Commit cfb4a0f

Authored by: github-actions[bot], Wikid82, renovate[bot], actions-user, claude
Weekly: Promote nightly to main (2026-06-15) (#1076)
* chore(deps): update github-actions-non-major
* chore(deps): update go-non-major
* chore(deps): update npm-non-major
* fix: regenerate lockfile to restore missing eslint and vite package entries

  Renovate's automated update regenerated package-lock.json incorrectly, omitting top-level node_modules entries for eslint and vite. This caused npm ci to fail in CI during dependency installation. Regenerating with Node v22.22.1 and npm v11.16.0 restores the correct entries.

* fix(security): restore stale Grype code scanning pipeline

  The supply-chain Grype scan last ran on Feb 4, 2026 due to a cascade of compounding failures. This commit resolves all root causes:

  - Twelve .trivyignore CVE suppressions expired between Apr 30 and May 25, causing the Trivy PR gate to block all PR merges and starve the pipeline of push events. All entries extended 60–90 days with appropriate review comments; no entry exceeds Sep 1, 2026.
  - Ten .grype.yaml suppressions also expired in May, meaning Grype scans that did run would immediately fail on HIGH findings and produce no fresh SARIF. All entries extended with matching dates.
  - The supply-chain-pr.yml job condition had a dead workflow_run branch and was missing the push and schedule event names, silently skipping the verify-supply-chain job on every push to main. Added push and schedule to the condition.
  - Added a weekly schedule trigger (Mondays at 02:00 UTC) so scans run regardless of PR activity. Added development to push branches to match docker-build.yml scope.
  - Removed continue-on-error: true from the SARIF upload step so upload failures surface as visible workflow failures rather than silent no-ops.
  - Simplified concurrency.group to remove dead workflow_run expressions.

  Refs: GitHub Code Scanning "last scanned Feb 4, 2026" alert

* fix(deps): update Renovate configuration to correctly map gopkg.in/yaml.v3
* chore(deps): update go-non-major
* fix(deps): update Caddy version to 2.11.4 in Dockerfile
* fix(deps): update prometheus/common to v0.68.1
* fix(deps): update @tanstack/react-query to v5.101.0 and axios to v1.17.0
* fix(deps): update Go version to 1.26.4 in settings, Dockerfile, and module files
* fix(deps): update Syft version to v1.45.0 in multiple workflows and scripts
* fix(theme): prevent flash of unstyled content on page load

  Add anti-FOUC inline script to index.html that applies the stored theme class synchronously before React mounts. Switch ThemeContext to useLayoutEffect for synchronous class application, add explicit light-mode CSS overrides, update CSP to allowlist the inline script hash, and add a Playwright regression suite.

* fix(dep): update grype version to 0.113.0
* fix(go): align all workflow and VS Code go.goroot references to 1.26.4

  Update GO_VERSION from 1.26.3 to 1.26.4 in all 9 CI workflow files and fix go.goroot in .vscode/settings.json to point to /usr/local/go where 1.26.4 is installed, replacing the missing sdk/go1.26.4 path.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(deps): update go-non-major to v1.75.0
* fix(ci): resolve Go toolchain mismatch in CodeQL and all CI workflows

  Switch setup-go from go-version env var to go-version-file: backend/go.mod so the action reads the required version directly from go.mod instead of relying on a cached toolchain version that may lag behind. Change GOTOOLCHAIN from auto to local across all workflows so Go uses exactly the version installed by setup-go without attempting auto-downloads that can silently fall back to an older release.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(sec): patch CVE-2026-40898 in buger/jsonparser via crowdsec-builder

  Upgrades github.com/buger/jsonparser to v1.1.2 in the CrowdSec dependency patch block to fix a panic in Delete() caused by a negative slice index on malformed JSON input. Affects both the crowdsec and cscli binaries.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(deps): update go-non-major
* chore(deps): update i18next version to 26.3.1
* chore(deps): update github-actions-non-major
* chore(deps): update go-non-major
* fix(deps): update npm-non-major to ^7.17.0
* fix(sec): patch CVE-2026-40898 in buger/jsonparser via caddy-builder

  Adds go get github.com/buger/jsonparser@v1.2.0 to the xcaddy build stage. The Caddy binary embeds buger/jsonparser transitively through caddy-crowdsec-bouncer -> crowdsec, which Trivy flags as a blocker. The crowdsec-builder stage already had this pin; this closes the gap in the caddy-builder stage.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(sec): patch CVE-2026-40898 (quic-go QPACK) in crowdsec-builder

  CVE-2026-40898 / GHSA-vvgj-x9jq-8cj9 is a quic-go HTTP/3 QPACK Trailer Expansion Memory Exhaustion, fixed in github.com/quic-go/quic-go@v0.59.1. CrowdSec v1.7.8 embeds quic-go v0.57.0; this is what Trivy flags as 2 blockers (crowdsec + cscli binaries). Caddy already resolves v0.59.1 through its own module graph and is unaffected. Also corrects the caddy-builder comment for buger/jsonparser, which was incorrectly attributed to CVE-2026-40898 in the prior commit.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(sec): suppress GO-2024-2565, GO-2024-2557, GO-2026-4518 in grype/trivy

  Three new findings block CI on the development branch:

  - GO-2024-2565 / CVE-2024-21495 (CRITICAL): Insufficient randomness in caddy-security. FALSE POSITIVE — Go vulndb has no fixed version recorded, but per Snyk/NVD the fix shipped in v1.0.42; we run v1.1.62. Suppressed with documented rationale pending Go vulndb update.
  - GO-2024-2557 / CVE-2024-21492 (HIGH): Insufficient session expiration in caddy-security. No upstream fix; stateless JWT architecture means no server-side revocation. JWT TTL bounds exploitation window. Risk accepted.
  - GO-2026-4518 (HIGH): Go vulndb alias for the pgproto3/v2 DataRow negative field length panic already suppressed under GHSA-jqcq-xjh3-6g23 / CVE-2026-4427. Same EOL-module rationale applies.

  All entries include expiry dates (2026-09-05 for caddy-security, 2026-09-01 for pgproto3) and removal criteria. .trivyignore updated for the two CVE IDs.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(dep): update syft to v1.45.1 in multiple workflows
* fix(dep): update knip to v6.16.0
* fix(dep): update bytedance/sonic to v1.15.2 and mattn/go-sqlite3 to v1.14.45
* chore: add Claude Code configuration from .github copilot files

  Convert the project's GitHub Copilot configuration into native Claude Code equivalents so the same team conventions, agent roles, and slash commands work out-of-the-box in Claude Code sessions.

  - CLAUDE.md — project-wide instructions adapted from copilot-instructions.md; covers architecture rules, backend/frontend workflows, DoD checklist, and a quick-reference skills table
  - .claude/agents/ — nine specialized subagents (management, planning, supervisor, backend-dev, frontend-dev, qa-security, devops, docs-writer, playwright-dev) translated from .github/agents/*.agent.md, with VS Code-specific frontmatter removed and references updated to CLAUDE.md
  - .claude/commands/ — five slash commands translated from .github/prompts/: /create-implementation-plan, /debug-web-console-errors, /supply-chain-remediation, /playwright-generate-test, /fix-patch-coverage

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(frontend): remove deprecated Firefox CSS and add modern browserslist targets (#1060)

  Remove -moz-osx-font-smoothing (Firefox never supported it; -webkit-font-smoothing already handles Chrome/Safari). Add .browserslistrc targeting modern browsers so autoprefixer stops emitting legacy -moz- vendor prefixes eliminated from Firefox ESR+.

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: update ignore files
* fix(dep): update npm deps to latest versions
* chore(deps): update dependency anchore/syft to v1.45.1 (#1061)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore(deps): update dependency anchore/grype to v0.114.0 (#1062)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* fix(dep): update codecov action
* chore(docker): update GeoLite2-Country.mmdb checksum (#1064)

  Automated checksum update for GeoLite2-Country.mmdb database.

  Old: c77ac1d7e64b3fcd1447045615fc3aefb3ed886e176608c568b01f29f955e21a
  New: abce3a42f4f6bfb2c90cded582341da6764f5e152782ce6c832bc8fa1d873778

  Auto-generated by: .github/workflows/update-geolite2.yml

  Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>

* fix(assets): serve banner.webp and use picture element for optimized image delivery (#1063)

  * fix(assets): serve banner.webp and use picture element for optimized image delivery

    Register /banner.webp, /banner.svg, /logo.webp, and /logo.svg as static routes so browsers receive WebP variants with correct MIME types instead of falling through to index.html. Replace the bare <img src="/banner.png"> in the sidebar with a <picture> element that serves the 74%-smaller WebP to capable browsers and falls back to PNG, eliminating NS_BINDING_ABORTED caused by the 1.2 MB PNG stalling under load.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  * chore: remove tracked worktree gitlink and ignore .claude/worktrees/

    The .claude/worktrees/enumerated-snacking-parnas path was committed as a gitlink (unregistered submodule), causing `git submodule foreach` to exit with code 128 and failing Codecov upload steps in CI. Remove it from the index and add .claude/worktrees/ to .gitignore so future worktrees are never inadvertently staged.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(deps): bump quic-go, maxminddb, and sqlite dependencies
* chore(deps): bump knip from 6.16.0 to 6.16.1
* docs: add no-worktrees instruction to CLAUDE.md
* chore(deps): bump react-hook-form and eslint-plugin-unicorn
* chore: ignore gorilla/websocket in renovate updates
* fix(deps): add Renovate sourceUrl overrides for gin packages (#1065)

  * chore(deps): bump quic-go, maxminddb, and sqlite dependencies
  * fix(deps): add sourceUrl overrides for gin packages in Renovate config

    Renovate fails to resolve github.com/gin-gonic/gin and its sibling packages gin-contrib/gzip and gin-contrib/sse with a "no-result" error. Adds three sourceUrl packageRules entries following the established pattern already present for google/uuid, gorm.io/gorm, and other Go packages in this repo.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: clean node_modules before npm install in update script
* chore(frontend): bump typescript-eslint to 8.61.0 and update deps
* chore: bump dev dependencies (obug, semver, tinyexec)
* chore(deps): bump golang.org/x/sys from v0.45.0 to v0.46.0
* chore(deps): bump golang.org/x and modernc.org dependencies
* fix(ci): pass pr_number when dispatching security-pr.yml from weekly promotion

  The trigger-required-checks job in weekly-nightly-promotion.yml dispatched security-pr.yml without providing the required pr_number input, causing HttpError: Required input 'pr_number' not provided. The fix resolves the PR number from the create-promotion-pr job output and passes it as an input when dispatching the security workflow.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): extend no-cache-filters to caddy-builder and crowdsec-builder in e2e workflow

  Prevents stale GHA BuildKit layer cache from serving outdated caddy-builder and crowdsec-builder stage outputs in e2e-tests-split.yml, mirroring the same fix already applied to nightly-build.yml for CVE-2026-45135. Also corrects a stale fallback version comment in Dockerfile (v2.11.3 → v2.11.4) and updates SECURITY.md to mark CVE-2026-45135 as fully remediated across all affected build workflows.

* chore: bump prettier from 3.8.3 to 3.8.4
* chore(deps): bump eslint-plugin-unicorn to 65.0.1
* fix(dockerfile): gate Delve install on BUILD_DEBUG, pin x/sys for GO-2026-5024

  Production builds now install a harmless stub instead of Delve to avoid shipping golang.org/x/sys < v0.27.0 (GO-2026-5024). Debug builds pin golang.org/x/sys to v0.46.0 via a temporary module before installing dlv.

* fix(entrypoint): gracefully handle production dlv stub when CHARON_DEBUG=1

  The GO-2026-5024 fix replaced the Delve binary with a shell stub in production images. When CI integration tests run with CHARON_DEBUG=1, the entrypoint tried to launch `dlv exec /app/charon`, the stub exited immediately with code 1, APP_PID captured the dead stub PID, and the wait loop triggered container shutdown before Charon ever started. Guard the Delve path with `dlv version` — real Delve exits 0, the stub exits 1 — and fall back to direct execution when the stub is detected.

* chore(deps): update go-non-major (#1058)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  Co-authored-by: Jeremy <jhatfield82@gmail.com>

* chore(deps): update github-actions-non-major to v46.1.15 (#1067)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  Co-authored-by: Jeremy <jhatfield82@gmail.com>

* fix(deps): update go-non-major to v0.7.2 (#1068)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore(deps): update alpine docker tag to v3.24.0 (#1069)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore(deps): bump go-pkcs12 from v0.7.1 to v0.7.2
* chore: bump semver from 7.8.3 to 7.8.4
* chore(deps): bump frontend dev dependencies to latest patch versions
* chore: replace eslint-plugin-react-compiler with react-hooks built-in
* fix(frontend): unregister auth error handler on AuthProvider unmount (#1070)

  Issue #579 reported that page reload did not redirect to /login when the session expired. Root-cause tracing showed the reload guard already works on development (all 16 auth E2E tests pass), but the trace surfaced a real hazard: the axios 401 interceptor kept a stale handler closure after AuthProvider unmounted. setAuthErrorHandler now accepts null and the provider unregisters its handler on unmount. Adds regression tests for RequireAuth, AuthContext mount/unmount handler lifecycle, and the client interceptor null-handler path.

  Closes #579

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

* chore: bump golang.org/x/net from v0.55.0 to v0.56.0
* chore: bump @napi-rs/wasm-runtime from 1.1.4 to 1.1.5
* chore: bump frontend dev dependencies to latest versions
* chore: add Docker Scout CLI install script
* fix(docker): move frontend builder to node alpine3.24 base to clear critical/high base-image CVEs

  The pinned node:24.16.0-alpine (alpine 3.23) base was flagged with 1 critical and 8 high vulnerabilities. Repin to the freshly published alpine 3.24 variant, which also aligns the builder with the alpine 3.24 runtime base. Remaining openssl advisories (CVE-2026-45447) are patched in-stage by the existing apk upgrade step; the rebuilt stage scans clean for critical/high findings.

* chore: bump @types/node from 25.9.2 to 25.9.3
* chore: remove lint step from npm_update script
* chore: enhance go_update.sh with vuln checks and test runs

  - Auto-install govulncheck if missing
  - Update go/toolchain directives before deps
  - Include test dependencies with -t flag
  - Run tests and govulncheck after each module update

* fix(go_update): simplify PATH export and remove redundant list cmd
* chore(renovate): group Dockerfile ARG updates separately from Go/NPM

  - Replace Go github-tags Dockerfile fallback rule with a generic custom.regex + Dockerfile filename matcher
  - New group: dockerfile-non-major with "dockerfile" label
  - Preserves npm-non-major grouping rule unchanged

* chore(deps): update go-non-major to v0.56.0 (#1071)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore: update acorn from 8.16.0 to 8.17.0
* chore: bump frontend deps (acorn, caniuse-lite, enhanced-resolve)
* chore: bump felixge/httpsnoop from v1.0.4 to v1.1.0
* chore: update frontend lock file dependencies
* fix(security): prepare for npm v12 breaking changes (#1072)

  * chore(ci): bump e2e workflow Node to 24.12.0 and track NODE_VERSION via Renovate

    Node 20 is EOL and will be unsupported by npm 12. Adds a Renovate custom manager so all workflow NODE_VERSION pins receive update PRs.

  * fix(security): disable dependency install scripts for all npm installs

    Adopts npm v12's secure default today: every npm ci/install call site (CI workflows, Dockerfile, Makefile, scripts, package.json pre-hooks) now passes --ignore-scripts, and unrs-resolver's postinstall is explicitly denied via allowScripts (it ships prebuilt binaries; the script is only a fallback build). Verified: clean installs, frontend build, type-check, and full unit suite all pass with scripts disabled.

  ---------

  Co-authored-by: GitHub Actions <actions@github.com>

* chore: bump eslint-plugin-security to 4.0.1
* chore: bump npm to 11.17.0
* chore(frontend): bump lucide-react, tailwindcss, and eslint deps
* chore: bump obug from 2.1.2 to 2.1.3
* chore(deps): bump modernc.org/libc from v1.73.0 to v1.73.1
* chore: fix renovate datasource config for expr-lang/expr
* chore(deps): bump react-hook-form from 7.78.0 to 7.79.0
* chore(deps): update npm-non-major to ^10.5.0 (#1073)

  * chore(deps): update npm-non-major to ^10.5.0
  * fix: regenerate frontend lock file to restore missing eslint@10.5.0 entries

    Renovate's automated update removed top-level node_modules entries for eslint@10.5.0 (and transitive deps eslint-visitor-keys, ignore) from frontend/package-lock.json, causing all CI jobs to fail at npm ci.

  ---------

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  Co-authored-by: GitHub Actions <actions@github.com>

* chore: bump regjsparser from 0.13.1 to 0.13.2
* chore: update go.work.sum with golang.org/x/term v0.44.0
* chore(deps): bump modernc.org/libc from v1.73.1 to v1.73.3
* chore: bump @csstools/css-color-parser to 4.1.4
* chore(deps): update eslint-plugin-unicorn to v66 and react-refresh to v0.5.3
* chore(docker): update GeoLite2-Country.mmdb checksum (#1074)

  Automated checksum update for GeoLite2-Country.mmdb database.

  Old: abce3a42f4f6bfb2c90cded582341da6764f5e152782ce6c832bc8fa1d873778
  New: 11b88595d026953920668d91f6d531057b397f05170237fc98a13a8b051ab861

  Auto-generated by: .github/workflows/update-geolite2.yml

  Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>

---------

Co-authored-by: Jeremy <jhatfield82@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: GitHub Actions <actions@github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>
1 parent 70d3b3b commit cfb4a0f

34 files changed

Lines changed: 1537 additions & 1136 deletions
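The GO-2026-5024 and CVE-2026-40898 entries in the commit message above both depend on a version pin actually reaching the built binary (golang.org/x/sys via a temporary module before `dlv` is installed, buger/jsonparser via `go get` in the builder stages). The check that closes that loop is `go version -m <binary>`, which prints the module versions Go recorded in the binary at link time, including `=>` replace lines. The POSIX shell script below is an added example, not code from this commit or the Charon project: it reads that listing from stdin and compares the recorded version of one module against a minimum, so it can run as a Dockerfile `RUN` step or a CI check right after the build. The binary paths and the two module listings are constructed for the example; real `go version -m` output is tab-separated, which awk's default field splitting handles the same way as the spaces used here.

```shell
#!/bin/sh
# Added example: verify a Go binary links a module at or above a minimum version.
# Real usage (path assumed):
#   go version -m /app/charon | check_min_version golang.org/x/sys v0.27.0

# version_ge A B: exit 0 if A >= B, comparing dot-separated numeric fields.
# A leading "v" and any pre-release/build suffix (-rc1, +meta) are dropped, so
# v0.27.0-rc1 compares equal to v0.27.0; treat that as a known limitation.
version_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_min_version MODULE MIN: read `go version -m` output on stdin.
# A "=>" replace line follows the "dep" line it overrides and wins over it.
# Exit 0 if MODULE is absent or at least MIN, exit 1 if it is older.
check_min_version() {
  mod="$1" min="$2"
  found=$(awk -v mod="$mod" '
    $1 == "dep"               { last = $2; if ($2 == mod) v = $3 }
    $1 == "=>" && last == mod { v = $3 }
    END { print v }')
  if [ -z "$found" ]; then
    echo "$mod: not linked into this binary"
    return 0
  fi
  if version_ge "$found" "$min"; then
    echo "$mod $found: ok (>= $min)"
    return 0
  fi
  echo "$mod $found: VULNERABLE (< $min)" >&2
  return 1
}

# Constructed sample: a debug-image dlv where the x/sys pin took effect and
# jsonparser was swapped in through a replace directive.
SAMPLE_PATCHED='/go/bin/dlv: go1.26.4
        path    github.com/go-delve/delve/cmd/dlv
        mod     github.com/go-delve/delve       v1.26.3 h1:constructed
        dep     golang.org/x/sys                v0.46.0 h1:constructed
        dep     github.com/buger/jsonparser     v1.1.1  h1:constructed
        =>      github.com/buger/jsonparser     v1.2.0  h1:constructed
        build   -buildmode=exe'

# Constructed sample: a dlv that still links x/sys below the GO-2026-5024 floor.
SAMPLE_VULNERABLE='/go/bin/dlv: go1.26.4
        path    github.com/go-delve/delve/cmd/dlv
        mod     github.com/go-delve/delve       v1.26.3 h1:constructed
        dep     golang.org/x/sys                v0.26.0 h1:constructed
        dep     golang.org/x/net                v0.56.0 h1:constructed
        build   -buildmode=exe'

printf '%s\n' "$SAMPLE_PATCHED" | check_min_version golang.org/x/sys v0.27.0
printf '%s\n' "$SAMPLE_PATCHED" | check_min_version github.com/buger/jsonparser v1.2.0
printf '%s\n' "$SAMPLE_VULNERABLE" | check_min_version golang.org/x/sys v0.27.0 \
  || echo "second sample flagged as expected"
```

Chaining this after the build (`go version -m /go/bin/dlv | check_min_version golang.org/x/sys v0.27.0` inside the same `RUN`) makes the image build fail instead of relying on a later scanner to notice that a pin silently had no effect.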

.docker/docker-entrypoint.sh

Lines changed: 10 additions & 1 deletion
@@ -414,9 +414,18 @@ if [ ! -f "$bin_path" ]; then
414414
fi
415415

416416
if [ "$DEBUG_FLAG" = "1" ]; then
417+
# Verify that /usr/local/bin/dlv is a real Delve binary, not the production stub
418+
# (production images ship a shell stub that exits 1 to satisfy the COPY instruction
419+
# without embedding the vulnerable golang.org/x/sys < v0.27.0 — GO-2026-5024).
420+
# Real Delve exits 0 on `dlv version`; the stub exits 1.
421+
if ! /usr/local/bin/dlv version >/dev/null 2>&1; then
422+
echo "Note: Delve not available in this image (production build, GO-2026-5024 mitigation)."
423+
echo " Running Charon directly. To enable remote debugging, rebuild with:"
424+
echo " docker build --build-arg BUILD_DEBUG=1 ..."
425+
run_as_charon "$bin_path" &
417426
# Check if binary has debug symbols (required for Delve)
418427
# objdump -h lists section headers; .debug_info is present if DWARF symbols exist
419-
if command -v objdump >/dev/null 2>&1; then
428+
elif command -v objdump >/dev/null 2>&1; then
420429
if ! objdump -h "$bin_path" 2>/dev/null | grep -q '\.debug_info'; then
421430
echo "⚠️ WARNING: Binary lacks debug symbols (DWARF info stripped)."
422431
echo " Delve debugging will NOT work with this binary."
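Review bot: the guard `if ! /usr/local/bin/dlv version >/dev/null 2>&1` treats every non-zero exit as "production stub", so a missing binary (exit 127) or a real Delve built for the wrong architecture (exec format error) is also reported as the GO-2026-5024 mitigation and Charon quietly starts without the debugger. The stub is documented in the same hunk as exiting exactly 1, so capture the status and only print the production-build note for that case: run `/usr/local/bin/dlv version >/dev/null 2>&1; rc=$?`, then branch on `[ "$rc" -eq 1 ] && [ -x /usr/local/bin/dlv ]` for the stub message and print `dlv present but unusable (exit $rc)` otherwise. That turns a broken debug image into a visible error instead of a silent fallback to direct execution.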

.github/renovate.json

Lines changed: 28 additions & 18 deletions
@@ -225,6 +225,19 @@
225225
"datasourceTemplate": "golang-version",
226226
"versioningTemplate": "semver"
227227
},
228+
{
229+
"customType": "regex",
230+
"description": "Track NODE_VERSION in Actions workflows",
231+
"managerFilePatterns": [
232+
"/^\\.github/workflows/.*\\.yml$/"
233+
],
234+
"matchStrings": [
235+
"NODE_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
236+
],
237+
"depNameTemplate": "node",
238+
"datasourceTemplate": "node-version",
239+
"versioningTemplate": "node"
240+
},
228241
{
229242
"customType": "regex",
230243
"description": "Track GO_VERSION in Actions workflows",
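Review bot: the matchString `NODE_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?` allows exactly one space after the colon, so a workflow that aligns values with extra spaces (`NODE_VERSION:   '24.12.0'`) is silently skipped by the new manager and keeps its stale pin. Suggest `NODE_VERSION:\\s*['\"]?(?<currentValue>\\d+(?:\\.\\d+)*)['\"]?` so whitespace is tolerated and both `'20'` and `'24.12.0'` parse as node versions. The file pattern `/^\\.github/workflows/.*\\.yml$/` also excludes `.yaml` workflows; `\\.ya?ml$` covers both and should be mirrored in the GO_VERSION tracker below so the two managers see the same files.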
@@ -414,41 +427,38 @@
414427
"groupSlug": "go-non-major"
415428
},
416429
{
417-
"description": "Group Go github-tags fallback updates from Dockerfile custom manager into Go non-major PR",
430+
"description": "Group NPM non-major updates into one PR",
418431
"matchDatasources": [
419-
"github-tags"
420-
],
421-
"matchManagers": [
422-
"custom.regex"
423-
],
424-
"matchFileNames": [
425-
"Dockerfile"
426-
],
427-
"matchPackageNames": [
428-
"jackc/pgx"
432+
"npm"
429433
],
430434
"matchUpdateTypes": [
431435
"minor",
432436
"patch",
433437
"pin",
434438
"digest"
435439
],
436-
"groupName": "go-non-major",
437-
"groupSlug": "go-non-major"
440+
"groupName": "npm-non-major",
441+
"groupSlug": "npm-non-major"
438442
},
439443
{
440-
"description": "Group NPM non-major updates into one PR",
441-
"matchDatasources": [
442-
"npm"
444+
"description": "Dockerfile ARG trackers (any datasource) group under Dockerfile, not Go/NPM — placed after the datasource group rules so it wins",
445+
"matchManagers": [
446+
"custom.regex"
447+
],
448+
"matchFileNames": [
449+
"Dockerfile"
443450
],
444451
"matchUpdateTypes": [
445452
"minor",
446453
"patch",
447454
"pin",
448455
"digest"
449456
],
450-
"groupName": "npm-non-major",
451-
"groupSlug": "npm-non-major"
457+
"groupName": "dockerfile-non-major",
458+
"groupSlug": "dockerfile-non-major",
459+
"addLabels": [
460+
"dockerfile"
461+
]
452462
},
453463
{
454464
"description": "Development branch: Auto-merge non-major updates after proven stable",
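Review bot: with the `jackc/pgx` github-tags fallback removed and every `custom.regex` match in `Dockerfile` now grouped into `dockerfile-non-major`, a module pinned both in `backend/go.mod` and as a Dockerfile `ARG` (for example `golang.org/x/net` through `XNET_VERSION` and `golang.org/x/crypto` through `XCRYPTO_VERSION`) will arrive in two separate PRs; if the Go PR merges first, the Dockerfile `go get` pin lags go.mod until the Dockerfile PR lands, which is exactly the drift the patch block exists to prevent. Suggest adding the new group to the "Development branch: Auto-merge non-major updates" rule that follows, or stating in the description that `dockerfile-non-major` is expected to merge together with `go-non-major`. Note also that `matchFileNames: ["Dockerfile"]` is an exact path, so any additional Dockerfiles elsewhere in the tree still fall through to the datasource groups.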

.github/skills/test-e2e-playwright-coverage-scripts/run.sh

Lines changed: 1 addition & 1 deletion
@@ -158,7 +158,7 @@ start_vite() {
158158
# Ensure dependencies are installed
159159
if [[ ! -d "node_modules" ]]; then
160160
log_info "Installing frontend dependencies..."
161-
npm ci --silent
161+
npm ci --silent --ignore-scripts
162162
fi
163163

164164
# Start Vite in background with explicit port
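Review bot: because the install only runs when `node_modules` is absent (`[[ ! -d "node_modules" ]]`), a developer who installed earlier with lifecycle scripts enabled keeps that tree and never exercises the `--ignore-scripts` path CI now uses, so a package that quietly relies on its postinstall would pass locally and fail in CI. Suggest logging when an existing `node_modules` is reused and offering a clean reinstall behind a flag (`rm -rf node_modules && npm ci --silent --ignore-scripts`) so a local run can reproduce the CI install exactly.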

.github/workflows/codecov-upload.yml

Lines changed: 1 addition & 1 deletion
@@ -174,7 +174,7 @@ jobs:
174174

175175
- name: Install dependencies
176176
working-directory: frontend
177-
run: npm ci
177+
run: npm ci --ignore-scripts
178178

179179
- name: Run frontend tests and coverage
180180
working-directory: ${{ github.workspace }}

.github/workflows/e2e-tests-split.yml

Lines changed: 9 additions & 8 deletions
@@ -82,7 +82,7 @@ on:
8282
pull_request:
8383

8484
env:
85-
NODE_VERSION: '20'
85+
NODE_VERSION: '24.12.0'
8686
GO_VERSION: '1.26.4'
8787
GOTOOLCHAIN: local
8888
DOCKERHUB_REGISTRY: docker.io
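Review bot: `NODE_VERSION: '24.12.0'` is older than the `node:24.16.0-alpine3.24` image the Dockerfile's frontend-builder stage uses, so Playwright and the frontend build in this workflow run on a different Node patch than the bundle that ships. Unless the gap is deliberate, pin both to the same release; otherwise the new Renovate NODE_VERSION manager will keep proposing bumps here while the Docker tag is tracked on its own schedule.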
@@ -166,7 +166,7 @@ jobs:
166166

167167
- name: Install dependencies
168168
if: steps.resolve-image.outputs.image_source == 'build'
169-
run: npm ci
169+
run: npm ci --ignore-scripts
170170

171171
- name: Set up Docker Buildx
172172
if: steps.resolve-image.outputs.image_source == 'build'
@@ -184,6 +184,7 @@ jobs:
184184
tags: ${{ steps.resolve-image.outputs.image_tag }}
185185
cache-from: type=gha
186186
cache-to: type=gha,mode=max
187+
no-cache-filters: caddy-builder,crowdsec-builder
187188

188189
- name: Save Docker image
189190
if: steps.resolve-image.outputs.image_source == 'build'
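Review bot: `no-cache-filters: caddy-builder,crowdsec-builder` forces a full rebuild of both Go stages (including the xcaddy build) on every e2e run, while `cache-to: type=gha,mode=max` still exports the fresh layers each time, so this trades the stale-layer risk for the most expensive option available. If the staleness came from a `go get` inside those stages resolving to a floating version, the cheaper fix is to make the cache key honest: drive every `go get` in those stages from an explicit `ARG` (as the Dockerfile already does for `CROWDSEC_VERSION` and `CADDY_VERSION`) so BuildKit invalidates the layer exactly when a version changes and keeps the cache otherwise. At minimum add a comment naming CVE-2026-45135 next to the filter so the next person knows why these stages are exempt from caching.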
@@ -303,7 +304,7 @@ jobs:
303304
exit 1
304305
305306
- name: Install dependencies
306-
run: npm ci
307+
run: npm ci --ignore-scripts
307308

308309
- name: Install Playwright Chromium
309310
run: |
@@ -505,7 +506,7 @@ jobs:
505506
exit 1
506507
507508
- name: Install dependencies
508-
run: npm ci
509+
run: npm ci --ignore-scripts
509510

510511
- name: Install Playwright Chromium (required by security-tests dependency)
511512
run: |
@@ -715,7 +716,7 @@ jobs:
715716
exit 1
716717
717718
- name: Install dependencies
718-
run: npm ci
719+
run: npm ci --ignore-scripts
719720

720721
- name: Install Playwright Chromium (required by security-tests dependency)
721722
run: |
@@ -952,7 +953,7 @@ jobs:
952953
exit 1
953954
954955
- name: Install dependencies
955-
run: npm ci
956+
run: npm ci --ignore-scripts
956957

957958
- name: Install Playwright Chromium
958959
run: |
@@ -1190,7 +1191,7 @@ jobs:
11901191
exit 1
11911192
11921193
- name: Install dependencies
1193-
run: npm ci
1194+
run: npm ci --ignore-scripts
11941195

11951196
- name: Install Playwright Chromium (required by security-tests dependency)
11961197
run: |
@@ -1436,7 +1437,7 @@ jobs:
14361437
exit 1
14371438
14381439
- name: Install dependencies
1439-
run: npm ci
1440+
run: npm ci --ignore-scripts
14401441

14411442
- name: Install Playwright Chromium (required by security-tests dependency)
14421443
run: |

.github/workflows/quality-checks.yml

Lines changed: 1 addition & 1 deletion
@@ -310,7 +310,7 @@ jobs:
310310
311311
- name: Install dependencies
312312
working-directory: frontend
313-
run: npm ci
313+
run: npm ci --ignore-scripts
314314

315315
- name: Run frontend tests and coverage
316316
id: frontend-tests

.github/workflows/release-goreleaser.yml

Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ jobs:
6262
# Inject version into frontend build from tag (if present)
6363
VERSION=${GITHUB_REF#refs/tags/}
6464
echo "VITE_APP_VERSION=${VERSION}" >> "$GITHUB_ENV"
65-
npm ci
65+
npm ci --ignore-scripts
6666
npm run build
6767
6868
- name: Install Cross-Compilation Tools (Zig)
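Review bot: `VERSION=${GITHUB_REF#refs/tags/}` on the context line above only strips a tag prefix; on any other ref (the comment says "if present") the expansion leaves `refs/heads/<branch>` intact and that string is baked into the frontend as `VITE_APP_VERSION`. Suggest guarding with `case "$GITHUB_REF" in refs/tags/*) ... ;; *) VERSION=dev-${GITHUB_SHA::7} ;; esac` so non-tag builds carry an unambiguous version. The `npm ci --ignore-scripts` change itself is fine; `npm run build` is a user script and still runs.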

.github/workflows/renovate.yml

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ jobs:
3333
go-version-file: backend/go.mod
3434

3535
- name: Run Renovate
36-
uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 # v46.1.14
36+
uses: renovatebot/github-action@8217b3fc286df088d7c27f3255fe8414463bc0fd # v46.1.15
3737
with:
3838
configurationFile: .github/renovate.json
3939
token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}
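Review bot: the `token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}` fallback on the context line matters more than the action bump: branches and PRs created with the repository `GITHUB_TOKEN` do not trigger other workflows, so when `RENOVATE_TOKEN` is unset the Renovate PRs open with no `pull_request` checks and can never satisfy the required-checks gate the weekly promotion dispatches. Suggest failing fast when `RENOVATE_TOKEN` is empty instead of silently degrading, and keep the commented tag (`# v46.1.15`) in step with the digest so the pin stays auditable.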

.github/workflows/weekly-nightly-promotion.yml

Lines changed: 2 additions & 1 deletion
@@ -443,11 +443,12 @@ jobs:
443443
const nightlyHeadSha = nightlyBranch.commit.sha;
444444
core.info(`Current nightly HEAD for dispatch fallback: ${nightlyHeadSha}`);
445445
446+
const prNumber = '${{ needs.create-promotion-pr.outputs.pr_number }}';
446447
const requiredWorkflows = [
447448
{ id: 'e2e-tests-split.yml' },
448449
{ id: 'codeql.yml' },
449450
{ id: 'codecov-upload.yml', inputs: { run_backend: 'true', run_frontend: 'true' } },
450-
{ id: 'security-pr.yml' },
451+
{ id: 'security-pr.yml', inputs: { pr_number: prNumber } },
451452
{ id: 'supply-chain-verify.yml' },
452453
];
453454

Dockerfile

Lines changed: 39 additions & 21 deletions
@@ -13,7 +13,7 @@ ARG BUILD_DEBUG=0
1313
ARG GO_VERSION=1.26.4
1414

1515
# renovate: datasource=docker depName=alpine versioning=docker
16-
ARG ALPINE_IMAGE=alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
16+
ARG ALPINE_IMAGE=alpine:3.24.0@sha256:a2d49ea686c2adfe3c992e47dc3b5e7fa6e6b5055609400dc2acaeb241c829f4
1717

1818
# ---- Shared CrowdSec Version ----
1919
# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
@@ -22,22 +22,22 @@ ARG CROWDSEC_VERSION=1.7.8
2222
ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
2323

2424
# ---- Shared Go Security Patches ----
25-
# renovate: datasource=go depName=github.com/expr-lang/expr
25+
# renovate: datasource=github-tags depName=expr-lang/expr extractVersion=^v(?<version>.+)$
2626
ARG EXPR_LANG_VERSION=1.17.8
2727
# renovate: datasource=go depName=golang.org/x/net
28-
ARG XNET_VERSION=0.55.0
28+
ARG XNET_VERSION=0.56.0
2929
# renovate: datasource=go depName=golang.org/x/crypto
30-
ARG XCRYPTO_VERSION=0.52.0
30+
ARG XCRYPTO_VERSION=0.53.0
3131
# renovate: datasource=npm depName=npm
32-
ARG NPM_VERSION=11.16.0
32+
ARG NPM_VERSION=11.17.0
3333

3434
# Allow pinning Caddy version - Renovate will update this
3535
# Build the most recent Caddy 2.x release (keeps major pinned under v3).
3636
# Setting this to '2' tells xcaddy to resolve the latest v2.x tag so we
3737
# avoid accidentally pulling a v3 major release. Renovate can still update
3838
# this ARG to a specific v2.x tag when desired.
3939
## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
40-
## If the requested tag isn't available, fall back to a known-good v2.11.3 build.
40+
## If the requested tag isn't available, fall back to a known-good v2.11.4 build.
4141
# renovate: datasource=go depName=github.com/caddyserver/caddy/v2
4242
ARG CADDY_VERSION=2.11.4
4343
# renovate: datasource=go depName=github.com/caddyserver/caddy/v2
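Review bot: the comment block above `CADDY_VERSION` still says "Setting this to '2' tells xcaddy to resolve the latest v2.x tag" while the ARG is pinned to `2.11.4` and the fallback line was just corrected to v2.11.4; the block now contradicts itself and the next version bump has to guess which sentence is current. Suggest collapsing it to one statement of the pinned tag and the fallback. Switching `expr-lang/expr` to `datasource=github-tags` with `extractVersion=^v(?<version>.+)$` is consistent with the `go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION}` form used later in the file, since the ARG carries the version without the `v` prefix; worth a one-line comment so nobody "fixes" the datasource back to `go` and breaks the tag lookup again.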
@@ -94,7 +94,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
9494
# ---- Frontend Builder ----
9595
# Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues
9696
# renovate: datasource=docker depName=node
97-
FROM --platform=$BUILDPLATFORM node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14 AS frontend-builder
97+
FROM --platform=$BUILDPLATFORM node:24.16.0-alpine3.24@sha256:fb71d01345f11b708a3553c66e7c74074f2d506400ea81973343d915cb64eef0 AS frontend-builder
9898
WORKDIR /app/frontend
9999

100100
# Copy frontend package files
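Review bot: Renovate's docker versioning treats `-alpine3.24` as a compatibility suffix, so this pin will receive `24.x` bumps but never move to `alpine3.25` on its own; the base-OS drift that prompted the change (the alpine 3.23 variant flagged with critical/high CVEs) will recur when 3.24 ages out unless someone bumps the suffix by hand. Suggest a comment on the `FROM` line saying the alpine suffix is a manual pin that should track `ALPINE_IMAGE`, and keep the in-stage `apk upgrade` (already present per the commit message) as the interim mitigation.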
@@ -118,7 +118,7 @@ RUN apk upgrade --no-cache && \
118118
# hadolint ignore=DL3059
119119
RUN npm install -g picomatch@4.0.4 --no-fund --no-audit
120120

121-
RUN npm ci
121+
RUN npm ci --ignore-scripts
122122

123123
# Copy frontend source and build
124124
COPY frontend/ ./
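Review bot: `RUN npm install -g picomatch@4.0.4 --no-fund --no-audit` two lines above is the one npm install in this stage still running lifecycle scripts, which contradicts the commit message's claim that every npm ci/install call site now passes `--ignore-scripts`; global installs execute a package's `preinstall`/`postinstall` just like local ones. Suggest `npm install -g picomatch@4.0.4 --no-fund --no-audit --ignore-scripts`, plus a comment on why picomatch is force-installed globally at all (presumably an override for a vulnerable transitive), since that rationale is what decides when the line can be removed.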
@@ -164,18 +164,32 @@ RUN set -eux; \
164164
test -e "$LOADER"; \
165165
fi
166166

167-
# Install Delve (cross-compile for target)
168-
# Note: xx-go install puts binaries in /go/bin/TARGETOS_TARGETARCH/dlv if cross-compiling.
169-
# We find it and move it to /go/bin/dlv so it's in a consistent location for the next stage.
167+
# Install Delve (cross-compile for target) — debug builds only.
168+
# Security: dlv is only installed when BUILD_DEBUG=1. Production images (BUILD_DEBUG=0,
169+
# the default) receive a harmless stub so the unconditional COPY below still succeeds,
170+
# but no Delve binary with golang.org/x/sys < v0.27.0 (GO-2026-5024) is shipped.
171+
# When dlv IS needed, we build it inside a temporary module that pins
172+
# golang.org/x/sys to the patched version used by the rest of the project.
170173
# renovate: datasource=go depName=github.com/go-delve/delve
171174
ARG DLV_VERSION=1.26.3
172175
# hadolint ignore=DL3059,DL4006
173-
RUN CGO_ENABLED=0 xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \
174-
DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \
175-
if [ -n "$DLV_PATH" ] && [ "$DLV_PATH" != "/go/bin/dlv" ]; then \
176-
mv "$DLV_PATH" /go/bin/dlv; \
177-
fi && \
178-
xx-verify /go/bin/dlv
176+
RUN if [ "$BUILD_DEBUG" = "1" ]; then \
177+
echo "DEBUG build: installing Delve v${DLV_VERSION} with patched golang.org/x/sys..."; \
178+
mkdir -p /tmp/dlv-install && cd /tmp/dlv-install && \
179+
go mod init dlv_install && \
180+
go get golang.org/x/sys@v0.46.0 && \
181+
CGO_ENABLED=0 GOFLAGS="-mod=mod" xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \
182+
DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \
183+
if [ -n "$DLV_PATH" ] && [ "$DLV_PATH" != "/go/bin/dlv" ]; then \
184+
mv "$DLV_PATH" /go/bin/dlv; \
185+
fi && \
186+
xx-verify /go/bin/dlv && \
187+
cd / && rm -rf /tmp/dlv-install; \
188+
else \
189+
echo "Production build: skipping Delve install (GO-2026-5024 mitigation)"; \
190+
printf '#!/bin/sh\necho "Delve not available in production builds. Rebuild with BUILD_DEBUG=1." >&2\nexit 1\n' \
191+
> /go/bin/dlv && chmod +x /go/bin/dlv; \
192+
fi
179193

180194
# Copy Go module files
181195
COPY backend/go.mod backend/go.sum ./
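Review bot: the `go get golang.org/x/sys@v0.46.0` pin inside /tmp/dlv-install (line 180) does not affect the dlv build on line 181, because `go install <pkg>@<version>` builds the package in its own module context and ignores the go.mod of the current directory; `GOFLAGS="-mod=mod"` does not change that. As written, the debug image still links dlv against whatever x/sys version Delve's own go.mod selects, so the GO-2026-5024 mitigation described in the comment on lines 167-172 only holds for production builds (which get the stub). To actually apply the pin, add Delve to the temporary module and install it without a version suffix, e.g. `go get github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} golang.org/x/sys@v0.46.0` followed by `CGO_ENABLED=0 xx-go install github.com/go-delve/delve/cmd/dlv`, and add `go version -m /go/bin/dlv | grep golang.org/x/sys` after `xx-verify` so the build fails loudly if the linked version ever regresses.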
@@ -466,7 +480,7 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
466480
# renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
467481
go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.13 && \
468482
# renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs
469-
go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.75.1 && \
483+
go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.75.2 && \
470484
go get github.com/aws/aws-sdk-go-v2/service/kinesis@v1.43.7 && \
471485
go get github.com/aws/aws-sdk-go-v2/service/s3@v1.102.1 && \
472486
# CVE-2026-32952: go-ntlmssp DoS via malicious NTLM challenge response
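Review bot: in the visible context the `eventstream` (line 481) and `cloudwatchlogs` (line 483) pins carry `# renovate:` markers but the `kinesis@v1.43.7` and `s3@v1.102.1` pins on lines 484-485 do not, so Renovate will keep bumping cloudwatchlogs while the neighbouring AWS SDK modules silently stay behind. Unless those markers exist further up and were cut from the hunk, add a `# renovate: datasource=go depName=...` line above each so the whole SDK set moves together.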
@@ -477,7 +491,7 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
477491
# Affects /usr/local/bin/crowdsec and /usr/local/bin/cscli (CrowdSec embeds quic-go v0.57.0).
478492
# Fix available at v0.59.1. Caddy already resolves v0.59.1 through its own graph.
479493
# renovate: datasource=go depName=github.com/quic-go/quic-go
480-
go get github.com/quic-go/quic-go@v0.59.1 && \
494+
go get github.com/quic-go/quic-go@v0.60.0 && \
481495
# buger/jsonparser Delete() panic via negative slice index on malformed JSON.
482496
# Fix available at v1.2.0.
483497
# renovate: datasource=go depName=github.com/buger/jsonparser
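Review bot: the explanatory comment on lines 491-493 still states that the fix is available at v0.59.1 and that Caddy resolves v0.59.1 through its own graph, while line 494 now forces quic-go to v0.60.0, so the comment and the pin disagree. quic-go is pre-1.0 and its minor releases routinely change exported APIs, so forcing it above the version Caddy's own graph selects can break the caddy or crowdsec build; either update the comment to record why v0.60.0 is required (and that the build was verified against it), or keep the pin at the version the comment documents and let Renovate propose the bump on its own.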
@@ -579,7 +593,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
579593
# Note: In production, users should provide their own MaxMind license key
580594
# This uses the publicly available GeoLite2 database
581595
# In CI, timeout quickly rather than retrying to save build time
582-
ARG GEOLITE2_COUNTRY_SHA256=abce3a42f4f6bfb2c90cded582341da6764f5e152782ce6c832bc8fa1d873778
596+
ARG GEOLITE2_COUNTRY_SHA256=11b88595d026953920668d91f6d531057b397f05170237fc98a13a8b051ab861
583597
RUN mkdir -p /app/data/geoip && \
584598
if [ "$CI" = "true" ] || [ "$CI" = "1" ]; then \
585599
echo "⏱️ CI detected - quick download (10s timeout, no retries)"; \
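Review bot: the new `GEOLITE2_COUNTRY_SHA256` on line 596 is swapped in with no record of which GeoLite2 release it was computed from. MaxMind republishes this database on a regular cadence, so a bare hash cannot be re-verified later; add a comment alongside the ARG with the release date or download URL the hash corresponds to, so the next bump can be checked against the source rather than copied from a build log. It is also worth confirming that the CI quick-download path starting on line 598 fails the build when the download times out, rather than skipping the checksum step.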
@@ -664,7 +678,11 @@ RUN chmod +x /usr/local/bin/install_hub_items.sh /usr/local/bin/register_bouncer
664678
# Copy Go binary from backend builder
665679
COPY --from=backend-builder /app/backend/charon /app/charon
666680
RUN ln -s /app/charon /app/cpmp || true
667-
# Copy Delve debugger (xx-go install places it in /go/bin)
681+
# Copy Delve stub/binary from backend-builder.
682+
# Security (GO-2026-5024): production builds (BUILD_DEBUG=0) receive a harmless shell
683+
# stub that prints an error and exits 1 — no vulnerable golang.org/x/sys v0.26.0 binary
684+
# is present in production images. Debug builds (BUILD_DEBUG=1) receive the real dlv
685+
# compiled against golang.org/x/sys v0.46.0 (patched).
668686
COPY --from=backend-builder /go/bin/dlv /usr/local/bin/dlv
669687

670688
# Copy frontend build from frontend builder
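Review bot: the unconditional `COPY --from=backend-builder /go/bin/dlv /usr/local/bin/dlv` on line 686 means production images always carry an executable named dlv on PATH; the comment block on lines 681-685 documents that it is a shell stub, but nothing in the pipeline verifies that a production image received the stub rather than a real debugger. Add a post-build check for BUILD_DEBUG=0 images, for example `docker run --rm <image> sh -c 'head -c 2 /usr/local/bin/dlv'` expecting `#!`, or `go version -m /usr/local/bin/dlv` expecting a non-Go-binary error, so a future change to the builder stage cannot silently ship dlv into production.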