Fixes all codacy issues

[maqeel75]

• Updated Go version to 1.25.8 in tests/go.mod and workflow files, fixing multiple stdlib CVEs (CVE-2025-61726, CVE-2025-61728, CVE-2025-68121, CVE-2026-25679, CVE-2026-27142)
• Updated OpenTelemetry packages to v1.40.0 in tests/go.mod, fixing CVE-2026-24051
• Pinned all GitHub Actions to full-length commit SHAs across 3 workflow files
• Refactored parseCommand in tests/main.go to reduce cyclomatic complexity (12 → 3)
• Refactored main() in scripts/build_pgedge_images.py to reduce cyclomatic complexity (19 → 4) and line count (71 → 20) by extracting helper functions
• Split getStandardOnlyTests in tests/main.go into two functions to comply with 50-line limit

False Positives Marked

• subprocess warnings (B603/B607) — all calls use list form with no shell=True
• Docker CVEs (CVE-2026-34040, CVE-2026-33997) — daemon-side vulnerabilities, project uses docker/docker as client only
• psql unused variable in docker-entrypoint.sh — intentional backwards compatibility for sourced init scripts

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Pinned multiple GitHub Actions to specific commit SHAs, bumped Go toolchain to 1.25, added .gitignore entries, refactored image-building script into helpers, and rewrote command parsing and test grouping in tests/main.go.

Changes

Cohort / File(s)	Summary
GitHub Actions — build_images workflow /.github/workflows/build_images.yaml	Replaced tag-based uses with specific commit SHAs for several actions (actions/checkout, docker/setup-qemu-action, sigstore/cosign-installer, docker/login-action, actions/setup-python). No other workflow logic changed.
GitHub Actions — PR/test workflows /.github/workflows/pr_test_latest.yaml, /.github/workflows/test_images.yaml	Pinned actions/checkout, actions/setup-python, and actions/setup-go to specific commit SHAs; updated go-version in workflow steps from 1.23 → 1.25 where present. No other control flow or commands changed.
Image build script (Python) scripts/build_pgedge_images.py	Refactored main() into helpers (_log_config, _should_skip_image, _process_image, _process_extra_tags); changed build() to call bake_cmd(*bake_args) allowing --no-cache and default.platforms args; revised extra-tag decision logic and dry-run handling; public signatures unchanged.
Tests and Go modules tests/main.go, tests/go.mod	Bumped go directive from 1.24.11 → 1.25.8 and updated indirect deps (OpenTelemetry modules, xxhash, go-logr, golang.org/x/sys, etc.). In tests/main.go, refactored parseCommand into a commandParser state machine, changed empty-command behavior (now returns nil and treated as error), and split standard-only test assembly into new helper functions.
VCS Ignore Rules .gitignore	Added ignore patterns for Python bytecode (__pycache__/) and test/build outputs under tests (e.g., tests/tests).

Poem

🐰 I pinned the actions, snug and neat,
hopped Go up a step with nimble feet,
helpers sprouted to tidy the race,
parsers learned quotes and found their place,
I nibbled old clutter — now tidy and sweet.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 15.38% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Fixes all codacy issues' is vague and does not clearly specify the main changes; it references a generic tooling outcome rather than describing concrete technical improvements.	Consider using a more specific title that highlights the primary change, such as 'Upgrade Go to 1.25.8 and pin GitHub Actions to commit SHAs' or 'Refactor code to reduce cyclomatic complexity and fix security issues'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description is well-structured and clearly related to the changeset, detailing Go version updates, security fixes, GitHub Actions pinning, and code refactoring efforts across multiple files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codacy-issues

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	0

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/test_images.yaml (1)

102-103: Pin go-version to 1.25.8 to match the module specification and ensure deterministic builds.

The module explicitly targets go 1.25.8 (tests/go.mod), but the workflow uses go-version: '1.25', which may resolve to different patch versions over time and create version drift, particularly concerning given the CVE remediation context.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test_images.yaml around lines 102 - 103, The workflow
currently uses the broad key go-version: '1.25' which can resolve to different
patch releases; update the go-version value to the exact patched version used in
tests (change go-version from '1.25' to '1.25.8') so the CI uses the
deterministic Go release that matches tests/go.mod.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/build_pgedge_images.py`:
- Around line 334-338: The dry-run path calls index_digest(image.build_tag) and
sign(...) even when build(...) skipped pushing, which can fail; update the logic
in the conditional around build(repo=..., image=..., dry_run=...) so that
index_digest and sign are only invoked when an actual push happened (e.g., when
not config.dry_run and either the image was already published or republish
occurred), or alternatively guard the index_digest and sign calls with a check
for not config.dry_run (and/or confirmed publish), referencing the build,
index_digest, and sign calls to locate and change the flow.

In `@tests/main.go`:
- Around line 543-545: The current tokenization returns []string{cmd} when
parseCommand yields no args, which misrepresents whitespace-only input; modify
parseCommand (or the place where p.args is returned) to return an empty slice
instead of []string{cmd}, and add a guard in TestRunner.exec right after calling
parseCommand (check len(cmdArgs) == 0) to fail fast by returning -1, "",
fmt.Errorf("empty command") so whitespace-only commands are rejected early;
reference parseCommand, p.args (or cmdArgs) and TestRunner.exec to locate the
changes.

---

Nitpick comments:
In @.github/workflows/test_images.yaml:
- Around line 102-103: The workflow currently uses the broad key go-version:
'1.25' which can resolve to different patch releases; update the go-version
value to the exact patched version used in tests (change go-version from '1.25'
to '1.25.8') so the CI uses the deterministic Go release that matches
tests/go.mod.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 10e2e4b8-fa00-40da-84d3-a83325a0301e

📥 Commits

Reviewing files that changed from the base of the PR and between dbf905e and 0178878.

⛔ Files ignored due to path filters (1)

• tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• .github/workflows/build_images.yaml
• .github/workflows/pr_test_latest.yaml
• .github/workflows/test_images.yaml
• .gitignore
• scripts/build_pgedge_images.py
• tests/go.mod
• tests/main.go

[coderabbitai]

♻️ Duplicate comments (1)

scripts/build_pgedge_images.py (1)

335-335: ⚠️ Potential issue | 🟠 Major

no_cache / only_arch are still not applied during build.

Even though Line 335 passes both flags, build() currently computes bake_args but executes bake_cmd("--push"), so those options are ignored.

Root-cause fix in build()

-    subprocess.check_output(
-        bake_cmd("--push"),
+    subprocess.check_output(
+        bake_cmd(*bake_args),
         env={
             **os.environ.copy(),
             "PACKAGE_RELEASE_CHANNEL": image.package_release_channel,
             "POSTGRES_MAJOR_VERSION": image.postgres_major,
             "PACKAGE_LIST_FILE": image.package_list,
             "TAG": f"{repo}:{image.build_tag}",
             "TARGET": image.flavor,
         },
     )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/build_pgedge_images.py` at line 335, The build() function computes
bake_args (including no_cache and only_arch) but then ignores them by calling
bake_cmd("--push") directly; update build() so the computed bake_args are
actually passed into the bake execution (e.g., call bake_cmd with "--push" plus
the bake_args array) and ensure the logic that appends flags for no_cache and
only_arch to bake_args (the variables named bake_args and bake_cmd in the diff)
is correct and used; locate the build(...) function and modify the invocation to
include bake_args so the no_cache and only_arch options are applied during the
build.

🧹 Nitpick comments (1)

scripts/build_pgedge_images.py (1)

300-313: Clarify only_arch log wording.

Line 312 says “other images will be skipped,” but only_arch constrains platforms, not image selection. This can mislead operators during runs.

Suggested wording tweak

-    if config.only_arch:
-        logging.info(f"only arch {config.only_arch} enabled. other images will be skipped.")
+    if config.only_arch:
+        logging.info(f"only arch {config.only_arch} enabled. builds will target linux/{config.only_arch} only.")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/build_pgedge_images.py` around lines 300 - 313, The log message for
config.only_arch in _log_config is misleading — it says "other images will be
skipped" though only_arch restricts platforms, not which images are selected;
update the message in the _log_config function (where config.only_arch is
referenced) to clearly state that platform/architecture selection is constrained
(e.g., "only arch X enabled. builds will be limited to that
architecture/platform"), keeping the other config logs unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@scripts/build_pgedge_images.py`:
- Line 335: The build() function computes bake_args (including no_cache and
only_arch) but then ignores them by calling bake_cmd("--push") directly; update
build() so the computed bake_args are actually passed into the bake execution
(e.g., call bake_cmd with "--push" plus the bake_args array) and ensure the
logic that appends flags for no_cache and only_arch to bake_args (the variables
named bake_args and bake_cmd in the diff) is correct and used; locate the
build(...) function and modify the invocation to include bake_args so the
no_cache and only_arch options are applied during the build.

---

Nitpick comments:
In `@scripts/build_pgedge_images.py`:
- Around line 300-313: The log message for config.only_arch in _log_config is
misleading — it says "other images will be skipped" though only_arch restricts
platforms, not which images are selected; update the message in the _log_config
function (where config.only_arch is referenced) to clearly state that
platform/architecture selection is constrained (e.g., "only arch X enabled.
builds will be limited to that architecture/platform"), keeping the other config
logs unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d09b5f3e-2bcc-419c-96ca-1504c9b9700b

📥 Commits

Reviewing files that changed from the base of the PR and between 0178878 and ef8dfeb.

📒 Files selected for processing (1)

• scripts/build_pgedge_images.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/build_pgedge_images.py`:
- Around line 323-327: In _process_extra_tags, the current check uses
tag_published.issubset(published) which wrongly treats partial-platform digests
as up-to-date; instead compare exact digest sets. Change the conditional that
decides to call add_tag (in function _process_extra_tags, using
published_digests and variables tag_published and published) to require
equality: if tag_published is empty OR tag_published != published OR
config.republish then call add_tag so stale/partial tags are retagged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fc10276a-1045-4afa-90e5-e5f545f87a15

📥 Commits

Reviewing files that changed from the base of the PR and between 95ce74f and 2e981b2.

📒 Files selected for processing (1)

• scripts/build_pgedge_images.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/build_pgedge_images.py`:
- Line 258: The bake command override is using the wrong key name: change the
override from "default.platforms=linux/{only_arch}" to the supported
"default.platform=linux/{only_arch}" so the Buildx bake --set platform override
takes effect; locate the call building bake_args (referenced by bake_cmd and the
only_arch variable) and replace the plural platforms key with the singular
platform key in the --set override string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 60f0e766-7cc8-493f-8743-4fe3c6389018

📥 Commits

Reviewing files that changed from the base of the PR and between 2e981b2 and 29a4232.

📒 Files selected for processing (1)

• scripts/build_pgedge_images.py

[jason-lynch]

This looks good to me! My comment is non-blocking, but in general, I think we should avoid refactoring just based on complexity/function length. If refactoring makes the code more modular, encourages reuse, improves patterns, etc. then that's worthwhile. But, otherwise, I'd just ignore those results.

[jason-lynch]

Non-blocking: I prefer the way this was before. Cyclomatic complexity and function length are useful indicators that the code deserves a closer look, but I don't like to act on them in the absence of other problems. Codacy and similar tools treat them like proxies for "readability" and "maintainability", but those are subjective and seemingly unquantifiable. I think they're wrong to encourage everyone to refactor code solely to reduce those two metrics.