build(protobufs): regen protobufs with nanopb 0.4.9.1 #84
- update CI workflow env NANOPB_VERSION to 0.4.9.1
- update regen script defaults to nanopb-0.4.9.1
- regenerate protobuf Python files and stubs with updated imports
- add Protobuf runtime version checks to generated files
- bump protobuf Python dependency to >=5.28.1 in pyproject.toml
- update CONTRIBUTING.md with protobuf update instructions
@coderabbitai review
✅ Actions performed
Review triggered.
Code Review
This pull request updates the project's protobuf definitions and dependencies, upgrading the protobuf library to version 5.28.1 and updating the protobufs submodule. The changes include the regeneration of all Python protobuf files to use relative imports and include runtime version checks, alongside updates to bin/regen-protobufs.sh for improved protoc discovery and documentation updates in CONTRIBUTING.md. Feedback was provided to remove a hardcoded fallback to an older nanopb version in the regeneration script to ensure consistency with the updated version requirements.
Walkthrough
Regenerates Python protobuf artifacts and updates tooling: CI/workflow and regen script now parameterize nanopb/protoc download and verify checksums; many
Changes
Sequence Diagram(s)
sequenceDiagram
participant Dev as Developer
participant CI as GitHub Actions Runner
participant Nano as nanopb Release (remote)
participant FS as Filesystem
participant Protoc as protoc (tool)
Dev->>CI: push update_protobufs workflow/run
CI->>Nano: curl download tarball (using NANOPB_VERSION)
Nano-->>CI: tarball
CI->>CI: sha256sum -c - (verify NANOPB_SHA256)
alt checksum OK
CI->>CI: tar xzf, mv extracted to nanopb-${NANOPB_VERSION}-linux-x86
CI->>Protoc: use protoc from nanopb dir (or from PATH if allowed)
Protoc-->>CI: protoc --version (logged)
CI->>FS: run regen script (bin/regen-protobufs.sh) to generate *_pb2.py and .pyi
FS-->>CI: generated files
else checksum FAIL
CI-->>Dev: fail job with instructions to re-run/download
end
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~60 minutes
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/update_protobufs.yml:
- Line 9: Remove the redundant quoting for the YAML variable NANOPB_VERSION by
changing its value from a quoted string to an unquoted scalar (i.e., replace
"0.4.9.1" with 0.4.9.1) so it passes YAMLlint's quoted-strings rule; update the
NANOPB_VERSION entry in the workflow file where the key is defined to use the
unquoted value.
- Around line 40-42: The workflow currently downloads and extracts
nanopb-${NANOPB_VERSION}-linux-x86.tar.gz without integrity checks; update the
steps around the curl/tar/mv commands to fetch or embed the official SHA256 for
nanopb-${NANOPB_VERSION}-linux-x86.tar.gz and verify it before extraction (e.g.,
download a .sha256 file or echo the known hash and run sha256sum -c or sha256sum
--check), and fail the job on mismatch so the tar extraction and subsequent mv
only run after successful checksum validation.
In @.gitignore:
- Line 23: The .codex entry in .gitignore appears to be an IDE/assistant
artifact (like .cursor) and not related to the nanopb/protobuf changes in this
PR; remove the .codex addition from this PR or move it into a separate, focused
PR for editor/IDE exclusions, and update the PR description to reflect that only
nanopb/protobuf regeneration is included; reference the .codex gitignore line
(and related .cursor entry) when making the split so the IDE-related ignores are
handled separately from functions touching nanopb/protobuf generation.
In `@bin/regen-protobufs.sh`:
- Around line 29-57: Remove the legacy nanopb-0.4.8 fallback by deleting the
"./nanopb-0.4.8/generator-bin/protoc" candidate from the PROTOC_CANDIDATE loop
(symbols: PROTOC_CANDIDATE, NANOPB_DIR, NANOPB_LINUX_DIR) and change the
automatic system lookup block that uses "command -v protoc" so it only accepts a
system protoc when ALLOW_SYSTEM_PROTOC=1 is set (check the ALLOW_SYSTEM_PROTOC
env var before assigning PROTOC from command -v protoc); keep the existing
failure message and the later logging of the chosen PROTOC and ensure
NANOPB_VERSION is still the single source-of-truth for the expected nanopb
release.
In `@meshtastic/protobuf/config_pb2.pyi`:
- Around line 16-24: The project is missing typing_extensions as a
runtime/dependency even though the regenerated stubs import
typing_extensions.deprecated for Python <3.13; add typing_extensions to the
project dependencies in pyproject.toml (e.g., add a dependency entry like
typing_extensions = "^4.0.0" or a compatible newer version) so imports in
meshtastic/protobuf/config_pb2.pyi (the conditional imports of TypeAlias and
deprecated from typing_extensions) will succeed for Python 3.10–3.12.
In `@meshtastic/protobuf/mesh_pb2.py`:
- Around line 5-19: The project currently allows protobuf versions starting at
5.28.1 which includes vulnerable releases; update the dependency constraint in
pyproject.toml to exclude the vulnerable range by raising the minimum to
protobuf >=5.29.5 (or use an explicit exclusion like "protobuf
>=5.28.1,!=5.28.1-5.29.4, <6") and then run dependency lock/install; you can
verify the runtime check in mesh_pb2.py
(runtime_version.ValidateProtobufRuntimeVersion and
_runtime_version.Domain.PUBLIC) will still accept the newer non-vulnerable
protobuf at import.
In `@meshtastic/protobuf/module_config_pb2.pyi`:
- Around line 16-24: module_config_pb2.pyi imports typing_extensions.deprecated
for Python <3.13 (see the _deprecated alias) so typing_extensions must be
declared as an explicit project dependency; add typing_extensions to your
pyproject.toml project dependencies (or equivalent manifest) so consumers on
Python 3.10–3.12 get it, optionally using an environment marker (e.g.,
python_version < "3.13") if you want to limit it, then regenerate your lockfile
(poetry lock / pip-compile / pipenv lock) so the lock includes the explicit
dependency.
In `@pyproject.toml`:
- Line 18: Update the protobuf version constraint to exclude vulnerable releases
by changing the dependency declaration for protobuf (the line containing
protobuf = ">=5.28.1") to require at least the patched release; replace the
current constraint with one that sets the minimum to >=5.29.5 so installations
cannot pick affected versions (<5.29.5).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: f721e1d1-de7d-4e70-b242-ddbc67524ba6
⛔ Files ignored due to path filters (1)
poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (54)
.github/workflows/update_protobufs.yml, .gitignore, CONTRIBUTING.md, bin/regen-protobufs.sh, meshtastic/protobuf/admin_pb2.py, meshtastic/protobuf/admin_pb2.pyi, meshtastic/protobuf/apponly_pb2.py, meshtastic/protobuf/apponly_pb2.pyi, meshtastic/protobuf/atak_pb2.py, meshtastic/protobuf/atak_pb2.pyi, meshtastic/protobuf/cannedmessages_pb2.py, meshtastic/protobuf/cannedmessages_pb2.pyi, meshtastic/protobuf/channel_pb2.py, meshtastic/protobuf/channel_pb2.pyi, meshtastic/protobuf/clientonly_pb2.py, meshtastic/protobuf/clientonly_pb2.pyi, meshtastic/protobuf/config_pb2.py, meshtastic/protobuf/config_pb2.pyi, meshtastic/protobuf/connection_status_pb2.py, meshtastic/protobuf/connection_status_pb2.pyi, meshtastic/protobuf/device_ui_pb2.py, meshtastic/protobuf/device_ui_pb2.pyi, meshtastic/protobuf/deviceonly_pb2.py, meshtastic/protobuf/deviceonly_pb2.pyi, meshtastic/protobuf/interdevice_pb2.py, meshtastic/protobuf/interdevice_pb2.pyi, meshtastic/protobuf/localonly_pb2.py, meshtastic/protobuf/localonly_pb2.pyi, meshtastic/protobuf/mesh_pb2.py, meshtastic/protobuf/mesh_pb2.pyi, meshtastic/protobuf/module_config_pb2.py, meshtastic/protobuf/module_config_pb2.pyi, meshtastic/protobuf/mqtt_pb2.py, meshtastic/protobuf/mqtt_pb2.pyi, meshtastic/protobuf/nanopb_pb2.py, meshtastic/protobuf/nanopb_pb2.pyi, meshtastic/protobuf/paxcount_pb2.py, meshtastic/protobuf/paxcount_pb2.pyi, meshtastic/protobuf/portnums_pb2.py, meshtastic/protobuf/portnums_pb2.pyi, meshtastic/protobuf/powermon_pb2.py, meshtastic/protobuf/powermon_pb2.pyi, meshtastic/protobuf/remote_hardware_pb2.py, meshtastic/protobuf/remote_hardware_pb2.pyi, meshtastic/protobuf/rtttl_pb2.py, meshtastic/protobuf/rtttl_pb2.pyi, meshtastic/protobuf/storeforward_pb2.py, meshtastic/protobuf/storeforward_pb2.pyi, meshtastic/protobuf/telemetry_pb2.py, meshtastic/protobuf/telemetry_pb2.pyi, meshtastic/protobuf/xmodem_pb2.py, meshtastic/protobuf/xmodem_pb2.pyi, protobufs, pyproject.toml
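The checksum-before-extraction and ALLOW_SYSTEM_PROTOC points from the review above, as an added example that is not the project's bin/regen-protobufs.sh or workflow code. The function names, temporary paths and sample archive are constructed for illustration, and the digest is computed from the sample only so the demo runs offline.

```shell
#!/usr/bin/env bash
# Added example: pinned-digest check before extraction, plus opt-in system protoc.

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST_DIR
# Extracts only when the archive's SHA-256 equals the pinned digest.
verify_and_extract() {
  archive=$1; expected=$2; dest=$3
  # Fail early with a clear error if the pin is unset or not 64 lowercase hex chars.
  case $expected in
    ''|*[!0-9a-f]*) echo "invalid pinned digest" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "invalid pinned digest" >&2; return 2; }
  # sha256sum -c expects "<digest>  <file>" (two spaces).
  if ! printf '%s  %s\n' "$expected" "$archive" | sha256sum -c - >/dev/null 2>&1; then
    echo "checksum mismatch for $archive; refusing to extract" >&2
    return 1
  fi
  mkdir -p "$dest" && tar xzf "$archive" -C "$dest"
}

# select_protoc NANOPB_DIR
# The protoc shipped in the verified nanopb directory always wins; a protoc on
# PATH is accepted only when ALLOW_SYSTEM_PROTOC=1.
select_protoc() {
  pinned="$1/generator-bin/protoc"
  if [ -x "$pinned" ]; then
    printf '%s\n' "$pinned"; return 0
  fi
  if [ "${ALLOW_SYSTEM_PROTOC:-0}" = "1" ] && sys=$(command -v protoc); then
    printf '%s\n' "$sys"; return 0
  fi
  echo "no protoc under $1; set ALLOW_SYSTEM_PROTOC=1 to allow PATH lookup" >&2
  return 1
}

# Demo on a constructed tarball standing in for the nanopb release archive.
work=$(mktemp -d)
mkdir -p "$work/src/generator-bin"
printf '#!/bin/sh\necho constructed\n' > "$work/src/generator-bin/protoc"
chmod +x "$work/src/generator-bin/protoc"
tar czf "$work/pkg.tar.gz" -C "$work/src" generator-bin
# Constructed pin: computed from the sample so the demo runs offline. A real
# pin is recorded ahead of time from a trusted source, never from the download.
good=$(sha256sum "$work/pkg.tar.gz" | cut -d' ' -f1)
verify_and_extract "$work/pkg.tar.gz" "$good" "$work/ok" && select_protoc "$work/ok"
```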
- bump protobuf version requirement in pyproject.toml to >=5.29.5
- update regen-protobufs.sh to honor ALLOW_SYSTEM_PROTOC and drop fallback to nanopb-0.4.8
- CI workflow updates: set NANOPB_SHA256 and verify tarball integrity
- update CONTRIBUTING.md with sha256 verification steps and ALLOW_SYSTEM_PROTOC guidance
@coderabbitai review
✅ Actions performed
Review triggered.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@bin/regen-protobufs.sh`:
- Around line 7-8: The script currently hardcodes NANOPB_LINUX_DIR and
NANOPB_DOWNLOAD_URL while NANOPB_DIR is overrideable; change both to respect
environment overrides by only assigning defaults when the vars are unset (e.g.,
use conditional assignments for NANOPB_LINUX_DIR and NANOPB_DOWNLOAD_URL), and
ensure NANOPB_DOWNLOAD_URL is derived from NANOPB_VERSION/NANOPB_LINUX_DIR if
needed so custom NANOPB_LINUX_DIR or NANOPB_DIR values are honored; update
references to NANOPB_LINUX_DIR and NANOPB_DOWNLOAD_URL accordingly (symbols:
NANOPB_LINUX_DIR, NANOPB_DOWNLOAD_URL, NANOPB_DIR, NANOPB_VERSION).
In `@pyproject.toml`:
- Around line 18-19: The pyproject.toml currently allows protobuf ">=5.29.5"
which permits protobuf 6.x and will cause runtime import failures; update the
protobuf dependency constraint to lock the major version (e.g., change protobuf
= ">=5.29.5" to protobuf = ">=5.29.5,<6") so the project only installs protobuf
5.x until generated modules are regenerated; edit the protobuf entry in
pyproject.toml accordingly.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 508dc316-d457-451a-9926-b3cfc3363f5e
⛔ Files ignored due to path filters (1)
poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
.github/workflows/update_protobufs.yml, CONTRIBUTING.md, bin/regen-protobufs.sh, pyproject.toml
update regen-protobufs.sh to read NANOPB_LINUX_DIR and NANOPB_DOWNLOAD_URL from environment with defaults

This enables overriding nanopb sources without editing the script, while preserving existing behavior when variables are unset
Overview
This PR regenerates protobuf sources using nanopb 0.4.9.1 and tightens the protobuf regeneration workflow and CI verification. It updates regenerated Python protobuf modules and stubs to the newer nanopb/protoc output, bumps the Python protobuf dependency, and documents the local regeneration process and integrity checks.
Key changes
Features
Fixes / Security
Refactors / Generated outputs
Other
Breaking changes / migration notes