@rustatian rustatian commented Sep 11, 2025

Reason for This PR

  • Release cycle.

Description of Changes

📦 Temporal plugin

  • ✨ Support for the NO_PROXY environment variable to disable proxy usage FR
  • ✨ Support for setting the Workflow Versioning Behavior from the PHP Worker FR

📦 Kafka driver

  • ✨ Support for partition strategies FR

🎯 Core

  • ✨ The Fileserver plugin has been excluded from the standard bundle but is available to be built with Velox. This is because its dependency, GoFiber, has had too many CVEs in recent months.
  • ✨ Update dependencies and Go to the latest versions.
  • ✨ Use the new Green Tea garbage collector by default; see Go RFC

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

PR Checklist

[Author TODO: Meet these criteria.]
[Reviewer TODO: Verify that these criteria are met. Request changes if not]

  • All commits in this PR are signed (git commit -s).
  • The reason for this PR is clearly provided (issue no. or explanation).
  • The description of changes is clear and encompassing.
  • Any required documentation changes (code and docs) are included in this PR.
  • Any user-facing changes are mentioned in CHANGELOG.md.
  • All added/changed functionality is tested.

Summary by CodeRabbit

  • New Features

    • Optional HTTP/3 support (configurable address), Redis TLS skeleton, Kafka pipeline options (partitioning strategy, instance_id, per-pipeline SASL), status check timeout (default 60s), and adjusted Centrifuge gRPC default address.
  • Documentation

    • Added comprehensive contributor guide with project layout, build/test workflows, coding standards, and security/configuration tips.
  • Chores

    • Enabled Go greentea GC during builds, broad dependency version updates, and removed automated JSON Schema CI validation (and an associated schema README).

Signed-off-by: Valery Piashchynski <[email protected]>
@rustatian rustatian requested a review from Copilot September 11, 2025 13:37
@rustatian rustatian self-assigned this Sep 11, 2025

coderabbitai bot commented Sep 11, 2025

Walkthrough

Adds GOEXPERIMENT=greenteagc to build stages (GitHub release workflow and Docker builder), removes the JSON Schema validation workflow, adds AGENTS.md, updates .rr.yaml with new config fields (HTTP/3, Redis TLS skeleton, status timeout, Kafka options, Centrifuge gRPC default), and bumps many module versions in go.mod. No public API changes.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| CI workflows | .github/workflows/release.yml, .github/workflows/schema.yaml | Set GOEXPERIMENT=greenteagc in the release workflow build step; removed the schema.yaml workflow that validated JSON schemas. |
| Docker Build | Dockerfile | Added build-stage ENV GOEXPERIMENT=greenteagc (commented); runtime stage unchanged. |
| Configuration | .rr.yaml | Added http.http3 section (address example), commented Redis tls skeleton, status.check_timeout, Kafka additions (producer_options.partitioning_strategy, group_options.instance_id, per-pipeline sasl_options), and changed centrifuge.grpc_api_address default to tcp://127.0.0.1:10000. |
| Dependencies | go.mod | Large dependency bumps and replacements across many RoadRunner modules and indirect deps (grpc, kafka, memory, redis families, AWS SDK v2 pieces, tools); no source changes. |
| Documentation | AGENTS.md | New repo guidelines: project layout, build/test commands, coding style, testing practices, commit/PR guidance, and security/config notes. |
| Schemas docs | schemas/config/readme.md | Deleted README describing config schemas and contribution rules. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

R-stable

Suggested reviewers

  • wolfy-j

Pre-merge checks (3 passed)

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title "release: v2025.1.3" is concise, a single short sentence, and correctly identifies the changeset as a release with the new version number; for a release PR this directly communicates the primary intent and is relevant to the changeset. It is clear and easy for teammates to scan in history. |
| Description Check | ✅ Passed | The PR description follows the repository template by providing "Reason for This PR", a detailed "Description of Changes", "License Acceptance", and a filled PR checklist, and it documents the main release highlights (Temporal, Kafka, core changes and GC update), so it is largely complete. It does omit some file-level items visible in the diff (for example AGENTS.md addition and removal of the schema validation workflow), but those are non-critical omissions for a release summary and the description meets the template requirements. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

Poem

I hopped through builds with a tasseled flag,
Tucked greentea GC inside the bag.
Wrote lines of guidance in AGENTS.md bright,
Tuned configs, bumped deps, then took flight—
A rabbit's cheer: "All set for the night!" 🐇✨

@rustatian rustatian added the C-enhancement Category: enhancement. Meaning improvements of current module, transport, etc.. label Sep 11, 2025

Copilot AI left a comment

Pull Request Overview

This PR is a release for version v2025.1.3 that enables the Go greentea garbage collector experiment across build configurations.

  • Enables the GOEXPERIMENT=greenteagc flag in both Docker builds and GitHub Actions release workflow
  • Adds a new repository guidelines document (AGENTS.md) documenting project structure, development commands, and coding standards

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| Dockerfile | Adds GOEXPERIMENT=greenteagc environment variable for Docker builds |
| .github/workflows/release.yml | Adds GOEXPERIMENT=greenteagc environment variable for release builds |
| AGENTS.md | New repository guidelines document with project structure and development practices |

codecov bot commented Sep 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.32%. Comparing base (b67b3ae) to head (75a1e3c).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2234   +/-   ##
=======================================
  Coverage   36.32%   36.32%           
=======================================
  Files          18       18           
  Lines        1093     1093           
=======================================
  Hits          397      397           
  Misses        657      657           
  Partials       39       39           

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (7)
Dockerfile (5)

22-25: RUN set -x is a no‑op here; consider collapsing layers and dropping tidy

RUN set -x affects only that layer; subsequent RUNs won’t inherit. Also, running go mod tidy inside the Docker build can mutate go.mod/go.sum and hurt reproducibility.

-RUN set -x
-RUN go mod download
-RUN go mod tidy
+RUN set -eux; \
+    go mod download

25-26: PGO file hard requirement; add graceful fallback to -pgo=auto

If roadrunner.pprof is missing, the build will fail. Use a conditional.

-RUN CGO_ENABLED=0 go build -pgo=roadrunner.pprof -trimpath -ldflags "$LDFLAGS" -o ./rr ./cmd/rr
+RUN set -eux; \
+    PGO_FLAG="-pgo=auto"; \
+    [ -f roadrunner.pprof ] && PGO_FLAG="-pgo=roadrunner.pprof"; \
+    CGO_ENABLED=0 go build ${PGO_FLAG} -trimpath -ldflags "$LDFLAGS" -o ./rr ./cmd/rr
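Review bot: The fallback on the `[ -f roadrunner.pprof ]` line is silent, so a release image can be built without the profile and nothing in the result shows it. Print which `PGO_FLAG` was selected, or keep the hard failure for release builds and use the fallback only for local ones. The expansion in the `go build` line should also be quoted as `"${PGO_FLAG}"`.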

9-10: Improve build cache: copy go.mod/go.sum first; ensure .dockerignore excludes VCS/artifacts

This reduces rebuild time and image size.

-COPY . /src
+COPY go.mod go.sum /src/
+WORKDIR /src
+RUN go mod download
+COPY . /src

28-33: Pin runtime base and drop root for hardening

Floating alpine:3 can change under you; also consider a non‑root user.

-FROM --platform=${TARGETPLATFORM:-linux/amd64} alpine:3
+FROM --platform=${TARGETPLATFORM:-linux/amd64} alpine:3.20
@@
-RUN apk upgrade --update-cache --available && \
-    apk add openssl && \
+RUN apk upgrade --update-cache --available && \
+    apk add --no-cache openssl && \
     rm -rf /var/cache/apk/*
+RUN adduser -D -H -u 10001 rr && chown rr:rr /usr/bin
+USER rr
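Review bot: `chown rr:rr /usr/bin` on the added `adduser` line hands the whole system binary directory to the unprivileged runtime user, so a compromised process could replace any executable in it, which undoes most of the benefit of `USER rr`. Leave `/usr/bin` owned by root and give `rr` ownership only of the directories it has to write to. Separately, `alpine:3.20` is still a mutable tag; pin by digest (`alpine:3.20@sha256:<digest>`) if the goal is a base that cannot change, and the `rm -rf /var/cache/apk/*` line becomes redundant once `--no-cache` is used.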

18-20: Optional: make greenteagc opt‑in via build‑arg

Go 1.25 supports GOEXPERIMENT=greenteagc across linux/darwin/windows/freebsd (amd64, arm64), so this is optional — making it overridable at build time is a low‑risk, backward‑compatible safeguard.

-# enable Go greentea GC experiment during build
-ENV GOEXPERIMENT=greenteagc
+# enable Go greentea GC experiment during build (overridable)
+ARG GOEXPERIMENT_OPT=greenteagc
+ENV GOEXPERIMENT=$GOEXPERIMENT_OPT
.github/workflows/release.yml (1)

119-147: Add checksums (and optionally SBOM) to release assets

Provide SHA256 sums for reproducibility; optionally attach SBOM via buildx.

       - name: Create distributive
         run: |
           mkdir ${{ steps.dist-dir.outputs.name }}
           mv "./${{ steps.values.outputs.binary-name }}"  "./${{ steps.values.outputs.sign-cert-name }}" ./${{ steps.dist-dir.outputs.name }}/
           cp  ./README.md ./CHANGELOG.md ./LICENSE ./${{ steps.dist-dir.outputs.name }}
+          (cd ./${{ steps.dist-dir.outputs.name }} && shasum -a 256 "${{ steps.values.outputs.binary-name }}" > SHA256SUMS)
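Review bot: `SHA256SUMS` on the added line covers only `binary-name`; the `sign-cert-name` file moved into the same directory two lines above is not listed. Hash every shipped file. A sums file generated in the same job and stored next to the binary detects corruption, not tampering, unless the sums file is itself signed or published through a separate channel.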
AGENTS.md (1)

13-19: Document Go baseline and optional greentea usage

Align docs with the release pipeline.

-## Build, Test, and Development Commands
+## Build, Test, and Development Commands (Go 1.25+)
@@
-- `make build` — build the `rr` binary to `./rr`.
+- `make build` — build the `rr` binary to `./rr` (uses your local Go; Go 1.25+ recommended).
@@
-- `golangci-lint run` — lint/format per `.golangci.yml` (install locally).
+- `golangci-lint run` — lint/format per `.golangci.yml` (install locally).
+- To match CI builds, you may enable the greentea GC locally:
+  `GOEXPERIMENT=greenteagc go build ./cmd/rr` (only if supported by your Go toolchain/OS).
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b67b3ae and ff763ff.

📒 Files selected for processing (3)
  • .github/workflows/release.yml (1 hunks)
  • AGENTS.md (1 hunks)
  • Dockerfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (go)
  • GitHub Check: Unit tests
🔇 Additional comments (2)
.github/workflows/release.yml (1)

89-89: Do not gate greenteagc — no documented platform exclusions in Go 1.25

Go 1.25 release notes and the Green Tea GC tracking issue list greenteagc as an opt‑in experiment (GOEXPERIMENT=greenteagc) with no documented platform exclusions, so moving it into the step and gating by OS/Go version is unnecessary.

Likely an incorrect or invalid review comment.

AGENTS.md (1)

36-39: Verify DOTENV flags and debug port

Confirm the exact env var/flag names and default debug bind address to avoid drift with the CLI.

Would you like me to cross‑check the current rr CLI docs and update this section accordingly?

Signed-off-by: Valery Piashchynski <[email protected]>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (6)
.rr.yaml (6)

935-946: HTTP/3 enabled on 127.0.0.1:8443 — verify TLS + UDP and Alt-Svc exposure.

HTTP/3 requires TLS over QUIC (UDP). Ensure cert/key are provided (or ACME is active) and that UDP/8443 is open. If you expect browsers to upgrade, confirm Alt-Svc is emitted by the HTTPS endpoint or consider aligning HTTP/3 to :443 behind the same certs.

Would you like a short snippet showing an Alt-Svc header config example for your ingress/reverse proxy?


979-987: Redis TLS skeleton looks good; prefer env vars for secrets when enabling mTLS.

When uncommenting, avoid hardcoding paths/keys; wire via environment variables to keep samples production-friendly.

Example:

-  #   root_ca: "/ssl/ca.crt"
+  #   root_ca: ${REDIS_TLS_ROOT_CA}
-  #   # cert: "/ssl/cert.crt"
+  #   # cert: ${REDIS_TLS_CERT}
-  #   # key: "/ssl/key.pem"
+  #   # key: ${REDIS_TLS_KEY}

1029-1034: check_timeout unit consistency — confirm plugin expects integer seconds.

Most durations elsewhere use Go-style units (e.g., 60s). The comment says “in seconds”; if the plugin expects a duration string, switch to 60s. Otherwise, keep 60 as-is.


1799-1802: Static group membership note.

If you later enable instance_id, ensure each consumer instance has a unique value to prevent session fencing or stuck rebalances.


1803-1808: Pipeline-level SASL override — avoid committing credentials.

Use env vars in the sample to discourage plaintext secrets.

-        sasl_options:
-          mechanism: plain
-          username: foo
-          password: bar
+        sasl_options:
+          mechanism: ${KAFKA_SASL_MECHANISM:-plain}
+          username: ${KAFKA_USERNAME}
+          password: ${KAFKA_PASSWORD}
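Review bot: With `mechanism` defaulting to `plain`, the username and password on the next two lines reach the broker unencrypted unless the connection uses TLS, and nothing in this block shows TLS being enabled. Show the TLS settings alongside `sasl_options` in the sample or state that they are required. `KAFKA_USERNAME` and `KAFKA_PASSWORD` have no default, so the sample should also say what happens when they are unset.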

2111-2113: grpc_api_address quoting for consistency and YAML safety.

Most DSNs are quoted elsewhere; quote this too.

-  grpc_api_address: tcp://127.0.0.1:10000
+  grpc_api_address: "tcp://127.0.0.1:10000"

Also confirm Centrifugo’s grpc_port matches 10000.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between ff763ff and 1d23f1e.

📒 Files selected for processing (1)
  • .rr.yaml (6 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (go)
  • GitHub Check: Unit tests
🔇 Additional comments (1)
.rr.yaml (1)

1701-1704: Kafka partitioning_strategy explicitly set to Uniform — LGTM.

Explicit beats implicit; this improves readability. Verify accepted values are case-insensitive in your parser to avoid surprises.

Signed-off-by: Valery Piashchynski <[email protected]>
@rustatian rustatian merged commit 581477d into master Sep 11, 2025
13 of 14 checks passed
@rustatian rustatian deleted the release/v2025.1.3 branch September 11, 2025 15:27

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1d23f1e and 75a1e3c.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .github/workflows/schema.yaml (0 hunks)
  • go.mod (6 hunks)
  • schemas/config/readme.md (0 hunks)
💤 Files with no reviewable changes (2)
  • schemas/config/readme.md
  • .github/workflows/schema.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: CodeQL
  • GitHub Check: Analyze (go)
  • GitHub Check: Unit tests
🔇 Additional comments (6)
go.mod (6)

13-55: RR ecosystem bumps look consistent across v5.x.

Versions are aligned (most at 5.1.9, with targeted bumps where needed). No API skew obvious.


144-147: Redis v9.14.0 extras bump: LGTM.

Healthy updates; no API changes expected for telemetry/prometheus helpers.


211-211: x/tools v0.37.0 with Go 1.25 toolchain: OK.

Matches the 1.25 toolchain directive; no action.


73-85: Sanity-check SSO/SQS/STS auth flows in CI.
go.mod shows only minor/patch bumps to aws-sdk-go-v2 and submodules (aws-sdk-go-v2 v1.39.0; config v1.31.8; sqs v1.42.5; sso v1.29.3; ssooidc v1.34.4; sts v1.38.4). Run SQS/STS/SSO auth paths in CI to catch config/env regressions.


129-129: Confirmed: github.com/olekukonko/cat is a legitimate transitive dependency.

go mod graph/why shows github.com/olekukonko/tablewriter → github.com/olekukonko/ll → github.com/olekukonko/cat; tablewriter is imported by internal/cli/jobs/render.go and internal/cli/workers/render.go.


55-55: Temporal stack alignment — confirm roadrunner-temporal v5.9.0 vs go.temporal API/SDK

go.mod shows github.com/temporalio/roadrunner-temporal/v5 v5.9.0 and indirect go.temporal.io/api v1.53.0 / go.temporal.io/sdk v1.36.0, but there is no official rr‑temporal v5.9.0 release (latest v5.8.0).

  • Confirm the source of v5.9.0 (official tag vs commit/fork/replace). If not an upstream release, pin the exact commit or revert to a released version.
  • Verify the referenced rr‑temporal tag/commit declares compatibility with go.temporal.io/sdk v1.36.0 and api v1.53.0 (check rr‑temporal's go.mod/release notes); watch for runtime-breaking changes (e.g., workflow versioning).
  • Resolve mixed/conflicting api entries in go.mod (v1.26.1 vs v1.53.0) so a single consistent go.temporal.io/api version is used.

Location: go.mod (line ~55; also applies to lines 191–195).

github.com/roadrunner-server/server/v5 v5.2.10
github.com/roadrunner-server/service/v5 v5.1.9
github.com/roadrunner-server/sqs/v5 v5.1.9
github.com/roadrunner-server/static/v5 v5.1.7

🛠️ Refactor suggestion

Remove static plugin from root require to truly exclude it (and avoid pulling Fiber with CVEs).

PR description says the Fileserver plugin is excluded from the standard bundle. Keeping github.com/roadrunner-server/static/v5 in root require still fetches/transitively pins its deps (incl. GoFiber), triggering scanners and supply-chain surface.

-	github.com/roadrunner-server/static/v5 v5.1.7
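Review bot: Deleting the `static/v5` require line only holds if no package in the main module still imports the plugin; otherwise `go mod tidy` writes the line back. Remove the import and plugin registration in the same change, then confirm the result with `go mod why -m github.com/roadrunner-server/static/v5` and by checking that no GoFiber module remains in `go list -m all`.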

If Velox builds need it, document adding it in a Velox-specific go.mod or via replace in that build context.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
github.com/roadrunner-server/static/v5 v5.1.7
🤖 Prompt for AI Agents
In go.mod around line 49, the project still lists
"github.com/roadrunner-server/static/v5 v5.1.7" in the root require which keeps
its transitive deps (including GoFiber) in the module graph; remove that require
from the root go.mod to truly exclude the static/fileserver plugin and then run
go mod tidy to prune unused transitive dependencies. If Velox builds need the
plugin, instead add the static module to a Velox-specific go.mod or introduce a
build-context replace/add in that build's module file and document the change so
scanners and supply-chain tooling no longer see Fiber in the main module.

Comment on lines +201 to 203
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.42.0 // indirect

⚠️ Potential issue

Fix invalid YAML module paths and dedupe v3 entry.

go.yaml.in/yaml/{v2,v3} are not valid module paths; canonical is gopkg.in/yaml.{v2,v3}. You also have two v3 entries (one wrong, one correct at Line 219). This will break go mod download and confuse SCA.

Apply:

-	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
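Review bot: The `+` line changes the version as well as the path (`v2.4.3` becomes `v2.4.0`) and drops the v3 requirement entirely, while the agent prompt further down asks for `gopkg.in/yaml.v2 v2.4.3`, so the two suggestions disagree. `// indirect` lines are written by the go command from the module graph and should not be hand-edited: `go.yaml.in/yaml` is the module path of the maintained YAML fork and is distinct from `gopkg.in/yaml`, so both can legitimately appear. Check which dependency requires each path with `go mod why -m go.yaml.in/yaml/v3` before rewriting anything.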

Then run go mod tidy to reconcile the single gopkg.in/yaml.v3 entry (Line 219) and pin to the solver’s chosen version.

Suggested change
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.42.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
golang.org/x/crypto v0.42.0 // indirect
🤖 Prompt for AI Agents
In go.mod around lines 201 to 203, the module paths use the invalid prefix
"go.yaml.in" and you also have a duplicate v3 entry; replace "go.yaml.in/yaml/v2
v2.4.3" with the canonical "gopkg.in/yaml.v2 v2.4.3" (if you need v2), and
remove the incorrect "go.yaml.in/yaml/v3" line so only the correct
"gopkg.in/yaml.v3" entry remains (keep the solver-chosen version at Line 219),
then run "go mod tidy" to reconcile and pin the single gopkg.in/yaml.v3
dependency.
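
The dependency-chain questions raised in the go.mod review above (the `go mod graph`/`why` trace for `olekukonko/cat`, and whether `static/v5` still brings GoFiber into the module graph) can be checked mechanically. The Go program below is an added example, not code from this PR or from the RoadRunner project; the graph text, the `example.com/rr` root, every `v0.0.0` version and the static → fiber edge are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is constructed for this example in the format printed by
// `go mod graph`: "parent child", each as module@version, with the main
// module carrying no version. Module names come from the review thread;
// the root name, the v0.0.0 versions and the fiber edge are made up.
const sampleGraph = `example.com/rr github.com/roadrunner-server/static/v5@v5.1.7
example.com/rr github.com/olekukonko/tablewriter@v0.0.0
github.com/olekukonko/tablewriter@v0.0.0 github.com/olekukonko/ll@v0.0.0
github.com/olekukonko/ll@v0.0.0 github.com/olekukonko/cat@v0.0.0
github.com/roadrunner-server/static/v5@v5.1.7 github.com/gofiber/fiber/v2@v0.0.0
`

// modPath strips the @version suffix from a graph node.
func modPath(node string) string {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// ChainTo returns the shortest require chain from the main module to the
// first module whose path starts with targetPrefix, or nil if none is found.
func ChainTo(graph, targetPrefix string) []string {
	edges := map[string][]string{}
	root := ""
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		if !strings.Contains(f[0], "@") {
			root = f[0] // the main module is the parent without a version
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	// Breadth-first search; parent[] lets us rebuild the path afterwards.
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if n != root && strings.HasPrefix(modPath(n), targetPrefix) {
			var chain []string
			for cur := n; cur != ""; cur = parent[cur] {
				chain = append([]string{cur}, chain...)
			}
			return chain
		}
		for _, c := range edges[n] {
			if _, seen := parent[c]; !seen {
				parent[c] = n
				queue = append(queue, c)
			}
		}
	}
	return nil
}

func main() {
	for _, target := range []string{"github.com/gofiber/", "github.com/olekukonko/cat"} {
		fmt.Printf("%s <- %s\n", target, strings.Join(ChainTo(sampleGraph, target), " -> "))
	}
}
```

In CI the same function can be fed the real output of `go mod graph` and the build failed when a chain to a disallowed module prefix is returned.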

@coderabbitai coderabbitai bot mentioned this pull request Oct 2, 2025
6 tasks