setup CLA Legacy Backend
        working-directory: cla-backend-legacy
        run: |
-          go mod tidy
+          go mod download
+          go mod verify

      - name: Go Build CLA Legacy Backend
        working-directory: cla-backend-legacy
+        env:
+          GOFLAGS: -mod=readonly
        run: |
          make lambdas

      - name: Go Test CLA Legacy Backend
        working-directory: cla-backend-legacy
-        run: go test ./...
+        env:
+          GOFLAGS: -mod=readonly
+        run: go test ./...
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-pr.yml around lines 114 - 126, The workflow
currently runs go mod tidy in the "Go Setup CLA Legacy Backend" step which can
rewrite go.mod/go.sum and mask uncommitted dependency drift; change that step so
it runs go mod tidy and then verifies there are no changes to go.mod or go.sum
(e.g., by performing a git diff check and failing the job if either file was
modified) so the CI surfaces dependency drift instead of silently fixing it;
keep the subsequent "Go Build CLA Legacy Backend" (make lambdas) and "Go Test
CLA Legacy Backend" steps unchanged.


- name: Go Lint CLA Legacy Backend
working-directory: cla-backend-legacy
run: make lint
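Review bot: `go mod tidy` in `Go Setup CLA Legacy Backend` rewrites `go.mod`/`go.sum` on the runner, so `make lambdas` and `go test ./...` run against whatever tidy produced and a PR with stale module files still passes. The two remedies given in the comment above disagree with each other (`go mod download` + `go mod verify` with `GOFLAGS: -mod=readonly` on the build and test steps, versus tidy followed by a git diff check); either is acceptable, but pick one, and in both cases add `git diff --exit-code -- go.mod go.sum` after the setup step so drift fails the job rather than being silently repaired. With `-mod=readonly` the build and test steps will also fail with "updates to go.mod needed" if a checksum is missing, which is the desired behaviour for a supply-chain gate.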
5 changes: 3 additions & 2 deletions .github/workflows/codeql-analysis.yml
@@ -5,9 +5,9 @@ name: "CodeQL"

on:
push:
branches: [main]
branches: [main, dev]
pull_request:
branches: [main]
branches: [main, dev]
schedule:
- cron: '0 5 * * 4'

@@ -36,6 +36,7 @@ jobs:
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config.yml

- name: Autobuild
uses: github/codeql-action/autobuild@v4
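Review bot: `config-file` now applies the Go-specific `query-filters` to every entry in `matrix.language`; that is harmless because the ids are all `go/*`, but if this matrix already includes `go`, this workflow and the new `codeql-go-backend.yml` both analyze Go and both upload under category `/language:go`, so on each commit the later upload replaces the earlier one's alerts. Either drop `go` from this matrix or give the legacy workflow its own `category` (for example one that names the legacy backend) so both result sets persist.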
59 changes: 59 additions & 0 deletions .github/workflows/codeql-go-backend.yml
@@ -0,0 +1,59 @@
---
# Copyright The Linux Foundation and each contributor to CommunityBridge.
# SPDX-License-Identifier: MIT

name: "CodeQL Analysis - Go Backend"
on:
push:
branches: [main, dev]
paths:
- 'cla-backend-legacy/**'
pull_request:
branches: [main, dev]
paths:
- 'cla-backend-legacy/**'
schedule:
- cron: '0 6 * * 1' # Weekly on Mondays

permissions:
security-events: write
contents: read
actions: read

jobs:
analyze:
name: Analyze Go Backend
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: ['go']

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: '1.25'

# Initialize CodeQL with legacy-specific config
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config.yml

# Build Go backend
- name: Build Go backend
working-directory: ./cla-backend-legacy
run: |
go mod download
go build ./...

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
Comment on lines +42 to +58

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the current supported major version for github/codeql-action/init and github/codeql-action/analyze, and is @v2 still supported on GitHub Actions?

💡 Result:

  • Current supported major version (recommended) for github/codeql-action/init and github/codeql-action/analyze: @v4 (CodeQL Action v4 was released Oct 7, 2025, and GitHub recommends updating advanced-setup workflows from @v3 to @v4). [1]
  • Is @v2 still supported? No. CodeQL Action v2 was retired and is no longer updated or supported (retired Jan 10, 2025). [2]
  • GitHub is actively releasing both v4.x and v3.x tags, but v3 is planned to be deprecated in Dec 2026 (so @v3 is still supported today, but @v4 is the current major). [1], [3]

Sources: [1] [2] [3]


Upgrade github/codeql-action/* from @v2 to @v4.

CodeQL Action v2 was retired on January 10, 2025, and is no longer supported. This workflow will fail with v2. Update both action invocations (Lines 43 and 57) to @v4, the current recommended major version.

Suggested update
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v4
...
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v4
🧰 Tools
🪛 actionlint (1.7.11)

[error] 43-43: the runner of "github/codeql-action/init@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


[error] 57-57: the runner of "github/codeql-action/analyze@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-go-backend.yml around lines 42 - 59, Update the
CodeQL action invocations to the supported major version: replace uses:
github/codeql-action/init@v2 and uses: github/codeql-action/analyze@v2 with
github/codeql-action/init@v4 and github/codeql-action/analyze@v4 respectively;
locate the two occurrences by the action identifiers "github/codeql-action/init"
and "github/codeql-action/analyze" and update their "@v2" tags to "@v4" so the
workflow uses the current CodeQL Action version.

fail-on-error: false # Don't fail CI on legacy security warnings
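Review bot: The comment above refers to `@v2` from an earlier revision; the current lines pin `github/codeql-action/init@v3` and `analyze@v3`, while `codeql-analysis.yml` in the same PR moves to `@v4`. Align both on `@v4` so the two workflows don't drift and so this one is not caught by the scheduled v3 deprecation. The step comment "Initialize CodeQL with legacy-specific config" does not match the `config-file` value, which is the shared `./.github/codeql/codeql-config.yml`; the legacy-scoped file in this PR is `.github/codeql-config.yml`. Finally, the rationale on `fail-on-error: false # Don't fail CI on legacy security warnings` is mistaken: CodeQL findings are uploaded as code scanning alerts and do not fail the analyze step on their own, so this flag could only hide action or runtime errors (a broken database build, a failed upload), which are exactly the failures CI should surface. Drop the line, and confirm `fail-on-error` is an accepted input of `analyze` for the pinned major before relying on it anywhere, since an unrecognised input is only a warning and does nothing.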