feat(ics): bump v7 to have ibc-go v10 #8

Open
traviolus wants to merge 3 commits into main from feat/bump-ics-v7-ibc-v10

@traviolus traviolus commented Apr 22, 2026

Summary by CodeRabbit

  • Chores

    • Updated Go toolchain to 1.23.6 across CI, module files, and build images.
    • Upgraded core dependencies (Cosmos SDK, CometBFT, Ethereum, gRPC, OpenTelemetry, and many transitive libraries).
    • Migrated Interchain Security integration to v7 and refreshed numerous indirect dependencies.
    • Pinned linter action version and adjusted lint configuration.
    • Docker builder now uses automatic Go toolchain resolution.
  • Documentation

    • Improved formatting and trailing newline in the oracle guide.

coderabbitai Bot commented Apr 22, 2026

Walkthrough

Standardizes the Go toolchain to 1.23.6 across CI/workflows and module files; upgrades many direct and transitive Go module dependencies (Cosmos SDK, CometBFT, go-ethereum, gRPC, protobuf, etc.); migrates interchain-security consumer imports from v6 to v7 in voteweighted code; minor Docker and linter/config formatting tweaks.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI Workflows: .github/workflows/build.yml, .github/workflows/e2e.yml, .github/workflows/lint.yml, .github/workflows/release.yml, .github/workflows/test.yml | Bumped Go toolchain to 1.23.6 in actions/setup-go steps; pinned golangci-lint-action in lint workflow; workflow logic otherwise unchanged. |
| Root module: go.mod | Set go 1.23.6, removed explicit toolchain directive; upgraded numerous direct deps (cosmossdk, cometbft, interchain-security v6→v7, go-ethereum, grpc, protobuf, cobra, etc.) and refreshed many indirect requirements. |
| Test modules: tests/integration/go.mod, tests/petri/go.mod, tests/simapp/go.mod | Updated go directive to 1.23.6 and bumped many direct and transitive dependencies (cosmos stack, telemetry/otel, gRPC/genproto, crypto, golang.org/x/*, etc.). |
| Voteweighted package: pkg/math/voteweighted/ccv_compat.go, pkg/math/voteweighted/interfaces.go, pkg/math/voteweighted/math_test.go, pkg/math/voteweighted/mocks/mock_cc_validator_store.go | Repointed imports from github.com/cosmos/interchain-security/.../v6 to .../v7 (consumer ccv types); no API/signature or logic changes. |
| Docker build images: contrib/images/connect.e2e.Dockerfile, contrib/images/connect.local.Dockerfile, contrib/images/connect.sidecar.dev.Dockerfile, contrib/images/connect.sidecar.prod.Dockerfile | Set GOTOOLCHAIN=auto in builder stages to alter Go toolchain resolution during build; build steps unchanged. |
| Linter & docs: .golangci.yml, guide_oracle.md | Removed maligned linter settings; formatting/newline fixes to guide_oracle.md only. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I nibble on updates, tidy and spry,

Hopped imports from v6 up to v7 high.
Go 1.23.6 gleams like a bright carrot slice,
Workflows and modules marching precise.
Hop on — the build blossoms, soft and nice.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: upgrading interchain-security to v7 and integrating ibc-go v10 across go.mod files and related imports. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 15-17: Update the vulnerable module versions in go.mod: bump
google.golang.org/grpc to v1.79.3 (or later), github.com/cometbft/cometbft to
v0.38.19 or v0.38.21, github.com/cosmos/cosmos-sdk to v0.50.14, and
github.com/ethereum/go-ethereum to v1.16.8 or v1.16.9; after changing the module
lines for these identifiers run module resolution (e.g. go get/update and go mod
tidy) to refresh go.sum and verify builds/tests pass.

In `@tests/integration/go.mod`:
- Line 14: Update the module toolchain directive currently pinned as "toolchain
go1.24.5" to "toolchain go1.23.6" so it matches CI; change the literal
"toolchain go1.24.5" entry in tests/integration/go.mod and apply the identical
edit to the same directive in tests/simapp/go.mod and tests/petri/go.mod.

In `@tests/petri/go.mod`:
- Line 5: Update the toolchain directive in tests/petri/go.mod from "toolchain
go1.24.5" to "toolchain go1.23.6" so the module's Go version matches the
repository baseline and CI workflows; edit the "toolchain" line in
tests/petri/go.mod (the toolchain directive) to use 1.23.6.

In `@tests/simapp/go.mod`:
- Line 5: The toolchain directive "toolchain go1.24.5" in tests/simapp/go.mod
must be changed to match the CI baseline; replace that directive with "toolchain
go1.23.6" so local and CI Go versions align (ensure the single-line directive
exactly reads toolchain go1.23.6).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2a44e3f4-9e8a-437d-8bf0-f42b7235c095

📥 Commits

Reviewing files that changed from the base of the PR and between 2252a29 and 3ae102c.

⛔ Files ignored due to path filters (4)
  • go.sum is excluded by !**/*.sum
  • tests/integration/go.sum is excluded by !**/*.sum
  • tests/petri/go.sum is excluded by !**/*.sum
  • tests/simapp/go.sum is excluded by !**/*.sum
📒 Files selected for processing (13)
  • .github/workflows/build.yml
  • .github/workflows/e2e.yml
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • go.mod
  • pkg/math/voteweighted/ccv_compat.go
  • pkg/math/voteweighted/interfaces.go
  • pkg/math/voteweighted/math_test.go
  • pkg/math/voteweighted/mocks/mock_cc_validator_store.go
  • tests/integration/go.mod
  • tests/petri/go.mod
  • tests/simapp/go.mod

Comment thread go.mod Outdated
Comment thread tests/integration/go.mod Outdated
Comment thread tests/petri/go.mod Outdated
Comment thread tests/simapp/go.mod Outdated

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
go.mod (1)

21-21: ⚠️ Potential issue | 🔴 Critical

Root module still pins vulnerable go-ethereum and grpc versions.
Line 21 and Line 44 keep direct dependencies on versions with known high/critical advisories. This should be upgraded before release.

Suggested version bump
-	github.com/ethereum/go-ethereum v1.15.5
+	github.com/ethereum/go-ethereum v1.16.9
...
-	google.golang.org/grpc v1.71.0
+	google.golang.org/grpc v1.79.3
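
Review bot: The `google.golang.org/grpc v1.71.0` to `v1.79.3` line of this suggestion covers only the root go.mod, while the same v1.71.0 pin is flagged at tests/integration/go.mod line 23; apply the bump in every module that carries the pin so the test modules and the root do not diverge. The go-ethereum change from v1.15.5 to v1.16.9 crosses a minor version rather than a patch level, so run `go mod tidy` and the test suite after it before treating the suggestion as a drop-in replacement.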

Also applies to: 44-44

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 21, The go.mod currently pins vulnerable module versions
(notably github.com/ethereum/go-ethereum and google.golang.org/grpc); update
those module requirements to non-vulnerable upstream releases by replacing the
existing version strings for github.com/ethereum/go-ethereum and
google.golang.org/grpc with fixed versions (use the latest security-patched
release), then run go get <module>@<version> for each, run go mod tidy, and run
the test suite to confirm nothing breaks; ensure the updated module paths in
go.mod reflect the new versions and remove any temporary replaces if used.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/integration/go.mod`:
- Line 23: The go.mod currently pins the vulnerable module
"google.golang.org/grpc v1.71.0"; update that dependency to at least v1.79.3
(e.g., replace "google.golang.org/grpc v1.71.0" with "google.golang.org/grpc
v1.79.3" or a later patch), then run go get ./... or go get
google.golang.org/grpc@v1.79.3 and go mod tidy to refresh go.sum and ensure the
project builds with the patched grpc release.

---

Duplicate comments:
In `@go.mod`:
- Line 21: The go.mod currently pins vulnerable module versions (notably
github.com/ethereum/go-ethereum and google.golang.org/grpc); update those module
requirements to non-vulnerable upstream releases by replacing the existing
version strings for github.com/ethereum/go-ethereum and google.golang.org/grpc
with fixed versions (use the latest security-patched release), then run go get
<module>@<version> for each, run go mod tidy, and run the test suite to confirm
nothing breaks; ensure the updated module paths in go.mod reflect the new
versions and remove any temporary replaces if used.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 28798a92-3750-44b6-9546-0fba6914dcd3

📥 Commits

Reviewing files that changed from the base of the PR and between 3ae102c and b8c2db5.

⛔ Files ignored due to path filters (4)
  • go.sum is excluded by !**/*.sum
  • tests/integration/go.sum is excluded by !**/*.sum
  • tests/petri/go.sum is excluded by !**/*.sum
  • tests/simapp/go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
  • contrib/images/connect.e2e.Dockerfile
  • contrib/images/connect.local.Dockerfile
  • contrib/images/connect.sidecar.dev.Dockerfile
  • contrib/images/connect.sidecar.prod.Dockerfile
  • go.mod
  • tests/integration/go.mod
  • tests/petri/go.mod
  • tests/simapp/go.mod
✅ Files skipped from review due to trivial changes (2)
  • contrib/images/connect.e2e.Dockerfile
  • contrib/images/connect.sidecar.prod.Dockerfile

Comment thread tests/integration/go.mod
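
The minimum versions named in the review comments above can be checked mechanically against each go.mod. This is an added example, not code from this PR or from CodeRabbit: a line-based scan that flags tracked modules pinned below those minimums. The sample go.mod is constructed (only its grpc and go-ethereum pins are quoted from the page), and `floors`, `older` and `belowFloor` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum versions named in the review comments on this page.
var floors = map[string]string{
	"google.golang.org/grpc":          "v1.79.3",
	"github.com/cometbft/cometbft":    "v0.38.19",
	"github.com/cosmos/cosmos-sdk":    "v0.50.14",
	"github.com/ethereum/go-ethereum": "v1.16.8",
}

// Constructed go.mod; only the grpc and go-ethereum pins are quoted from the page.
const sampleGoMod = "module example.com/constructed\n\ngo 1.23.6\n\nrequire (\n" +
	"\tgithub.com/cosmos/cosmos-sdk v0.50.14\n" +
	"\tgithub.com/ethereum/go-ethereum v1.15.5\n" +
	"\tgoogle.golang.org/grpc v1.71.0 // indirect\n)\n"

// older reports whether a sorts before b by MAJOR.MINOR.PATCH. Suffixes such as
// -rc1 are ignored; an unparseable version counts as older (fail closed).
func older(a, b string) bool {
	var x, y [3]int
	na, _ := fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	nb, _ := fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	if na != 3 || nb != 3 {
		return true
	}
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// belowFloor scans line by line; any "module version" line for a tracked module counts as a pin.
func belowFloor(gomod string) (findings []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && floors[f[0]] != "" && older(f[1], floors[f[0]]) {
			findings = append(findings, f[0]+" "+f[1]+" < "+floors[f[0]])
		}
	}
	return findings
}

func main() { fmt.Println(strings.Join(belowFloor(sampleGoMod), "\n")) }
```

Running the same scan over the root go.mod and the three test-module go.mod files shows whether a pin was raised in one module and missed in another.
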
Member

@beer-1 beer-1 left a comment

LGTM. There is one security alert, but we are overriding this on the initia side, so it seems good to ignore.

Member

@beer-1 beer-1 left a comment

Oh, but can you confirm to resolve the lint issue?

@traviolus traviolus changed the title from "bump(ics): v7 to have ibc-go v10" to "feat(ics): bump v7 to have ibc-go v10" Apr 24, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@guide_oracle.md`:
- Line 142: Correct the typo in the user-facing instruction by replacing the
misspelled word "enther" with "enter" in the sentence that reads "with the
`oracle.json` file path, enther the following command to run connect." Ensure
the sentence still uses backticks around oracle.json and keeps punctuation
consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 38ce38a4-0881-4647-acc6-f62f41da4297

📥 Commits

Reviewing files that changed from the base of the PR and between b8c2db5 and b157fa4.

📒 Files selected for processing (3)
  • .github/workflows/lint.yml
  • .golangci.yml
  • guide_oracle.md
💤 Files with no reviewable changes (1)
  • .golangci.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/lint.yml

Comment thread guide_oracle.md
@traviolus traviolus requested a review from beer-1 April 24, 2026 08:03