Weekly: Promote nightly to main (2026-06-01) #1047
Open
github-actions[bot] wants to merge 57 commits into
fix(deps): update non-major-updates
The drag handle column (40px fixed width) was always rendered in the grouped view, compounding the overflow caused by the group column addition. Combined, the table consistently overflowed its container. Drag handles are now hidden by default and toggled via an "Organize" button that appears in the page header only when groups exist. This recovers the column space on normal views while preserving full drag-and-drop when the user explicitly enters organize mode.
The SARIF upload step was gated on artifact_found == 'true', which is only ever set by the check-artifact step. That step itself only runs on workflow_run events, but supply-chain-pr.yml has no workflow_run trigger — it fires on pull_request and push only. The result was that every run since the workflow was restructured successfully scanned the image but silently discarded the SARIF, leaving GitHub Code Scanning with a stale Grype result since Feb 4, 2026. Align the SARIF upload condition with every other post-scan step: gate on set-target.outputs.image_name != '' so it fires whenever a scan actually ran, regardless of the triggering event type. Also corrects a stale inline comment that cited v0.110.0 while the install script pinned v0.112.0.
…g.Add sessions.Store was called before the DB update and wg.Add(1) in HandleWebSocket. The test polling loop exited as soon as the session appeared in the map, starting cleanup while the handler was still writing to the SQLite database. srv.Stop() called wg.Wait() with wg=0 because wg.Add had not yet been called, allowing cleanup to proceed. Concurrent SQLite journal/WAL file creation then raced with os.RemoveAll on the test's TempDir, producing "directory not empty". Move sessions.Store to be the last statement after the DB update and wg.Add(1). External observers now see the session only after all handler setup is complete, ensuring Stop's wg.Wait blocks correctly before any cleanup runs. Fixes: TestOrthrusServer_HandleWebSocket_ValidToken_UpgradesConnection flaky CI
…onents
- Replace direct DOM/container access in ImportSitesModal test with Testing Library queries (getByRole, findByRole) as required by testing best practices
- Remove useless `undefined` arguments from ImportSitesModal test and DNSProviderSelector component to satisfy no-useless-undefined rule; update corresponding test assertion to match corrected call signature
- Convert forEach to for...of loop in ImportReviewTable per ESLint rule
- Add role="button", tabIndex, and onKeyDown keyboard handlers to clickable div elements in ImportReviewTable and FeedbackWidget to satisfy accessibility requirements (WCAG 2.2 keyboard operability)
- Add required blank line between import groups in GroupDropZone
Fixes CI annotations from commit ff52316 reported against the development branch frontend build.
chore(deps): update non-major-updates
Changed dependency automation so non-major updates are grouped into separate pull requests for GitHub Actions, Go, and npm instead of one mixed batch. This improves tracking and review focus by keeping each dependency type isolated and easier to audit. Major updates remain separated for manual review, and existing version safety constraints are preserved to prevent unintended upgrade paths. Validation evidence was generated for config resolution and dry-run behavior, with local runtime compatibility noted as an environment constraint.
The cloudflare provider's Start() method used cmd.StdoutPipe() and cmd.StderrPipe() to capture tunnel output. Go's exec package registers the read-end file descriptors from these calls in an internal closeAfterWait list — when cmd.Wait() returns after the child exits, those fds are closed immediately, regardless of whether the scanner goroutines have finished reading buffered data. On a loaded CI runner this produces an EBADF before the scanner's first Read(), leaving the ring buffer empty and causing TestStart_CapturesStdoutOutput to fail. Replace both pipe methods with os.Pipe() pairs. Assigning bare *os.File to cmd.Stdout and cmd.Stderr bypasses Go's pipe lifecycle management entirely. The parent write ends are closed immediately after cmd.Start() succeeds so the child's exit naturally sends EOF to the scanners. Each scanner goroutine owns its read end and closes it via defer after draining, which preserves the existing scanWg.Wait() guarantee that the ring buffer is fully populated before p.done is closed. All four pipe fds are cleaned up in both the stderr os.Pipe() failure path and the cmd.Start() failure path to prevent fd leaks. Write-end close failures are logged using the provider's structured logger rather than silently discarded. Validated with 50 sequential -race runs on the cloudflare package; 50/50 pass. Fixes TestStart_CapturesStdoutOutput flake in CI
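The os.Pipe() pattern described in the commit above, written out as an added, stand-alone example (not the cloudflare provider's own code). It assumes a hypothetical `runAndCapture` helper and collects lines into plain slices rather than the provider's ring buffer; everything else follows the commit: bare `*os.File` values on `cmd.Stdout`/`cmd.Stderr`, parent write ends closed right after `cmd.Start()`, each scanner goroutine closing its own read end via defer, all four fds released on both failure paths, and write-end close failures logged with `log/slog` instead of dropped.

```go
package main

import (
	"bufio"
	"fmt"
	"log/slog"
	"os"
	"os/exec"
	"sync"
)

// CaptureResult holds the child's output, one entry per line, per stream.
type CaptureResult struct {
	Stdout []string
	Stderr []string
}

// runAndCapture (hypothetical helper) starts a child process and collects its
// stdout and stderr through explicit os.Pipe pairs. Bare *os.File values
// assigned to cmd.Stdout/cmd.Stderr are handed straight to the child and are
// NOT added to exec's closeAfterWait list, so cmd.Wait can never close a read
// end underneath a scanner that has not called Read yet. A nil logger falls
// back to slog.Default().
func runAndCapture(logger *slog.Logger, name string, args ...string) (*CaptureResult, error) {
	if logger == nil {
		logger = slog.Default()
	}

	outR, outW, err := os.Pipe()
	if err != nil {
		return nil, fmt.Errorf("stdout pipe: %w", err)
	}
	errR, errW, err := os.Pipe()
	if err != nil {
		// stderr pipe failed: release the stdout pair so no fds leak.
		outR.Close()
		outW.Close()
		return nil, fmt.Errorf("stderr pipe: %w", err)
	}

	cmd := exec.Command(name, args...)
	cmd.Stdout = outW
	cmd.Stderr = errW
	if err := cmd.Start(); err != nil {
		// Start failed: the child never inherited anything, release all four.
		for _, f := range []*os.File{outR, outW, errR, errW} {
			f.Close()
		}
		return nil, fmt.Errorf("start %s: %w", name, err)
	}

	// The child now holds its own copies of the write ends. Drop the parent's
	// copies immediately so the child's exit is the only thing that delivers
	// EOF to the readers; a close failure is logged, not silently discarded.
	if err := outW.Close(); err != nil {
		logger.Warn("close stdout write end", "error", err)
	}
	if err := errW.Close(); err != nil {
		logger.Warn("close stderr write end", "error", err)
	}

	res := &CaptureResult{}
	var scanWg sync.WaitGroup

	// drain owns its read end: it scans to EOF, closes the fd via defer and
	// only then signals the WaitGroup, so scanWg.Wait() guarantees that both
	// slices are fully populated before the function returns.
	drain := func(r *os.File, dst *[]string) {
		defer scanWg.Done()
		defer r.Close()
		sc := bufio.NewScanner(r)
		for sc.Scan() {
			*dst = append(*dst, sc.Text())
		}
		if err := sc.Err(); err != nil {
			logger.Warn("scanner stopped early", "error", err)
		}
	}
	scanWg.Add(2)
	go drain(outR, &res.Stdout)
	go drain(errR, &res.Stderr)

	scanWg.Wait()          // both pipes reached EOF: output is complete
	return res, cmd.Wait() // reap the child and report its exit status
}

func main() {
	// Constructed sample child: two stdout lines around one stderr line.
	res, err := runAndCapture(nil, "/bin/sh", "-c", "echo hello; echo oops 1>&2; echo world")
	if err != nil {
		fmt.Fprintln(os.Stderr, "run failed:", err)
		os.Exit(1)
	}
	fmt.Printf("stdout=%q stderr=%q\n", res.Stdout, res.Stderr)
}
```

The ordering matters: `scanWg.Wait()` runs before `cmd.Wait()` so that the caller sees complete buffers, mirroring the commit's guarantee that the ring buffer is populated before `p.done` closes. One caveat a practitioner should keep in mind with this design: EOF only arrives once every holder of the write end has exited, so a grandchild that inherits the pipe and outlives the child will keep the scanner blocked; if the tunnel binary forks helpers, a timeout around `scanWg.Wait()` is worth adding.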
…cts updates Six ARG lines had `# renovate:` comments but no matching custom manager in renovate.json, meaning Renovate silently ignored them. This was the direct cause of missing the CrowdSec 1.7.7 → 1.7.8 release. Added custom managers for: CrowdSec (github-releases), Caddy/CADDY_CANDIDATE (go datasource), gosu (github-releases), npm (npm datasource), golang.org/x/crypto (go datasource), and coraza-caddy/v2 (go datasource). Fixed two Dockerfile comments where the Caddy depName incorrectly included an `https://` URL prefix — Go datasource requires a bare module path. Both CADDY_VERSION and CADDY_CANDIDATE_VERSION comments now reference `github.com/caddyserver/caddy/v2`. The coraza-caddy comment was also corrected to the `/v2` module path for consistency with what the custom manager resolves. Added an `allowedVersions: "<3.0.0"` packageRule for the new Go-datasource Caddy manager to mirror the existing constraint on the dockerfile manager, preventing an automatic jump to a future v3 major. Added a `security`/`dependencies` label rule for CrowdSec releases so they surface visibly in PRs.
…sec dependency caddy-crowdsec-bouncer@v0.10.0 (and all subsequent releases through v0.12.1) declare github.com/crowdsecurity/crowdsec v1.6.3 in their go.mod, which embeds the vulnerable crowdsec library inside the compiled /usr/bin/caddy binary. Trivy detects this and reports GHSA-rw47-hm26-6wr7 (CVE-2026-44982), which describes the CrowdSec AppSec component silently dropping HTTP request bodies for chunked-encoded and HTTP/2 requests — allowing WAF body inspection rules to be bypassed entirely. The dedicated crowdsec and cscli binaries were already clean (built directly from CROWDSEC_VERSION=1.7.8 source), but the Caddy binary was still exposing the vulnerability through its transitive dependency on the bouncer plugin. Add go get github.com/crowdsecurity/crowdsec@v${CROWDSEC_VERSION} to the Caddy builder Stage 2 patch block, immediately after the existing go-ntlmssp override. Declare ARG CROWDSEC_VERSION in the caddy-builder stage so the variable resolves correctly within that Docker build context. Using the ARG rather than a hardcoded version ensures the Caddy override and the CrowdSec binaries always upgrade together when Renovate bumps CROWDSEC_VERSION, preventing version drift. Remove this override once the bouncer ships a release that requires github.com/crowdsecurity/crowdsec >= v1.7.8.
…-crowdsec-bouncer to v0.12.1
chore(deps): update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.102.0
fix(deps): update non-major-updates
chore(deps): update dependency @eslint/json to v2
…yexec, tldts-core, and typed-array-length to latest versions
…common to v0.68.0
…nd eslint to v10.4.1
…th install_if_missing (skips if already present via cscli inspect). On a rebuild where CrowdSec data is on a persistent volume, all items are already installed, so this cuts 10 cscli invocations (60–90s) down to fast inspect checks. First-time installs still work as before.
…d container health monitoring
…dule dependencies
Automated checksum update for GeoLite2-Country.mmdb database. Old: d074a873c0db6755c0d7f22efe8c76d14fd5d4bcdaa5fc5e940508e8517e99ba New: c77ac1d7e64b3fcd1447045615fc3aefb3ed886e176608c568b01f29f955e21a Auto-generated by: .github/workflows/update-geolite2.yml
chore(docker): update GeoLite2-Country.mmdb checksum
…o v1.6.19, and knip to v6.15.0
🚀 Weekly Nightly to Main Promotion
Date: 2026-06-01
Trigger: Scheduled weekly promotion
Commits: 57 commits to promote
Changes: 37 files changed, 1649 insertions(+), 1395 deletions(-)
Commits Being Promoted
Showing first 50 of 57 commits:
...and 7 more commits
Pre-Merge Checklist
Merge Instructions
This PR promotes changes from nightly to main. Once all checks pass:
This PR was automatically created by the Weekly Nightly Promotion workflow.