Skip to content

chore: unblock Dependabot scans (statik check-in + compose image bumps)#59

Merged
SyniRon merged 1 commit into
developfrom
chore/unblock-dependabot
May 19, 2026
Merged

chore: unblock Dependabot scans (statik check-in + compose image bumps)#59
SyniRon merged 1 commit into
developfrom
chore/unblock-dependabot

Conversation

@SyniRon

@SyniRon SyniRon commented May 19, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Check in statik/statik.go so Dependabot's go list resolves the OpenAPI bundle import in servers/gateway/gateway.go on a clean clone
  • Bump compose template images (mariadb:10.311.4, nginx:1.19-alpine1.27-alpine) — the older tag formats crashed dependabot-core's docker analyzer

The in-repo docker-compose.yaml is a template only; prod compose lives on traycer and is unaffected.

Long-term fix for the statik chain tracked in #58.

Test plan

  • CI Build + Lint pass
  • After merge, Dependabot opens gomod PRs (otel bump + transitive cleanups)
  • Dependabot docker_compose scan no longer errors

- Check in statik/statik.go so a clean clone resolves the OpenAPI
  bundle import in servers/gateway/gateway.go without needing
  `make generate` to run first. This was silently breaking every
  Dependabot gomod update since at least early 2025.
- Bump compose template images (mariadb:10.3 → 11.4, nginx:1.19-alpine
  → 1.27-alpine) so dependabot-core's docker analyzer stops crashing
  on the older tag formats. The in-repo compose is a template only;
  prod compose is maintained out-of-repo on traycer.

Long-term fix tracked in #58 (replace rakyll/statik with //go:embed).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@SyniRon SyniRon merged commit 6164997 into develop May 19, 2026
2 checks passed
@SyniRon SyniRon deleted the chore/unblock-dependabot branch May 19, 2026 01:48
SyniRon added a commit that referenced this pull request May 20, 2026
`rakyll/statik` has been functionally obsolete since Go 1.16 (Feb 2021)
landed `//go:embed`. Replace the whole chain: blank import + generated
3 MB statik/statik.go + manual `make generate-statik` step are all
gone, and the OpenAPI Swagger UI assets are now bundled into the
binary directly via the stdlib `embed` package.

Changes:

- Move third_party/OpenAPI/ -> openapi/assets/. Delete the now-empty
  third_party/ tree. buf.gen.yaml's openapiv2 output path updated to
  match (`out: openapi/assets`).

- New openapi/ package with `//go:embed assets` exposing `embed.FS`.
  servers/gateway/gateway.go uses `fs.Sub` + `http.FS` to serve.

- Drop rakyll/statik from go.mod (and tools.go's blank import — without
  that, `go mod tidy` would have kept the dep). Makefile's `generate`
  target loses the `statik` invocation; `install` target loses the
  rakyll/statik entry. magefile.go gets the parallel edits.

- statik/statik.go deleted from disk; the directory is empty and gone.

Side effect: the blank import `_ "github.com/7cav/api/statik"` that
broke Dependabot's gomod scan on clean clones (the gitignored target
made `go list` fail) is gone at the root. PR #59's check-in of the
generated statik file was a stopgap for exactly this — that stopgap
now retires.

Verified:
- go vet ./... clean
- go build ./... clean
- make generate succeeds (only buf runs now); swagger.json output
  lands in openapi/assets/ at the new path
- rg statik returns zero hits in the working tree
- Container OpenAPI handler smoke at http://localhost:11000/:
  Swagger UI renders, zero console errors, all 13 embedded files
  (index, oauth2-redirect, both swagger.json, CSS, four JS bundles,
  two favicons, LICENSE) return 200
- Insomnia suite 61/61 green against the local stack

Closes #58

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant