Skip to content

fix(ci): unblock all jobs (scip-go, RealIP, lucide v1, plugin-react v6, tailwind v4, linters)#28

Merged
aanogueira merged 3 commits into
mainfrom
andre.nogueira/fix-ci-web-deps
May 26, 2026
Merged

fix(ci): unblock all jobs (scip-go, RealIP, lucide v1, plugin-react v6, tailwind v4, linters)#28
aanogueira merged 3 commits into
mainfrom
andre.nogueira/fix-ci-web-deps

Conversation

@aanogueira
Copy link
Copy Markdown
Contributor

@aanogueira aanogueira commented May 26, 2026
edited
Loading

Summary

All pre-existing CI failures consolidated. Originally split as #27 (scip-go) + #28 (web deps); now bundled here so one CI run proves the full picture. Closes #27.

None of these are caused by #26 (deploy-website) — they would fail any PR.

Go

1. `indexer-scip` Dockerfile — upstream module rename
go install github.com/sourcegraph/scip-go/cmd/scip-go@latest fails because upstream moved to the scip-code org. Switch to github.com/scip-code/scip-go/cmd/scip-go@latest.

2. `chi` middleware.RealIP deprecated (GHSA-3fxj-6jh8-hvhx + 2 others)
Replace with a new `internal/middleware.RealIP` that only honors X-Forwarded-For when the immediate TCP peer is in a configured trusted-proxy CIDR set.

  • New `server.trusted_proxies` config field (list of CIDRs / bare IPs)
  • Empty config = no-op middleware; r.RemoteAddr keeps the actual TCP peer (the safe default)
  • Indexer's internal HTTP server doesn't need client IP rewriting → line removed entirely
  • 12 unit tests covering the spoofing scenarios

3. `gomodguard` linter renamed to `gomodguard_v2` in .golangci.yml.

Web

4. `lucide-react` 0.x → 1.x removed brand logos
Github/Gitlab icons no longer exist (trademark/licensing). Add web/components/GithubIcon.tsx + GitlabIcon.tsx (inline SVGs matching the existing CodeSearchIcon.tsx pattern), update ConnectionsClient.tsx.

5. `@vitejs/plugin-react` 5 → 6 peer mismatch
Plugin-react 6 peers on vite ^8, lock has vite 7 → vitest startup error. Pin to ^5.2.0 (peers 4–8 inclusive). No functional change.

6. `tailwindcss` 3 → 4 breaking change
Major rewrite — new @import directive, new config model, breaking utility-class changes. Revert to ^3.4.19; v4 migration is its own deliberate PR.

Verification (locally on this branch)

  • go build ./...
  • go test ./internal/middleware/... ./internal/config/... — 33 pass ✓
  • golangci-lint run ./... — no issues ✓
  • bun run build (web) ✓
  • bun run test:run (web) — 71 tests ✓
  • bun run lint (web) — only pre-existing warnings ✓

Test plan

  • All docker-build jobs pass
  • go-checks passes (lint + tests)
  • web-checks passes
  • No regressions in already-passing jobs

Follow-ups (separate PRs)

  • Tailwind v4 migration (CSS + config rewrite)
  • Once deployed behind ingress, document/set server.trusted_proxies in production config

aanogueira added 3 commits May 26, 2026 09:27
@aanogueira
fix(web): inline brand icons after lucide-react v1 dropped them
45ecb80 
lucide-react v1.x removed brand logos (Github, Gitlab, etc.) for
trademark reasons. The dependabot bump from 0.555 to 1.11 in #19 made
ConnectionsClient.tsx fail to compile.

Add small inline SVG components for GithubIcon and GitlabIcon, matching
the existing CodeSearchIcon.tsx pattern (currentColor fill, className
prop). The other lucide imports are unaffected.

Signed-off-by: Andre Nogueira <aanogueira@protonmail.com>
@aanogueira
fix(web): pin @vitejs/plugin-react to ^5 and tailwindcss to ^3
9c7bfdd 
Two more breakages from the dependabot bump in #19:

@vitejs/plugin-react 6.x peers on vite ^8, but vitest pulls vite ^7,
so the lockfile resolves vite 7.3.1 and plugin-react 6 fails on
vitest startup with 'Package subpath ./internal is not defined'.
Pin to ^5.2.0 (peers on vite 4-8 inclusive). No behavior change for
the React plugin itself; just removes the peer conflict.

tailwindcss 4.x is a major rewrite (new @import directive, new config
model, breaking utility-class changes) and the project's CSS still
uses v3 syntax. The full v4 migration is a separate deliberate effort;
revert to ^3.4.19 for now to unblock CI.

Signed-off-by: Andre Nogueira <aanogueira@protonmail.com>
@aanogueira
fix(docker): install scip-go from new scip-code org
081b35a 
Upstream renamed the module from github.com/sourcegraph/scip-go to
github.com/scip-code/scip-go. Installing via @latest under the old path
now fails the go.mod path check. Switch to the new canonical path; the
cmd subpath and resulting binary name are unchanged.

Signed-off-by: Andre Nogueira <aanogueira@protonmail.com>
@aanogueira aanogueira changed the title fix(ci): unblock web build + tests (lucide v1, plugin-react v6, tailwind v4) fix(ci): unblock builds — scip-go rename, lucide v1, plugin-react v6, tailwind v4 May 26, 2026
@aanogueira aanogueira mentioned this pull request May 26, 2026
Closed
3 tasks
@aanogueira aanogueira merged commit b241b9b into main May 26, 2026
11 checks passed
@aanogueira aanogueira changed the title fix(ci): unblock builds — scip-go rename, lucide v1, plugin-react v6, tailwind v4 fix(ci): unblock all jobs (scip-go, RealIP, lucide v1, plugin-react v6, tailwind v4, linters) May 26, 2026
@aanogueira aanogueira mentioned this pull request May 26, 2026
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aanogueira