CORE-12737 - Bump to 0.37.0

[lundgrenalex]

• bump version
• add artefacts build (GCP)

Summary by CodeRabbit

• Chores

  • Added CircleCI pipeline using an orb to build and tag dev/prod Docker images.
  • Updated GitHub Actions CI to prepare TLS certs, run CockroachDB with TLS, and wait for readiness.
  • Upgraded IPFS Kubo dependency to v0.37.0.

• Maintenance

  • Docker image: switched to a non-root runtime user, set IPFS_PATH=/data/storj, and ensured proper data ownership.

• Documentation

  • Updated bundling instructions to reference Kubo v0.37.0.

[coderabbitai]

Walkthrough

Adds a CircleCI pipeline using the chainstack/platform orb with separate workflows for tag and non-tag builds; bumps IPFS Kubo from v0.19.2 to v0.37.0 in Dockerfile, go.mod, and README; updates GitHub Actions to prepare and run CockroachDB with TLS certificates and readiness checks. No application logic changes.

Changes

Cohort / File(s)	Summary
CircleCI config /.circleci/config.yml	Adds CircleCI config using cs: chainstack/platform@12.0.0 with workflows: storj-push (non-tag builds, dev context, tag=pipeline.number) and storj-tag (tag builds with build-dev-image and build-prod-image, tag=pipeline.git.tag, ENV=production). Global filters applied.
Docker image and runtime user /Dockerfile, Dockerfile.fuller*	Bumps base image from ipfs/kubo:v0.36.0 → ipfs/kubo:v0.37.0; adds non-root storj user/group, sets IPFS_PATH=/data/storj, adjusts ownership and switches to USER storj.
Module and docs /go.mod, /README.md	Upgrades github.com/ipfs/kubo requirement from v0.19.2 → v0.37.0; updates README bundling checkout to v0.37.0.
GitHub Actions workflow .github/workflows/go.yml	Adds steps to generate CockroachDB TLS certs, runs CockroachDB in a named container with certs volume and explicit ports, adds a wait-for-ready loop (polling SQL), and updates test env STORJ_TEST_COCKROACH to use TLS verify-full with cert paths.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Commit/Branch Push
  participant CircleCI as CircleCI
  participant Orb as cs/build-image
  participant Registry as Container Registry

  rect rgba(230,245,255,0.6)
    note over CircleCI: Non-tag workflow (storj-push)
    Dev->>CircleCI: push to branch
    CircleCI->>Orb: build-image (context=dev, tag=pipeline.number)
    Orb-->>Registry: push dev image
  end

Loading

sequenceDiagram
  autonumber
  actor Tag as Git Tag
  participant CircleCI as CircleCI
  participant DevJob as build-dev-image
  participant ProdJob as build-prod-image
  participant Registry as Container Registry

  rect rgba(240,255,240,0.6)
    note over CircleCI: Tag workflow (storj-tag)
    Tag->>CircleCI: push tag
    CircleCI->>DevJob: build-image (context=dev, tag=pipeline.git.tag, ENV=production)
    DevJob-->>Registry: push dev-tagged image
    CircleCI->>ProdJob: build-image (context=prod, tag=pipeline.git.tag, ENV=production)
    ProdJob-->>Registry: push prod-tagged image
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

Possibly related PRs

• update kubo + golang #5 — Also updates Dockerfile to bump IPFS Kubo base image (earlier bump to v0.36.0), directly related to the image version changes in this PR.

Poem

I hop through CI with a carrot grin,
Tags and branches, let builds begin.
Kubo climbs to thirty-seven bold,
Certs snugged tight, containers told.
A rabbit's cheer — images roll! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "CORE-12737 - Bump to 0.37.0" is concise, includes the issue ID, and accurately summarizes the primary change in this PR (upgrading to v0.37.0 in go.mod, Dockerfile, and related docs/workflows), so it communicates the main intent to reviewers.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/CORE-12737

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[guardrails]

All previously detected findings have been fixed. Good job! 👍🎉

We will keep this comment up-to-date as you go along and notify you of any security issues that we identify.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

12-14: Fix version skew: build should use ipfs/kubo v0.37.0

You are building ipfs from v0.36.0 then copying the binary into ipfs/kubo:v0.37.0 (Dockerfile lines 12 and 33) — this can cause subtle breakage. Build from v0.37.0 instead.

Apply this diff:

-RUN git clone https://github.com/ipfs/kubo . && git checkout v0.36.0
+RUN git clone https://github.com/ipfs/kubo . && git checkout v0.37.0

Optional: verify Go toolchain compatibility — Dockerfile uses golang:1.24-alpine; confirm upstream Kubo's go directive (go.mod) is compatible.

🧹 Nitpick comments (1)

README.md (1)

16-21: Fix repo dir name in bundling steps.

After cloning https://github.com/ipfs/kubo, the directory is “kubo”, not “go-ipfs”. Also, this PR targets v0.37.0, which you already set.

Apply this diff:

-> cd go-ipfs
+> cd kubo

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0e31e32 and b2a11cb.

📒 Files selected for processing (4)

• .circleci/config.yml (1 hunks)
• Dockerfile (1 hunks)
• README.md (1 hunks)
• go.mod (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: guardrails/scan

🔇 Additional comments (3)

go.mod (1)

12-12: Align Kubo version across build and runtime.

Dependency bump to github.com/ipfs/kubo v0.37.0 looks good, but the Dockerfile still builds from kubo v0.36.0. Build and runtime should use the same Kubo tag to avoid ABI/config skew.

.circleci/config.yml (2)

4-6: Confirm orb version availability.

Validate that chainstack/platform@12.0.0 exists in the org and exposes build-image with the used params (context, tag, extra_build_args).

---

27-34: Consistent gating for tag builds.

Good use of a shared tag filter. Ensure both dev/prod tag jobs are gated identically (they are) and that non-tag workflow is filtered out (see prior comment).

[coderabbitai]

⚠️ Potential issue

🧩 Analysis chain

Avoid quoting the evaluated tag; ensure non-tag workflow won’t run on tags.

• tag: "'<< pipeline.number >>'" will produce literal quotes in the tag.
• Relying on unless: << pipeline.git.tag >> for gating can be brittle.

Apply this diff:

-    unless: << pipeline.git.tag >>
+    unless: << pipeline.git.tag >>
     jobs:
-    - cs/build-image:
+    - cs/build-image:
         context: "dev.chainstack | GCP"
-        tag: "'<< pipeline.number >>'"
+        tag: << pipeline.number >>

Also add a branch-only filter to ensure this workflow never runs on tags:

   storj-push:
     unless: << pipeline.git.tag >>
     jobs:
     - cs/build-image:
+        filters:
+          tags:
+            ignore: /.*/
+          branches:
+            only: /.*/

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
file=".circleci/config.yml"
if [ ! -f "$file" ]; then
  echo "MISSING $file"
  exit 0
fi

echo "=== .circleci/config.yml (with line numbers) ==="
awk '{printf("%4d: %s\n", NR, $0)}' "$file"
echo

echo "=== Relevant lines (pipeline.git.tag, << pipeline.number >>, cs/build-image, tag:, unless:, filters:) ==="
awk '{
  if ($0 ~ /pipeline\.git\.tag/ || $0 ~ /<<\s*pipeline\.number\s*>>/ || $0 ~ /cs\/build-image/ || $0 ~ /\btag:/ || $0 ~ /\bunless:/ || $0 ~ /filters:/) {
    printf("%4d: %s\n", NR, $0)
  }
}' "$file"
echo

echo "=== Search repo for those patterns ==="
if command -v rg >/dev/null 2>&1; then
  rg -n --hidden --no-ignore "pipeline\.git\.tag|<< pipeline\.number >>|cs/build-image|filters:|unless:" || true
else
  grep -RIn --exclude-dir=.git -E "pipeline\.git\.tag|<< pipeline\.number >>|cs/build-image|filters:|unless:" . || true
fi

Length of output: 2170

---

.circleci/config.yml — unquote << pipeline.number >> and prevent storj-push from running on tags

• Replace tag: "'<< pipeline.number >>'" with tag: << pipeline.number >> (the current quotes become literal in the tag). Add job-level filters so storj-push won't run on tags (relying only on unless: << pipeline.git.tag >> is brittle).

Apply this diff:

-    unless: << pipeline.git.tag >>
+    unless: << pipeline.git.tag >>
     jobs:
-    - cs/build-image:
+    - cs/build-image:
         context: "dev.chainstack | GCP"
-        tag: "'<< pipeline.number >>'"
+        tag: << pipeline.number >>

Also add a branch-only filter to ensure this workflow never runs on tags:

   storj-push:
     unless: << pipeline.git.tag >>
     jobs:
     - cs/build-image:
+        filters:
+          tags:
+            ignore: /.*/
+          branches:
+            only: /.*/

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	unless: << pipeline.git.tag >>
	jobs:
	- cs/build-image:
	context: "dev.chainstack | GCP"
	tag: "'<< pipeline.number >>'"
	unless: << pipeline.git.tag >>
	jobs:
	- cs/build-image:
	context: "dev.chainstack | GCP"
	tag: << pipeline.number >>

🤖 Prompt for AI Agents

In .circleci/config.yml around lines 15-19, the tag value is currently quoted
literally and the workflow lacks robust tag filtering; replace tag: "'<<
pipeline.number >>'" with an unquoted tag: << pipeline.number >>, and add
job-level filters for the storj-push job to exclude tag pipelines (so storj-push
will not run on tags), plus add a workflow-level branch-only filter to ensure
this workflow never runs for tag refs (e.g., configure filters on the workflow
to only run for branches or explicitly ignore tag pipelines).

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

33-39: Version mismatch: runtime base is v0.37.0 but build stage checks out v0.36.0.

You’re copying an ipfs binary built from Kubo v0.36.0 (Line 12) into a runtime image based on v0.37.0 (Line 33). This is likely to cause ABI/behavior drift and subtle runtime bugs. Align both to v0.37.0.

Apply this diff:

- RUN git clone https://github.com/ipfs/kubo . && git checkout v0.36.0
+ RUN git clone https://github.com/ipfs/kubo . && git checkout v0.37.0

Also consider pinning the runtime image by digest to avoid supply‑chain drift.

🧹 Nitpick comments (9)

Dockerfile (4)

43-56: Non‑root runtime: good hardening; add HOME and persist volume.

Nice cross‑distro user creation. Two small improvements:

• Explicit HOME helps tools that rely on $HOME when not using a login shell.
• Declare a VOLUME so data persists by default.

Apply this diff right after IPFS_PATH:

 ENV IPFS_PATH=/data/storj
+ENV HOME=/data/storj
+VOLUME ["/data/storj"]
 
 USER storj

---

33-33: Runtime image pinning.

Tag‑only pulls are mutable. Pin ipfs/kubo:v0.37.0 by digest for reproducible builds.

If you want, I can look up and propose the current digest; confirm which registry (Docker Hub vs GHCR) you prefer.

---

24-29: Build robustness: go toolchain/cache and failure path.

The “expected to fail” make step adds noise; prefer deterministic caching and a single build. Also add Go build/cache mounts to speed builds.

Apply this diff:

- RUN go mod edit -replace storj.io/ipfs-go-ds-storj=./ipfs-go-ds-storj && \
-     go mod tidy && \
-     # Next line is expected to fail
-     make build || true && \
-     go mod tidy && \
-     make build
+ RUN --mount=type=cache,target=/go/pkg/mod \
+     --mount=type=cache,target=/root/.cache/go-build \
+     go mod edit -replace storj.io/ipfs-go-ds-storj=./ipfs-go-ds-storj && \
+     go mod tidy && \
+     make build

---

5-7: Large build base footprint.

vim in the build stage is unnecessary for CI; drop it to reduce network time (keep bash/make/git/curl).

Apply this diff:

-RUN apk add --no-cache git make bash curl vim
+RUN apk add --no-cache git make bash curl

.github/workflows/go.yml (5)

31-38: Cert generation looks solid; pin images and guard keys.

Good TLS flow. Two tweaks:

• Pin cockroachdb/cockroach to an exact version (and ideally digest) instead of latest‑v21.2 for reproducibility.
• Ensure the workspace with ca.key is never uploaded as an artifact/logged.

Optionally add: echo 'cockroach-certs/' >> .gitignore in repo to avoid accidental commits when running locally.

---

40-53: Runtime start: add healthcheck or explicit readiness to container.

You rely on an external wait loop; you can also set a container healthcheck for clearer diagnostics.

Example change (illustrative):

 docker run --rm -d \
   --name cockroach \
+  --health-cmd="cockroach node status --certs-dir=/cockroach/certs --host=localhost:26257 || exit 1" \
+  --health-interval=5s --health-retries=12 --health-timeout=3s \
   -e COCKROACH_SKIP_ENABLING_DIAGNOSTIC_REPORTING=1 \

Also consider pinning the image tag (not latest‑v21.2).

---

54-63: Brace expansion requires bash; add shell and stronger failure diagnostics.

GitHub runners default to bash, but be explicit to keep {1..30} reliable and capture logs on failure.

Apply this diff:

-    - name: Wait for CockroachDB
-      run: |
+    - name: Wait for CockroachDB
+      shell: bash
+      run: |
+        set -Eeuo pipefail
         for attempt in {1..30}; do
           if docker exec cockroach cockroach sql --certs-dir=/cockroach/certs --execute='SELECT 1'; then
             exit 0
           fi
           sleep 2
         done
         echo "CockroachDB did not become ready in time" >&2
+        echo "--- Cockroach logs ---" >&2
+        docker logs cockroach >&2 || true
         exit 1

---

76-78: Quote DSNs; address secret‑scanner noise and YAML parsing edge cases.

Basic auth in the Postgres DSN is test‑scoped, but quoting the values prevents YAML/linters from misinterpreting & and reduces secret‑scanner false positives.

Apply this diff:

-        STORJ_TEST_POSTGRES: postgres://postgres:postgres@localhost/postgres?sslmode=disable
-        STORJ_TEST_COCKROACH: cockroach://root@localhost:26257/defaultdb?sslmode=verify-full&sslrootcert=${{ github.workspace }}/cockroach-certs/ca.crt&sslcert=${{ github.workspace }}/cockroach-certs/client.root.crt&sslkey=${{ github.workspace }}/cockroach-certs/client.root.key
+        STORJ_TEST_POSTGRES: "postgres://postgres:postgres@localhost/postgres?sslmode=disable"
+        STORJ_TEST_COCKROACH: "cockroach://root@localhost:26257/defaultdb?sslmode=verify-full&sslrootcert=${{ github.workspace }}/cockroach-certs/ca.crt&sslcert=${{ github.workspace }}/cockroach-certs/client.root.crt&sslkey=${{ github.workspace }}/cockroach-certs/client.root.key"

If desired, move the DSNs to GitHub Actions secrets to fully silence CKV_SECRET_4 in CI reports.

---

31-53: Add cleanup to avoid orphaned container on job cancellation.

If the job is cancelled, the detached container can linger. Trap EXIT to remove it.

Example:

-      run: |
+      shell: bash
+      run: |
+        set -Eeuo pipefail
+        trap 'docker rm -f cockroach >/dev/null 2>&1 || true' EXIT
         docker run --rm -d \
           --name cockroach \
           -e COCKROACH_SKIP_ENABLING_DIAGNOSTIC_REPORTING=1 \

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b2a11cb and 9bf6fde.

📒 Files selected for processing (2)

• .github/workflows/go.yml (2 hunks)
• Dockerfile (2 hunks)

🧰 Additional context used

🪛 Checkov (3.2.334)

.github/workflows/go.yml

[medium] 76-77: Basic Auth Credentials

(CKV_SECRET_4)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: guardrails/scan

🔇 Additional comments (1)

Dockerfile (1)

1-1: Go toolchain consistency across CI.

This image uses Go 1.24; your GitHub Action installs Go 1.19. Mismatched toolchains can yield divergent builds/tests. Align CI Go to the same major/minor used here.

I can raise a follow‑up PR to bump actions/setup-go and the version matrix.