chore(deps): retire docker/docker via testenv migration (Aikido) #1075

Closed
dorothyyzh wants to merge 3 commits into main from fix/aikido-retire-docker-docker-2026-05-13

@dorothyyzh
Contributor

Status: DRAFT — depends on upstream PRs. Pseudo-versions will be re-pointed to release tags before this is marked ready. Do not merge yet.

Summary

Retire github.com/docker/docker from this module by:

  1. Bumping the three upstreams that previously pulled docker/docker to their dropped-docker/docker branches:
  2. Replacing github.com/theplant/testenv usage in 15 _test.go files with qor5/x/v3/gormx.OpenContainer + plain gorm.Open.

Why

docker/docker is frozen at v28.5.2+incompatible on the Go module proxy — moby moved Go-module publishing to github.com/moby/moby/api. Aikido flags docker/docker for CVE-2026-33997 / 34040 (group 25543337) for which no fix can ship via the legacy module path.

theplant/testenv@v0.2.1 (HEAD, unreleased ~10 months) directly imports docker/docker/api/types/container and was the last remaining transitive path bringing docker/docker into admin's go.mod (after the upstream bumps above retired the other paths).

Changes

15 test files migrated off testenv → gormx (all DB-only, no Redis)

| File | Variable |
|---|---|
| activity/builder_test.go | db |
| activity/tests/gorm_test.go | db |
| autocomplete/integration/autocomplete_test.go | TestDB |
| cmd/qor5/website-template/admin/integration_test.go | TestDB |
| docs/docsrc/examples/examples_admin/db_test.go | TestDB |
| docs/docsrc/examples/examples_admin/publish_test/env_test.go | DB |
| docs/docsrc/examples/examples_presets/presets_test.go | TestDB |
| example/integration/pagebuilder_test.go | TestDB |
| media/integration/integration_test.go | TestDB |
| pagebuilder/publish_test.go | TestDB |
| presets/integration/example_test.go | TestDB |
| publish/publish_test.go | TestDB |
| redirection/redirection_test.go | TestDB |
| seo/helper_test.go | dbForTest |
| worker/integration_test/setup_test.go | db |

Same swap in each:

- env, err := testenv.New().DBEnable(true).SetUp()
- ...
- defer env.TearDown()
- <var> = env.DB
+ ctx := context.Background()
+ pgContainer, err := gormx.OpenContainer(ctx, nil)
+ ...
+ defer func() { _ = pgContainer.Terminate(ctx) }()
+ <var>, err = gorm.Open(postgres.Open(pgContainer.DSN), &gorm.Config{})
+ if err != nil { panic(err) }
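
Review bot: the deferred `pgContainer.Terminate(ctx)` on the added `defer` line discards its error with `_ =`, so a container that fails to stop is leaked with no trace in the test output; log the error there instead of dropping it. The `ctx` passed to `gormx.OpenContainer` is `context.Background()` with no deadline, so a container start that hangs blocks the package's tests until the `go test` timeout fires; wrapping setup in `context.WithTimeout` would bound that.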

go.mod / go.sum

Why gormx.OpenContainer rather than gormx.SetupDatabase

SetupDatabase installs OmitAssociationsPlugin globally on the returned *gorm.DB, which omits GORM associations on every Create/Update/Delete. Several admin packages (activity, pagebuilder, seo, publish) exercise GORM associations in their tests, so this side effect would silently break them. The lighter OpenContainer + plain gorm.Open mirrors the prior testenv behavior 1:1.

Verification

  • go vet ./... clean (except a pre-existing unreachable code warning in pagebuilder/model_events.go:101 that also exists on main)
  • go test -run='^$' -count=1 ./... typechecks all migrated packages cleanly
  • Real test runs verified on ./activity/..., ./seo/..., ./redirection/... — containers come up, GORM operations succeed
  • go mod why github.com/docker/docker → (main module does not need package github.com/docker/docker)
  • docker/docker no longer in go.mod
  • theplant/testenv no longer in go.mod

go build ./... can't complete locally because media/vips is cgo-dependent (libvips / pkg-config) and the dev environment doesn't have libvips. This affects only media/vips and is a pre-existing environment issue (same error reproduces on main). All other packages build cleanly.

Merge plan

  1. Merge qor5/go-bus#20 → tag
  2. Merge theplant/ratelimiter#14 → tag
  3. Merge qor5/x#582 (re-pointed to step 1–2 tags) → tag
  4. Merge theplant/relay#35 (re-pointed to step 3 tag) → tag
  5. Re-point this PR's qor5/x/v3, qor5/go-bus, theplant/relay to the release tags
  6. Mark ready for review and merge

Deployment note

Skill opens this PR; it does not touch any release-* branch.
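
The Why and Verification sections above come down to one question: which requirement chains still lead from the main module to github.com/docker/docker. As an added example (not code from this PR or from qor5), the Go program below answers that from `go mod graph` output; the embedded graph is constructed, and the `example.com/*` module paths are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGraph is constructed `go mod graph` output: one "from to" edge per line.
// The example.com/* module paths are placeholders, not the project's real ones.
const sampleGraph = `example.com/admin github.com/theplant/testenv@v0.2.1
example.com/admin example.com/lib@v1.0.0
github.com/theplant/testenv@v0.2.1 github.com/docker/docker@v28.5.2+incompatible
example.com/lib@v1.0.0 example.com/util@v1.2.0
`

// PathsTo returns every acyclic requirement chain from root to any version
// of the target module. The number of chains can grow quickly on large graphs.
func PathsTo(graph, root, target string) [][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	var out [][]string
	var walk func(node string, trail []string, onTrail map[string]bool)
	walk = func(node string, trail []string, onTrail map[string]bool) {
		trail = append(trail, node)
		if strings.HasPrefix(node, target+"@") {
			out = append(out, append([]string(nil), trail...))
			return
		}
		onTrail[node] = true
		for _, next := range edges[node] {
			if !onTrail[next] { // skip cycles in the requirement graph
				walk(next, trail, onTrail)
			}
		}
		delete(onTrail, node)
	}
	walk(root, nil, map[string]bool{})
	return out
}

func main() {
	for _, p := range PathsTo(sampleGraph, "example.com/admin", "github.com/docker/docker") {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

To run it on real data, replace `sampleGraph` with the output of `go mod graph`. That output is the module requirement graph, so a chain can remain here even when `go mod why` reports that no package from the module is needed.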

dorothyyzh and others added 2 commits May 13, 2026 14:19
…Aikido)

Retire `github.com/docker/docker` from this module by:

1. Bumping the three upstreams that previously pulled docker/docker:
   - `qor5/x/v3` v3.2.1-0.20251126082016-f61128fc8187 -> pseudo from qor5/x#582
   - `qor5/go-bus` -> pseudo from qor5/go-bus#20
   - `theplant/relay` v0.8.0 -> pseudo from theplant/relay#35
   All three already dropped docker/docker themselves.

2. Replacing `theplant/testenv` usage in 15 `_test.go` files with
   `qor5/x/v3/gormx.OpenContainer` + plain `gorm.Open`. testenv was
   the only remaining transitive path bringing docker/docker into
   admin's go.mod.

Why `gormx.OpenContainer` rather than `gormx.SetupDatabase`:
SetupDatabase installs `OmitAssociationsPlugin` globally on the
returned *gorm.DB, which omits GORM associations on every
Create/Update/Delete. Admin tests (especially activity, pagebuilder,
seo) exercise associations, so this side effect would silently break
them. The lighter OpenContainer + plain gorm.Open mirrors the prior
testenv behavior 1:1.

Migrated files (all DB-only, no Redis):
  activity/builder_test.go
  activity/tests/gorm_test.go
  autocomplete/integration/autocomplete_test.go
  cmd/qor5/website-template/admin/integration_test.go
  docs/docsrc/examples/examples_admin/db_test.go
  docs/docsrc/examples/examples_admin/publish_test/env_test.go
  docs/docsrc/examples/examples_presets/presets_test.go
  example/integration/pagebuilder_test.go
  media/integration/integration_test.go
  pagebuilder/publish_test.go
  presets/integration/example_test.go
  publish/publish_test.go
  redirection/redirection_test.go
  seo/helper_test.go
  worker/integration_test/setup_test.go

Verification:
- `go vet ./...` clean (except a pre-existing unreachable-code warning
  in pagebuilder/model_events.go:101 that also exists on main)
- `go test -run=NoRealTests` typechecks all migrated packages cleanly
- Real test runs verified on activity, seo, redirection
  (containers come up, GORM operations succeed)
- `go mod why github.com/docker/docker` -> not needed
- `docker/docker` no longer in `go.mod`
- `theplant/testenv` no longer in `go.mod`

`go build ./...` cannot complete on my local environment because
`media/vips` is cgo-dependent (libvips/pkg-config) and the dev box
doesn't have libvips installed. This affects only media/vips and
is a pre-existing environment issue (same error on main). All other
packages build cleanly.

DRAFT — depends on upstream merges:
- qor5/go-bus#20
- theplant/ratelimiter#14
- qor5/x#582 (depends on the above two)
- theplant/relay#35 (depends on qor5/x#582)
Pseudo-versions will be re-pointed to release tags before this PR is
marked ready for review.

Aikido group 25543337 (CVE-2026-33997 / CVE-2026-34040).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

This commit fixes the style issues introduced in 0841dd0 according to the output
from Gofumpt.

Details: #1075

deepsource-io Bot commented May 13, 2026

DeepSource Code Review

We reviewed changes in 61df933...fb934dd on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

Code Review Summary

Analyzer Status Updated (UTC) Details
Go May 13, 2026 7:29a.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.


codecov Bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 1 file with indirect coverage changes


Replace OpenContainer + gorm.Open hand-wiring in all 15 admin
_test.go files with the new MustStartRawTestSuite helper
(qor5/x f23cd74e). Equivalent behavior in fewer lines, with
lifecycle-managed container teardown.

Plain MustStartTestSuite was not an option here: SetupDatabase
installs OmitAssociationsPlugin / TracingPlugin, which silently
change GORM semantics (some admin tests exercise associations)
and pollute test output with JSON log lines.

Verification:
- `go vet ./...` clean except a pre-existing
  pagebuilder/model_events.go:101 unreachable-code warning
  (also present on main)
- `go test ./activity/... ./seo/... ./redirection/...` pass
  (containers come up, GORM operations succeed)
- `docker/docker` still absent from go.mod

`go build ./...` can't complete locally — media/vips needs
libvips/pkg-config (pre-existing env issue, same on main); CI
should verify that package.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dorothyyzh dorothyyzh closed this May 13, 2026