build(deps): bump actions/checkout from 4 to 6 #5
Closed
dependabot[bot] wants to merge 1 commit into
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Labels: The following labels could not be found: Please fix the above issues or remove invalid values from
Looks like actions/checkout is up-to-date now, so this is no longer needed.
emeraldleaf added a commit that referenced this pull request on May 24, 2026:
#25) * fix(service-defaults): security trio — middleware order, JWT, error trace ID

Three small but distinct security hardening fixes in ServiceDefaults (addresses architecture-review findings #3, #5, #6).

1. MIDDLEWARE ORDER — CorrelationIdMiddleware after UseAuthentication

   The middleware reads ClaimTypes.NameIdentifier from context.User to populate the UserId logger scope key. Pre-auth, context.User is empty, so UserId was silently always null for every authenticated request — defeating half the context-propagation pipeline. UserId never made it into log scopes from the HTTP entry point and never reached Wolverine envelope headers via the ActivityBaggage → OutgoingContextMiddleware path.

   Reordered: UseExceptionHandler → UseAuthentication → UseAuthorization → CorrelationIdMiddleware. ExceptionHandler stays first so it still wraps everything below it.

2. JWT — explicit ValidateIssuerSigningKey + tightened ClockSkew

   ValidateIssuerSigningKey was implicit (JWT Bearer's default validates against JWKS-discovered keys). Made explicit so it's auditable + prevents a future config change from silently disabling it.

   ClockSkew defaulted to 5 MINUTES. Revoked/expired tokens were accepted for 5 extra minutes — material on typical 15-minute access-token lifetimes. Set to 30 seconds: covers reasonable inter-server clock drift, doesn't give attackers a long replay window.

3. EXCEPTION HANDLER — TraceId only, not full Activity.Id

   Activity.Current?.Id returns the full W3C traceparent ("00-<trace>-<span>-<flags>") and we were embedding that in every ProblemDetails response. The span ID is information about server-side handler call structure that clients have no business seeing. Switched to Activity.Current?.TraceId.ToString() — same correlation utility, no leak of internal call graph.

None of the three needed any consumer changes; all are internal to ServiceDefaults.

Build clean (the one CS0436 warning is the pre-existing benchmarks Program-conflict; unaffected).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(service-defaults): place CorrelationIdMiddleware between Auth and Authz

CodeRabbit (PR #25) flagged that the previous fix moved the middleware too far down — to AFTER UseAuthorization — which works for populating UserId but drops the audit trail for 401/403 unauthorized-attempt logs.

Correct placement is BETWEEN UseAuthentication and UseAuthorization:

    app.UseExceptionHandler();
    app.UseAuthentication();                       // populates context.User
    app.UseMiddleware<CorrelationIdMiddleware>();  // reads User, opens scope
    app.UseAuthorization();                        // any 401/403 here has UserId in scope

Two reasons:

1. CorrelationIdMiddleware needs context.User populated to read NameIdentifier (the original ordering bug — pre-auth, User was empty and UserId was always null).

2. Placing it BEFORE Authorization means the UserId scope is active during the authorization decision. If a user is rejected, the log line says "user X tried Y and was denied" — the audit trail we need. My previous fix dropped this by placing the middleware after Authorization, which would only attribute requests that actually passed authorization.

Build clean. Single-line move of one app.UseMiddleware call.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* test(service-defaults): unit tests for JWT options + GlobalExceptionHandler

Covers the production-code changes in this PR so Codecov's patch-coverage gate stops complaining (was 8.33%; the prior fixes were uncovered because ServiceDefaults had no dedicated tests).

GlobalExceptionHandlerTests (3):

- TryHandleAsync_WhenActivityIsActive_ReturnsTraceIdOnly_NotFullActivityId: pins the security-critical change (Activity.Id → TraceId.ToString()). Asserts the response traceId equals activity.TraceId.ToString(), NOT activity.Id (which is the full W3C traceparent including span ID). Also asserts no hyphens — distinguishes the bare trace from the full "00-trace-span-flags" format.
- TryHandleAsync_WhenNoActivity_FallsBackToHttpContextTraceIdentifier: covers the null-coalesce path.
- TryHandleAsync_AlwaysReturnsProblemDetailsWithGenericDetail_NeverExceptionMessage: defense against information disclosure (CLAUDE.md "Error Handling"). Asserts the raw exception message doesn't appear in the response body even when the message contains sensitive-looking content like SQL.

ServiceDefaultsJwtTests (3):

- AddServiceDefaults_WhenAuthorityConfigured_SetsExplicitSigningKeyValidation
- AddServiceDefaults_WhenAuthorityConfigured_SetsTightClockSkew
- AddServiceDefaults_WhenAuthorityConfigured_RetainsCoreValidations

All three boot a real Host.CreateApplicationBuilder + AddServiceDefaults with a configured authority, resolve the IOptionsMonitor<JwtBearerOptions>, and assert the TokenValidationParameters. Pins both the new hardening (ClockSkew=30s, ValidateIssuerSigningKey=true) AND the pre-existing core validations (Audience/Issuer/Lifetime) so a future refactor can't drop either silently.

All 6 tests pass in 0.7s. Build clean (the one CS0436 warning is the pre-existing benchmarks Program-conflict; unaffected).

Test placement follows the existing convention — ServiceDefaults tests live in service-test projects (OrderService.Tests.Unit/Application/ already has ContextPropagationMiddlewareTests, CorrelationIdMiddlewareTests, OutgoingContextMiddlewareTests). Not ideal long-term (duplication risk across the 4 service test projects), but matches the established pattern.

The middleware-ordering change in Extensions.cs is harder to unit-test — it requires booting WebApplicationFactory and asserting the order of middleware execution at request time. Filed as a project-board issue for later; the JWT and ExceptionHandler tests cover the highest-risk lines of this PR (security hardening that could silently regress).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
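The three hardening points in the commit above (middleware placed between authentication and authorization, explicit `ValidateIssuerSigningKey` with a 30-second `ClockSkew`, and a ProblemDetails handler that exposes only the trace id) collected into one minimal ASP.NET Core `Program.cs`. This is an added illustration, not the project's ServiceDefaults code: the `CorrelationIdMiddleware` and `TraceIdOnlyExceptionHandler` classes here are stand-ins (the real middleware also propagates correlation headers, which the page does not show), and the `Jwt:Authority` configuration key and `example-api` audience are assumptions. It needs the `Microsoft.AspNetCore.Authentication.JwtBearer` package on .NET 8 or later.

```csharp
using System.Diagnostics;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical config key; the commit only says "a configured authority".
var authority = builder.Configuration["Jwt:Authority"] ?? "https://issuer.example.invalid";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = authority;
        options.Audience = "example-api"; // placeholder audience
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Core validations the commit's tests pin as "retained".
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            // Explicit rather than relying on the JWT Bearer default, so a
            // later configuration edit cannot silently disable it.
            ValidateIssuerSigningKey = true,
            // The library default is 5 minutes; 30 s still covers
            // inter-server drift without extending an expired token's life.
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });
builder.Services.AddAuthorization();
builder.Services.AddProblemDetails();
builder.Services.AddExceptionHandler<TraceIdOnlyExceptionHandler>();

var app = builder.Build();

// Order from the commit: exception handler first so it wraps everything,
// authentication populates context.User, the correlation middleware reads
// it, and authorization runs last so any 401/403 is logged with UserId in scope.
app.UseExceptionHandler();
app.UseAuthentication();
app.UseMiddleware<CorrelationIdMiddleware>();
app.UseAuthorization();

app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous")
   .RequireAuthorization();

app.Run();

// Hypothetical stand-in: opens a logger scope carrying the authenticated
// user's NameIdentifier claim. Placed before UseAuthentication this would
// always read an empty principal and log UserId = null.
sealed class CorrelationIdMiddleware(RequestDelegate next, ILogger<CorrelationIdMiddleware> logger)
{
    public async Task InvokeAsync(HttpContext context)
    {
        var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);
        using (logger.BeginScope(new Dictionary<string, object?> { ["UserId"] = userId }))
        {
            await next(context);
        }
    }
}

// Hypothetical stand-in for the project's GlobalExceptionHandler: returns a
// generic ProblemDetails whose traceId is the bare 32-hex-character trace id,
// never the full "00-<trace>-<span>-<flags>" traceparent and never the
// exception message.
sealed class TraceIdOnlyExceptionHandler(IProblemDetailsService problemDetails) : IExceptionHandler
{
    public async ValueTask<bool> TryHandleAsync(
        HttpContext httpContext, Exception exception, CancellationToken cancellationToken)
    {
        httpContext.Response.StatusCode = StatusCodes.Status500InternalServerError;

        // Activity.Current?.Id would leak the span id; TraceId alone is enough
        // to correlate with server-side logs. Fall back to the request id
        // when no Activity is active.
        var traceId = Activity.Current?.TraceId.ToString() ?? httpContext.TraceIdentifier;

        return await problemDetails.TryWriteAsync(new ProblemDetailsContext
        {
            HttpContext = httpContext,
            ProblemDetails = new ProblemDetails
            {
                Status = StatusCodes.Status500InternalServerError,
                Title = "An error occurred while processing your request.",
                Extensions = { ["traceId"] = traceId },
            },
        });
    }
}
```

Run it with `dotnet run` and hit `/whoami` without a token: the 401 is emitted inside `UseAuthorization`, after the `UserId` scope has been opened, which is the audit-trail property the second commit describes. Throwing from any endpoint produces a body whose `traceId` contains no hyphens and whose text never includes `exception.Message`, the two properties the `GlobalExceptionHandlerTests` in the third commit assert.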
emeraldleaf added a commit that referenced this pull request on May 25, 2026:
…SA services)

Adds an entry to "Recently landed" capturing:
- Motivation (Anton Martyniuk's "6 .NET Trends" #5 + #6, simplicity-team reviewer optics)
- What changed across each service (rules → OrderService → ShippingService → PaymentService → NotificationService → CatalogService carve-out)
- The PaymentRecoveryJob outbox-atomic wrap that got inlined
- The CatalogService Clean-Architecture carve-out and why it's load-bearing
- Test coverage: 23 mocked-repo handler tests deleted (existing integration suite covers most; remaining gap acknowledged for Shipping + Payment integration projects)
- Walkthrough updates

Updates "Last updated" timestamp to reflect this change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
emeraldleaf added a commit that referenced this pull request on Jun 3, 2026:
…Project board (#83)

## Summary

Moves open work tracking from STATUS.md "Open issues" into GitHub Issues with structured labels (type/*, area/*, priority/*, rule-encoding-deferred) and a Project board for visual triage. STATUS.md becomes a thin entry-point doc.

The Continuous Rule Encoding loop in CLAUDE.md gets surface #5 updated from "docs/STATUS.md Open issues" to "GitHub Issues" — the reflexive step for deferred encodings now creates an issue with `rule-encoding-deferred` label.

## Changes

- `.github/ISSUE_TEMPLATE/work-item.yml` — new Issue Form template (What / Why / Acceptance / Notes structure) used by `gh issue create`
- `.github/ISSUE_TEMPLATE/config.yml` — disables blank issues, points at dev-loop.md
- `docs/STATUS.md` — trimmed 211 → 86 lines; removed the 13-bullet "Open issues / known gaps" section (all migrated to issues); kept "Where we are", "Build/test state", "How to run", "What's next" (now linking to the board), conditional follow-ups (multi-replica, polyrepo) that aren't issues by their nature, and source-of-truth links
- `CLAUDE.md` "Continuous Rule Encoding" surface #5 — STATUS.md → GitHub Issues with the labels callout
- `docs/dev-loop.md` six-surfaces table row #5 — same update
- `.github/AI_WORKFLOW.md` — "Open issues stay in STATUS.md" → "Open work lives in GitHub Issues; STATUS.md is the entry-point doc"
- `docs/ef-core.md` line 409 — STATUS.md "Open issues" reference → GitHub Issues with the area/infra label filter

## What's now in GitHub Issues (18 opened today)

Migrated from STATUS.md "Open issues" + this session's follow-ups + dev-loop "Gaps" section:

- #65 [epic] Full-saga Hetzner+Dokploy deployment (priority/now)
- #66 Align dev-loop.md Promotion Signal table with CLAUDE.md (priority/now, rule-encoding-deferred)
- #67 Decide fate of AWS deploy workflow (needs-design)
- #68 Cross-service integration tests over real ASB wire (priority/next)
- #69 Order cancellation flow (ORD-08) (priority/next)
- #70 PaymentRecoveryJob: replay gateway with idempotency key (priority/next)
- #71 Batch Catalog gRPC: ValidateLines (priority/next)
- #72 [epic/blocked] Wolverine 5.x → 6.x migration
- #73 Performance baselines under sustained load
- #74 Production migration deploy job (gated)
- #75 Codecov coverage gate
- #76 AppHost smoke run scheduled job
- #77 Service-to-service auth (mTLS or per-service tokens) (needs-design)
- #78 DTO payload audit
- #79 EF migration FQN snapshot cleanup
- #80 Re-introduce .gitleaks.toml when scanner ≥ 8.25 ships (blocked)
- #81 GitHub Actions SHA pinning
- #82 Generalize PaymentRepository.ExecuteInTransactionAsync pattern

## Labels created

- `type/*` (bug, feature, refactor, docs, chore, security, perf, test, epic)
- `area/*` (catalog, order, payment, shipping, notification, infra, testing, ci, docs, claude, security)
- `priority/*` (now, next, later)
- Workflow: `blocked`, `needs-design`, `rule-encoding-deferred`
- Dependabot expected: `dependencies`, `nuget`, `github-actions`

## Project board

Not created in this PR (gh CLI needs `project` scope refresh). User creates in the web UI: Settings → Projects → New → Board. Recommended columns: Backlog, Next, In Progress, In Review, Done.

## Why this matters

This session showed how often "what's next?" came up — five+ times, each answered by re-running `gh pr list` and parsing the queue. A Project board + issues answer that with one glance. STATUS.md got dual-duty as narrative entry-point AND open-work list; the dual duty made it fragile.

The code-side loop (CLAUDE.md → PR → CodeRabbit → encode) stays unchanged. This PR adds the work-planning loop alongside it.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Bumps actions/checkout from 4 to 6.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)