
feat(ics): bump v7 to have ibc-go v10#8

Merged

traviolus merged 7 commits into main from feat/bump-ics-v7-ibc-v10 on Apr 28, 2026


@traviolus traviolus commented Apr 22, 2026

Summary by CodeRabbit

  • Chores

    • Updated Go toolchain to 1.23.6 across CI, module files, Docker builders; CI build matrix now targets amd64 and arm64 only.
    • Upgraded core dependencies (Cosmos SDK, CometBFT, Ethereum, gRPC, OpenTelemetry, and many transitive libraries).
    • Migrated Interchain Security integration to v7; pinned linter action and allowed vulnerability check to continue-on-error; removed an obsolete linter setting.
    • Docker builders now use automatic Go toolchain resolution.
  • Bug Fixes

    • Curve price API endpoint made parameterizable; tests updated for new domain.
  • Documentation

    • Improved formatting and trailing newline in the oracle guide.


coderabbitai Bot commented Apr 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fc60deca-28e1-4bbe-a3c9-f5ad881c52e5

📥 Commits

Reviewing files that changed from the base of the PR and between f75fe26 and d78e294.

📒 Files selected for processing (6)
  • abci/strategies/currencypair/default.go
  • abci/strategies/currencypair/delta.go
  • abci/strategies/currencypair/hash_test.go
  • providers/apis/defi/curve/api_handler.go
  • providers/apis/defi/curve/utils.go
  • providers/base/provider_test.go
✅ Files skipped from review due to trivial changes (2)
  • providers/base/provider_test.go
  • providers/apis/defi/curve/utils.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • providers/apis/defi/curve/api_handler.go

Walkthrough

Standardizes Go toolchain to 1.23.6 across CI and module files; broad direct and transitive module upgrades; interchain-security consumer imports moved from v6 → v7 in voteweighted code; Curve provider URL made templated; Docker builder sets GOTOOLCHAIN=auto; minor linter, cache-initialization, and test adjustments.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| CI Workflows | .github/workflows/build.yml, .github/workflows/e2e.yml, .github/workflows/lint.yml, .github/workflows/release.yml, .github/workflows/test.yml | Set Go to 1.23.6 via actions/setup-go; build.yml drops 386 targets; lint.yml pins golangci-lint-action and marks govulncheck continue-on-error. |
| Root module | go.mod | Bumped go directive to 1.23.6, removed explicit toolchain line, and performed large direct + indirect dependency version upgrades (Cosmos stack, CometBFT, interchain-security v7, go-ethereum, gRPC/protobuf, etc.). |
| Test modules | tests/integration/go.mod, tests/petri/go.mod, tests/simapp/go.mod | Updated go directive to 1.23.6/removed toolchain; refreshed many direct and transitive dependencies (Cosmos stack, telemetry/otel, gRPC/genproto, golang.org/x/*, etc.). |
| Voteweighted package | pkg/math/voteweighted/ccv_compat.go, pkg/math/voteweighted/interfaces.go, pkg/math/voteweighted/math_test.go, pkg/math/voteweighted/mocks/mock_cc_validator_store.go | Repointed imports from github.com/cosmos/interchain-security/.../v6.../v7 for consumer ccv types; no API or logic changes. |
| Curve provider | providers/apis/defi/curve/utils.go, providers/apis/defi/curve/api_handler.go, providers/apis/defi/curve/api_handler_test.go | Replaced hardcoded Curve price URL with BaseURL and URLTemplate; CreateURL returns BaseURL on metadata/network parse errors; tests updated to expect prices.curve.finance. |
| Currency-pair strategies & tests | abci/strategies/currencypair/default.go, abci/strategies/currencypair/delta.go, abci/strategies/currencypair/hash_test.go | Constructors initialize previousHeight = -1 to force first-height cache reset; tests updated to use explicit contexts with heights. |
| Docker build images | contrib/images/connect.e2e.Dockerfile, contrib/images/connect.local.Dockerfile, contrib/images/connect.sidecar.dev.Dockerfile, contrib/images/connect.sidecar.prod.Dockerfile | Set GOTOOLCHAIN=auto in builder stages to change Go toolchain resolution during builds. |
| Linter & config | .golangci.yml, guide_oracle.md | Removed maligned linter settings; minor markdown formatting and trailing newline fix in guide. |
| Misc tests | providers/base/provider_test.go, pkg/math/voteweighted/math_test.go | Test adjustments: timestamp updated in WebSocket test; voteweighted test imports switched to interchain-security v7 types. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hopped through modules, nibbled version vines,

Tweaked Go toolchains and fixed some tiny lines.
Templates and caches set just right,
Builds now chase the toolchain light.
A little rabbit patch—cheerful bytes.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: upgrading to Interchain Security v7 which includes ibc-go v10, as evidenced by the extensive v6→v7 dependency updates throughout the changeset. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 15-17: Update the vulnerable module versions in go.mod: bump
google.golang.org/grpc to v1.79.3 (or later), github.com/cometbft/cometbft to
v0.38.19 or v0.38.21, github.com/cosmos/cosmos-sdk to v0.50.14, and
github.com/ethereum/go-ethereum to v1.16.8 or v1.16.9; after changing the module
lines for these identifiers run module resolution (e.g. go get/update and go mod
tidy) to refresh go.sum and verify builds/tests pass.

In `@tests/integration/go.mod`:
- Line 14: Update the module toolchain directive currently pinned as "toolchain
go1.24.5" to "toolchain go1.23.6" so it matches CI; change the literal
"toolchain go1.24.5" entry in tests/integration/go.mod and apply the identical
edit to the same directive in tests/simapp/go.mod and tests/petri/go.mod.

In `@tests/petri/go.mod`:
- Line 5: Update the toolchain directive in tests/petri/go.mod from "toolchain
go1.24.5" to "toolchain go1.23.6" so the module's Go version matches the
repository baseline and CI workflows; edit the "toolchain" line in
tests/petri/go.mod (the toolchain directive) to use 1.23.6.

In `@tests/simapp/go.mod`:
- Line 5: The toolchain directive "toolchain go1.24.5" in tests/simapp/go.mod
must be changed to match the CI baseline; replace that directive with "toolchain
go1.23.6" so local and CI Go versions align (ensure the single-line directive
exactly reads toolchain go1.23.6).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2a44e3f4-9e8a-437d-8bf0-f42b7235c095

📥 Commits

Reviewing files that changed from the base of the PR and between 2252a29 and 3ae102c.

⛔ Files ignored due to path filters (4)
  • go.sum is excluded by !**/*.sum
  • tests/integration/go.sum is excluded by !**/*.sum
  • tests/petri/go.sum is excluded by !**/*.sum
  • tests/simapp/go.sum is excluded by !**/*.sum
📒 Files selected for processing (13)
  • .github/workflows/build.yml
  • .github/workflows/e2e.yml
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • go.mod
  • pkg/math/voteweighted/ccv_compat.go
  • pkg/math/voteweighted/interfaces.go
  • pkg/math/voteweighted/math_test.go
  • pkg/math/voteweighted/mocks/mock_cc_validator_store.go
  • tests/integration/go.mod
  • tests/petri/go.mod
  • tests/simapp/go.mod


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
go.mod (1)

21-21: ⚠️ Potential issue | 🔴 Critical

Root module still pins vulnerable go-ethereum and grpc versions.
Line 21 and Line 44 keep direct dependencies on versions with known high/critical advisories. This should be upgraded before release.

Suggested version bump
-	github.com/ethereum/go-ethereum v1.15.5
+	github.com/ethereum/go-ethereum v1.16.9
...
-	google.golang.org/grpc v1.71.0
+	google.golang.org/grpc v1.79.3
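Review bot: both `+` lines state a target version without naming the advisory each one fixes, so a later reader cannot tell whether v1.16.9 and v1.79.3 are minimum patched releases or simply recent tags; add the advisory IDs to the comment or the commit message. The `...` also elides everything between the two requirements, so apply the bump with `go get <module>@<version>` followed by `go mod tidy` rather than by hand-editing, which keeps go.sum and the indirect requirements consistent.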

Also applies to: 44-44

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 21, The go.mod currently pins vulnerable module versions
(notably github.com/ethereum/go-ethereum and google.golang.org/grpc); update
those module requirements to non-vulnerable upstream releases by replacing the
existing version strings for github.com/ethereum/go-ethereum and
google.golang.org/grpc with fixed versions (use the latest security-patched
release), then run go get <module>@<version> for each, run go mod tidy, and run
the test suite to confirm nothing breaks; ensure the updated module paths in
go.mod reflect the new versions and remove any temporary replaces if used.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/integration/go.mod`:
- Line 23: The go.mod currently pins the vulnerable module
"google.golang.org/grpc v1.71.0"; update that dependency to at least v1.79.3
(e.g., replace "google.golang.org/grpc v1.71.0" with "google.golang.org/grpc
v1.79.3" or a later patch), then run go get ./... or go get
google.golang.org/grpc@v1.79.3 and go mod tidy to refresh go.sum and ensure the
project builds with the patched grpc release.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 28798a92-3750-44b6-9546-0fba6914dcd3

📥 Commits

Reviewing files that changed from the base of the PR and between 3ae102c and b8c2db5.

⛔ Files ignored due to path filters (4)
  • go.sum is excluded by !**/*.sum
  • tests/integration/go.sum is excluded by !**/*.sum
  • tests/petri/go.sum is excluded by !**/*.sum
  • tests/simapp/go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
  • contrib/images/connect.e2e.Dockerfile
  • contrib/images/connect.local.Dockerfile
  • contrib/images/connect.sidecar.dev.Dockerfile
  • contrib/images/connect.sidecar.prod.Dockerfile
  • go.mod
  • tests/integration/go.mod
  • tests/petri/go.mod
  • tests/simapp/go.mod
✅ Files skipped from review due to trivial changes (2)
  • contrib/images/connect.e2e.Dockerfile
  • contrib/images/connect.sidecar.prod.Dockerfile


@beer-1 beer-1 left a comment


LGTM, there is one security alert, but we are overriding this on the initia side, so it seems good to ignore


@beer-1 beer-1 left a comment


oh but can you confirm to resolve lint issue?

@traviolus traviolus changed the title from "bump(ics): v7 to have ibc-go v10" to "feat(ics): bump v7 to have ibc-go v10" on Apr 24, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@guide_oracle.md`:
- Line 142: Correct the typo in the user-facing instruction by replacing the
misspelled word "enther" with "enter" in the sentence that reads "with the
`oracle.json` file path, enther the following command to run connect." Ensure
the sentence still uses backticks around oracle.json and keeps punctuation
consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 38ce38a4-0881-4647-acc6-f62f41da4297

📥 Commits

Reviewing files that changed from the base of the PR and between b8c2db5 and b157fa4.

📒 Files selected for processing (3)
  • .github/workflows/lint.yml
  • .golangci.yml
  • guide_oracle.md
💤 Files with no reviewable changes (1)
  • .golangci.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/lint.yml

@traviolus traviolus requested a review from beer-1 April 24, 2026 08:03

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/lint.yml:
- Line 42: The govulncheck workflow job is configured as non-blocking via the
continue-on-error: true setting; change continue-on-error to false (or remove
the key entirely) under the govulncheck job so vulnerability findings or scan
failures will fail the workflow and block merges, and ensure the job name
“govulncheck” and its continue-on-error key are updated accordingly.

In `@providers/apis/defi/curve/utils.go`:
- Line 17: The constant URL was changed to a templated format string (URL =
"https://prices.curve.finance/v1/usd_price/%s/%s") but DefaultAPIConfig and the
error return paths in api_handler (references: DefaultAPIConfig, URL, and the
error return statements in the Curve API handler) still expose that raw template
on failures; split into two values: keep a new constant TemplateURL (or similar)
for fmt usage and restore a concrete BaseURL (e.g., BaseURL =
"https://prices.curve.finance/v1/usd_price") used in DefaultAPIConfig, and
update the error returns in the handler to return BaseURL (or empty string)
instead of the template URL so failures do not emit "%s/%s".

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 68d84208-c41b-4739-baaa-ed582bbee1c7

📥 Commits

Reviewing files that changed from the base of the PR and between b157fa4 and f75fe26.

📒 Files selected for processing (4)
  • .github/workflows/build.yml
  • .github/workflows/lint.yml
  • providers/apis/defi/curve/api_handler_test.go
  • providers/apis/defi/curve/utils.go
✅ Files skipped from review due to trivial changes (1)
  • providers/apis/defi/curve/api_handler_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/build.yml


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
providers/apis/defi/curve/api_handler.go (1)

64-71: Add explicit assertions for error-path returned URL.

Current TestCreateURL failure cases only check require.Error, so this new BaseURL return behavior isn’t locked down by tests.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@providers/apis/defi/curve/api_handler.go` around lines 64 - 71,
TestCreateURL's failure branches only assert an error but don't assert the
returned URL equals the error-path sentinel BaseURL; update TestCreateURL to
explicitly assert the returned URL is BaseURL for each failing case (the cases
that exercise the CreateURL code paths that return BaseURL on errors like the
JSON parse error and network checks). Locate the test function TestCreateURL
and, where it currently requires an error (require.Error / assert.Error), add a
matching require.Equal or assert.Equal check that the returned URL value equals
the BaseURL constant so the error-path return value is locked down.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3f061a87-8b0b-451c-9cf6-a3fce0dbd1c7

📥 Commits

Reviewing files that changed from the base of the PR and between f75fe26 and 00e8c14.

📒 Files selected for processing (2)
  • providers/apis/defi/curve/api_handler.go
  • providers/apis/defi/curve/utils.go
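
The BaseURL/URLTemplate split and the error-path return value discussed in the two review comments above, as an added Go sketch that is not the project's code. The metadata struct, the network allow-list and the sample inputs are assumptions of this example; only the two URL strings and the names BaseURL, URLTemplate and CreateURL come from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

const (
	// BaseURL is concrete, so it is safe to surface in config, logs and error paths.
	BaseURL = "https://prices.curve.finance/v1/usd_price"
	// URLTemplate is only ever passed to fmt.Sprintf and never returned as-is.
	URLTemplate = BaseURL + "/%s/%s"
)

// tickerMetadata is a hypothetical shape for the per-ticker metadata JSON.
type tickerMetadata struct {
	Network string `json:"network"`
	Address string `json:"address"`
}

// supportedNetworks is a constructed allow-list for this sketch.
var supportedNetworks = map[string]bool{"ethereum": true}

// CreateURL returns the formatted price URL, or BaseURL together with an error.
func CreateURL(metadataJSON string) (string, error) {
	var md tickerMetadata
	if err := json.Unmarshal([]byte(metadataJSON), &md); err != nil {
		return BaseURL, fmt.Errorf("parse metadata: %w", err)
	}
	if !supportedNetworks[md.Network] || md.Address == "" {
		return BaseURL, fmt.Errorf("unsupported network or empty address: %q", md.Network)
	}
	// PathEscape keeps the address confined to a single path segment.
	return fmt.Sprintf(URLTemplate, md.Network, url.PathEscape(md.Address)), nil
}

func main() {
	for _, in := range []string{ // constructed inputs
		`{"network":"ethereum","address":"0xA0b8"}`,
		`{"network":"unknown","address":"0xA0b8"}`,
		`{not json`,
	} {
		u, err := CreateURL(in)
		fmt.Println(u, err)
	}
}
```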


@beer-1 beer-1 left a comment


LGTM

@traviolus traviolus merged commit ba8bdf9 into main Apr 28, 2026
12 of 13 checks passed
@beer-1 beer-1 deleted the feat/bump-ics-v7-ibc-v10 branch April 28, 2026 08:49