Weekly: Promote nightly to main (2026-06-22) #1093

Merged
Wikid82 merged 154 commits into main from nightly on Jun 23, 2026
@github-actions

🚀 Weekly Nightly to Main Promotion

Date: 2026-06-22
Trigger: Scheduled weekly promotion
Commits: 153 commits to promote
Changes: 101 files changed, 7937 insertions(+), 979 deletions(-)


Commits Being Promoted

Showing first 50 of 153 commits:

7505d1f4 chore(docker): update GeoLite2-Country.mmdb checksum (#1091)
52377178 chore(dep): update package rules for js-yaml
6e0d4a72 chore: bump nanoid from 3.3.13 to 3.3.14
a5f1c3e2 chore: bump nanoid from 3.3.13 to 3.3.14
e159d58e chore(deps): update actions/checkout action to v7 (#1089)
a1806650 chore(deps): update go-non-major to v1.4.0 (#1090)
ee3c2e66 chore(deps): update dockerfile-non-major to v1.77.0 (#1087)
d3b3d0ad fix(deps): correct react-hook-form 7.80.0 integrity hash in lockfile
3d3f0474 chore(deps): update node.js to v24.17.0 (#1088)
dd079271 chore(deps): update github-actions-non-major (#1086)
f75e6844 chore(deps): bump react-hook-form from 7.79.0 to 7.80.0
8ec4cc4f chore(renovate): add gomodTidy, fix golang-jwt/jwt v5 tracking
7fc632b0 chore(deps): bump @types/node to v26 and eslint-plugin-unicorn to v68
9ca07c51 chore: bump @types/node from 25.9.3 to 26.0.0
41641144 fix: wrap webkit scrollbar styles in @supports selector guard
a4220565 fix(frontend): remove unused autoprefixer dependency
f07555bd chore(frontend): remove autoprefixer from postcss config
b3f4e430 chore(deps): bump eslint-plugin-sonarjs to 4.1.0
c5a75372 chore: bump nanoid to 3.3.13 and yargs to 16.2.2
e9a087c4 chore(deps): bump moby/moby client to v0.5.0 and api to v1.55.0
6fc66620 chore: bump go-sqlite3 from v1.14.45 to v1.14.46
85457823 chore(deps): bump lucide-react from 1.20.0 to 1.21.0
09072ad3 chore: add package package-lock.json
79f52515 chore(deps): bump frontend lockfile dependencies
a6171dca chore: bump mongo-driver/v2 from v2.6.1 to v2.7.0
793f0da1 fix(ci): add post-upload SARIF verification to weekly security rebuild
8089a16b fix(ci): align trivyignores and upload-sarif SHA across scan workflows
fdacd2f3 fix(deps): resolve js-yaml and markdown-it DoS vulnerabilities via npm overrides
b71d2a8b feat: enhanced dashboard with statistics (#25) (#1075)
70af480a fix(deps): update npm-non-major to ^7.18.0 (#1084)
42cd7117 chore(deps): update dependency eslint-plugin-unicorn to v67 (#1083)
b52fdbd2 fix(deps): update npm-non-major (#1082)
1fc98b68 chore(deps): update node.js to v24.16.0 (#1081)
b8217fe2 chore(deps): update github-actions-non-major (#1080)
95ca4de3 chore(deps): update dockerfile-non-major (#1079)
b463c70a chore(deps): update alpine docker tag to v3.24.1 (#1078)
c3b1b7d2 chore(deps): update node.js to 21f403a (#1077)
a0ba91d0 chore: bump mongo-driver to v2.6.1 and modernc/libc to v1.73.4
6c758ffb chore: bump tldts, playwright, and vitest deps
5a3dbec5 chore(docker): update GeoLite2-Country.mmdb checksum (#1074)
8d527834 chore(deps): update eslint-plugin-unicorn to v66 and react-refresh to v0.5.3
470673bb chore: bump @csstools/css-color-parser to 4.1.4
e972633d chore(deps): bump modernc.org/libc from v1.73.1 to v1.73.3
a9691be7 chore: update go.work.sum with golang.org/x/term v0.44.0
8410cc2b chore: bump regjsparser from 0.13.1 to 0.13.2
d9371454 chore(deps): update npm-non-major to ^10.5.0 (#1073)
93dcabc8 chore(deps): bump react-hook-form from 7.78.0 to 7.79.0
4bb8845f chore: fix renovate datasource config for expr-lang/expr
36bc7287 chore(deps): bump modernc.org/libc from v1.73.0 to v1.73.1
8b5874fc chore: bump obug from 2.1.2 to 2.1.3

...and 103 more commits


Pre-Merge Checklist

  • All status checks pass
  • No critical security issues identified
  • Changelog is up-to-date (auto-generated via workflow)
  • Version bump is appropriate (if applicable)

Merge Instructions

This PR promotes changes from nightly to main. Once all checks pass:

  1. Review the commit summary above
  2. Approve if changes look correct
  3. Merge using "Merge commit" to preserve history

This PR was automatically created by the Weekly Nightly Promotion workflow.

Wikid82 and others added 30 commits June 2, 2026 11:08
Propagate changes from main into development
chore(deps): update github-actions-non-major
…ntries

Renovate's automated update regenerated package-lock.json incorrectly,
omitting top-level node_modules entries for eslint and vite. This caused
npm ci to fail in CI during dependency installation. Regenerating with
Node v22.22.1 and npm v11.16.0 restores the correct entries.
The supply-chain Grype scan last ran on Feb 4, 2026 due to a cascade of
compounding failures. This commit resolves all root causes:

- Twelve .trivyignore CVE suppressions expired between Apr 30 and May 25,
  causing the Trivy PR gate to block all PR merges and starve the pipeline
  of push events. All entries extended 60–90 days with appropriate review
  comments; no entry exceeds Sep 1, 2026.

- Ten .grype.yaml suppressions also expired in May, meaning Grype scans
  that did run would immediately fail on HIGH findings and produce no fresh
  SARIF. All entries extended with matching dates.

- The supply-chain-pr.yml job condition had a dead workflow_run branch and
  was missing the push and schedule event names, silently skipping the
  verify-supply-chain job on every push to main. Added push and schedule to
  the condition.

- Added a weekly schedule trigger (Mondays at 02:00 UTC) so scans run
  regardless of PR activity. Added development to push branches to match
  docker-build.yml scope.

- Removed continue-on-error: true from the SARIF upload step so upload
  failures surface as visible workflow failures rather than silent no-ops.

- Simplified concurrency.group to remove dead workflow_run expressions.

Refs: GitHub Code Scanning "last scanned Feb 4, 2026" alert
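
A pre-expiry check for the failure mode this commit message describes, where suppressions lapse unnoticed and the scan gate starts blocking. This is an added example, not code from the repository; it assumes Trivy's `<ID> exp:YYYY-MM-DD` line syntax for `.trivyignore`, and the function name, thresholds and sample IDs are constructed.

```javascript
// Added example, not the project's code. Assumes Trivy's "<ID> exp:YYYY-MM-DD"
// .trivyignore syntax; the IDs in SAMPLE are constructed placeholders.
const DAY_MS = 24 * 60 * 60 * 1000;

function auditSuppressions(text, { today, warnDays = 14, maxDate }) {
  const now = Date.parse(today);
  const limit = maxDate ? Date.parse(maxDate) : Infinity;
  const report = { expired: [], expiringSoon: [], tooFar: [], noExpiry: [] };
  for (const raw of text.split('\n')) {
    const line = raw.split('#')[0].trim(); // strip comments and blank lines
    if (!line) continue;
    const [id, ...rest] = line.split(/\s+/);
    const token = rest.find((t) => t.startsWith('exp:'));
    const until = token ? Date.parse(token.slice(4)) : NaN;
    if (Number.isNaN(until)) {
      report.noExpiry.push(id); // permanent or unparseable: needs a human decision
    } else if (until < now) {
      report.expired.push(id); // the scanner reports this finding again from today
    } else {
      if (until - now <= warnDays * DAY_MS) report.expiringSoon.push(id);
      if (until > limit) report.tooFar.push(id);
    }
  }
  return report;
}

// Constructed sample using the dates mentioned in the commit message.
const SAMPLE = `
# reviewed 2026-03-01
CVE-0000-0001 exp:2026-04-30
CVE-0000-0002 exp:2026-05-25   # waiting on upstream
CVE-0000-0003 exp:2026-09-01
CVE-0000-0004 exp:2026-12-31
CVE-0000-0005
`;

function sampleReport() {
  return auditSuppressions(SAMPLE, { today: '2026-05-20', maxDate: '2026-09-01' });
}
```

Run on a schedule, the `expiringSoon` bucket gives a review window before the gate starts failing.
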
Add anti-FOUC inline script to index.html that applies the stored theme
class synchronously before React mounts. Switch ThemeContext to useLayoutEffect
for synchronous class application, add explicit light-mode CSS overrides, update
CSP to allowlist the inline script hash, and add a Playwright regression suite.
Update GO_VERSION from 1.26.3 to 1.26.4 in all 9 CI workflow files and
fix go.goroot in .vscode/settings.json to point to /usr/local/go where
1.26.4 is installed, replacing the missing sdk/go1.26.4 path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch setup-go from go-version env var to go-version-file: backend/go.mod
so the action reads the required version directly from go.mod instead of
relying on a cached toolchain version that may lag behind. Change
GOTOOLCHAIN from auto to local across all workflows so Go uses exactly the
version installed by setup-go without attempting auto-downloads that can
silently fall back to an older release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Upgrades github.com/buger/jsonparser to v1.1.2 in the CrowdSec
dependency patch block to fix a panic in Delete() caused by a
negative slice index on malformed JSON input. Affects both the
crowdsec and cscli binaries.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chore(deps): update go-non-major to v1.75.0
chore(deps): update go-non-major to v1.2.0
actions-user and others added 23 commits June 18, 2026 03:22
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jeremy <jhatfield82@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jeremy <jhatfield82@gmail.com>
The react-hook-form@7.80.0 tarball was republished on the npm registry
after the package-lock.json was generated, producing a different SHA-512
digest. npm ci --ignore-scripts in the Docker Alpine build layer failed
with EINTEGRITY because the stored hash no longer matched the served tarball.

Updated the integrity field from the stale sha512-mhYp/... to the current
sha512-4P+fk6... value, which resolves the Docker build failure.
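
A review-time check for the situation in the commit message above, where a lockfile integrity value changes while the package version does not. This is an added example, not code from the repository; the function names and all integrity strings are constructed, and only the package names and versions come from this page.

```javascript
// Added example, not the project's code. Lockfile shape follows npm's
// package-lock.json "packages" map; all integrity values are constructed.
function integrityChanges(oldLock, newLock) {
  const findings = [];
  const before = oldLock.packages || {};
  for (const [path, now] of Object.entries(newLock.packages || {})) {
    const was = before[path];
    if (!was || !was.integrity || !now.integrity) continue; // new, linked or workspace entry
    if (was.integrity === now.integrity) continue;
    const sameArtifact = was.version === now.version && was.resolved === now.resolved;
    findings.push({
      path,
      version: now.version,
      // Same version and URL but different bytes: the registry served a new tarball.
      kind: sameArtifact ? 'republished' : 'upgrade',
    });
  }
  return findings;
}

const entry = (name, version, integrity) => ({
  version,
  resolved: `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`,
  integrity,
});

const OLD_LOCK = { packages: {
  'node_modules/react-hook-form': entry('react-hook-form', '7.80.0', 'sha512-CONSTRUCTED-OLD'),
  'node_modules/nanoid': entry('nanoid', '3.3.13', 'sha512-CONSTRUCTED-A'),
  'node_modules/lucide-react': entry('lucide-react', '1.21.0', 'sha512-CONSTRUCTED-B'),
} };
const NEW_LOCK = { packages: {
  'node_modules/react-hook-form': entry('react-hook-form', '7.80.0', 'sha512-CONSTRUCTED-NEW'),
  'node_modules/nanoid': entry('nanoid', '3.3.14', 'sha512-CONSTRUCTED-C'),
  'node_modules/lucide-react': entry('lucide-react', '1.21.0', 'sha512-CONSTRUCTED-B'),
} };

// Only the republished entries need a human to confirm the new digest out of band.
function needsReview() {
  return integrityChanges(OLD_LOCK, NEW_LOCK).filter((f) => f.kind === 'republished');
}
```
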
* chore(deps): update dockerfile-non-major to v1.77.0

* fix: eliminate TempDir cleanup race in database tests

runQuickCheck ran as an untracked goroutine, leaving WAL/SHM file
handles open when t.TempDir() cleanup fired, causing intermittent
"directory not empty" failures.

Introduce launchQuickCheck (defaults to the goroutine) so tests can
override it to run synchronously via TestMain, ensuring the integrity
check connection is closed before temp dirs are removed.

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jeremy <jhatfield82@gmail.com>
Co-authored-by: GitHub Actions <actions@github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jeremy <jhatfield82@gmail.com>
* chore(deps): update actions/checkout action to v7

* fix(auth): ensure server-side session is invalidated before local state clears on logout

The logout() function in AuthContext was clearing React/localStorage state
before the backend POST /auth/logout completed. Because the onClick handler
never awaits the returned Promise, React redirected to /login (and Playwright's
waitForURL resolved) while the session_version increment and cookie-clearing
were still in-flight. Any immediate check against /api/v1/auth/me would receive
200 via the still-valid auth_token cookie (Firefox accepts Secure cookies on
http://127.0.0.1), causing the E2E "Session isolation after logout and re-login"
test to fail consistently.

Fix: call the backend first (cookie still authenticates it), then clear local
state in a finally block so local and server-side state are always consistent.

Also fix a flaky Playwright test ("User cannot promote self to admin") where
page.goto('/users') raced with Login.tsx's pending invalidateQueries→navigate('/')
chain. Adding waitForURL+waitForLoadingComplete after loginWithCredentials
ensures the app settles on the dashboard before navigating.

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jeremy <jhatfield82@gmail.com>
Co-authored-by: GitHub Actions <actions@github.com>
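
The two logout orderings from the commit message above, run against an in-memory stand-in for the backend. This is an added example, not the project's AuthContext code; `makeBackend`, `makeClient`, `run` and the state fields are hypothetical names, and the stand-in only models a session version that the still-present cookie is checked against.

```javascript
// Added example, not the project's code. makeBackend() is a constructed in-memory
// stand-in: the auth cookie authenticates until POST /auth/logout has completed.
function makeBackend({ failLogout = false } = {}) {
  let sessionVersion = 1;
  const cookieVersion = 1; // version carried by the token the browser still sends
  return {
    async logout() {
      await new Promise((resolve) => setTimeout(resolve, 10)); // request in flight
      if (failLogout) throw new Error('network error');
      sessionVersion += 1; // server-side invalidation
    },
    me: () => (cookieVersion === sessionVersion ? 200 : 401),
  };
}

// Hypothetical client: clearing `user` is what makes the router redirect to /login,
// so we record what /auth/me would answer at that exact moment.
function makeClient(backend) {
  const state = { user: 'alice', meStatusAtRedirect: null };
  const clearLocal = () => {
    state.user = null;
    state.meStatusAtRedirect = backend.me();
  };
  return {
    state,
    // Ordering described as the bug: local state first, request left in flight.
    logoutLocalFirst() {
      clearLocal();
      return backend.logout().catch(() => {});
    },
    // Ordering described as the fix: server first, local clear in finally.
    async logoutServerFirst() {
      try {
        await backend.logout();
      } catch {
        // request failed: still fall through to the local clear
      } finally {
        clearLocal();
      }
    },
  };
}

// Runs one ordering against a fresh backend and returns the client state.
async function run(method, backendOptions) {
  const client = makeClient(makeBackend(backendOptions));
  await client[method]();
  return client.state;
}
```

In this model, a logout request that fails still clears local state, while the cookie keeps authenticating on the server side.
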
Automated checksum update for GeoLite2-Country.mmdb database.

Old: 11b88595d026953920668d91f6d531057b397f05170237fc98a13a8b051ab861
New: 6e9212f23d3279a2454404d3b2a7ac30159fddbb9870ba33763014877296455c

Auto-generated by: .github/workflows/update-geolite2.yml

Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>
@github-actions (bot) added the automated and weekly-promotion labels Jun 22, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

✅ Supply Chain Verification Results

PASSED

📦 SBOM Summary

  • Components: 1485

🔍 Vulnerability Scan

Severity | Count
🔴 Critical | 0
🟠 High | 0
🟡 Medium | 12
🟢 Low | 3
Total | 15

📎 Artifacts

  • SBOM (CycloneDX JSON) and Grype results available in workflow artifacts

Generated by Supply Chain Verification workflow • View Details

@Wikid82 Wikid82 merged commit 3687b94 into main Jun 23, 2026
63 of 65 checks passed