Weekly: Promote nightly to main (2026-06-01)

.github/renovate.json

@@ -269,6 +269,74 @@
       "datasourceTemplate": "github-releases",
       "versioningTemplate": "semver",
       "extractVersionTemplate": "^v(?<version>.*)"
+    },
+    {
+      "customType": "regex",
+      "description": "Track CrowdSec version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=github-releases\\s+depName=crowdsecurity/crowdsec\\s*\\nARG CROWDSEC_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "crowdsecurity/crowdsec",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v?(?<version>.*)$"
+    },
+    {
+      "customType": "regex",
+      "description": "Track Caddy version ARGs in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/caddyserver/caddy[^\\s]*\\s*\\nARG CADDY_VERSION=(?<currentValue>[^\\s]+)",
+        "#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/caddyserver/caddy[^\\s]*\\s*\\nARG CADDY_CANDIDATE_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/caddyserver/caddy/v2",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track gosu version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=github-releases\\s+depName=tianon/gosu\\s*\\nARG GOSU_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "tianon/gosu",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track npm version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=npm\\s+depName=npm\\s*\\nARG NPM_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "npm",
+      "datasourceTemplate": "npm",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track golang.org/x/crypto version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=golang\\.org/x/crypto\\s*\\nARG XCRYPTO_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golang.org/x/crypto",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track coraza-caddy version ARG in Dockerfile",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=github\\.com/corazawaf/coraza-caddy[^\\s]*\\s*\\nARG CORAZA_CADDY_VERSION=(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "github.com/corazawaf/coraza-caddy/v2",
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
     }
   ],
 
@@ -280,17 +348,70 @@
 
   "packageRules": [
     {
-      "description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",
+      "description": "Group GitHub Actions non-major updates into one PR",
+      "matchManagers": [
+        "github-actions"
+      ],
       "matchUpdateTypes": [
         "minor",
         "patch",
         "pin",
         "digest"
       ],
-      "groupName": "non-major-updates",
+      "groupName": "github-actions-non-major",
+      "groupSlug": "github-actions-non-major"
+    },
+    {
+      "description": "Group Go non-major updates into one PR",
+      "matchDatasources": [
+        "go",
+        "golang-version"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "groupName": "go-non-major",
+      "groupSlug": "go-non-major"
+    },
+    {
+      "description": "Group Go github-tags fallback updates from Dockerfile custom manager into Go non-major PR",
+      "matchDatasources": [
+        "github-tags"
+      ],
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchFileNames": [
+        "Dockerfile"
+      ],
       "matchPackageNames": [
-        "*"
-      ]
+        "jackc/pgx"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "groupName": "go-non-major",
+      "groupSlug": "go-non-major"
+    },
+    {
+      "description": "Group NPM non-major updates into one PR",
+      "matchDatasources": [
+        "npm"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "groupName": "npm-non-major",
+      "groupSlug": "npm-non-major"
     },
     {
       "description": "Development branch: Auto-merge non-major updates after proven stable",
@@ -315,6 +436,18 @@
       "matchPackageNames": ["caddy"],
       "allowedVersions": "<3.0.0"
     },
+    {
+      "description": "Go: keep Caddy within v2 (no automatic jump to v3) - ARG tracking via custom manager",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/caddyserver/caddy/v2"],
+      "allowedVersions": "<3.0.0"
+    },
+    {
+      "description": "Label CrowdSec updates as security-relevant",
+      "matchDatasources": ["github-releases"],
+      "matchPackageNames": ["crowdsecurity/crowdsec"],
+      "labels": ["security", "dependencies"]
+    },
     {
       "description": "Go: keep pgx within v4 (CrowdSec requires pgx/v4 module path) - applies to go.mod lookups",
       "matchDatasources": ["go"],

.github/workflows/auto-changelog.yml

@@ -24,6 +24,6 @@ jobs:
         with:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
       - name: Draft Release
-        uses: release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927 # v7
+        uses: release-drafter/release-drafter@693d20e7c1ce1a81d3a41962f85914253b518449 # v7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker-build.yml

@@ -168,7 +168,7 @@ jobs:
 
       - name: Set up QEMU
         if: steps.skip.outputs.skip_build != 'true'
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
       - name: Set up Docker Buildx
         if: steps.skip.outputs.skip_build != 'true'
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

.github/workflows/nightly-build.yml

@@ -154,6 +154,17 @@ jobs:
       digest: ${{ steps.resolve_digest.outputs.digest }}
 
     steps:
+      - name: Free disk space
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: false
+          swap-storage: true
+          tool-cache: false
+
       - name: Checkout nightly branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
@@ -164,7 +175,7 @@ jobs:
         run: echo "IMAGE_NAME_LC=${IMAGE_NAME,,}" >> "$GITHUB_ENV"
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3  # v4.1.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # v4.1.0
@@ -224,9 +235,10 @@ jobs:
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.event.repository.pushed_at }}
             ALPINE_IMAGE=${{ steps.alpine.outputs.image }}
+            CROWDSEC_VERSION=1.7.8
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          no-cache-filters: caddy-builder
+          no-cache-filters: caddy-builder,crowdsec-builder
           provenance: true
           sbom: true
 
@@ -396,6 +408,17 @@ jobs:
       packages: write
 
     steps:
+      - name: Free disk space
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: false
+          swap-storage: true
+          tool-cache: false
+
       - name: Checkout nightly branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
@@ -406,7 +429,7 @@ jobs:
         run: echo "ORTHRUS_IMAGE_NAME_LC=${ORTHRUS_IMAGE_NAME,,}" >> "$GITHUB_ENV"
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3  # v4.1.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # v4.1.0

.github/workflows/orthrus-build.yml

@@ -99,7 +99,7 @@ jobs:
           fi
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

.github/workflows/security-weekly-rebuild.yml

@@ -53,7 +53,7 @@ jobs:
           echo "IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

.github/workflows/supply-chain-pr.yml

@@ -282,7 +282,7 @@ jobs:
           echo "component_count=${COMPONENT_COUNT}" >> "$GITHUB_OUTPUT"
           echo "✅ SBOM generated with ${COMPONENT_COUNT} components"
 
-      # Scan for vulnerabilities using manual Grype installation (pinned to v0.110.0)
+      # Scan for vulnerabilities using manual Grype installation (pinned to v0.112.0)
       - name: Install Grype
         if: steps.set-target.outputs.image_name != ''
         run: |
@@ -362,7 +362,7 @@ jobs:
           fi
 
       - name: Upload SARIF to GitHub Security
-        if: steps.check-artifact.outputs.artifact_found == 'true'
+        if: steps.set-target.outputs.image_name != ''
         uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
         continue-on-error: true
         with:

.gitignore

@@ -328,4 +328,5 @@ backend/***_coverage.txt
 backend/***_cov.txt
 .tmp/caddy-binary-pin-cleanup
 .tmp/caddy-binary-pin-cleanup-local.tar
-.tmp/***
+.tmp/***
+charon-scan.tar

CHANGELOG.md

@@ -69,6 +69,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Security
 
+- **CVE-2026-44982 / GHSA-rw47-hm26-6wr7**: Resolved high-severity CrowdSec AppSec vulnerability where HTTP request bodies were silently dropped for chunked/HTTP-2 requests, allowing WAF bypass
+  - Upgraded `CROWDSEC_VERSION` to `v1.7.8` in the Dockerfile
+  - Upgraded `caddy-crowdsec-bouncer` to `v0.12.1` to align with the updated crowdsec API
+  - Applied build-time source patches for two breaking API changes in crowdsec v1.7.8 (`DecisionsListOpts` field pointer types, `version.DetectOS()` return arity)
+
 - **CVE-2026-34040**: Remediated high-severity vulnerability by migrating from `github.com/docker/docker` to `github.com/moby/moby/client v0.4.1`
   - Affected component: Docker client SDK used for container management features
   - Resolution: Updated `go.mod` to reference the actively maintained `moby/moby` module