Commit 4b9508a

Merge pull request #741 from Wikid82/feature/beta-release
Caddy Version bump to 2.11.1
2 parents 2486dc2 + dc1426a commit 4b9508a

43 files changed

Lines changed: 3070 additions & 810 deletions

.docker/README.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -94,7 +94,7 @@ Configure the application via `docker-compose.yml`:
9494
| `CHARON_ENV` | `production` | Set to `development` for verbose logging (`CPM_ENV` supported for backward compatibility). |
9595
| `CHARON_HTTP_PORT` | `8080` | Port for the Web UI (`CPM_HTTP_PORT` supported for backward compatibility). |
9696
| `CHARON_DB_PATH` | `/app/data/charon.db` | Path to the SQLite database (`CPM_DB_PATH` supported for backward compatibility). |
97-
| `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). |
97+
| `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). Must resolve to an internal allowlisted host on port `2019`. |
9898
| `CHARON_CADDY_CONFIG_ROOT` | `/config` | Path to Caddy autosave configuration directory. |
9999
| `CHARON_CADDY_LOG_DIR` | `/var/log/caddy` | Directory for Caddy access logs. |
100100
| `CHARON_CROWDSEC_LOG_DIR` | `/var/log/crowdsec` | Directory for CrowdSec logs. |
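Review bot: the sentence added to the `CHARON_CADDY_ADMIN_API` row ("Must resolve to an internal allowlisted host on port `2019`") states a constraint without naming the setting that defines the allowlist, so a reader of this table cannot tell where to add a host. Suggest ending the cell with the variable, e.g. "... on port `2019` (hosts are taken from `CHARON_SSRF_INTERNAL_HOST_ALLOWLIST`)", and saying whether the port check is applied to the URL as written or to the address it resolves to, since "resolve" is ambiguous here.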
@@ -218,6 +218,8 @@ environment:
218218
- CPM_CADDY_ADMIN_API=http://your-caddy-host:2019
219219
```
220220
221+
If using a non-localhost internal hostname, add it to `CHARON_SSRF_INTERNAL_HOST_ALLOWLIST`.
222+
221223
**Warning**: Charon will replace Caddy's entire configuration. Backup first!
222224

223225
## Performance Tuning
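Review bot: the added line tells users to add a non-localhost hostname to `CHARON_SSRF_INTERNAL_HOST_ALLOWLIST`, but that variable does not appear among the configuration table rows visible in the hunk above, so its default value and accepted format (single host, list, separator) are undocumented at the point the reader is sent to it; if it has no row elsewhere in the table, add one. The example block still uses the legacy `CPM_CADDY_ADMIN_API` name while the table marks `CPM_*` as backward-compatibility aliases; consider switching the example to `CHARON_CADDY_ADMIN_API`.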

.github/skills/test-backend-coverage-scripts/run.sh

Lines changed: 1 addition & 1 deletion
@@ -32,7 +32,7 @@ cd "${PROJECT_ROOT}"
3232
validate_project_structure "backend" "scripts/go-test-coverage.sh" || error_exit "Invalid project structure"
3333

3434
# Set default environment variables
35-
set_default_env "CHARON_MIN_COVERAGE" "85"
35+
set_default_env "CHARON_MIN_COVERAGE" "87"
3636
set_default_env "PERF_MAX_MS_GETSTATUS_P95" "25ms"
3737
set_default_env "PERF_MAX_MS_GETSTATUS_P95_PARALLEL" "50ms"
3838
set_default_env "PERF_MAX_MS_LISTDECISIONS_P95" "75ms"
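Review bot: the `CHARON_MIN_COVERAGE` default is raised from 85 to 87 here and identically in `.github/skills/test-frontend-coverage-scripts/run.sh` below, but the commit message mentions only the Caddy version bump. Suggest calling the threshold change out in the PR description, and since the two scripts carry the same literal, reading it from one shared definition so the next bump cannot drift between backend and frontend.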

.github/skills/test-frontend-coverage-scripts/run.sh

Lines changed: 1 addition & 1 deletion
@@ -32,7 +32,7 @@ cd "${PROJECT_ROOT}"
3232
validate_project_structure "frontend" "scripts/frontend-test-coverage.sh" || error_exit "Invalid project structure"
3333

3434
# Set default environment variables
35-
set_default_env "CHARON_MIN_COVERAGE" "85"
35+
set_default_env "CHARON_MIN_COVERAGE" "87"
3636

3737
# Execute the legacy script
3838
log_step "EXECUTION" "Running frontend tests with coverage"

.github/workflows/release-goreleaser.yml

Lines changed: 13 additions & 0 deletions
@@ -20,6 +20,7 @@ permissions:
2020

2121
jobs:
2222
goreleaser:
23+
if: ${{ !contains(github.ref_name, '-candidate') && !contains(github.ref_name, '-rc') }}
2324
runs-on: ubuntu-latest
2425
env:
2526
# Use the built-in GITHUB_TOKEN by default for GitHub API operations.
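Review bot: the job-level `if:` added on line 23 is a denylist of two substrings (`-candidate`, `-rc`), so any tag that carries a different or mistyped pre-release marker, for example a `-beta` suffix like the `2.11.0-beta.2` used elsewhere in this commit, is still treated as releasable and reaches the goreleaser steps. An allowlist on the expected final-release tag shape (a `startsWith(github.ref, 'refs/tags/v')` check combined with a pattern for the release form) fails closed instead; at minimum, document that these two markers are the only recognised pre-release suffixes.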
@@ -32,10 +33,22 @@ jobs:
3233
with:
3334
fetch-depth: 0
3435

36+
- name: Enforce PR-2 release promotion guard
37+
env:
38+
REPO_VARS_JSON: ${{ toJSON(vars) }}
39+
run: |
40+
PR2_GATE_STATUS="$(printf '%s' "$REPO_VARS_JSON" | jq -r '.CHARON_PR2_GATES_PASSED // "false"')"
41+
if [[ "$PR2_GATE_STATUS" != "true" ]]; then
42+
echo "::error::Releasable tag promotion is blocked until PR-2 security/retirement gates pass."
43+
echo "::error::Set repository variable CHARON_PR2_GATES_PASSED=true only after PR-2 approval."
44+
exit 1
45+
fi
46+
3547
- name: Set up Go
3648
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
3749
with:
3850
go-version: ${{ env.GO_VERSION }}
51+
cache-dependency-path: backend/go.sum
3952

4053
- name: Set up Node.js
4154
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
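Review bot: the promotion guard on lines 36-46 reads `CHARON_PR2_GATES_PASSED` out of a JSON dump of every repository variable (`REPO_VARS_JSON: ${{ toJSON(vars) }}`) when `${{ vars.CHARON_PR2_GATES_PASSED }}` would hand the step just the one value, and the dump places all repository variables into that step's environment. The larger issue is that the gate is a single sticky repository-wide boolean: once set to `true` it approves every subsequent tag until someone remembers to reset it, so a one-time PR-2 approval becomes permanent. Suggest scoping the approval to the tag or commit being promoted (a variable holding the approved tag name compared against `github.ref_name`) or resetting the variable as the final step of a successful release. The `cache-dependency-path: backend/go.sum` addition on line 51 is fine.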

.github/workflows/renovate.yml

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ jobs:
2525
fetch-depth: 1
2626

2727
- name: Run Renovate
28-
uses: renovatebot/github-action@d65ef9e20512193cc070238b49c3873a361cd50c # v46.1.1
28+
uses: renovatebot/github-action@8d75b92f43899d483728e9a8a7fd44238020f6e6 # v46.1.2
2929
with:
3030
configurationFile: .github/renovate.json
3131
token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}

.github/workflows/security-pr.yml

Lines changed: 2 additions & 2 deletions
@@ -174,7 +174,7 @@ jobs:
174174
- name: Download PR image artifact
175175
if: steps.check-artifact.outputs.artifact_exists == 'true'
176176
# actions/download-artifact v4.1.8
177-
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
177+
uses: actions/download-artifact@ac21fcf45e0aaee541c0f7030558bdad38d77d6c
178178
with:
179179
name: ${{ steps.pr-info.outputs.is_push == 'true' && 'push-image' || format('pr-image-{0}', steps.pr-info.outputs.pr_number) }}
180180
run-id: ${{ steps.check-artifact.outputs.run_id }}
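Review bot: the SHA pin for `actions/download-artifact` changes on line 177, but the comment directly above it still reads `# actions/download-artifact v4.1.8`, so the human-readable version no longer necessarily matches the pinned commit and a reviewer cannot audit the pin without resolving the SHA. Update the comment to the release the new SHA corresponds to; the renovate workflow hunk in this same commit shows the more robust form, with the version tag on the same line as the SHA.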
@@ -280,7 +280,7 @@ jobs:
280280
- name: Upload Trivy SARIF to GitHub Security
281281
if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
282282
# github/codeql-action v4
283-
uses: github/codeql-action/upload-sarif@710e2945787622b429f8982cacb154faa182de18
283+
uses: github/codeql-action/upload-sarif@cb4e075f119f8bccbc942d49655b2cd4dc6e615a
284284
with:
285285
sarif_file: 'trivy-binary-results.sarif'
286286
category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
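Review bot: same pattern as the previous hunk: the `upload-sarif` SHA changes on line 283 while the comment `# github/codeql-action v4` gives only the major version, which does not identify which release the new commit is. Suggest recording the exact version tag next to the SHA so pin updates are reviewable at a glance.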

.pre-commit-config.yaml

Lines changed: 1 addition & 1 deletion
@@ -113,7 +113,7 @@ repos:
113113
stages: [manual] # Only runs when explicitly called
114114
- id: frontend-type-check
115115
name: Frontend TypeScript Check
116-
entry: bash -c 'cd frontend && npm run type-check'
116+
entry: bash -c 'cd frontend && npx tsc --noEmit'
117117
language: system
118118
files: '^frontend/.*\.(ts|tsx)$'
119119
pass_filenames: false
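Review bot: replacing `npm run type-check` with `npx tsc --noEmit` on line 116 changes the trust model of the hook: `npm run` only executes the project's own script with the locally installed `tsc`, whereas `npx` may, when `tsc` is not present in `node_modules/.bin`, fetch the latest `typescript` package from the registry and run it (without a prompt in a non-interactive run). For a pre-commit hook on a repository that already pins its dependencies, prefer `npx --no tsc --noEmit` (or `npm exec --no -- tsc --noEmit`) so the hook fails instead of installing, or keep the script entry and fix the `type-check` script if that was the motivation for the change.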

.version

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
v0.19.0
1+
v0.19.1

.vscode/tasks.json

Lines changed: 7 additions & 0 deletions
@@ -724,6 +724,13 @@
724724
"group": "test",
725725
"problemMatcher": []
726726
},
727+
{
728+
"label": "Security: Caddy PR-1 Compatibility Matrix",
729+
"type": "shell",
730+
"command": "cd /projects/Charon && bash scripts/caddy-compat-matrix.sh --candidate-version 2.11.1 --patch-scenarios A,B,C --platforms linux/amd64,linux/arm64 --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health --output-dir test-results/caddy-compat --docs-report docs/reports/caddy-compatibility-matrix.md",
731+
"group": "test",
732+
"problemMatcher": []
733+
},
727734
{
728735
"label": "Test: E2E Playwright (Skill)",
729736
"type": "shell",
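Review bot: the new task's `command` on line 730 hardcodes `cd /projects/Charon`, an absolute path specific to one developer's machine, in a checked-in `.vscode/tasks.json`; on any other checkout the task fails or, worse, runs the matrix script from a different clone. Use `${workspaceFolder}` (or the task's `options.cwd` field) instead, and consider moving the long fixed argument list into the script's own defaults so the task invocation stays readable.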

Dockerfile

Lines changed: 28 additions & 7 deletions
@@ -16,6 +16,9 @@ ARG BUILD_DEBUG=0
1616
## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
1717
## If the requested tag isn't available, fall back to a known-good v2.11.0-beta.2 build.
1818
ARG CADDY_VERSION=2.11.0-beta.2
19+
ARG CADDY_CANDIDATE_VERSION=2.11.1
20+
ARG CADDY_USE_CANDIDATE=0
21+
ARG CADDY_PATCH_SCENARIO=B
1922
## When an official caddy image tag isn't available on the host, use a
2023
## plain Alpine base image and overwrite its caddy binary with our
2124
## xcaddy-built binary in the later COPY step. This avoids relying on
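Review bot: the comment on lines 16-17 still describes only `CADDY_VERSION` and its fallback, while three new ARGs are added below it without explanation; and because `CADDY_USE_CANDIDATE` defaults to `0`, an image built with no build args still uses `CADDY_VERSION=2.11.0-beta.2`, not the 2.11.1 named in the commit title. Extend the comment to say what `CADDY_CANDIDATE_VERSION`, `CADDY_USE_CANDIDATE` and `CADDY_PATCH_SCENARIO` control and which build (compatibility matrix vs. release) is expected to pass `CADDY_USE_CANDIDATE=1`, so the title does not imply a default the Dockerfile does not set.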
@@ -196,6 +199,9 @@ FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS caddy-builder
196199
ARG TARGETOS
197200
ARG TARGETARCH
198201
ARG CADDY_VERSION
202+
ARG CADDY_CANDIDATE_VERSION
203+
ARG CADDY_USE_CANDIDATE
204+
ARG CADDY_PATCH_SCENARIO
199205
# renovate: datasource=go depName=github.com/caddyserver/xcaddy
200206
ARG XCADDY_VERSION=0.4.5
201207

@@ -213,10 +219,16 @@ RUN --mount=type=cache,target=/go/pkg/mod \
213219
RUN --mount=type=cache,target=/root/.cache/go-build \
214220
--mount=type=cache,target=/go/pkg/mod \
215221
sh -c 'set -e; \
222+
CADDY_TARGET_VERSION="${CADDY_VERSION}"; \
223+
if [ "${CADDY_USE_CANDIDATE}" = "1" ]; then \
224+
CADDY_TARGET_VERSION="${CADDY_CANDIDATE_VERSION}"; \
225+
fi; \
226+
echo "Using Caddy target version: v${CADDY_TARGET_VERSION}"; \
227+
echo "Using Caddy patch scenario: ${CADDY_PATCH_SCENARIO}"; \
216228
export XCADDY_SKIP_CLEANUP=1; \
217229
echo "Stage 1: Generate go.mod with xcaddy..."; \
218230
# Run xcaddy to generate the build directory and go.mod
219-
GOOS=$TARGETOS GOARCH=$TARGETARCH xcaddy build v${CADDY_VERSION} \
231+
GOOS=$TARGETOS GOARCH=$TARGETARCH xcaddy build v${CADDY_TARGET_VERSION} \
220232
--with github.com/greenpau/caddy-security \
221233
--with github.com/corazawaf/coraza-caddy/v2 \
222234
--with github.com/hslatman/caddy-crowdsec-bouncer@v0.10.0 \
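Review bot: the candidate selection on lines 223-225 accepts only the literal `1`; any other value of `CADDY_USE_CANDIDATE` (`true`, `yes`, a typo) silently builds `CADDY_VERSION` instead, and the only trace is the `echo` on line 226. The patch-scenario block later in this same RUN rejects unknown values with `exit 1`; apply the same fail-closed handling here (`0` or `1`, anything else aborts the build).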
@@ -239,12 +251,21 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
239251
go get github.com/expr-lang/expr@v1.17.7; \
240252
# renovate: datasource=go depName=github.com/hslatman/ipstore
241253
go get github.com/hslatman/ipstore@v0.4.0; \
242-
# NOTE: smallstep/certificates (pulled by caddy-security stack) currently
243-
# uses legacy nebula APIs removed in nebula v1.10+, which causes compile
244-
# failures in authority/provisioner. Keep this pinned to a known-compatible
245-
# v1.9.x release until upstream stack supports nebula v1.10+.
246-
# renovate: datasource=go depName=github.com/slackhq/nebula
247-
go get github.com/slackhq/nebula@v1.9.7; \
254+
if [ "${CADDY_PATCH_SCENARIO}" = "A" ]; then \
255+
# Rollback scenario: keep explicit nebula pin if upstream compatibility regresses.
256+
# NOTE: smallstep/certificates (pulled by caddy-security stack) currently
257+
# uses legacy nebula APIs removed in nebula v1.10+, which causes compile
258+
# failures in authority/provisioner. Keep this pinned to a known-compatible
259+
# v1.9.x release until upstream stack supports nebula v1.10+.
260+
# renovate: datasource=go depName=github.com/slackhq/nebula
261+
go get github.com/slackhq/nebula@v1.9.7; \
262+
elif [ "${CADDY_PATCH_SCENARIO}" = "B" ] || [ "${CADDY_PATCH_SCENARIO}" = "C" ]; then \
263+
# Default PR-2 posture: retire explicit nebula pin and use upstream resolution.
264+
echo "Skipping nebula pin for scenario ${CADDY_PATCH_SCENARIO}"; \
265+
else \
266+
echo "Unsupported CADDY_PATCH_SCENARIO=${CADDY_PATCH_SCENARIO}"; \
267+
exit 1; \
268+
fi; \
248269
# Clean up go.mod and ensure all dependencies are resolved
249270
go mod tidy; \
250271
echo "Dependencies patched successfully"; \
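Review bot: scenarios `B` and `C` take the same branch on line 262 and differ only in the text of the echo, so the compatibility matrix task added in `.vscode/tasks.json` with `--patch-scenarios A,B,C` will build identical binaries for B and C from this Dockerfile; either document what C is meant to vary (and implement it) or drop it from the accepted values so the matrix does not report a distinction that does not exist. Separately, the `# renovate: datasource=go depName=github.com/slackhq/nebula` marker now sits inside the scenario-A branch, so Renovate will keep proposing bumps to a pin that only the rollback path uses; confirm that is intended or move the pin out of Renovate's scope.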
