@tolgaozen tolgaozen commented Aug 21, 2025

Summary by CodeRabbit

  • Documentation

    • Bumped API docs version to v1.4.3.
    • Updated cURL examples for attribute and relationship read endpoints to a cleaner object-style (examples only).
  • Chores

    • Updated app/version metadata to v1.4.3 (banner/reported version).
    • Bumped Go toolchain to 1.24.6 across modules and CI workflows.
    • Updated Docker base images and included grpc-health-probe in the container build.
    • Container default command remains to run the service ("serve").

coderabbitai bot commented Aug 21, 2025

Walkthrough

Adds a build stage to compile grpc-health-probe in Dockerfiles, bumps Go toolchain and Docker base images to 1.24.6, increments project/API version from v1.4.2 to v1.4.3 across code and OpenAPI/docs, and updates two Swagger cURL examples to a JS-like object style; runtime image sets CMD ["serve"].

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| Docker images & runtime: Dockerfile, Dockerfile.release, Dockerfile.local | Bump Go base images/builders to go1.24.6-alpine (digest updated); add health-probe-builder stage that clones and builds grpc-health-probe and copy it into final image as /usr/local/bin/grpc_health_probe; final image keeps ENTRYPOINT ["permify"] and sets CMD ["serve"]. |
| CI / Go toolchain: .github/workflows/coverage.yml, .github/workflows/nightly.yaml, .github/workflows/release.yml, go.mod, sdk/go/grpc/go.mod, tools/go.mod | Update Go toolchain directive and GitHub Actions go-version entries from 1.24.4/1.24.5 → 1.24.6. |
| API docs (Swagger/OpenAPI): docs/api-reference/apidocs.swagger.json, docs/api-reference/openapiv2/apidocs.swagger.json | Bump info.version v1.4.2 → v1.4.3; modify two cURL example request bodies to use JS-like object literal syntax (unquoted keys, trailing commas); add trailing newlines. |
| Service version constant: internal/info.go | Update exported Version constant from "v1.4.2" → "v1.4.3". |
| Proto OpenAPI metadata: proto/base/v1/openapi.proto | Bump openapiv2_swagger info.version "v1.4.2" → "v1.4.3". |

Sequence Diagram(s)

sequenceDiagram
    participant Container
    participant Startup as "Init (entrypoint)"
    participant Permify as "/usr/local/bin/permify"
    participant HealthProbe as "/usr/local/bin/grpc_health_probe"

    Note over Container,Startup: Container start
    Container->>Startup: run ENTRYPOINT
    Startup->>Permify: invoke with default args ["serve"]
    Startup->>HealthProbe: health-check binary present
    Permify-->>Container: serve started (HTTP/gRPC) or exit code

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

dependencies, docker

Poem

"I hopped a version up to three,
built a probe from source for me.
Docs talk loose in playful style,
the banner beams a newer smile.
Thump—build, pack, and ship with glee! 🐇"

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (3)
Dockerfile.release (1)

3-3: Pin grpc-health-probe image and confirm binary path

We’ve verified that the v0.4.40 release provides platform binaries named grpc_health_probe-linux-<arch> and that the OCI package places the probe at /ko-app/grpc-health-probe. To ensure reproducible, immutable builds, update your Dockerfile.release to pin the image by digest:

-COPY --from=ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.40 /ko-app/grpc-health-probe /usr/local/bin/grpc_health_probe
+COPY --from=ghcr.io/grpc-ecosystem/grpc-health-probe@sha256:38d74888e537b1a4d581ffa9281dec6c24e55429f3a20d943c9a118e7f3fab7f \
+     /ko-app/grpc-health-probe /usr/local/bin/grpc_health_probe
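
Review bot: The `+` COPY line drops the `:v0.4.40` tag and leaves a bare digest, so nothing in the Dockerfile says which release the digest belongs to and a later bump cannot be checked by eye. Keep both in the reference, in the form `grpc-health-probe:v0.4.40@sha256:<digest>`, or add a comment naming the release next to the digest.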

Multi-arch (manifest/index) digest:
sha256:38d74888e537b1a4d581ffa9281dec6c24e55429f3a20d943c9a118e7f3fab7f

Optionally, you can target a single platform by using its specific digest (e.g., linux/amd64:
sha256:89681cb8547431a60d02a4180791d9d8ea41decf155a540c6703564927abc87b).

docs/api-reference/apidocs.swagger.json (1)

3559-3559: Optional: add a top-level security requirement to satisfy CKV_OPENAPI_4/5.

Static analysis flags the lack of a global security rule; you have securityDefinitions but no top-level “security” stanza. If desired, add something like:

   "securityDefinitions": {
     "ApiKeyAuth": {
       "type": "apiKey",
       "name": "Authorization",
       "in": "header"
     }
   }
+ , "security": [
+   { "ApiKeyAuth": [] }
+ ]
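
Review bot: The added block opens with a detached comma on its own line (`+ , "security": [`), which does not match how the rest of the file is formatted. Move the comma onto the closing `}` of `securityDefinitions` as a `-`/`+` pair, and apply the same stanza to both swagger files, since Checkov reports CKV_OPENAPI_4/5 for each of them.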

Note: This is outside the stated scope; feel free to defer.

docs/api-reference/openapiv2/apidocs.swagger.json (1)

3531-3537: Consider defining global security to match the existing ApiKeyAuth definition.

You define securityDefinitions.ApiKeyAuth but don’t reference it globally or per-operation. Adding a top-level security requirement improves accuracy and satisfies common linters (e.g., CKV_OPENAPI_4/5). Endpoints that are intentionally public can override with "security": [] at the operation level.

Apply this diff to add a global security block:

   "securityDefinitions": {
     "ApiKeyAuth": {
       "type": "apiKey",
       "name": "Authorization",
       "in": "header"
     }
-  }
+  },
+  "security": [
+    { "ApiKeyAuth": [] }
+  ]
 }
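
Review bot: The `+` `"security"` block makes `ApiKeyAuth` a requirement for every operation in the spec, and the hunk adds no operation-level `"security": []` for endpoints that are meant to stay unauthenticated, so list those and override them in the same change. The version bump on this page touches both this file and proto/base/v1/openapi.proto; if this JSON is generated from the proto options, the stanza belongs there, otherwise a regeneration will drop it.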

Note: The trailing newline at EOF is a nice touch; keep it.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a7bd9f3 and e829e43.

⛔ Files ignored due to path filters (1)
  • pkg/pb/base/v1/openapi.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (6)
  • Dockerfile (1 hunks)
  • Dockerfile.release (1 hunks)
  • docs/api-reference/apidocs.swagger.json (4 hunks)
  • docs/api-reference/openapiv2/apidocs.swagger.json (4 hunks)
  • internal/info.go (1 hunks)
  • proto/base/v1/openapi.proto (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
docs/api-reference/apidocs.swagger.json

[HIGH] 1-3559: Ensure that the global security field has rules defined (CKV_OPENAPI_4)
[HIGH] 1-3559: Ensure that security operations is not empty. (CKV_OPENAPI_5)

docs/api-reference/openapiv2/apidocs.swagger.json

[HIGH] 1-3537: Ensure that the global security field has rules defined (CKV_OPENAPI_4)
[HIGH] 1-3537: Ensure that security operations is not empty. (CKV_OPENAPI_5)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (go)
  • GitHub Check: Test with Coverage
  • GitHub Check: Test with Coverage
🔇 Additional comments (4)
internal/info.go (1)

26-26: Version bump verified and consistent.

All occurrences of “v1.4.3” have been updated and match the intended bump:

  • internal/info.go (Version constant)
  • proto/base/v1/openapi.proto (OpenAPI version field)
  • docs/api-reference/apidocs.swagger.json
  • docs/api-reference/openapiv2/apidocs.swagger.json
  • go.mod (github.com/go-logr/logr v1.4.3 // indirect)
  • go.sum & sdk/go/grpc/go.sum (lockfile entries for logr v1.4.3)

No stray references remain.

proto/base/v1/openapi.proto (1)

12-12: OpenAPI proto version updated correctly.

No issues spotted with the bump to v1.4.3.

docs/api-reference/apidocs.swagger.json (1)

6-6: Info.version bumped to v1.4.3 — LGTM.

docs/api-reference/openapiv2/apidocs.swagger.json (1)

6-6: All version references updated to v1.4.3

Verified that every OpenAPI spec and internal version constant has been bumped to v1.4.3:

  • docs/api-reference/openapiv2/apidocs.swagger.json (version: “v1.4.3”)
  • docs/api-reference/apidocs.swagger.json (version: “v1.4.3”)
  • proto/base/v1/openapi.proto (version: “v1.4.3”)
  • internal/info.go (Version = “v1.4.3”)

No mismatches detected. If this spec is the canonical source for generating downstream docs/SDKs, be sure to regenerate those artifacts for v1.4.3 before release.

"label": "cURL",
"lang": "curl",
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n \"metadata\": {\n \"snap_token\": \"\"\n },\n \"filter\": {\n \"entity\": {\n \"type\": \"organization\",\n \"ids\": [\n \"1\"\n ]\n },\n \"attributes\": [\n \"private\"\n ]\n }\n}'"
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n metadata: {\n snap_token: \"\",\n },\n filter: {\n entity: {\n type: \"organization\",\n ids: [\n \"1\"\n ]\n },\n attributes: [\n \"private\"\n ],\n }\n}'"

⚠️ Potential issue

cURL payload is no longer valid JSON (unquoted keys, trailing comma).

cURL examples should be copy-pasteable; this body will fail server-side JSON parsing.

Apply this diff to restore valid JSON:

-            "source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  metadata: {\n    snap_token: \"\",\n  },\n  filter: {\n    entity: {\n      type: \"organization\",\n      ids: [\n        \"1\"\n      ]\n    },\n    attributes: [\n      \"private\"\n    ],\n  }\n}'"
+            "source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  \"metadata\": {\n    \"snap_token\": \"\"\n  },\n  \"filter\": {\n    \"entity\": {\n      \"type\": \"organization\",\n      \"ids\": [\n        \"1\"\n      ]\n    },\n    \"attributes\": [\n      \"private\"\n    ]\n  }\n}'"
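
Review bot: The restored `+` sample is valid JSON but still sends only a `Content-Type` header, while the spec's `securityDefinitions` declares `ApiKeyAuth` in the `Authorization` header. If the global `security` requirement raised in this review is adopted, add an `Authorization` header placeholder to the sample so it remains copy-pasteable against a secured deployment.
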
🤖 Prompt for AI Agents
In docs/api-reference/apidocs.swagger.json around line 421 the cURL example body
is invalid JSON (unquoted keys and trailing commas); update the example payload
so all object keys are quoted, remove trailing commas, and ensure string values
are quoted so the body is valid JSON and copy-pasteable for clients (e.g., quote
"metadata", "snap_token", "filter", "entity", "type", "ids", "attributes" and
remove any extraneous commas).

"label": "cURL",
"lang": "curl",
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n \"metadata\": {\n \"snap_token\": \"\"\n },\n \"filter\": {\n \"entity\": {\n \"type\": \"organization\",\n \"ids\": [\n \"1\"\n ]\n },\n \"relation\": \"member\",\n \"subject\": {\n \"type\": \"\",\n \"ids\": [],\n \"relation\": \"\"\n }\n }\n}'"
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n metadata: {\n snap_token: \"\",\n },\n filter: {\n entity: {\n type: \"organization\",\n ids: [\n \"1\"\n ]\n },\n relation: \"member\",\n subject: {\n type: \"\",\n ids: [],\n relation: \"\"\n }\n }\n}'"

⚠️ Potential issue

cURL payload is no longer valid JSON (unquoted keys, trailing comma).

Same issue in the relationships read example; keys must be quoted and no trailing commas.

Apply this diff:

-            "source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  metadata: {\n    snap_token: \"\",\n  },\n  filter: {\n    entity: {\n      type: \"organization\",\n      ids: [\n        \"1\"\n      ]\n    },\n    relation: \"member\",\n    subject: {\n      type: \"\",\n      ids: [],\n      relation: \"\"\n    }\n  }\n}'"
+            "source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  \"metadata\": {\n    \"snap_token\": \"\"\n  },\n  \"filter\": {\n    \"entity\": {\n      \"type\": \"organization\",\n      \"ids\": [\n        \"1\"\n      ]\n    },\n    \"relation\": \"member\",\n    \"subject\": {\n      \"type\": \"\",\n      \"ids\": [],\n      \"relation\": \"\"\n    }\n  }\n}'"
🤖 Prompt for AI Agents
In docs/api-reference/apidocs.swagger.json around line 535, the cURL example's
--data-raw payload is not valid JSON (unquoted object keys and a trailing
comma); fix by replacing the payload with properly quoted JSON keys, remove any
trailing commas, and ensure arrays/strings are valid JSON values (e.g.,
"metadata": {"snap_token": ""}, "filter": {"entity":
{"type":"organization","ids":["1"]},"relation":"member","subject":{"type":"","ids":[],"relation":""}});
update the "source" string to contain this corrected JSON payload so the example
is valid.

Comment on lines 419 to 422
"label": "cURL",
"lang": "curl",
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n \"metadata\": {\n \"snap_token\": \"\"\n },\n \"filter\": {\n \"entity\": {\n \"type\": \"organization\",\n \"ids\": [\n \"1\"\n ]\n },\n \"attributes\": [\n \"private\"\n ]\n }\n}'"
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n metadata: {\n snap_token: \"\",\n },\n filter: {\n entity: {\n type: \"organization\",\n ids: [\n \"1\"\n ]\n },\n attributes: [\n \"private\"\n ],\n }\n}'"
}

⚠️ Potential issue

cURL example body is not valid JSON (unquoted keys and trailing commas).

This request will fail against a JSON parser. Keys must be quoted and trailing commas removed.

Apply this diff to fix the sample while preserving formatting:

 "label": "cURL",
 "lang": "curl",
-"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  metadata: {\n    snap_token: \"\",\n  },\n  filter: {\n    entity: {\n      type: \"organization\",\n      ids: [\n        \"1\"\n      ]\n    },\n    attributes: [\n      \"private\"\n    ],\n  }\n}'"
+"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/attributes/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  \"metadata\": {\n    \"snap_token\": \"\"\n  },\n  \"filter\": {\n    \"entity\": {\n      \"type\": \"organization\",\n      \"ids\": [\n        \"1\"\n      ]\n    },\n    \"attributes\": [\n      \"private\"\n    ]\n  }\n}'"
🤖 Prompt for AI Agents
In docs/api-reference/openapiv2/apidocs.swagger.json around lines 419 to 422,
the cURL example body uses unquoted JSON keys and trailing commas which is
invalid; replace the --data-raw payload with properly formatted JSON by quoting
all keys (e.g., "metadata", "snap_token", "filter", "entity", "type", "ids",
"attributes"), removing trailing commas, and preserving the surrounding
single-quoted cURL string and placeholders like {tenant_id} so the example
remains formatted the same but contains valid JSON.

Comment on lines 533 to 536
"label": "cURL",
"lang": "curl",
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n \"metadata\": {\n \"snap_token\": \"\"\n },\n \"filter\": {\n \"entity\": {\n \"type\": \"organization\",\n \"ids\": [\n \"1\"\n ]\n },\n \"relation\": \"member\",\n \"subject\": {\n \"type\": \"\",\n \"ids\": [],\n \"relation\": \"\"\n }\n }\n}'"
"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n metadata: {\n snap_token: \"\",\n },\n filter: {\n entity: {\n type: \"organization\",\n ids: [\n \"1\"\n ]\n },\n relation: \"member\",\n subject: {\n type: \"\",\n ids: [],\n relation: \"\"\n }\n }\n}'"
}

⚠️ Potential issue

cURL example body is not valid JSON (unquoted keys and trailing commas).

Same issue as above for relationships read; this will not parse.

Apply this diff to fix the sample:

 "label": "cURL",
 "lang": "curl",
-"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  metadata: {\n    snap_token: \"\",\n  },\n  filter: {\n    entity: {\n      type: \"organization\",\n      ids: [\n        \"1\"\n      ]\n    },\n    relation: \"member\",\n    subject: {\n      type: \"\",\n      ids: [],\n      relation: \"\"\n    }\n  }\n}'"
+"source": "curl --location --request POST 'localhost:3476/v1/tenants/{tenant_id}/data/relationships/read' \\\n--header 'Content-Type: application/json' \\\n--data-raw '{\n  \"metadata\": {\n    \"snap_token\": \"\"\n  },\n  \"filter\": {\n    \"entity\": {\n      \"type\": \"organization\",\n      \"ids\": [\n        \"1\"\n      ]\n    },\n    \"relation\": \"member\",\n    \"subject\": {\n      \"type\": \"\",\n      \"ids\": [],\n      \"relation\": \"\"\n    }\n  }\n}'"
🤖 Prompt for AI Agents
In docs/api-reference/openapiv2/apidocs.swagger.json around lines 533 to 536,
the cURL example body contains invalid JSON (unquoted keys and trailing commas);
update the sample payload to be valid JSON by quoting all property names,
removing trailing commas, using double quotes for string values, keeping arrays
properly formatted (e.g., "ids": ["1"]), and ensuring the full JSON string is
properly escaped inside the shell command so the curl --data-raw argument
contains syntactically correct JSON.
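
A pre-merge check for the two findings in this review, cURL samples whose bodies stopped being valid JSON and a spec with `securityDefinitions` but no top-level `security` requirement, as an added example (not CodeRabbit's, Checkov's or the Permify project's code). The sample spec is constructed, and the `x-codeSamples` key in it is an assumption; the walker only looks for objects with `"lang": "curl"` and a `"source"` string, as shown on this page.

```python
import json
import re

# Single-quoted --data-raw argument at the end of the command, as in the page's samples.
# Limitation: a body that itself contains a single quote is not handled.
DATA_RAW = re.compile(r"--data-raw\s+'(.*)'", re.DOTALL)


def iter_curl_samples(node, path="$"):
    """Yield (json_path, source) for every object with lang == 'curl' and a source string."""
    if isinstance(node, dict):
        if node.get("lang") == "curl" and isinstance(node.get("source"), str):
            yield path, node["source"]
        for key, value in node.items():
            yield from iter_curl_samples(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_curl_samples(value, f"{path}[{index}]")


def invalid_curl_bodies(spec):
    """Return (json_path, parser_error) for each cURL sample whose body is not JSON."""
    findings = []
    for path, source in iter_curl_samples(spec):
        match = DATA_RAW.search(source)
        if not match:
            continue  # the sample sends no body
        try:
            json.loads(match.group(1))
        except json.JSONDecodeError as exc:
            findings.append((path, f"line {exc.lineno} col {exc.colno}: {exc.msg}"))
    return findings


def missing_global_security(spec):
    """True when schemes are defined but no top-level requirement references one.
    Written for this example; it is not Checkov's implementation of CKV_OPENAPI_4."""
    defined = set(spec.get("securityDefinitions", {}))
    required = {name for requirement in spec.get("security", []) for name in requirement}
    return bool(defined) and not (defined & required)


def curl(url, body):
    """Build a cURL sample string in the shape used on this page."""
    return (f"curl --location --request POST '{url}' \\\n"
            "--header 'Content-Type: application/json' \\\n"
            f"--data-raw '{body}'")


# Constructed input: the JS-style body from the PR (unquoted keys, trailing commas).
JS_STYLE_BODY = '''{
  metadata: {
    snap_token: "",
  },
  filter: {
    entity: {
      type: "organization",
      ids: [
        "1"
      ]
    },
    attributes: [
      "private"
    ],
  }
}'''

# Constructed input: the relationships body in valid JSON.
JSON_BODY = json.dumps({
    "metadata": {"snap_token": ""},
    "filter": {
        "entity": {"type": "organization", "ids": ["1"]},
        "relation": "member",
        "subject": {"type": "", "ids": [], "relation": ""},
    },
}, indent=2)

BASE = "localhost:3476/v1/tenants/{tenant_id}/data"
SAMPLE_SPEC = {
    "swagger": "2.0",
    "info": {"version": "v1.4.3"},
    "paths": {
        "/v1/tenants/{tenant_id}/data/attributes/read": {"post": {"x-codeSamples": [
            {"label": "cURL", "lang": "curl",
             "source": curl(f"{BASE}/attributes/read", JS_STYLE_BODY)}]}},
        "/v1/tenants/{tenant_id}/data/relationships/read": {"post": {"x-codeSamples": [
            {"label": "cURL", "lang": "curl",
             "source": curl(f"{BASE}/relationships/read", JSON_BODY)}]}},
    },
    "securityDefinitions": {
        "ApiKeyAuth": {"type": "apiKey", "name": "Authorization", "in": "header"}},
}

if __name__ == "__main__":
    for path, problem in invalid_curl_bodies(SAMPLE_SPEC):
        print(f"{path}: {problem}")
    if missing_global_security(SAMPLE_SPEC):
        print("securityDefinitions present but no top-level security requirement")
```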

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
Dockerfile (1)

8-8: Critical: grpc-health-probe v0.4.40 tag not published on GHCR (as of Aug 21, 2025) — build will fail.

The COPY stage references ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.40, but the GHCR package page shows the latest published tag is v0.4.36; v0.4.40 is not listed. This will cause the multi-stage COPY to fail at build time. Pinning by digest is recommended once you choose an available tag. (github.com)

Proposed stop-gap (use the latest available tag and pin by digest):

- COPY --from=ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.40 /ko-app/grpc-health-probe /usr/local/bin/grpc_health_probe
+ # Use currently published tag and pin to its digest (update when newer tag is available).
+ COPY --from=ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.36@sha256:55a379bb4a7ef1c779e4e123ff31dd0046d1014eab083a89f4ac196a97548bec \
+   /ko-app/grpc-health-probe /usr/local/bin/grpc_health_probe
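
Review bot: In the `+` COPY line the reference has the form `:v0.4.36@sha256:<digest>`; when a digest is present the digest is what gets pulled and the tag is only a label, so the two can drift apart without the build noticing. Confirm that the digest really is the v0.4.36 image (the `skopeo inspect` step below prints `.Digest`) and update tag and digest together; the move from v0.4.40 back to v0.4.36 also deserves a line in the PR description.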

Follow-ups:

  • When upstream publishes a newer tag you want (e.g., v0.4.40), switch to tag@sha256:.
  • Optionally drop the dependency entirely and use native Kubernetes gRPC probes if you don’t rely on grpc_health_probe-specific features. (kubernetes.io)

Run this to verify the tag availability and binary path before merging:

#!/bin/bash
set -euo pipefail

# 1) Confirm which tags exist on GHCR
# (The web UI shows v0.4.36 as latest; this confirms via skopeo if available.)
skopeo inspect docker://ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.36 | jq '.Digest,.Name' || true
skopeo inspect docker://ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.40 | jq '.Digest,.Name' || true

# 2) Inspect image config to see entrypoint/cmd; ko-built images usually place the binary under /ko-app/
#    (--config returns the image configuration; --raw returns the manifest, which has no Entrypoint/Cmd)
skopeo inspect --config docker://ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.36 | jq -r '.config.Entrypoint,.config.Cmd'

# 3) Optionally verify the file exists in the layer (pull + containerd-less check)
#   Note: If docker is available:
# docker pull ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.36
# docker run --rm ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.36 ls -l /ko-app/ || true
🧹 Nitpick comments (1)
Dockerfile.local (1)

2-2: Base image bump and digest pinning LGTM; consider pinning the Air install for supply-chain safety.

  • Nice: golang:1.24.6-alpine is pinned by digest — good practice.
  • Suggestion: the curl | sh install of Air pulls the installer from the moving "master" HEAD. Pin to a specific Air version and verify checksum to reduce supply-chain risk.

Example refactor:

-RUN curl -sSfL https://raw.githubusercontent.com/cosmtrek/air/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
+ARG AIR_VERSION=v1.52.0
+# Pin install script by commit and verify checksum (example shows pattern; update COMMIT/SHASUM to real values).
+ADD https://raw.githubusercontent.com/cosmtrek/air/<COMMIT>/install.sh /tmp/air-install.sh
+RUN echo "<SHASUM>  /tmp/air-install.sh" | sha256sum -c - && \
+    sh /tmp/air-install.sh -b $(go env GOPATH)/bin -d -v ${AIR_VERSION}
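
Review bot: The `sha256sum -c` step in the `+` lines covers only `install.sh`, not the Air binary that the script then downloads, so the release artifact is still unverified unless the script checks it itself. Confirm that the pinned script verifies the release checksums, or install the pinned version with `go install` so the Go checksum database covers it; the `<COMMIT>` and `<SHASUM>` placeholders must be filled in before this builds, and `$(go env GOPATH)` should be quoted.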

If you want, I can look up the latest stable Air version and its checksum and provide the exact values.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between e829e43 and 946317e.

📒 Files selected for processing (8)
  • .github/workflows/coverage.yml (1 hunks)
  • .github/workflows/nightly.yaml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • Dockerfile (1 hunks)
  • Dockerfile.local (1 hunks)
  • go.mod (1 hunks)
  • sdk/go/grpc/go.mod (1 hunks)
  • tools/go.mod (1 hunks)
✅ Files skipped from review due to trivial changes (4)
  • .github/workflows/coverage.yml
  • go.mod
  • sdk/go/grpc/go.mod
  • .github/workflows/nightly.yaml
🔇 Additional comments (3)
tools/go.mod (1)

3-3: Toolchain bump to 1.24.6 looks consistent.

Matches the broader PR intent to unify Go version across modules and CI. No action needed.

.github/workflows/release.yml (1)

26-26: CI Go version aligned to ~1.24.6.

Good consistency with go.mod and Docker bases. Pinning the action by commit is already in place.

Dockerfile (1)

1-1: Builder base bump + digest pinning LGTM.

The update to golang:1.24.6-alpine with a pinned digest is consistent with the rest of the PR and good for reproducibility.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (3)
Dockerfile.release (2)

5-6: If you keep git, use shallow, pinned clone; drop redundant apk update

If you decide to stick with git, reduce attack surface and layer size.

-RUN apk update && apk add --no-cache git
-RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
+RUN apk add --no-cache git
+ARG GRPC_HEALTH_PROBE_REF=v0.4.40
+RUN git clone --depth 1 --branch ${GRPC_HEALTH_PROBE_REF} https://github.com/grpc-ecosystem/grpc-health-probe.git
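
Review bot: `--branch ${GRPC_HEALTH_PROBE_REF}` in the `+` clone line pins to a tag name, and a tag can be moved upstream, so the build is still not tied to one commit. Add a step after the clone that compares `git rev-parse HEAD` with an expected commit passed as a second `ARG`, and quote `"${GRPC_HEALTH_PROBE_REF}"`.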

10-11: Ensure the binary lands at /go/bin deterministically

go install relies on GOPATH/GOBIN defaults; to make the COPY robust, you can build with an explicit output path.

-ENV GOTOOLCHAIN=local
-RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w
+ENV GOTOOLCHAIN=local
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 go build -trimpath -tags netgo -ldflags "-s -w -buildid=" \
+      -o /go/bin/grpc-health-probe .
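
Review bot: The added `RUN --mount=type=cache,...` form only works under BuildKit; the legacy builder rejects the `--mount` flag, and nothing in these lines shows how the release image is built. Confirm the release workflow builds with BuildKit before adopting this. The `.` package argument also depends on WORKDIR still being the cloned repository root at this step, and the `-o /go/bin/grpc-health-probe` path has to stay identical to the source path of the later COPY.
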
Dockerfile (1)

16-21: Optional: pin the final static base by digest here as well (consistency with permify-builder)

You already pin the builder image; consider pinning the final cgr.dev/chainguard/static:latest to a digest in this Dockerfile too (it’s already pinned in Dockerfile.release), or make it an ARG that CI injects with a digest. This avoids drift if latest changes between builds.

Example:

-FROM cgr.dev/chainguard/static:latest@sha256:6a4b683f4708f1f167ba218e31fcac0b7515d94c33c3acf223c36d5c6acd3783
+ARG STATIC_BASE=cgr.dev/chainguard/static:latest@sha256:6a4b683f4708f1f167ba218e31fcac0b7515d94c33c3acf223c36d5c6acd3783
+FROM ${STATIC_BASE}
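
Review bot: The added `ARG STATIC_BASE=...` sits directly above the final FROM, after the earlier build stages, but Docker only expands an ARG in a FROM line when it is declared before the first FROM in the file; declared here, `${STATIC_BASE}` would not resolve. Move the ARG to the top of the Dockerfile. The removed line already carries a digest, so this change does not add pinning; it makes the pinned base overridable with `--build-arg`, which is only an improvement if CI is the sole caller that sets it.
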
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 946317e and 573892a.

📒 Files selected for processing (2)
  • Dockerfile (1 hunks)
  • Dockerfile.release (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Analyze (go)
  • GitHub Check: Scan Container for Vulnerabilities
  • GitHub Check: Test with Coverage
  • GitHub Check: Test with Coverage
🔇 Additional comments (4)
Dockerfile.release (1)

13-13: LGTM: Copy path matches builder output

Assuming the install/build writes to /go/bin/grpc-health-probe, the COPY destination and binary name are consistent with common conventions. Nice.

Dockerfile (3)

1-1: LGTM: Builder image is pinned by digest

Pinning the Go builder image improves reproducibility. Good call.


17-17: LGTM: Final copy path and binary name are consistent

This matches the builder output path and retains the expected destination name.


18-21: Note: This change addresses the prior GHCR tag/path concern

Switching from copying out of a prebuilt GHCR image to building the probe from source resolves the earlier concern about the non-existent tag and uncertain binary path. Nice move.

Comment on lines +7 to +15
FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
WORKDIR /go/src/app
RUN apk update && apk add --no-cache git
RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
WORKDIR /go/src/app/grpc-health-probe
RUN git checkout master
ENV GOTOOLCHAIN=local
RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w

🛠️ Refactor suggestion

Repeatability and size: pin grpc-health-probe version, avoid cloning master, add caches, strip symbols

Same concerns as in Dockerfile.release: pin to a tag/commit and avoid an unpinned master. Also add cache mounts and standard strip flags.

Proposed refactor:

-FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
-WORKDIR /go/src/app
-RUN apk update && apk add --no-cache git
-RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
-WORKDIR /go/src/app/grpc-health-probe
-RUN git checkout master
-ENV GOTOOLCHAIN=local
-RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w
+FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
+ARG GRPC_HEALTH_PROBE_VERSION=v0.4.40
+ENV GOTOOLCHAIN=local
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 go install \
+      -tags netgo \
+      -ldflags="-s -w -buildid=" \
+      github.com/grpc-ecosystem/grpc-health-probe/cmd/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION}
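
Review bot: The package path in the added `go install` line ends in `/cmd/grpc-health-probe`, but the removed lines run `go install` with no package argument from the root of the cloned repository, which means the main package being built today is the module root. Check that a `cmd/grpc-health-probe` package exists at the chosen tag before committing; if it does not, the path should be `github.com/grpc-ecosystem/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION}`. Either way, confirm the installed binary name still matches what the final stage's COPY expects.
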
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
WORKDIR /go/src/app
RUN apk update && apk add --no-cache git
RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
WORKDIR /go/src/app/grpc-health-probe
RUN git checkout master
ENV GOTOOLCHAIN=local
RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w
FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
# Pin the version for repeatable builds
ARG GRPC_HEALTH_PROBE_VERSION=v0.4.40
# Use local toolchain if configured
ENV GOTOOLCHAIN=local
# Use Docker BuildKit cache mounts for Go build & module cache,
# strip symbols and build without CGO for smallest, reproducible binary
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
CGO_ENABLED=0 go install \
-tags netgo \
-ldflags="-s -w -buildid=" \
github.com/grpc-ecosystem/grpc-health-probe/cmd/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION}
🤖 Prompt for AI Agents
Dockerfile lines 7-15: avoid cloning master and reduce image size and rebuild
times by pinning grpc-health-probe to a specific tag/commit (or using go install
github.com/grpc-ecosystem/grpc-health-probe@<tag>), eliminate an unpinned git
checkout, shallow-clone if you must (depth=1) and checkout the tag, consolidate
apk calls, add build caches for Go (e.g. cache mounts for module and build
caches) so successive builds are faster, ensure CGO_ENABLED=0 remains set and
use linker strip flags (-s -w) to strip symbols for a smaller binary, and
combine steps to reduce layers; implement these changes so the Dockerfile builds
a reproducible, smaller health-probe binary.

Comment on lines +3 to +11
FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
WORKDIR /go/src/app
RUN apk update && apk add --no-cache git
RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
WORKDIR /go/src/app/grpc-health-probe
RUN git checkout master
ENV GOTOOLCHAIN=local
RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w

🛠️ Refactor suggestion

Pin grpc-health-probe to a tag/commit and avoid cloning master for reproducible, supply-chain-safe builds

Cloning the repo and checking out master makes builds non-reproducible and vulnerable to upstream changes. Prefer a fixed tag/commit or use go install module@version to fetch exact source without git, plus enable build caching and strip flags.

Proposed refactor (uses module-aware install, drops git, adds cache mounts, pins version via ARG):

-FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
-WORKDIR /go/src/app
-RUN apk update && apk add --no-cache git
-RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
-WORKDIR /go/src/app/grpc-health-probe
-RUN git checkout master
-ENV GOTOOLCHAIN=local
-RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w
+FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
+ARG GRPC_HEALTH_PROBE_VERSION=v0.4.40
+ENV GOTOOLCHAIN=local
+# Use module-aware install with explicit version; add caches to speed up.
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 go install \
+      -tags netgo \
+      -ldflags="-s -w -buildid=" \
+      github.com/grpc-ecosystem/grpc-health-probe/cmd/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION}
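
Review bot: `ARG GRPC_HEALTH_PROBE_VERSION=v0.4.40` is introduced here with the same default as in the Dockerfile suggestion, so the probe version would live in two files with nothing tying them together. Pass the value from one place (a single CI variable fed to both builds with `--build-arg`) or add a check that fails when the two defaults differ, otherwise the release image and the regular image can drift to different probe versions.
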
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
WORKDIR /go/src/app
RUN apk update && apk add --no-cache git
RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
WORKDIR /go/src/app/grpc-health-probe
RUN git checkout master
ENV GOTOOLCHAIN=local
RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w
FROM golang:1.24.6-alpine3.22@sha256:c8c5f95d64aa79b6547f3b626eb84b16a7ce18a139e3e9ca19a8c078b85ba80d AS health-probe-builder
ARG GRPC_HEALTH_PROBE_VERSION=v0.4.40
ENV GOTOOLCHAIN=local
# Use module-aware install with explicit version; add caches to speed up and strip debug info.
RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \
CGO_ENABLED=0 go install \
-tags netgo \
-ldflags="-s -w -buildid=" \
github.com/grpc-ecosystem/grpc-health-probe/cmd/grpc-health-probe@${GRPC_HEALTH_PROBE_VERSION}

@tolgaozen tolgaozen merged commit d70f860 into master Aug 21, 2025
10 of 12 checks passed
@tolgaozen tolgaozen deleted the update-v1-4-3 branch August 21, 2025 10:48