Conversation
There was a problem hiding this comment.
Pull request overview
This PR upgrades the project’s Go toolchain to Go 1.26 across local builds, CI, and Docker, and adjusts HTTP middleware ordering to better align request logging with OpenTelemetry tracing.
Changes:
- Bump Go version to 1.26 in
go.mod, CI workflow, and Docker builder image. - Reorder Gin middlewares so OTel instrumentation runs before request logging, and extend slog-gin logging config (trace/span/user-agent).
- Configure Gin to trust Cloudflare platform headers for client IP resolution.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/http/httpsrv/server.go | Reorders tracing/logging middleware and configures Gin’s trusted platform for Cloudflare. |
| go.mod | Updates the Go toolchain version to 1.26.0. |
| Dockerfile | Updates the builder image to golang:1.26. |
| .github/workflows/go.yml | Updates CI Go version to 1.26 and bumps golangci-lint configuration. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| g := gin.New() | ||
| g.ContextWithFallback = true | ||
| g.UseRawPath = true | ||
| g.TrustedPlatform = gin.PlatformCloudflare // this service is run behind CF |
There was a problem hiding this comment.
Setting g.TrustedPlatform = gin.PlatformCloudflare makes Gin trust Cloudflare-provided client IP headers. If the service can be reached directly (e.g., local dev, internal calls, or bypassing CF), this allows client IP spoofing in logs/any future rate-limiting. Consider making this configurable by environment and explicitly configuring SetTrustedProxies (e.g., Cloudflare IP ranges) or disabling proxy trust for non-CF deployments.
and reorder trace middleware