github gofr-dev/gofr v1.54.5

Release v1.54.5

🚀 Enhancements

🔹 Google Pub/Sub Span Links for Tracing

GoFr now supports OpenTelemetry span links for Google Cloud Pub/Sub, extending the tracing capabilities introduced for Kafka in v1.54.4.

  • End-to-End Traceability: Connects producer and consumer spans across asynchronous Google Pub/Sub messaging, enabling complete request lifecycle visualization.
  • Context Propagation: Automatically injects and extracts trace context through Pub/Sub message attributes using the standard OpenTelemetry propagator.
  • Semantic Conventions: Follows OpenTelemetry messaging semantic conventions for consistent, standards-compliant spans and links.

🔹 SQS Span Links for Tracing

Added OpenTelemetry span links for AWS SQS, completing pub/sub tracing support across all major message brokers.

  • AWS Observability: Connects producer and consumer spans for SQS messages, providing full distributed tracing for AWS-based event-driven architectures.
  • Attribute Propagation: Leverages SQS message attributes for trace context propagation, enabling seamless correlation across services.
  • Consistent Tracing: Aligns with the same span link patterns used for Kafka and Google Pub/Sub for a unified observability experience.

🔹 Oracle Migration Locks Management

Extended migration locks support to Oracle datasources, building on the SQL & Redis locking introduced in v1.54.3.

  • Safe Concurrent Deployments: In multi-instance deployments (e.g., Kubernetes), only one instance executes Oracle migrations at a time, preventing race conditions.
  • Automatic Lock Lifecycle: Manages lock acquisition, expiry-based cleanup, periodic refresh, and safe release with full PL/SQL-based error handling.
  • Data Integrity: Prevents corrupted migration states during parallel deployments against Oracle databases.

🛠️ Fixes

🔹 Static File Path Traversal Prevention

Resolved a security issue in the static file handler where sibling directory names could bypass the restricted file check.

  • Security Hardening: Appended a path separator in isRestrictedFile to ensure that sibling directories sharing a common prefix with the static directory (e.g., /app/publicother vs /app/public) cannot be traversed to serve unauthorized files.
  • What's Restricted: Files outside the configured static directory are blocked from being served. Additionally, direct access to openapi.json via static routes remains restricted — it is only accessible through the /.well-known/swagger or /.well-known/openapi.json endpoints.
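
The sibling-prefix problem described above, shown as an added example that is not GoFr's own code: a bare prefix comparison next to one that appends the path separator first. The function names and sample paths are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// insideDirNaive (hypothetical name) is the flawed pattern: a bare string
// prefix comparison, which also matches sibling directories.
func insideDirNaive(staticDir, requested string) bool {
	return strings.HasPrefix(filepath.Clean(requested), filepath.Clean(staticDir))
}

// insideDirStrict (hypothetical name) appends a path separator to the base
// before comparing, so only the directory itself and its descendants match.
func insideDirStrict(staticDir, requested string) bool {
	base := filepath.Clean(staticDir)
	target := filepath.Clean(requested)
	if target == base {
		return true
	}
	sep := string(filepath.Separator)
	if !strings.HasSuffix(base, sep) { // a root base already ends in the separator
		base += sep
	}
	return strings.HasPrefix(target, base)
}

func main() {
	const staticDir = "/app/public" // constructed sample paths
	for _, p := range []string{
		"/app/public/index.html",
		"/app/publicother/secret.txt",
		"/app/public/../publicother/secret.txt",
		"/etc/passwd",
	} {
		fmt.Printf("%-40s naive=%-5t strict=%t\n", p,
			insideDirNaive(staticDir, p), insideDirStrict(staticDir, p))
	}
}
```

Both checks are purely lexical: they do not resolve symlinks, so a link inside the static directory that points elsewhere needs separate handling.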

🔹 Kafka Subscribe Data Race

Fixed a data race condition in the Kafka Subscribe method that could surface under concurrent access.

  • Concurrency Safety: Ensures thread-safe subscription handling, preventing unpredictable behavior in high-concurrency environments.

🔹 Config Parsing Silent Failures

Resolved an issue where invalid or missing configuration values would fail silently, making it difficult to diagnose misconfiguration issues.

  • Better Error Reporting: Added proper nil-checks and logging for configuration parsing, ensuring misconfigurations are surfaced through structured log messages instead of being swallowed silently.
