@turbolent turbolent commented Aug 21, 2025

Description

Automatically update to:

Summary by CodeRabbit

  • New Features
    • No user-facing features added.
  • Performance
    • Improved performance and stability through runtime and dependency optimizations.
  • Security
    • Includes upstream security patches from refreshed toolchain and libraries.
  • Bug Fixes
    • Enhanced compatibility and reliability with updated network/protocol stacks and telemetry.
  • Chores
    • Upgraded Go toolchain and broadly updated third-party dependencies across blockchain, telemetry, cloud, and networking ecosystems to current versions.

coderabbitai bot commented Aug 21, 2025

Walkthrough

Updated go.mod to bump Go version/toolchain and refresh a wide set of dependencies. This includes major upgrades across Flow, Ethereum (go-ethereum), OpenTelemetry, Google/AWS/cloud clients, golang.org/x modules, IPFS/Boxo, proto/grpc tooling, and several targeted replaces and indirect additions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Go toolchain (go.mod) | Bumped go from 1.23 to 1.23.7; toolchain from go1.23.4 to go1.24.2. |
| Ethereum / geth (go.mod) | Upgraded ethereum/go-ethereum v1.14.12 → v1.16.2. |
| Flow ecosystem (go.mod) | Upgraded onflow modules: cadence v1.3.3 → v1.7.0-preview.1; crypto v0.25.2 → v0.25.3; flow-go replaced with fork/util-fix; flow-go-sdk to v1.7.0; flow-protobuf/go/flow to v0.4.11; flow-core-contracts (contracts v1.7.3, templates v1.7.1); flow-nft v1.2.4; introduced onflow/flow-evm-bridge (indirect). |
| Telemetry / OpenTelemetry (go.mod) | Upgraded otel core to v1.36.0+; updated exporters/instrumentation to new contrib paths and versions. |
| Cloud providers (Google/AWS) (go.mod) | Google cloud libs updated (api v0.241.0, auth, storage, IAM, metadata, monitoring, genproto); AWS SDK v2 components bumped (~v1.37.0+). |
| golang.org/x modules (go.mod) | Upgraded crypto, net, mod, oauth2, sdeploy, sys, term, text, time, tools. |
| Proto/GRPC tooling (go.mod) | Updated google.golang.org/genproto, grpc, and related RPC/protobuf toolchains; added vtprotobuf. |
| IPFS/Storage (go.mod) | Updated IPFS libs (datastore, ds-badger2); added replace to onflow/boxo fork. |
| Misc/Indirects and replaces (go.mod) | Added cel.dev/expr, spiffe/v2, zeebo/errs, pigin/stun/v2, detectors/gcp, etc.; removed/retired bridging/USDC in favor of onflow/flow-evm-bridge; migrated deprecated modules to newer forks/versions. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble modules, neat and small,
Bumping versions, one and all—
Flow and Geth now fresh and bright,
Otel stars align just right.
Cloudy tails and protobuf cheer,
My go.mod garden’s trimmed this year—
Thump-thump! Dependency delight.

@turbolent turbolent requested review from a team, AlexHentschel and tim-barry August 21, 2025 17:12
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (5)
go.mod (5)

113-128: AWS SDK v2 submodule versions drift

Main v1.37.0 with mixed submodule minors (config 1.30.0, sts 1.35.0, etc.). This generally works, but aligning to a consistent minor reduces churn and surprises.

Optionally normalize with:

go get github.com/aws/aws-sdk-go-v2@v1.37.0
go get github.com/aws/aws-sdk-go-v2/{config,credentials,feature/ec2/imds,internal/{configsources,endpoints/v2,ini},service/{sso,ssooidc,sts}}@latest
go mod tidy

266-269: Clean up confusing dual-version comments

These lines include a second historical version in the comment, which can confuse readers and automated tools.

Apply:

-	github.com/onflow/flow-core-contracts/lib/go/contracts v1.7.3 // indirect; v1.2.4-0.20230703193002-53362441b57d // indirect
-	github.com/onflow/flow-core-contracts/lib/go/templates v1.7.1 // indirect; v1.2.3 // indirect
+	github.com/onflow/flow-core-contracts/lib/go/contracts v1.7.3 // indirect
+	github.com/onflow/flow-core-contracts/lib/go/templates v1.7.1 // indirect

87-87: STUN v0 only an indirect dependency
No direct imports of github.com/pion/stun (v0) were found in the codebase. The v0 entry in go.mod is pulled in transitively and can be safely ignored.

• File: go.mod (line 87) – github.com/pion/stun v0.x.x // indirect
• Action (optional): run go mod tidy to remove the unused v0 indirect dependency and slim down your module graph.


33-35: Ensure gRPC/protobuf/genproto and your code-gen plugins stay in sync

From your module list and Makefile:

  • go.mod pins
    • google.golang.org/grpc v1.74.2
    • google.golang.org/protobuf v1.36.6
    • google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2
  • Makefile (line 131) only invokes:
    protoc --proto_path=model --go_out=model \
    
    (no --go-grpc_out for service stubs)

If you generate gRPC code:

  • Add a --go-grpc_out invocation alongside --go_out in your Makefile
  • Install/pin matching plugin binaries in your CI/tooling, for example:
    go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.6
    go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
    (latest protoc-gen-go-grpc is in the v1.3.x line, which aligns with grpc v1.74.2)

Optional cleanup: bump any hard-coded protoc-gen-go-grpc@v1.2.0 installs in your docs/CI to v1.3.x to prevent drift.


23-30: Align OpenTelemetry exporters to v1.36.0

The module’s core and SDK dependencies are already at v1.36.0, but the OTLP exporters remain at older minor versions. This causes duplicate entries in the module graph and risks subtle API mismatches at runtime.

• File go.mod, update lines 23–26 (the three OTLP exporter requires)
• Change

-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.34.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0

to

+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.36.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0
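
Review bot: the three `+` lines above pin the exporters to v1.36.0 by editing go.mod directly, and nothing in the suggestion regenerates go.sum, which this review excluded by path filter. Suggest applying the bump with go get for each exporter module at v1.36.0 followed by go mod tidy, so the checksum entries change together with the require lines and the result is reviewed as one unit.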

This will ensure all OpenTelemetry modules align on v1.36.0.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6052b63 and 0525a4f.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (8 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: test
🔇 Additional comments (5)
go.mod (5)

39-46: Telemetry mix: Compatibility between OTel v1.36.0, Contrib v0.61.0, and GCP exporter/detectors confirmed

I’ve verified that:

  • The GCP metric exporter (github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.50.0)
  • The GCP resource detectors (github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0)
  • OpenTelemetry Go core (go.opentelemetry.io/otel v1.36.0)
  • OpenTelemetry Contrib modules (go.opentelemetry.io/contrib v0.61.0)

are mutually compatible with no known breaking changes. No changes are needed in go.mod; it’s safe to proceed with these versions.

Affected locations:

  • go.mod lines 39–46
  • go.mod lines 98–101

3-5: Ensure CI workflow sets and uses Go 1.24.2 correctly

Your CI workflow at .github/workflows/ci.yml invokes:

uses: actions/setup-go@v5
with:
  go-version: ${{ env.GO_VERSION }}

but I don’t see a definition for GO_VERSION in that file. Please verify that your runners will install or already have Go 1.24.2 available:

  • In .github/workflows/ci.yml, either
    • Add at the top of the file:
    env:
      GO_VERSION: 1.24.2
    • Or switch to reading the toolchain directive automatically by using:
    - uses: actions/setup-go@v5
      with:
        go-version-file: go.mod
    (v5 will pick up your toolchain go1.24.2 line in go.mod)
  • Confirm your runners allow downloading the Go toolchain or preinstall Go 1.24.x in your images.
  • If you later run module commands with -mod=readonly, be sure to include that flag in your run: steps (none detected currently).

17-21: Verify Cadence/Flow Preview Bump Before Merging

The module graph shows exactly one onflow/atree (v0.10.0) and one onflow/cadence (v1.7.0-preview.1) dependency, as expected. A quick search didn’t reveal any direct import "github.com/onflow/cadence" or usages of atree./cadence. in the code—so there’s no obvious divergence in import paths or duplicated versions.

• go.mod lines 17–21 remain:

  github.com/onflow/cadence v1.7.0-preview.1
  github.com/onflow/crypto v0.25.3
  github.com/onflow/flow-go v0.42.3-util-fix.0.20250819165158-ea886bab7c19
  github.com/onflow/flow/protobuf/go/flow v0.4.11
  github.com/rs/zerolog v1.29.0

• Verification script output:

github.com/onflow/atree v0.10.0
github.com/onflow/cadence v1.7.0-preview.1
(no direct imports or symbol references found)

Next steps

  • Manually exercise any Cadence-related surfaces:
    – atree type manipulations, storage tree encoding/decoding
    – script and transaction compilation, runtime execution
    – any custom utility fixes in flow-go pseudo-version
  • Confirm there are no unintended breaking changes.
  • If everything passes, consider filing an issue to track switching to the stable v1.7.0 release once it publishes.

351-353: Boxo replace directive verified—please track upstream issue and plan removal

  • go.mod (line 352): single replace github.com/ipfs/boxo => github.com/onflow/boxo v0.0.0-20240201202436-f2477b92f483 entry confirmed; no other boxo replaces present.
  • Replace version matches the intended fork commit.

Next steps:

  • Verify that onflow/flow-go#5338 still reflects the blocking issue.
  • Open a follow-up/tracking issue in our tracker to remove this replace once the upstream fix lands.

Happy to draft the tracking issue with context and acceptance criteria.


32-32: Fix build errors before running govulncheck

The vulnerability scan is blocked by compilation failures in the onflow/crypto and flow-go modules. Please take the following steps:

• Align your bumped dependencies so that all symbols (e.g. blsInstance, initBLS12381, crypto.NewExpandMsgXOFKMAC128, etc.) are defined.
• Verify the code builds cleanly with the new x/crypto v0.39.0 (and corresponding x/net, x/sys, flow-go, flow-go-sdk) by running:

go build ./...

• Once the build succeeds, re-run the vulnerability check:

go run golang.org/x/vuln/cmd/govulncheck@latest ./...

• Confirm the output reports either “no vulnerabilities found” or lists any issues for triage.

After resolving these build errors and re-running govulncheck, please share the results so we can ensure no security advisories were introduced.

@tim-barry
Contributor

Covered by #90 which updates to v1.7.0-preview.3

@tim-barry tim-barry closed this Sep 8, 2025