Bump github.com/go-git/go-git/v5 from 5.12.0 to 5.13.0 #7
Closed
dependabot[bot] wants to merge 1 commit into main from
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.12.0 to 5.13.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.12.0...v5.13.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Author
Looks like github.com/go-git/go-git/v5 is up-to-date now, so this is no longer needed.
Cre-eD added a commit that referenced this pull request on May 8, 2026
## Summary
Adds opt-in encryption-at-rest for AWS RDS instances managed by SC.
Existing customers get **zero** behaviour change unless they explicitly
set the new field.
| File | Change |
|---|---|
| `pkg/clouds/aws/rds_mysql.go` | `MysqlConfig.StorageEncrypted *bool` (new optional field) |
| `pkg/clouds/aws/rds_postgres.go` | `PostgresConfig.StorageEncrypted *bool` (same) |
| `pkg/clouds/pulumi/aws/rds_mysql.go` | `StorageEncrypted: sdk.Bool(lo.FromPtr(dbConfig.StorageEncrypted))` + `sdk.IgnoreChanges([]string{"storageEncrypted"})` |
| `pkg/clouds/pulumi/aws/rds_postgres.go` | same |
| `pkg/clouds/aws/rds_storage_encrypted_test.go` | new — unit tests for the opt-in semantics |
## Opt-in behaviour (per Ilya's review feedback)
| Customer config | `dbConfig.StorageEncrypted` | Pulumi `StorageEncrypted` | Effect |
|---|---|---|---|
| Field omitted (legacy stacks) | `nil` | `false` | UNENCRYPTED — preserves pre-2026.5 behaviour |
| `storageEncrypted: true` | `&true` | `true` | Encrypted (AWS-managed `aws/rds` KMS key) |
| `storageEncrypted: false` | `&false` | `false` | Explicit unencrypted (respect the call) |
This means **no customer gets encryption silently** — they have to opt
in.
## Why `IgnoreChanges` is still required
`storage_encrypted` is **immutable post-creation** in AWS RDS. Without
`IgnoreChanges`, the moment a customer flips the new field to `true` on
a stack with a pre-existing unencrypted instance, Pulumi would propose a
**destructive replacement** (drop + recreate, data loss + downtime).
`sdk.IgnoreChanges([]string{"storageEncrypted"})` silences that drift.
Behaviour:
- ✅ NEW instance + `storageEncrypted: true` → created encrypted from the
start.
- ✅ EXISTING unencrypted instance + customer flips to `true` → no diff,
no replacement; the customer's data is safe but the existing instance
stays unencrypted. They have to migrate out-of-band (see below).
- ✅ EXISTING unencrypted instance + field stays `nil` → no diff.
Pre-2026.5 behaviour preserved exactly.
## Migration path for existing unencrypted instances
`sc deploy` will not migrate automatically — the AWS encryption switch
is destructive. The standard AWS path:
1. Take a snapshot of the unencrypted instance.
2. `CopyDBSnapshot` with encryption enabled (`KmsKeyId` set).
3. Restore from the encrypted snapshot to a new instance.
4. Cut traffic over (DNS / app config), then delete the old instance.
5. Re-import the new instance into the SC Pulumi stack.
Documented inline next to the `IgnoreChanges` line so a future
maintainer doesn't accidentally remove the safety.
## Why surfaced now
`simple-container-com/actions` PR #7 adds a new semgrep rule
`go-aws-rds-no-storage-encryption` (ERROR severity). Walking the api
codebase to write that rule revealed two pre-existing instances with
unset encryption defaults. Originally I went with hard-coded
`StorageEncrypted: true`; per review feedback this is now opt-in.
The semgrep rule on actions repo treats `StorageEncrypted:
pulumi.Bool(true)` literal as "OK", and `StorageEncrypted:
pulumi.Bool(false)` literal as "still ERROR". Our generated value uses
`lo.FromPtr` which the rule sees textually as `pulumi.Bool(...)` — but
it's `sdk.Bool` here. Verified: rule's `pattern-not-regex:
'StorageEncrypted:\s*\w+\.Bool\(true\)'` does NOT match
`sdk.Bool(lo.FromPtr(...))` because the function inside `Bool(...)`
isn't `true`. So this code WILL still trigger the rule when scanned with
PR #7's ruleset — by design. The rule is conservative; it can't
statically prove `lo.FromPtr` resolves to true. Acceptable trade-off:
code is conservatively flagged, reviewer eyeballs the call site,
confirms the opt-in plumbing is correct, dismisses or fixes.
## KMS
`StorageEncrypted: sdk.Bool(true)` without `KmsKeyId` uses AWS-managed
`aws/rds`. Customer-managed key per stack is a follow-up — the
immediate-controls bar is encrypt-at-all when the customer opts in.
## Test plan
### Unit (in this PR — green)
- [x] `go test ./pkg/clouds/aws/...` —
`TestReadRdsMysqlConfig_StorageEncrypted` and
`TestReadRdsPostgresConfig_StorageEncrypted`, 6 subtests total covering
all three states for both engines
- [x] Full `go test ./...` — clean
### Integration (manual, after merge)
- [ ] **Brand-new stack, no opt-in**: `pulumi preview` shows `+
Instance` with `storage_encrypted: false` (legacy behaviour preserved).
- [ ] **Brand-new stack with opt-in**: same preview shows
`storage_encrypted: true`, KmsKeyId resolves to the AWS-managed default.
- [ ] **Existing customer post-upgrade, no config change**: `pulumi
preview` shows **no diff** on the RDS instance (this is the critical
migration-safety test — proves IgnoreChanges + nil default both kick
in).
- [ ] **Existing customer flipping the field to true**: `pulumi preview`
shows **no diff** (silenced by `IgnoreChanges` — explicit demonstration
of the safety net).
### E2E (manual, sandbox AWS account)
- [ ] Variant A (no opt-in): create RDS, `aws rds describe-db-instances
--query '[*].StorageEncrypted'` → `false`.
- [ ] Variant B (opt-in true): same query → `true`.
- [ ] Variant C (legacy → upgrade simulation): create with old code
unencrypted, then `sc deploy` with new code (no config change) →
describe → `StorageEncrypted` still `false`, instance ID unchanged.
- [ ] Tear down.
## Out of scope
- Customer-managed KMS key (`KmsKeyId`) — follow-up.
- Schema-version-style bundling of multiple hardening defaults — only
one knob today; mongodb-atlas precedent (`NamingStrategyVersion`) exists
if the count grows.
- Migrating already-deployed unencrypted instances on customer fleets —
manual, out-of-band, documented above.
---------
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
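The three-state opt-in and the semgrep allow-list interaction described in the commit message above, as an added Go example; this is not code from the simple-container-com repo or from the actions ruleset. `effectiveStorageEncrypted`, `wouldStillBeFlagged` and the sample call-site lines are constructed here; only the quoted `pattern-not-regex` comes from the commit message, and the full semgrep rule is approximated.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Three-state opt-in from the commit message: a nil *bool (field omitted by a
// legacy stack) and an explicit false both resolve to an unencrypted instance;
// only an explicit true turns encryption on. Mirrors lo.FromPtr's
// nil-to-zero-value behaviour without depending on the lo module.
func effectiveStorageEncrypted(storageEncrypted *bool) bool {
	return storageEncrypted != nil && *storageEncrypted
}

// Allow-list regex quoted from the semgrep rule in the commit message
// (pattern-not-regex). Everything else in this file is a constructed
// approximation: the real rule's full pattern set is not on the page.
var allowedLiteral = regexp.MustCompile(`StorageEncrypted:\s*\w+\.Bool\(true\)`)

// wouldStillBeFlagged reports whether a call-site line escapes the allow-list:
// any StorageEncrypted assignment that is not the literal `<pkg>.Bool(true)`
// form keeps the finding, including the correct but non-literal opt-in
// sdk.Bool(lo.FromPtr(...)), which is why the rule stays conservative.
func wouldStillBeFlagged(callSite string) bool {
	if !strings.Contains(callSite, "StorageEncrypted:") {
		return false // not an RDS encryption setting at all
	}
	return !allowedLiteral.MatchString(callSite)
}

func main() {
	t, f := true, false
	for _, c := range []struct {
		name string
		cfg  *bool
	}{{"omitted (nil)", nil}, {"true", &t}, {"false", &f}} {
		fmt.Printf("storageEncrypted %-14s -> encrypted=%v\n", c.name, effectiveStorageEncrypted(c.cfg))
	}
	// Constructed call-site lines modelled on the ones the commit message discusses.
	for _, line := range []string{
		`StorageEncrypted: pulumi.Bool(true),`,
		`StorageEncrypted: pulumi.Bool(false),`,
		`StorageEncrypted: sdk.Bool(lo.FromPtr(dbConfig.StorageEncrypted)),`,
	} {
		fmt.Printf("%-70s flagged=%v\n", line, wouldStillBeFlagged(line))
	}
}
```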