Merge stable into develop #9434

Open
infrahub-github-bot-app[bot] wants to merge 21 commits into develop from stable
Conversation

infrahub-github-bot-app (Contributor, bot) commented Jun 2, 2026

Merging stable into develop after merging pull request #9433.


Summary by cubic

Merge stable into develop for the 1.9.7 release: OIDC/S3/IPAM/Redis TLS fixes, guarded account password changes for externally managed users, and CI workflow hardening. Adds release notes, bumps versions, and updates docker-compose image tags; breaking change: schema attribute/relationship names containing “__” are now rejected.

  • Bug Fixes

    • OIDC id_token verification now returns 401 on invalid signature/audience/issuer or unresolved JWKS; non‑JSON JWKS maps to a gateway error (IFC-2664).
    • Prefix pools no longer return duplicate allocations when resource prefix length equals the requested size; allocator now excludes the parent resource by UUID (IFC-2555).
    • Relationship mutations enforce cardinality: allow a single set on cardinality‑one and reject duplicates; prevent removals that break mandatory cardinality‑many.
    • Removing attributes/relationships from generic schemas now prunes inherited nodes’ schema‑path props (uniqueness_constraints, human_friendly_id, display_labels, order_by, default_filter) to avoid orphaned paths and related errors.
    • Prefect result storage honors INFRAHUB_CACHE_TLS_* using a redis:///rediss:// URL, fixing TLS‑only Redis connections (bug: Background flows hang against TLS-only Redis (INFRAHUB_CACHE_TLS_* not honored by Prefect result-storage block) #9217).
    • S3 storage falls back to the AWS default credential chain when static keys are unset; supplying only one key raises a clear configuration error (bug: S3 storage breaks with IRSA / instance-profile credentials (empty access key passed to boto3) #9429).
    • Hide delete buttons for Enum/Dropdown options on non‑user‑editable namespaces; added tests.
    • Add favicons to Swagger UI and ReDoc.
    • Recompiled bug‑agent workflows with gh-aw v0.77.5, gated them on the state/ai-pipeline-ready approval label, and removed the “edited” trigger; reformatted .github/dependabot.yml and ignored it in .yamllint.
    • Release updates: bump to 1.9.7, update docker-compose image tags, add release notes and sidebar entry; breaking change documented — reject __ in schema attribute/relationship names.
  • New Features

    • GraphQL CoreAccount.is_externally_managed field with resolver.
    • GraphQL updateSelf now rejects password changes for accounts linked to external identities; the UI hides the Password tab and form for such accounts (IFC-2664).

Written for commit 1abea46. Summary will update on new commits.

PhillSimonds and others added 9 commits June 2, 2026 06:29
Background flows hung in RUNNING against TLS-only Redis because setup_blocks()
built the Prefect RedisStorageContainer via from_host(), whose internal client
path constructs redis.Redis(...) with no ssl= argument. INFRAHUB_CACHE_TLS_*
settings were silently ignored for this one client even though lock.py and the
cache adapter honored them.

Always construct a connection_string URL from cache settings. Scheme selects
rediss:// when tls_enabled is set; ssl_cert_reqs / ssl_check_hostname /
ssl_ca_certs propagate as query params through redis.Redis.from_url onto the
underlying SSLConnection. Single deterministic code path; brings the block in
parity with the rest of the codebase's Redis clients.

Closes #9217

Co-authored-by: Phillip Simonds <phillip@opsmill.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* IFC-1258: Fix relationship mutation constraints

* refactor logic

* update tests

* update error message

* early return and test cleanup

---------

Co-authored-by: Aaron McCarty <aaron@opsmill.com>
* increase the scope of the try catch: include the key lookup into JWKS

* tests that no JWT exception slips through the test cases

* test: extract shared OIDC setup into fixtures

* chore: add changelog fragment for OIDC id_token verification error mapping

* fix(security): return a gateway error for a non-JSON OIDC JWKS response (#9428)

* fix(frontend): hide delete button on non-editable schema options (IFC-2663)

The inline delete (trash) button on Enum and Dropdown input options was
rendered for every option, including those on non-user-editable schema
namespaces (e.g. the Core `group_type` enum: "default"/"internal"). The
backend rejects deleting these, so users hit an error toast.

Gate the delete button on `useNamespace(schema.namespace)?.user_editable`,
mirroring the existing "+ Add option" affordance which was already gated
the same way. Also add an `aria-label` to the icon-only delete buttons.

Fixes #9389

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* lint

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* update quickstart

* update

* Revert non-quickstart changes from PR

Restore .superset/config.json, schema-visualizer, and python_sdk to stable.
ogenstad and others added 10 commits June 3, 2026 08:58
Recompile bug-agent workflows with gh-aw v0.77.5 (mcpg v0.3.22,
firewall 0.25.58, setup v0.77.5) — brings the DIFC array-response fix
(mcpg #6538 / gh-aw#34904).

gh aw compile reformats .github/dependabot.yml into its managed shape
(no doc-start, sequence indent 0, a >120-char ignore comment), which
trips the repo's yamllint. Exclude it in .yamllint.yml, same as the
already-ignored generated *.lock.yml files.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Re-introduce the approval-label gating reverted in #9357: set
min-integrity: approved and approval-labels: [state/ai-pipeline-ready]
on all four bug-agent workflows, recompiled with gh-aw v0.77.5.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fix versions and schema generation command
PR body edits by non-allowed bots (e.g. cubic-dev-ai appending its review
summary) spawn a workflow run that fails the actor gate and, via the
cancel-in-progress concurrency group, cancels the legitimate in-flight
reviewer run. Every pipeline iteration ends with a push, so 'synchronize'
(plus 'opened'/'reopened') is sufficient to re-trigger the reviewer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…e unset (#9429) (#9430)

S3StorageSettings defaults the access key and secret to empty strings, and the
storage layer forwarded them straight to boto3. boto3 treats an empty string as
an explicit credential and skips the default credential provider chain, so S3
storage failed with AuthorizationHeaderMalformed on deployments relying on IRSA,
EC2 instance profiles, or ECS task roles.

InfrahubS3ObjectStorage now treats blank, whitespace-only, or incomplete static
credentials as "not configured" and passes None, letting boto3 fall back to the
default AWS credential provider chain. Complete static credentials are forwarded
unchanged, so existing static-key and S3-compatible deployments are unaffected.
chore(ci): bump gh-aw to v0.77.5 and recompile workflows
…-reviewer-step

fix(ci): drop 'edited' trigger from bug reviewer agent
* chore: release 1.9.7

* docs: address review feedback on 1.9.7 release notes

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@minitriga minitriga requested a review from a team as a code owner June 3, 2026 16:04
@opsmill-bot opsmill-bot requested a review from a team as a code owner June 3, 2026 16:05
)

* remove deleted fields from all schema path schema properties

uniqueness_constraints, order_by, human_friendly_id, and display_labels

* move changelog to the right place

* rename private method, include default_filter

* add changelog for 8990