Update v1.15.6 #27

Merged
merged 548 commits into from
Jun 17, 2024

ubergesundheit

No description provided.

xmulligan and others added 30 commits April 11, 2024 23:24
[ upstream commit 0976a1b ]

The Hubble OTel repo is going to be archived so it should be removed from the roadmap

Signed-off-by: Bill Mulligan <billmulligan516@gmail.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 9e89397 ]

Descendants and Ancestors cannot share the same
traversal method, because Descendants needs to be
able to select at least one in-trie key-prefix match
that may not be a full match for the argument key-prefix.
The old traversal method worked for the Descendants
method if there happened to be an exact match of the
argument key-prefix in the trie. These new tests ensure
that Descendants will still return a proper list of
Descendants even if there is not an exact match in the
trie.

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Signed-off-by: Andrew Sauber <2046750+asauber@users.noreply.github.com>
Generated from https://github.com/cilium/cilium/actions/runs/8654016733.

Signed-off-by: Andrew Sauber <2046750+asauber@users.noreply.github.com>
The "unknown" status simply refers to components that accept a health
reporter scope, but have not declared their state as being either "ok"
or degraded.

This is a bit confusing, as this does not necessarily mean any problems
with Cilium.

In the future we may want to rework this state to distinguish between
unreported states and components that are "timing-out" reconciling a desired
state.

This PR simply removes displaying this information in `cilium-dbg
status`

Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
Signed-off-by: renovate[bot] <bot@renovateapp.com>
Signed-off-by: renovate[bot] <bot@renovateapp.com>
- Remove older versions we do not officially support anymore on v1.15.
- Make K8s 1.29 the default version on all platforms.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Signed-off-by: Cilium Imagebot <noreply@cilium.io>
[ upstream commit d20f15e ]

Enable errorlint in golangci-lint to catch uses of improper formatters
for Go errors. This helps avoid unnecessary error/warning logs that
cause CI flakes, when benign error cases are not caught due to failing
error unwrapping when a string or value formatter has been used instead
of the dedicated `%w`.

Related: cilium#31147
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit fe46958 ]

Precede each `%w` formatter with a colon.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit c3108c9 ]

Signed-off-by: Natalia Reka Ivanko <natalia@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit aea1ab8 ]

Signed-off-by: Natalia Reka Ivanko <natalia@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit b8050e5 ]

Global services do not work when KPR is disabled if accessed through
a NodePort, or from a host-netns pod, as kube-proxy doesn't know about
the remote backends. Let's make these limitations explicit.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 56ca923 ]

[ backporter's notes: minor adaptations as the InterfaceCandidates
  field was not scoped by IP family. ]

TestPrepareIPAllocation attempts to check that PrepareIPAllocation
produces the expected results. It avoids starting the ipam node manager
it constructs, likely trying to avoid starting the background
maintenance jobs.

However, manager.Upsert _does_ asynchronously trigger pool maintenance,
which results in an automated creation of an ENI with different params
than the test expects, and hence assertion failures.

This patch avoids the race condition by explicitly setting the instance
API readiness to false, which causes background pool maintenance to be
delayed and hence guarantees that the PrepareIPAllocation call runs in
the environment expected.

The following was used to reproduce this flake:

  go test -c -race ./pkg/alibabacloud/eni && stress -p 50 ./eni.test

The likelihood of hitting this flake approximates 0.02%, hence
reproducing requires a reasonably large number of runs, as well as high
load on the system to increase the likelihood of the flake (since it
does depend on the test being somewhat starved for CPU).

Signed-off-by: David Bimmler <david.bimmler@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit df3c02f ]

[ backporter's notes: dropped the session affinity changes, and
  backported only the introduction of the unique cluster id which,
  together with the interceptors backported as part of the next
  commit, prevents Cilium agents from incorrectly restarting an
  etcd watch against a different clustermesh-apiserver instance. ]

This commit makes changes to the helm templates for
clustermesh-apiserver to support deploying multiple replicas.

- Use a unique cluster id for etcd:

Each replica of the clustermesh-apiserver deploys its own discrete etcd
cluster. Utilize the K8s downward API to provide the Pod UUID to the
etcd cluster as an initial cluster token, so that each instance has a
unique cluster ID. This is necessary to distinguish connections to
multiple clustermesh-apiserver Pods using the same K8s Service.

- Use session affinity for the clustermesh-apiserver Service

Session affinity ensures that connections from a client are passed to
the same service backend each time. This will allow a Cilium Agent or
KVStoreMesh instance to maintain a connection to the same backend for
both long-living, streaming connections, such as watches on the kv
store, and short, single-response connections, such as checking the
status of a cluster. However, this can be unreliable if the l3/l4
loadbalancer used does not also implement sticky sessions to direct
connections from a particular client to the same cluster node.

Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 174e721 ]

[ backporter's notes: backported a stripped down version of the upstream
  commit including the introduction of the interceptors only, as fixing
  a bug occurring in a single clustermesh-apiserver configuration as
  well (during rollouts), by preventing Cilium agents from incorrectly
  restarting an etcd watch against a different clustermesh-apiserver
  instance. ]

In a configuration where there are multiple replicas of the
clustermesh-apiserver, each Pod runs its own etcd instance with a unique
cluster ID. This commit adds a `clusterLock` type, which is a wrapper
around a uint64 that can only be set once. `clusterLock` is used to
create gRPC unary and stream interceptors that are provided to the etcd
client to intercept and validate the cluster ID in the header of all
responses from the etcd server.

If the client receives a response from a different cluster, the
connection is terminated and restarted. This is designed to prevent
accepting responses from another cluster and potentially missing events
or retaining invalid data.

Since the addition of the interceptors allows quick detection of a
failover event, we no longer need to rely on endpoint status checks to
determine if the connection is healthy. Additionally, since service session
affinity can be unreliable, the status checks could trigger a false
failover event and cause a connection restart. To allow creating etcd
clients for ClusterMesh that do not perform endpoint status checks, the
option NoEndpointStatusChecks was added to ExtraOptions.

Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
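The set-once cluster ID check described in the commit message above, as an added illustration that is not the Cilium implementation: `clusterLock`, `responseHeader` and `validateStream` are constructed here, and `responseHeader` stands in for the etcd response header a real gRPC stream interceptor would inspect. It shows why pinning the first observed ID and rejecting any other lets a client detect a failover to a different clustermesh-apiserver replica instead of silently consuming its events.

```go
package main

import (
	"errors"
	"fmt"
	"sync/atomic"
)

// ErrClusterIDMismatch tells the caller to tear down the connection and
// reconnect rather than keep consuming responses from another cluster.
var ErrClusterIDMismatch = errors.New("etcd response from unexpected cluster")

// clusterLock pins the cluster ID seen in the first response; once set it
// can never change for the lifetime of the client (constructed type).
type clusterLock struct{ id atomic.Uint64 }

// check validates one response header's cluster ID. The first non-zero ID
// wins via compare-and-swap; every later response must carry the same ID.
func (c *clusterLock) check(clusterID uint64) error {
	if clusterID == 0 {
		return errors.New("missing cluster id in response header")
	}
	if c.id.CompareAndSwap(0, clusterID) {
		return nil // first response: pin the ID
	}
	if got := c.id.Load(); got != clusterID {
		return fmt.Errorf("%w: pinned %d, got %d", ErrClusterIDMismatch, got, clusterID)
	}
	return nil
}

// responseHeader is a constructed stand-in for etcd's response header.
type responseHeader struct{ ClusterID uint64 }

// validateStream applies check to each message of a watch stream, the way
// a stream interceptor would, and returns how many messages were accepted
// before the first rejected one (len(headers) if all were accepted).
func validateStream(lock *clusterLock, headers []responseHeader) (int, error) {
	for i, h := range headers {
		if err := lock.check(h.ClusterID); err != nil {
			return i, err
		}
	}
	return len(headers), nil
}

func main() {
	// Constructed stream: two responses from cluster 11, then a response
	// from cluster 22 after a failover to a different replica.
	stream := []responseHeader{{11}, {11}, {22}}
	n, err := validateStream(&clusterLock{}, stream)
	fmt.Println(n, err) // 2 etcd response from unexpected cluster: pinned 11, got 22
}
```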
[ upstream commit 7a98d56 ]

Update checkpatch image to pull the latest changes we've added: namely,
remove the wrapping of individual patch results in GitHub's workflows
interface, as it's annoying to click many times to find the commits with
issues.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
[ upstream commit f3e65bc ]

We want bpftool to be able to dump netkit programs, let's update the
image with a version that supports it.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
Signed-off-by: Cilium Imagebot <noreply@cilium.io>
Fixes: cilium#31944

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
Signed-off-by: renovate[bot] <bot@renovateapp.com>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Cilium Imagebot <noreply@cilium.io>
Signed-off-by: renovate[bot] <bot@renovateapp.com>
Signed-off-by: renovate[bot] <bot@renovateapp.com>
This is mainly to address the below CVE

GHSA-3mh5-6q8v-25wj

Related release: https://github.com/envoyproxy/envoy/releases/tag/v1.27.5

Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit 7da6514 ]

The firstGlobalAddr in pkg/node tried to pick public IPs over private IPs
even after picking by scope. Include this logic in the address sorting
and add a test case to check the different sorting predicates.

For NodePort pick the first private address if any, otherwise pick
the first public address.

Fixes: 5342d01 ("datapath/tables: Add Table[NodeAddress]")
Signed-off-by: Jussi Maki <jussi@isovalent.com>
Signed-off-by: Gray Liang <gray.liang@isovalent.com>
[ upstream commit 100e625 ]

This prevents possible shenanigans caused by search domains possibly
configured on the runner, and propagated to the pods.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Gray Liang <gray.liang@isovalent.com>
renovate bot and others added 28 commits June 3, 2024 02:08
Signed-off-by: renovate[bot] <bot@renovateapp.com>
[ upstream commit 2750123 ]

The only reason for that function to return an error is that the parent
context expired, which happens if the agent is being shut down while the
synchronization has not yet completed. Hence, let's just return, rather
than triggering a fatal error.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit cc7c27d ]

[ backporter's notes: hit multiple conflicts in clustermesh.go due to
  the different surrounding context, addressed with minor adaptations;
  additionally dropped the endpointslicesync and release notes related
  hunks, as not relevant in this context. ]

Upon agent and operator restart, we need to wait for full clustermesh
synchronization in multiple subsystems, to prevent breaking existing
cross-cluster connections due to e.g., garbage collection of valid
but not yet retrieved entries for a given remote cluster. However,
the absence of a timeout controlling this process is problematic as
well, as the impossibility of connecting to a remote cluster (e.g.,
due to a misconfiguration) can cause issues for local communication
due to the blocked GC operations.

Let's standardize the different wait for synchronization functions
to automatically return after a user configurable timeout (tunable
via the clustermesh-sync-timeout, and set to 1 minute by default)
elapses. This mimics and replaces the already existing timeout used
to unblock endpoint regeneration, generalizing it to all the other
resources as well. The existing flag is deprecated, but it still
takes precedence for consistency with the existing behavior.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Clears a CVE from appearing in the operator-generic image

Signed-off-by: Feroz Salam <feroz.salam@isovalent.com>
Signed-off-by: renovate[bot] <bot@renovateapp.com>
Signed-off-by: Cilium Imagebot <noreply@cilium.io>
[ upstream commit 3a4c57f ]

[ Backporter's notes: switch default to false - so not enabled by
default. Switch from testing package to checkmate in unit tests ]

Reduces GC CPU usage and memory allocations coming from XfrmStateList.
To ensure we have an up-to-date cache, wrap all XfrmState related
functions inside the cache, which is invalidated whenever XfrmState changes.

This is follow-up to cilium#32577
While that PR averages out CPU usage over time, in large clusters (100+
nodes) the amount of allocations coming from netlink.XfrmStateList() is high
due to backgroundSync where we usually don't change any Xfrm states.
This becomes more and more expensive as the number of nodes increases.

Added CI test to make sure that we don't accidentally add calls that
modify XFRMState without going through the cache.

Also, added hidden option that allows to turn off caching.

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
This commit is to bump envoy version to v1.28.4 for below CVEs:

- [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv)
- [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4)
- [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26)
- [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299)
- [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc)
- [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m)
- [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c)

Additionally, this build also includes a couple of Cilium fixes, more
details can be found in cilium#786.

Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.28.4
Relates: cilium/proxy#786

Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit b6dd0f4 ]

Signed-off-by: Taylor <tskinn12@gmail.com>
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit 7209275 ]

Whenever EKS stopped supporting a particular version of EKS, we had to
manually remove it from all stable branches. Now instead of that, we
will dynamically check if it's supported and only then run the test.

This implementation is not great as supported versions are hard-coded in
eksctl until EKS fixes it: aws/containers-roadmap#982 (comment)
Because of that, we always fetch newest eksctl version.

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit 686876c ]
[
  backporter notes:
  * added missing import for sets dependency in the route_policy.go
  * removed wellKnownCommunity variable in the route_policy_test.go
]

In cilium@27322f3, the CiliumLoadBalancerIPPool's field named "cidrs" was deprecated.  The documentation on https://docs.cilium.io/en/stable/network/lb-ipam/ provides an example of configuring a CiliumLoadBalancerIPPool using the field named "blocks".  While testing a BGP policy configured with the Advertised Path Attributes feature, I was not able to achieve the desired policy.  BGP attributes configured were not being applied.

While discussing this in Cilium's Slack channel, it was pointed out that the BGPv1 reconciler was only aware of the deprecated field.

This commit updates Cilium's BGPv1 reconciler to support both the deprecated and updated fields.

Fixes: cilium#32693

Signed-off-by: David Swafford <dswafford@coreweave.com>
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit 4b81d22 ]

Signed-off-by: Lukas Stehlik <stehlik.lukas@gmail.com>
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
[ upstream commit deee47c ]

With the introduction of 57db22b, Syft creates the sbom files under
the same directory the image digest files are created. This resulted in
the image-digest-output.txt file containing all the SBOMs unexpectedly.
Thus, using find, we will make sure that only the files that start with
"image-digests" are copied into the
image-digest-output.txt file.

Tested in https://github.com/aanm/cilium/actions/runs/9358191181

Fixes: 57db22b ("Generate SBOMs using Syft instead of bom")
Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
Signed-off-by: renovate[bot] <bot@renovateapp.com>
…9478ce

Signed-off-by: renovate[bot] <bot@renovateapp.com>
Signed-off-by: Cilium Imagebot <noreply@cilium.io>
This commit introduces checkpoint mechanism in the FQDN name manager
which writes all known FQDN selectors to disk. This allows future
versions of Cilium to read these selectors after upgrade and assign
IP identities based on selectors rather than CIDR prefixes.

This enables dropless upgrades from Cilium v1.15 to v1.16 for ToFQDN
policies. Without the knowledge of selectors during restoration, the
first endpoint regeneration in Cilium v1.16 may cause drops for IPs
selected by ToFQDN selectors.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
[ upstream commit: f93a40c ]

We have an iptables rule to set 0x200 mark for transparent socket:

```
*mangle
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
-A CILIUM_PRE_mangle -m socket --transparent -m mark ! --mark 0xe00/0xf00 -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff
```

This rule is in the mangle PREROUTING which checks packets ingressed
from a netdev.

Let's then focus on the pod to world traffic when IPsec=on + proxy=on +
tunnel=off.

Currently, a pod-to-world packet will go through the path:
1. from_lxc@lxc: skb->mark is set to 0x200 and returned to stack
2. iptables: skb is hijacked by tproxy (due to 0x200), to be accepted by proxy
3. proxy process: the old skb is consumed by proxy, a new skb is sent to upstream (world)
4. stack routing: the new skb is routed to eth0
5. stack iptables: the new skb is traversing OUTPUT chain and POSTROUTING chain
6. to_netdev@eth0: the new skb is going to world

Please note the new skb won't hit PREROUTING chain, where there is a
rule setting skb->mark=0x200.

To fix cilium#31984, we are going to
change the routing for packets from egress proxy; consequently, on the
step 4 above, the new skb will be routed to cilium_host instead:

4. stack routing: the new skb is routed to cilium_host
5. from_host@cilium_host: the new skb is returned to stack
6. to_host@cilium_net: the new skb is returned to stack
7. stack: PREROUTING, routing, FORWARD, POSTROUTING

Look at step 7, we are hitting PREROUTING! Because of
cilium/proxy#742, this to-world skb is also
linked to a transparent socket, matching the "-m socket --transparent"
condition, the packet will fortunately have the 0x200 mark.

If we do nothing, this to-world skb marked with 0x200 will then hit the
routing rule "from all fwmark 0x200/0xf00 lookup 2004" and be routed to
local. It should have gone to the world.

This patch fixes this future issue as a precaution (otherwise we'll
break git-bisect).

This patch provides a straightforward solution: at step 5
from_host@cilium_host, we set a special mark 0x800
(MARK_MAGIC_PROXY_TO_WORLD), then iptables can exclude this mark using
"-m mark ! --mark 0x800/0xf00".

Signed-off-by: gray <gray.liang@isovalent.com>
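To make the mark arithmetic behind the commit above concrete, the following added model (not Cilium code) implements the iptables `--mark value/mask` match, the `!` negation, `--set-xmark`, and the fwmark policy-routing rules quoted on this page, then walks a to-world skb carrying the 0x800 MARK_MAGIC_PROXY_TO_WORLD mark through the CILIUM_PRE_mangle rule with and without the new exclusion. `tproxyMangle` and `routeTable` are constructed names; the 0xb00/0xf00 rule is the one the later IPsec commit installs.

```go
package main

import "fmt"

// markMatch implements "-m mark [!] --mark value/mask":
// the rule matches when (skb->mark & mask) == value, inverted by "!".
func markMatch(mark, value, mask uint32, negate bool) bool {
	matched := mark&mask == value
	if negate {
		return !matched
	}
	return matched
}

// setXMark implements "-j MARK --set-xmark value/mask":
// clear the masked bits, then XOR in value.
func setXMark(mark, value, mask uint32) uint32 {
	return (mark &^ mask) ^ value
}

// tproxyMangle models the CILIUM_PRE_mangle rule from the commit message.
// transparentSocket stands for the "-m socket --transparent" match;
// excludeProxyToWorld adds the "! --mark 0x800/0xf00" condition.
func tproxyMangle(mark uint32, transparentSocket, excludeProxyToWorld bool) uint32 {
	if !transparentSocket {
		return mark
	}
	if !markMatch(mark, 0xe00, 0xf00, true) { // "! --mark 0xe00/0xf00"
		return mark
	}
	if excludeProxyToWorld && !markMatch(mark, 0x800, 0xf00, true) {
		return mark // proxy-to-world skb: leave its mark alone
	}
	return setXMark(mark, 0x200, 0xffffffff) // "--set-xmark 0x200/0xffffffff"
}

// routeTable models the fwmark policy-routing rules in order:
// "fwmark 0x200/0xf00 lookup 2004" and "fwmark 0xb00/0xf00 lookup 2005";
// anything else falls through to the main table (254).
func routeTable(mark uint32) int {
	switch {
	case markMatch(mark, 0x200, 0xf00, false):
		return 2004
	case markMatch(mark, 0xb00, 0xf00, false):
		return 2005
	}
	return 254
}

func main() {
	const proxyToWorld = 0x800
	before := tproxyMangle(proxyToWorld, true, false)
	after := tproxyMangle(proxyToWorld, true, true)
	fmt.Printf("without exclusion: mark=%#x table=%d\n", before, routeTable(before))
	fmt.Printf("with exclusion:    mark=%#x table=%d\n", after, routeTable(after))
}
```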
[ upstream commit: 3384d73 ]

After cilium/proxy#742, proxy traffic keeps
original pod IP as source IP for to-world packets, which must be
masqueraded to eth0 IP. There is no issue for now, but the new
routing rule (0xb00 lookup 2005) to be added for cilium#31984
will cause a side effect breaking masquerading. This patch fixes
that side effect as a precaution, otherwise git-bisect breaks.

The new routing rule (0xb00 lookup 2005) will cause proxy packets to go
through POSTROUTING twice: the first time happens when proxy sends
packets which are routed to cilium_host, these are hitting OUTPUT +
**POSTROUTING**; the second time takes place after packets ingressed
from cilium_net, these skbs will traverse PREROUTING + FORWARD +
**POSTROUTING**.

However, due to the kernel's implementation details, an skb won't be
processed by nat POSTROUTING twice: after the first POSTROUTING
check, skb's ct `(struct nf_conn*)(skb->_nfct & ~7)` has a status
IPS_SRC_NAT_DONE to skip the further traversal at all. [1]

To avoid having the IPS_SRC_NAT_DONE flag set, this patch adds an
iptables rule `--mark 0xb00 -j CT --notrack` at OUTPUT to skip the first
round iptables ct, just for proxy traffic which is characterized by
0xb00 mark.

[1] https://elixir.bootlin.com/linux/v6.6.2/source/net/netfilter/nf_nat_core.c#L825
[1] https://elixir.bootlin.com/linux/v6.6.2/source/include/net/netfilter/nf_nat.h#L111

Signed-off-by: gray <gray.liang@isovalent.com>
[ upstream commit: 1ce4c7f ]

This commit installs "0xb00/0xf00 lookup 2005" routing rule when IPsec
is enabled with native routing and envoy. This is a necessary step
towards fixing encryption leaks, otherwise egress proxy's return traffic
gets no chance to be set IPsec mark. The new routing rule ensures these
packets are routed to cilium_host, where we have bpf_host to handle
encryption datapath.

This patch uses a different condition from requireFromProxyRoutes() to
determine whether to install the new routing rule, otherwise we
will see breakage on IPsec=off + envoy=on. Specifically, the new routing
rule is isolated to IPsec only.

Signed-off-by: gray <gray.liang@isovalent.com>
[ upstream commit 5f18d88 ]

This was addressed by cilium#32683.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[upstream commit 568dbc5]

This commit is to add a generic json field masking based on the field
name.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit 48a9976]

This commit is to explicitly mask the below fields from Envoy config
dump:

- api_key (used in kafka L7 policy)
- TLSContext (used in Cilium NetworkPolicy)

One round of scanning on existing Cilium protobuf was done.

Related docs: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
@ubergesundheit ubergesundheit merged commit 9766971 into v1.15 Jun 17, 2024
@ubergesundheit ubergesundheit deleted the update-v1.15.6 branch June 17, 2024 09:48