forked from tailscale/tailscale
feat(ci): Bump to upstream v1.94.1 #31
Merged
Adds an observation point that may identify potentially abusive traffic patterns at outlier values. Updates tailscale/corp#24681 Signed-off-by: James Tucker <james@tailscale.com>
Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
…tion Updates tailscale#17852 Change-Id: I42a64a990dcc8f708fa23a516a40731a19967aba Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Skip the "request review" workflows for PRs that are in draft to reduce noise / skip adding reviewers to PRs that are intentionally marked as not ready to review. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.1.7 to 5.4.21. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 5.4.21 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 1.3.1 to 1.6.1. - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v1.6.1/packages/vitest) --- updated-dependencies: - dependency-name: vitest dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6. - [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md) - [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6) --- updated-dependencies: - dependency-name: cross-spawn dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-version: 3.0.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Restrict running the golangci-lint workflow to when the workflow file itself or a .go file, go.mod, or go.sum have actually been modified. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
…le#17596) * cmd/k8s-operator: add support for tailscale.com/http-redirect The k8s-operator now supports a tailscale.com/http-redirect annotation on Ingress resources. When enabled, this automatically creates port 80 handlers that automatically redirect to the equivalent HTTPS location. Fixes tailscale#11252 Signed-off-by: Fernando Serboncini <fserb@tailscale.com> * Fix for permanent redirect Signed-off-by: Fernando Serboncini <fserb@tailscale.com> * lint Signed-off-by: Fernando Serboncini <fserb@tailscale.com> * warn for redirect+endpoint Signed-off-by: Fernando Serboncini <fserb@tailscale.com> * tests Signed-off-by: Fernando Serboncini <fserb@tailscale.com> --------- Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
The call for populateTLSSecret was broken between PRs. Updates #cleanup Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
Updates tailscale/corp#34676 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Thanks to seamless key renewal, you can now do a force-reauth without losing your connection in all circumstances. We softened the interactive warning (see tailscale#17262) so let's soften the help text as well. Updates tailscale/corp#32429 Signed-off-by: Alex Chan <alexc@tailscale.com>
Updates #cleanup Signed-off-by: Alex Chan <alexc@tailscale.com>
The cache artifacts from a full run of test.yml are 14GB. Only save artifacts from the main branch to ensure we don't thrash too much. Most branches should get decent performance with a hit from recent main. Fixes tailscale/corp#34739 Change-Id: Ia83269d878e4781e3ddf33f1db2f21d06ea2130f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Implements a new disk put function for cigocacher that does not cause locking issues on Windows when there are multiple processes reading and writing the same files concurrently. Integrates cigocacher into test.yml for Windows where we are running on larger runners that support connecting to private Azure vnet resources where cigocached is hosted. Updates tailscale/corp#10808 Change-Id: I0d0e9b670e49e0f9abf01ff3d605cd660dd85ebb Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Does not affect code. Updates #cleanup Signed-off-by: Naasir <yoursdeveloper@protonmail.com>
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
111 is 3 years old, and there have been a lot of speed improvements since then. We run wasm-opt twice as part of the CI wasm job, and it currently takes about 3 minutes each time. With 125, it takes ~40 seconds, a 4.5x speed-up. Updates #cleanup Change-Id: I671ae6cefa3997a23cdcab6871896b6b03e83a4f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
…ale#18014) Add support for pinning specific Tailscale versions during installation via the TAILSCALE_VERSION environment variable. Example usage: curl -fsSL https://tailscale.com/install.sh | TAILSCALE_VERSION=1.88.4 sh Fixes tailscale#17776 Signed-off-by: Raj Singh <raj@tailscale.com>
Updates tailscale/corp#33352 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
Updates: tailscale.com/corp#34148 Signed-off-by: Gesa Stupperich <gesa@tailscale.com>
Fixes tailscale#18112 Change-Id: I85d5c482b01673799d51faeb6cb0579903597502 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
We got a flake in https://github.com/tailscale/tailscale/actions/runs/19867229792/job/56933249360 but it's not obvious to me where it failed. Make it more robust and print out more useful error messages for next time. Updates tailscale/corp#10808 Change-Id: I9ca08ea1103b9ad968c9cc0c42a493981ea62435 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Updates tailscale/corp#34813 Change-Id: I926f1bad5bf143d82ddb36f51f70deb24fa11e71 Signed-off-by: Alex Chan <alexc@tailscale.com>
This commit uses SO_REUSEPORT (when supported) to bind multiple sockets per address family. Increasing the number of sockets can increase aggregate throughput when serving many peer relay client flows. Benchmarks show 3x improvement in max aggregate bitrate in some environments. Updates tailscale/corp#34745 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Updates tailscale#18122 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Previously, callers of (*LocalBackend).resetControlClientLocked were supposed to call Shutdown on the returned controlclient.Client after releasing b.mu. In tailscale#17804, we started calling Shutdown while holding b.mu, which caused deadlocks during profile switches due to the (*ExecQueue).RunSync implementation. We first patched this in tailscale#18053 by calling Shutdown in a new goroutine, which avoided the deadlocks but made TestStateMachine flaky because the shutdown order was no longer guaranteed. In tailscale#18070, we updated (*ExecQueue).RunSync to allow shutting down the queue without waiting for RunSync to return. With that change, shutting down the control client while holding b.mu became safe. Therefore, this PR updates (*LocalBackend).resetControlClientLocked to shut down the old client synchronously during the reset, instead of returning it and shifting that responsibility to the callers. This fixes the flaky tests and simplifies the code. Fixes tailscale#18052 Signed-off-by: Nick Khyl <nickk@tailscale.com>
…ofile switch (tailscale#18126) If a packet arrives while WireGuard is being reconfigured with b.mu held, such as during a profile switch, calling back into (*LocalBackend).GetPeerAPIPort from (*Wrapper).filterPacketInboundFromWireGuard may deadlock when it tries to acquire b.mu. This occurs because a peer cannot be removed while an inbound packet is being processed. The reconfig and profile switch wait for (*Peer).RoutineSequentialReceiver to return, but it never finishes because GetPeerAPIPort needs b.mu, which the waiting goroutine already holds. In this PR, we make peerAPIPorts a new syncs.AtomicValue field that is written with b.mu held but can be read by GetPeerAPIPort without holding the mutex, which fixes the deadlock. There might be other long-term ways to address the issue, such as moving peer API listeners from LocalBackend to nodeBackend so they can be accessed without holding b.mu, but these changes are too large and risky at this stage in the v1.92 release cycle. Updates tailscale#18124 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Updates tailscale#7436 Signed-off-by: Andrew Dunham <andrew@tailscale.com>
QR codes are used by `tailscale up --qr` to provide an easy way to open a web-page without transcribing a difficult URI. However, there’s no need for this feature if the client will never be called interactively. So this PR adds the `ts_omit_qrcodes` build tag. Updates tailscale#18182 Signed-off-by: Simon Law <sfllaw@tailscale.com>
Add support for authenticating the gitops-pusher using workload identity federation. Updates tailscale/corp#34172 Signed-off-by: Mario Minardi <mario@tailscale.com>
To prevent peer relay servers from sending packets *over* Tailscale. Updates tailscale/corp#35651 Signed-off-by: Jordan Whited <jordan@tailscale.com>
Prior to this change, we were resetting the tsnet's serve config every time tsnet.Server.Up was run. This is important to do on startup, to prevent messy interactions with stale configuration when the code has changed. However, Up is frequently run as a just-in-case step (for example, by Server.ListenTLS/ListenFunnel and possibly by consumers of tsnet). When the serve config is reset on each of these calls to Up, this creates situations in which the serve config disappears unexpectedly. The solution is to reset the serve config only on the first call to Up. Fixes tailscale#8800 Updates tailscale/corp#27200 Signed-off-by: Harry Harpham <harry@tailscale.com>
Previously the funnel listener would leave artifacts in the serve config. This caused weird out-of-sync effects like the admin panel showing that funnel was enabled for a node, but the node rejecting packets because the listener was closed. This change resolves these synchronization issues by ensuring that funnel listeners clean up the serve config when closed. See also: tailscale@e109cf9 Updates #cleanup Signed-off-by: Harry Harpham <harry@tailscale.com>
Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Expose the node's home DERP region ID as a Prometheus gauge via the usermetrics endpoint. Fixes tailscale#18061 Signed-off-by: Raj Singh <raj@tailscale.com>
Updates tailscale#18376 (follow up on feedback) Signed-off-by: Harry Harpham <harry@tailscale.com>
Updates #cleanup Signed-off-by: Harry Harpham <harry@tailscale.com>
…ale#18395) Fixes a bug where, for kube HA proxies, TLS certs for the replica responsible for cert issuance were loaded in memory on startup, although the in-memory store was not updated after renewal (to avoid failing re-issuance for re-created Ingresses). Now the 'write' replica always reads certs from the kube Secret. Updates tailscale#18394 Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
…tailscale#18398) Recently, the golangci-lint workflow has been taking longer and longer to complete, causing it to timeout after the default of 5 minutes. Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: context deadline exceeded Timeout exceeded: try increasing it by passing --timeout option This PR upgrades actions/setup-go to version 6, the latest, and enables caching for Go modules and build outputs. This should speed up linting because most packages won’t have to be downloaded over and over again. Fixes tailscale#18366 Signed-off-by: Simon Law <sfllaw@tailscale.com>
Updates tailscale/corp#31174 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Updates tailscale/corp#31174 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
…tailscale#18373) Adds the ability to detect what provider the client is running on and tries to fetch the ID token to use with Workload Identity. Updates tailscale/corp#33316 Signed-off-by: Danni Popova <danni@tailscale.com>
…ck to ./tool/go (tailscale#18409) If local tailscale/tailscale checkout is not available, pull cigocacher remotely. Fall back to ./tool/go if no other Go installation is present. Updates tailscale/corp#32493 Signed-off-by: Irbe Krumina <irbekrm@gmail.com>
Allow for optionally specifying an audience for tsnet. This is passed to the underlying identity federation logic to allow for tsnet auth to use automatic ID token generation for authentication. Updates tailscale/corp#33316 Signed-off-by: Mario Minardi <mario@tailscale.com>
Allow for optionally specifying an audience for containerboot. This is passed to tailscale up to allow for containerboot to use automatic ID token generation for authentication. Updates tailscale/corp#34430 Signed-off-by: Mario Minardi <mario@tailscale.com>
…ge) (tailscale#18173) Updates tailscale#18198 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Co-authored-by: James Tucker <raggi@tailscale.com>
) Recently, the golangci-lint workflow has been taking longer and longer to complete, causing it to timeout after the default of 5 minutes. Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: context deadline exceeded Timeout exceeded: try increasing it by passing --timeout option Although PR tailscale#18398 enabled the Go module cache, bootstrapping with a cold cache still takes too long. This PR doubles the default 5 minute timeout for golangci-lint to 10 minutes so that golangci-lint can finish downloading all of its dependencies. Note that this doesn’t affect the 5 minute timeout configured in .golangci.yml, since running golangci-lint on your local instance should still be plenty fast. Fixes tailscale#18366 Signed-off-by: Simon Law <sfllaw@tailscale.com>
Signed-off-by: Nick O'Neill <nick@tailscale.com>
…le#18428) fixes tailscale#18418 Both Serve and PeerAPI broke when we moved the TailscaleInterfaceName into State, which is updated asynchronously and may not be available when we configure the listeners. This extracts the explicit interface name property from netmon.State and adds as a static struct with getters that have proper error handling. The bug is only found in sandboxed Darwin clients, where we need to know the Tailscale interface details in order to set up the listeners correctly (they must bind to our interface explicitly to escape the network sandboxing that is applied by NECP). Currently only sandboxed macOS and Plan9 set this but it will also be useful on Windows to simplify interface filtering in netns. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com> (cherry picked from commit 643e91f)
This change adds API to ipn.LocalBackend to retrieve the ETag when querying for the current serve config. This allows consumers of ipn.LocalBackend.SetServeConfig to utilize the concurrency control offered by ETags. Previous to this change, utilizing serve config ETags required copying the local backend's internal ETag calculation. The local API server was previously copying the local backend's ETag calculation as described above. With this change, the local API server now uses the new ETag retrieval function instead. Serve config ETags are therefore now opaque to clients, in line with best practices. Fixes tailscale/corp#35857 Signed-off-by: Harry Harpham <harry@tailscale.com> (cherry picked from commit 1b88e93)
This change allows tsnet nodes to act as Service hosts by adding a new function, tsnet.Server.ListenService. Invoking this function will advertise the node as a host for the Service and create a listener to receive traffic for the Service. Fixes tailscale#17697 Fixes tailscale/corp#27200 Signed-off-by: Harry Harpham <harry@tailscale.com> (cherry picked from commit 3840183)
…nts (tailscale#18393,tailscale#18452) (tailscale#18459) * k8s-operator,kube: allowing k8s api request events to be enabled via grants (tailscale#18393) Updates #35796 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> (cherry picked from commit 1cc6f32) * k8s-operator,kube: remove enableSessionRecording from Kubernetes Cap Map (tailscale#18452) * k8s-operator,kube: removing enableSessionRecordings option. It seems like it is going to create a confusing user experience and it's going to be a very niche use case, so we have decided to defer this for now. Updates tailscale/corp#35796 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * k8s-operator: adding metric for env var deprecation Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> (cherry picked from commit 7213b35) --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Release 1.94.1
anthr76
approved these changes
Jan 27, 2026
https://tailscale.com/changelog#2026-01-26
This takes this repo from 1.92.5 > 1.94.1