chore(deps-dev): bump infrahub-testcontainers from 1.9.6 to 1.9.7

[dependabot]

Bumps infrahub-testcontainers from 1.9.6 to 1.9.7.

Release notes

Sourced from infrahub-testcontainers's releases.

Infrahub - v1.9.7

What's Changed

• Allow community-reported issues into bug pipeline via approval label by @​polmichel in opsmill/infrahub#9319
• fix: emit one log line per user check log entry by @​DharmaBytesX in opsmill/infrahub#9317
• Contributing instructions using bug-fixing pipeline by @​polmichel in opsmill/infrahub#9264
• wait for flaky test by @​ajtmccarty in opsmill/infrahub#9315
• Activate RET lint rules by @​Dhanus3133 in opsmill/infrahub#9297
• fix: pass SchemaBranch when parsing constraint paths in HFID derivation by @​iddocohen in opsmill/infrahub#9322
• fix: reject schema names containing '__' (closes #9209) by @​polmichel in opsmill/infrahub#9328
• chore(workflows): disable report-failure-as-issue for bug-agent workflows by @​polmichel in opsmill/infrahub#9336
• fix(backend): Exclude cascade deleted nodes from deletion validation error by @​Dhanus3133 in opsmill/infrahub#9281
• chore(deps): bump the uv group across 2 directories with 1 update by @​dependabot[bot] in opsmill/infrahub#9296
• docs: rename Automation & Outputs to Design & Integrate by @​yjouffrault in opsmill/infrahub#9330
• docs: fix broken docs.infrahub.app links in README by @​steinzi in opsmill/infrahub#9341
• LLM rule for SOLID basics by @​ajtmccarty in opsmill/infrahub#9345
• Revert: bug pipeline approval-label gating (#9319) by @​polmichel in opsmill/infrahub#9357
• remove arg-type exclusion from mypy rules on schema_branch.py by @​ajtmccarty in opsmill/infrahub#9343
• fix: enforce uniqueness on computed attributes (closes #7924) by @​polmichel in opsmill/infrahub#9359
• docs: add Infrahub Marketplace page by @​yjouffrault in opsmill/infrahub#9366
• Pin node version in frontend tests by @​ogenstad in opsmill/infrahub#9383
• IFC-1681: Fix variable nested data by @​solababs in opsmill/infrahub#9282
• fix: prevent git task workers from diverging during sync fan-out (#9349) by @​polmichel in opsmill/infrahub#9360
• tests: Add unittest for SchemaEnumAdd, SchemaEnumRemove by @​Dhanus3133 in opsmill/infrahub#9348
• docs: fix broken relative links on schema marketplace page by @​petercrocker in opsmill/infrahub#9388
• Add feature flag to gate SSO display-name account fallback (IFC-2662) by @​polmichel in opsmill/infrahub#9396
• fix(frontend): hide internal groups from add-to-group selectors by @​polmichel in opsmill/infrahub#9394
• fix(ci): pin node 24.15.0 in bug-agent workflows (playwright#41000) by @​polmichel in opsmill/infrahub#9411
• fix(security): verify OIDC id_token signature, audience and issuer by default by @​polmichel in opsmill/infrahub#9403
• Honor INFRAHUB_CACHE_TLS_* in Prefect result storage block by @​PhillSimonds in opsmill/infrahub#9218
• Fix issues with docstrings by @​ogenstad in opsmill/infrahub#9424
• feat: Add favicon to OpenAPI documentation pages by @​Dhanus3133 in opsmill/infrahub#9400
• IFC-2664 lock password changes for externally authenticated accounts by @​gmazoyer in opsmill/infrahub#9391
• IFC-1258: Fix relationship mutation constraints by @​solababs in opsmill/infrahub#9270
• IFC-2555: Fix prefix pool duplication by @​solababs in opsmill/infrahub#9299
• fix(security): map OIDC JWKS/key-resolution failures to 401 by @​polmichel in opsmill/infrahub#9426
• fix(frontend): hide delete button on non-editable schema options (IFC… by @​pa-lem in opsmill/infrahub#9428
• update quickstart by @​petercrocker in opsmill/infrahub#9433
• Fix versions and schema generation command by @​ogenstad in opsmill/infrahub#9437
• move the changelogs to the right dir by @​ajtmccarty in opsmill/infrahub#9436
• fix: resolve S3 credentials via AWS default chain when static keys are unset (#9429) by @​minitriga in opsmill/infrahub#9430
• chore(ci): bump gh-aw to v0.77.5 and recompile workflows by @​polmichel in opsmill/infrahub#9358
• fix(ci): drop 'edited' trigger from bug reviewer agent by @​polmichel in opsmill/infrahub#9443
• chore: release 1.9.7 by @​minitriga in opsmill/infrahub#9446

New Contributors

• @​Dhanus3133 made their first contribution in opsmill/infrahub#9297

Full Changelog: opsmill/infrahub@infrahub-v1.9.6...infrahub-v1.9.7

Changelog

Sourced from infrahub-testcontainers's changelog.

Infrahub - v1.9.7 - 2026-06-03

Breaking Changes

• Schema attribute and relationship names containing __ are now rejected at load time, since __ is reserved as the schema path separator. Any existing schema using such names will fail to load after upgrading — rename the affected attributes or relationships in your schema files (and remove or rename the corresponding data) before upgrading. (#9209)

Security

• Added the INFRAHUB_SECURITY_SSO_ACCOUNT_NAME_FALLBACK setting (enabled by default) to control whether an SSO login without a linked identity may adopt a pre-existing account that matches by display name. This transitional behavior supports upgrades; disabling it once all SSO users have completed their first login is recommended as a hardening step. The fallback is deprecated and will be removed in a future release.
• Enable cryptographic verification of the OIDC id_token (signature, audience and issuer) by default when reading group claims. This can be disabled through INFRAHUB_OIDC_<PROVIDER>_ID_TOKEN_VERIFY_SIGNATURE.
• Local password changes are now refused for accounts that authenticate through an external directory (LDAP, OIDC, OAuth2). The self-service form is hidden in the UI and the GraphQL mutation rejects the request, preventing a user from bypassing directory-side revocation by setting a local password.

Fixed

• Prefix pools no longer allocate the same prefix multiple times when the pool resource has the same prefix length as the requested allocation size. Prefix pools can now correctly allocate a prefix that uses an entire linked resource.
• Fix schema processing crashing with 'NodeSchema' object has no attribute 'get' when a node defines a single-element relationship-only uniqueness_constraints entry (e.g. [["parent"]]). (#4483)
• The 'Manage Groups' dropdown and the bulk 'Add to groups' toolbar now hide groups whose group_type is internal, so only user-assignable groups appear in the selector. (#4872)
• RelationshipAdd now allows setting a cardinality-one relationship (previously, any attempt was rejected). A second add is rejected when a peer is already present. RelationshipRemove now enforces mandatory constraints on cardinality-many relationships and rejects removals that would leave a mandatory relationship with no peers. (#5794)
• GraphQL variables used inside the data sub-object of IPPrefixPoolGetResource and IPAddressPoolGetResource mutations now resolve correctly instead of being silently ignored (set to null). (#6850)
• Artifact diffs no longer show spurious changes for artifacts whose schema kind was renamed or moved to a different namespace on a branch. (#7490)
• Fixed unique constraints not being enforced on computed attributes, and the violation message now names the input attributes to change. (#7924)
• Fix user-check failure logs being emitted one character per line in the proposed change task output — each log entry from self.log_error(...) is now rendered as a single warning line. (#8224)
• Honor INFRAHUB_CACHE_TLS_ENABLED, INFRAHUB_CACHE_TLS_INSECURE, and INFRAHUB_CACHE_TLS_CA_FILE for the Prefect result storage block. Background flows previously hung in RUNNING against TLS-only Redis because setup_blocks() constructed the block via a code path that ignored every TLS setting. The block now uses a redis:// or rediss:// connection string that propagates all three TLS knobs through redis.Redis.from_url, bringing the block into parity with the cache adapter and distributed lock. (#9217)
• Fixed git repository sync where multiple task workers could diverge on different commits if upstream advanced during fan-out. (#9349)
• Fixed S3 object storage failing with AuthorizationHeaderMalformed when no static AWS credentials are configured. When both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are unset, Infrahub now falls back to the default AWS credential provider chain, so S3 storage works with IRSA, EC2 instance profiles, and ECS task roles in addition to static access keys. Configuring only one of the two now raises a clear configuration error. (#9429)
• A failed OIDC id_token verification — invalid signature, audience, issuer, or an unresolvable signing key — now returns an authorization error (HTTP 401) instead of an unhandled server error.
• Fixed a crash when pulling a git repository that had to create a missing local branch and record its commit value.
• Fixed the read-only git repository add flow broadcasting the wrong repository kind, which caused peer workers to materialize the new repository as read-write instead of read-only.

Commits

• 1bcda1e chore: update docker-compose
• 8ed0d4d chore: release 1.9.7 (#9446)
• 7fe5303 Merge pull request #9443 from opsmill/pmi-20260603-fix-cubic-blocking-reviewe...
• c89aa8d Merge pull request #9358 from opsmill/pmi-20260526-gh-aw-update
• 9b08603 fix: resolve S3 credentials via AWS default chain when static keys are unset ...
• 86f7be6 move the changelogs to the right dir (#9436)
• 436878f fix(ci): drop 'edited' trigger from bug reviewer agent
• 49cb868 Merge pull request #9437 from opsmill/pog-update-agents
• 76850e4 feat(ci): gate bug pipeline on state/ai-pipeline-ready approval label
• 0913ed8 chore(ci): bump gh-aw to v0.77.5 and recompile workflows
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Summary by cubic

Bumps dev dependency infrahub-testcontainers from 1.9.6 to 1.9.7 to run tests against the latest Infrahub. Test-only change that pulls in security and stability fixes; no runtime impact.

• Migration
  • Test schemas using names with __ will now fail to load; rename if present.
  • OIDC id_token verification is on by default; adjust test OIDC config or set INFRAHUB_OIDC_<PROVIDER>_ID_TOKEN_VERIFY_SIGNATURE=false in tests if needed.

^{Written for commit e454758. Summary will update on new commits.}

[cloudflare-workers-and-pages]

Deploying infrahub-sdk-python with    Cloudflare Pages

Latest commit:	e454758
Status:	🚫  Deploy failed.

View logs