fix(deps): update non-major-updates
The drag handle column (40px fixed width) was always rendered in the grouped view, compounding the overflow caused by the group column addition. Combined, the table consistently overflowed its container. Drag handles are now hidden by default and toggled via an "Organize" button that appears in the page header only when groups exist. This recovers the column space on normal views while preserving full drag-and-drop when the user explicitly enters organize mode.
The SARIF upload step was gated on artifact_found == 'true', which is only ever set by the check-artifact step. That step itself only runs on workflow_run events, but supply-chain-pr.yml has no workflow_run trigger — it fires on pull_request and push only. The result was that every run since the workflow was restructured successfully scanned the image but silently discarded the SARIF, leaving GitHub Code Scanning with a stale Grype result since Feb 4, 2026. Align the SARIF upload condition with every other post-scan step: gate on set-target.outputs.image_name != '' so it fires whenever a scan actually ran, regardless of the triggering event type. Also corrects a stale inline comment that cited v0.110.0 while the install script pinned v0.112.0.
…g.Add sessions.Store was called before the DB update and wg.Add(1) in HandleWebSocket. The test polling loop exited as soon as the session appeared in the map, starting cleanup while the handler was still writing to the SQLite database. srv.Stop() called wg.Wait() with wg=0 because wg.Add had not yet been called, allowing cleanup to proceed. Concurrent SQLite journal/WAL file creation then raced with os.RemoveAll on the test's TempDir, producing "directory not empty". Move sessions.Store to be the last statement after the DB update and wg.Add(1). External observers now see the session only after all handler setup is complete, ensuring Stop's wg.Wait blocks correctly before any cleanup runs. Fixes: TestOrthrusServer_HandleWebSocket_ValidToken_UpgradesConnection flaky CI
…onents

- Replace direct DOM/container access in ImportSitesModal test with Testing Library queries (getByRole, findByRole) as required by testing best practices
- Remove useless `undefined` arguments from ImportSitesModal test and DNSProviderSelector component to satisfy no-useless-undefined rule; update corresponding test assertion to match corrected call signature
- Convert forEach to for...of loop in ImportReviewTable per ESLint rule
- Add role="button", tabIndex, and onKeyDown keyboard handlers to clickable div elements in ImportReviewTable and FeedbackWidget to satisfy accessibility requirements (WCAG 2.2 keyboard operability)
- Add required blank line between import groups in GroupDropZone

Fixes CI annotations from commit ff52316 reported against the development branch frontend build.
chore(deps): update non-major-updates
Changed dependency automation so non-major updates are grouped into separate pull requests for GitHub Actions, Go, and npm instead of one mixed batch. This improves tracking and review focus by keeping each dependency type isolated and easier to audit. Major updates remain separated for manual review, and existing version safety constraints are preserved to prevent unintended upgrade paths. Validation evidence was generated for config resolution and dry-run behavior, with local runtime compatibility noted as an environment constraint.
The cloudflare provider's Start() method used cmd.StdoutPipe() and cmd.StderrPipe() to capture tunnel output. Go's exec package registers the read-end file descriptors from these calls in an internal closeAfterWait list — when cmd.Wait() returns after the child exits, those fds are closed immediately, regardless of whether the scanner goroutines have finished reading buffered data. On a loaded CI runner this produces an EBADF before the scanner's first Read(), leaving the ring buffer empty and causing TestStart_CapturesStdoutOutput to fail. Replace both pipe methods with os.Pipe() pairs. Assigning bare *os.File to cmd.Stdout and cmd.Stderr bypasses Go's pipe lifecycle management entirely. The parent write ends are closed immediately after cmd.Start() succeeds so the child's exit naturally sends EOF to the scanners. Each scanner goroutine owns its read end and closes it via defer after draining, which preserves the existing scanWg.Wait() guarantee that the ring buffer is fully populated before p.done is closed. All four pipe fds are cleaned up in both the stderr os.Pipe() failure path and the cmd.Start() failure path to prevent fd leaks. Write-end close failures are logged using the provider's structured logger rather than silently discarded. Validated with 50 sequential -race runs on the cloudflare package; 50/50 pass. Fixes TestStart_CapturesStdoutOutput flake in CI
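The os.Pipe() pattern the commit above describes, written out as an added example rather than the project's cloudflare provider code; the command is run via sh and the provider's ring buffer is replaced by plain slices so the result can be inspected directly:

```go
package main

import (
	"bufio"
	"log"
	"os"
	"os/exec"
	"sync"
)
// captureOutput runs a command and returns its stdout and stderr lines. os.Pipe()
// pairs replace cmd.StdoutPipe()/StderrPipe(): exec never puts a bare *os.File on its
// closeAfterWait list, so cmd.Wait() cannot close the read ends under the scanners.
func captureOutput(name string, args ...string) (stdout, stderr []string, err error) {
	outR, outW, err := os.Pipe()
	if err != nil {
		return nil, nil, err
	}
	errR, errW, err := os.Pipe()
	if err != nil {
		outR.Close(); outW.Close() // release the first pair: no fd leak
		return nil, nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.Stdout, cmd.Stderr = outW, errW // bare *os.File: exec does not manage their lifecycle
	if err := cmd.Start(); err != nil {
		for _, f := range []*os.File{outR, outW, errR, errW} { // all four fds released
			f.Close()
		}
		return nil, nil, err
	}
	for _, w := range []*os.File{outW, errW} { // close write ends now: child's exit then sends EOF
		if cerr := w.Close(); cerr != nil {
			log.Printf("closing pipe write end: %v", cerr) // logged, not silently dropped
		}
	}
	var scanWg sync.WaitGroup
	scan := func(r *os.File, dst *[]string) {
		defer scanWg.Done()
		defer r.Close() // each goroutine owns and closes its read end
		for sc := bufio.NewScanner(r); sc.Scan(); {
			*dst = append(*dst, sc.Text())
		}
	}
	scanWg.Add(2)
	go scan(outR, &stdout)
	go scan(errR, &stderr)
	waitErr := cmd.Wait()
	scanWg.Wait() // output fully collected before the caller sees it
	return stdout, stderr, waitErr
}
```

Running this under `go test -race` in a loop is the same check the commit used; with StdoutPipe() the scanner can observe EBADF after Wait() on a slow runner, whereas here the read end is closed only by the goroutine that drained it.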
…cts updates Six ARG lines had `# renovate:` comments but no matching custom manager in renovate.json, meaning Renovate silently ignored them. This was the direct cause of missing the CrowdSec 1.7.7 → 1.7.8 release. Added custom managers for: CrowdSec (github-releases), Caddy/CADDY_CANDIDATE (go datasource), gosu (github-releases), npm (npm datasource), golang.org/x/crypto (go datasource), and coraza-caddy/v2 (go datasource). Fixed two Dockerfile comments where the Caddy depName incorrectly included an `https://` URL prefix — Go datasource requires a bare module path. Both CADDY_VERSION and CADDY_CANDIDATE_VERSION comments now reference `github.com/caddyserver/caddy/v2`. The coraza-caddy comment was also corrected to the `/v2` module path for consistency with what the custom manager resolves. Added an `allowedVersions: "<3.0.0"` packageRule for the new Go-datasource Caddy manager to mirror the existing constraint on the dockerfile manager, preventing an automatic jump to a future v3 major. Added a `security`/`dependencies` label rule for CrowdSec releases so they surface visibly in PRs.
…sec dependency caddy-crowdsec-bouncer@v0.10.0 (and all subsequent releases through v0.12.1) declare github.com/crowdsecurity/crowdsec v1.6.3 in their go.mod, which embeds the vulnerable crowdsec library inside the compiled /usr/bin/caddy binary. Trivy detects this and reports GHSA-rw47-hm26-6wr7 (CVE-2026-44982), which describes the CrowdSec AppSec component silently dropping HTTP request bodies for chunked-encoded and HTTP/2 requests — allowing WAF body inspection rules to be bypassed entirely. The dedicated crowdsec and cscli binaries were already clean (built directly from CROWDSEC_VERSION=1.7.8 source), but the Caddy binary was still exposing the vulnerability through its transitive dependency on the bouncer plugin. Add go get github.com/crowdsecurity/crowdsec@v${CROWDSEC_VERSION} to the Caddy builder Stage 2 patch block, immediately after the existing go-ntlmssp override. Declare ARG CROWDSEC_VERSION in the caddy-builder stage so the variable resolves correctly within that Docker build context. Using the ARG rather than a hardcoded version ensures the Caddy override and the CrowdSec binaries always upgrade together when Renovate bumps CROWDSEC_VERSION, preventing version drift. Remove this override once the bouncer ships a release that requires github.com/crowdsecurity/crowdsec >= v1.7.8.
…common to v0.68.0
…nd eslint to v10.4.1
…th install_if_missing (skips if already present via cscli inspect). On a rebuild where CrowdSec data is on a persistent volume, all items are already installed, so this cuts 10 cscli invocations (60–90s) down to fast inspect checks. First-time installs still work as before.
…d container health monitoring
…dule dependencies
Automated checksum update for GeoLite2-Country.mmdb database. Old: d074a873c0db6755c0d7f22efe8c76d14fd5d4bcdaa5fc5e940508e8517e99ba New: c77ac1d7e64b3fcd1447045615fc3aefb3ed886e176608c568b01f29f955e21a Auto-generated by: .github/workflows/update-geolite2.yml
chore(docker): update GeoLite2-Country.mmdb checksum
…o v1.6.19, and knip to v6.15.0
…7 binaries in nightly

The nightly image promoted by the weekly PR was built with stale Docker GHA cache for the crowdsec-builder stage. When CROWDSEC_VERSION was bumped from 1.7.7 to 1.7.8 in the Dockerfile, BuildKit computed an identical cache key for the re-declared ARG inside crowdsec-builder (no default, so only the instruction string was hashed), resulting in a false cache hit that restored the old v1.7.7 binary layers. The image passed validation checks but embedded the unfixed binaries.

Two changes to nightly-build.yml:

- Added crowdsec-builder to no-cache-filters so the stage unconditionally rebuilds on every nightly run, matching the protection already applied to caddy-builder
- Added CROWDSEC_VERSION as an explicit build-arg so any future version bump in the Dockerfile also changes the build-arg value, guaranteeing a proper cache miss in the GHA cache backend

The resulting nightly image will produce crowdsec/cscli binaries reporting v1.7.8+dirty (the +dirty suffix is structural — the builder always modifies go.mod and source files post-clone — and should not be flagged by Grype since v1.7.8 is the patched release for CVE-2026-44982). Unblocks PR #1047 (weekly nightly → main promotion).
Add a disk space reclamation step as the first step in both multi-platform build jobs to eliminate runner disk exhaustion during linux/amd64 + linux/arm64 Docker builds. The ubuntu-latest runner ships with Android SDK (~8 GB), .NET (~2 GB), and Haskell (~2 GB) pre-installed, consuming nearly all available disk before Buildx begins. When disk fills mid-build, the runner process dies without sending terminal step statuses to GitHub, leaving the UI in a paradoxical "failed and in progress" state simultaneously. Docker daemon images are intentionally preserved so Buildx can operate normally. Expected recovery: 10–15 GB per build job. Action pinned to full SHA per supply chain security policy.
🚀 Weekly Nightly to Main Promotion
Date: 2026-06-01
Trigger: Scheduled weekly promotion
Commits: 57 commits to promote
Changes: 37 files changed, 1649 insertions(+), 1395 deletions(-)
Commits Being Promoted
Showing first 50 of 57 commits:
...and 7 more commits
Pre-Merge Checklist
Merge Instructions
This PR promotes changes from nightly to main. Once all checks pass:

This PR was automatically created by the Weekly Nightly Promotion workflow.