fix: pin buf plugin versions to prevent CI drift #36
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Pull request overview
This PR pins protobuf plugin versions in buf.gen.yaml to prevent CI drift caused by automatic updates to the latest plugin versions. The change ensures that generated protobuf files remain stable across builds by locking to specific plugin versions.
Changes:
- Pinned four protobuf/gRPC plugin versions in buf.gen.yaml (Go: v1.36.6 and v1.6.0, Python: v30.2 and v1.78.0)
- Regenerated all .pb.go files to reflect the pinned versions in their version comments
- Updated TrustLevel enum documentation in badge.pb.go with improved RFC-002 mapping clarity
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| proto/buf.gen.yaml | Pins buf plugin versions to prevent drift, adds explanatory comments |
| pkg/rpc/gen/capiscio/v1/trust.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/simpleguard_grpc.pb.go | Updates protoc-gen-go-grpc version from v1.6.1 to v1.6.0 |
| pkg/rpc/gen/capiscio/v1/simpleguard.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/scoring.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/revocation.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/registry.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/mcp.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/did.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/common.pb.go | Updates protoc-gen-go version from v1.36.11 to v1.36.6 |
| pkg/rpc/gen/capiscio/v1/badge.pb.go | Updates protoc-gen-go version and improves TrustLevel documentation |
| // Trust level for badges (RFC-002 §5) | ||
| // NOTE: Proto enum ordinals (1-5) map to RFC-002 level strings ("0"-"4") | ||
| // The badge JWT `vc.credentialSubject.level` uses the RFC string values | ||
| type TrustLevel int32 | ||
|
|
||
| const ( | ||
| TrustLevel_TRUST_LEVEL_UNSPECIFIED TrustLevel = 0 | ||
| TrustLevel_TRUST_LEVEL_SELF_SIGNED TrustLevel = 1 // Self-signed (Level 0, did:key) | ||
| TrustLevel_TRUST_LEVEL_DV TrustLevel = 2 // Domain Validated (Level 1) | ||
| TrustLevel_TRUST_LEVEL_OV TrustLevel = 3 // Organization Validated (Level 2) | ||
| TrustLevel_TRUST_LEVEL_EV TrustLevel = 4 // Extended Validated (Level 3) | ||
| TrustLevel_TRUST_LEVEL_CV TrustLevel = 5 // Community Vouched (Level 4) | ||
| TrustLevel_TRUST_LEVEL_SELF_SIGNED TrustLevel = 1 // RFC-002 Level "0": Self-Signed (SS) - did:key, iss == sub | ||
| TrustLevel_TRUST_LEVEL_DV TrustLevel = 2 // RFC-002 Level "1": Registered (REG) - account registration | ||
| TrustLevel_TRUST_LEVEL_OV TrustLevel = 3 // RFC-002 Level "2": Domain Validated (DV) - DNS/HTTP proof | ||
| TrustLevel_TRUST_LEVEL_EV TrustLevel = 4 // RFC-002 Level "3": Organization Validated (OV) - legal entity | ||
| TrustLevel_TRUST_LEVEL_CV TrustLevel = 5 // RFC-002 Level "4": Extended Validated (EV) - security audit |
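Review bot: In the rewritten comments on the const block, the identifier names no longer agree with the levels they document: `TrustLevel_TRUST_LEVEL_DV` is described as RFC-002 Level "1" Registered, `TRUST_LEVEL_OV` as Domain Validated, `TRUST_LEVEL_EV` as Organization Validated and `TRUST_LEVEL_CV` as Extended Validated. A caller that gates on `TrustLevel_TRUST_LEVEL_DV` expecting DNS/HTTP proof would accept a badge backed only by account registration, and the ordinal is also one higher than the RFC level string. Since this file is generated, the fix belongs in the .proto source: rename the enum values to match the RFC-002 names, or, if the names must stay for wire compatibility, say so in the type comment and point callers at a single conversion helper instead of comparing ordinals directly.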
The PR description states "No functional changes to generated code," but the regeneration has updated the TrustLevel enum documentation comments beyond just version numbers. The comments now include more detailed RFC-002 mappings and clarifications about string vs. numeric representations (lines 26-37).
While these are documentation improvements and not functional changes, they should be mentioned in the PR description for transparency, especially since the comment changes in the .proto source file already existed and are just now being reflected in the generated code.
proto/buf.gen.yaml
Outdated
| # Go - pinned versions to prevent CI drift | ||
| - remote: buf.build/protocolbuffers/go:v1.36.6 |
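Review bot: The pin `buf.build/protocolbuffers/go:v1.36.6` is older than the v1.36.11 that the committed .pb.go files carried before this PR (see the per-file summary), so this line downgrades the generator rather than freezing it. Either pin to the version already in the tree so the regeneration diff stays empty, or extend the comment to say why v1.36.6 was chosen, so a later bump is a deliberate, reviewed change.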
The PR description mentions "The E2E CI workflow verifies that generated protobuf files match committed files," but there doesn't appear to be an E2E workflow in .github/workflows/ that performs this verification. The existing ci.yml workflow only runs tests and excludes generated protobuf code from coverage.
If such a verification step exists, it should be clearly documented. If it doesn't exist yet, consider adding it to prevent drift between committed files and generated code, or update the PR description to accurately reflect the current CI setup.
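The verification step discussed in the review comment above could look like the following added example, which is not code from the PR or the project: it compares the plugin version stamped in each generated file's header with the pin in buf.gen.yaml. `PinnedVersions` and `CheckDrift` are hypothetical helpers, the YAML is scanned with a regular expression instead of a YAML parser, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Added example; PinnedVersions and CheckDrift are hypothetical helper names.
var (
	// Remote plugin -> tool name stamped into the header of files it generates.
	toolFor = map[string]string{
		"buf.build/protocolbuffers/go": "protoc-gen-go",
		"buf.build/grpc/go":            "protoc-gen-go-grpc",
	}
	pinRe    = regexp.MustCompile(`(?m)^[ \t]*-[ \t]*remote:[ \t]*([^\s:]+)(?::(\S+))?[ \t]*$`)
	headerRe = regexp.MustCompile(`(?m)^//[ \t]+(?:- )?(protoc-gen-go(?:-grpc)?)[ \t]+(v\S+)`)
)

// PinnedVersions maps tool name -> pinned version ("" if listed without one).
func PinnedVersions(bufGen string) map[string]string {
	pins := map[string]string{}
	for _, m := range pinRe.FindAllStringSubmatch(bufGen, -1) {
		if tool, ok := toolFor[m[1]]; ok {
			pins[tool] = m[2]
		}
	}
	return pins
}

// CheckDrift reports each generated file whose stamped version differs from the pin.
func CheckDrift(bufGen string, generated map[string]string) []string {
	pins := PinnedVersions(bufGen)
	var findings []string
	for name, src := range generated {
		if m := headerRe.FindStringSubmatch(src); m != nil && pins[m[1]] != m[2] {
			findings = append(findings, fmt.Sprintf("%s: %s stamped %s, pinned %q", name, m[1], m[2], pins[m[1]]))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample: the Go pins named on this page, one file still stamped v1.36.11.
	buf := "plugins:\n  - remote: buf.build/protocolbuffers/go:v1.36.6\n  - remote: buf.build/grpc/go:v1.6.0\n"
	gen := map[string]string{"trust.pb.go": "// versions:\n// \tprotoc-gen-go v1.36.11\n"}
	fmt.Println(CheckDrift(buf, gen))
}
```

A header check only catches plugin version drift; regenerating with `buf generate` and failing on a non-empty `git diff` also catches content drift.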
Python SDKs (capiscio-sdk-python, capiscio-mcp-python) need different import paths for their package structure. Each repo should manage its own protobuf generation. This prevents 'make proto' from generating broken Python files with wrong import paths.
| # Go only - pinned versions to prevent CI drift | ||
| # Python SDKs (capiscio-sdk-python, capiscio-mcp-python) manage their own | ||
| # protobuf generation with correct import paths for their package structure | ||
| - remote: buf.build/protocolbuffers/go:v1.36.6 |
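Review bot: The new comment hands Python generation to capiscio-sdk-python and capiscio-mcp-python without saying which plugin versions those repos must use, so the drift this pin removes here can reappear there. Add a line stating that each SDK repo pins its own plugin versions, or link to where that is documented, so the guarantee in "pinned versions to prevent CI drift" is not read as covering the Python stubs.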
PR description says Python plugin versions are pinned (protocolbuffers/python + grpc/python), but this file removes Python plugin entries entirely and documents that Python SDKs generate protobufs themselves. Please either (a) update the PR description to match this behavior change, or (b) reintroduce the Python plugins with pinned versions if this repo is still expected to generate SDK stubs.
Pin protobuf plugin versions in buf.gen.yaml to prevent CI from regenerating files with newer versions and causing verification failures.
Changes
- buf.build/protocolbuffers/go:v1.36.6
- buf.build/grpc/go:v1.6.0
- buf.build/protocolbuffers/python:v30.2
- buf.build/grpc/python:v1.78.0

Why
The E2E CI workflow verifies that generated protobuf files match committed files. Without pinned versions, CI uses latest plugin versions which may differ from committed files, causing spurious failures.
Testing