Skip to content

Commit 8895f5c

Browse files
committed
fix(ci): extend no-cache-filters to caddy-builder and crowdsec-builder in e2e workflow
Prevents stale GHA BuildKit layer cache from serving outdated caddy-builder and crowdsec-builder stage outputs in e2e-tests-split.yml, mirroring the same fix already applied to nightly-build.yml for CVE-2026-45135. Also corrects a stale fallback version comment in Dockerfile (v2.11.3 → v2.11.4) and updates SECURITY.md to mark CVE-2026-45135 as fully remediated across all affected build workflows.
1 parent 3febf21 commit 8895f5c

4 files changed

Lines changed: 19 additions & 11 deletions

File tree

.github/workflows/e2e-tests-split.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -184,6 +184,7 @@ jobs:
184184
tags: ${{ steps.resolve-image.outputs.image_tag }}
185185
cache-from: type=gha
186186
cache-to: type=gha,mode=max
187+
no-cache-filters: caddy-builder,crowdsec-builder
187188

188189
- name: Save Docker image
189190
if: steps.resolve-image.outputs.image_source == 'build'

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ ARG NPM_VERSION=11.16.0
3737
# avoid accidentally pulling a v3 major release. Renovate can still update
3838
# this ARG to a specific v2.x tag when desired.
3939
## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
40-
## If the requested tag isn't available, fall back to a known-good v2.11.3 build.
40+
## If the requested tag isn't available, fall back to a known-good v2.11.4 build.
4141
# renovate: datasource=go depName=github.com/caddyserver/caddy/v2
4242
ARG CADDY_VERSION=2.11.4
4343
# renovate: datasource=go depName=github.com/caddyserver/caddy/v2

SECURITY.md

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -241,13 +241,13 @@ Charon users is negligible since the vulnerable code path is not exercised.
241241

242242
---
243243

244-
### [HIGH] CVE-2026-45135 · Caddy FastCGI Unsafe Unicode Handling in splitPos
244+
### [HIGH] CVE-2026-45135 · Caddy FastCGI Unsafe Unicode Handling in splitPos
245245

246246
| Field | Value |
247247
|--------------|-------|
248248
| **ID** | CVE-2026-45135 |
249249
| **Severity** | High · 8.1 |
250-
| **Status** | Fix deployed`no-cache-filter: caddy-builder` added to nightly workflow |
250+
| **Status** | Fully remediated`no-cache-filters: caddy-builder,crowdsec-builder` applied to nightly and E2E build workflows |
251251

252252
**What**
253253
Caddy v2.11.2 contains unsafe Unicode handling in the FastCGI `splitPos` function. A
@@ -280,10 +280,11 @@ prior nightly run despite the ARG value change — a known edge case where GHA c
280280
loses ARG-scoped metadata, preventing proper cache key invalidation.
281281

282282
**Remediation Applied**
283-
Added `no-cache-filter: caddy-builder` to the `build-and-push-nightly` job in
284-
`.github/workflows/nightly-build.yml`. This forces the `caddy-builder` stage to rebuild from
285-
scratch on every nightly run, bypassing the GHA layer cache for that stage. All other stages
286-
continue to benefit from the cache.
283+
Added `no-cache-filters: caddy-builder,crowdsec-builder` to the `build-and-push-nightly` job in
284+
`.github/workflows/nightly-build.yml` and to the `Build Docker image` step in
285+
`.github/workflows/e2e-tests-split.yml`. This forces both the `caddy-builder` and
286+
`crowdsec-builder` stages to rebuild from scratch on every nightly and E2E build run, bypassing
287+
the GHA layer cache for those stages. All other stages continue to benefit from the cache.
287288

288289
---
289290

docs/plans/current_spec.md

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,14 @@
1-
# Fix: Flash of Unstyled Content (FOUC) / Forced Layout Warning
1+
---
2+
goal: Fix CVE-2026-45135 — Ensure CI detects Caddy v2.11.4 not stale v2.11.2 in all build workflows
3+
version: 1.0
4+
date_created: 2026-06-08
5+
status: 'Planned'
6+
tags: [fix, security, infrastructure]
7+
---
8+
9+
# Fix CVE-2026-45135: Caddy FastCGI Unsafe Unicode Handling
210

3-
**Status:** Draft
4-
**Date:** 2026-06-05
5-
**Target Files:** `frontend/index.html`, `frontend/src/context/ThemeContext.tsx`, `frontend/src/i18n.ts`, `frontend/src/main.tsx`, `frontend/src/index.css`
11+
![Status: Planned](https://img.shields.io/badge/status-Planned-blue)
612

713
---
814

0 commit comments

Comments
 (0)