
Weekly: Promote nightly to main (2026-06-29) #1112

Merged
Wikid82 merged 213 commits into main from nightly on Jun 29, 2026

@github-actions

🚀 Weekly Nightly to Main Promotion

Date: 2026-06-29
Trigger: Scheduled weekly promotion
Commits: 210 commits to promote
Changes: 104 files changed, 10556 insertions(+), 1253 deletions(-)


Commits Being Promoted

Showing first 50 of 210 commits:

8a08aec2 chore(deps): bump eslint-plugin-import-x and knip dev dependencies
6a710bb0 chore(docker): update GeoLite2-Country.mmdb checksum (#1111)
264fb090 chore(renovate): disable js-yaml auto-updates, managed manually
fbdcf9bf fix(renovate): add sourceUrl for prometheus/client_golang lookup
26c867f5 chore(deps): bump react-query to 5.101.2 and knip to 6.22.0
62e791c2 chore: bump prettier to 3.9.1 and tar to 7.5.19
8a730a8f chore: bump prometheus/procfs from v0.20.1 to v0.21.0
2ed761b7 chore(deps): update dependency anchore/syft to v1.46.0 (#1110)
2007c146 chore(deps): update dependency anchore/grype to v0.115.0 (#1109)
2507a939 chore(deps): bump i18next, eslint, and knip to latest versions
bd52310a chore: bump prettier and analyze-trace to latest patch versions
f1f5a431 chore(deps): bump modernc and golang.org/x indirect deps
e010a914 chore(deps): update actions/cache digest to 55cc834 (#1108)
b86c68f7 chore(deps): bump es-toolkit from 1.48.1 to 1.49.0
5f7a7c9e chore(deps): update release-drafter/release-drafter digest to 4d75298 (#1106)
5ad6c028 chore(deps): update module golang.org/x/vuln to v1.5.0 (#1107)
d6a13f75 docs(security): add CVE-2026-39824 analysis and CHANGELOG entry
1a6e52ea chore: remove test step from dep_update.sh module loop
cf55ecb7 refactor(scripts): merge go_update.sh and npm_update.sh into dep_update.sh
e8104136 chore: bump es-to-primitive from 1.3.1 to 1.3.3
0bbe9be4 chore: bump tar to 7.5.17 and expect-type to 1.4.0
25035b3a chore(deps): bump frontend dev dependencies to latest versions
db30285f chore(deps): update release-drafter/release-drafter digest to 73b95fa (#1104)
948e109d fix(deps): update module gorm.io/gorm to v1.31.2 (#1105)
bf059cc2 chore(deps): update dockerfile-non-major (#1103)
7572de6f chore(deps): bump eslint-plugin-unicorn from 68 to 69
ea5a388d chore(deps): update node.js to v24.18.0 (#1102)
6dec8a9e chore: bump go-pkcs12 from v0.7.2 to v0.7.3
68ddb01e chore: bump @types/node from 26.0.0 to 26.0.1
e587a1a9 chore(deps): update github-actions-non-major (#1100)
4d1cd387 chore(deps): update node.js to v24.18.0 (#1101)
f8a2171c chore(deps): update npm-non-major (#1099)
bdd83a6e chore(deps): update npm-non-major (#1098)
59a82ce8 chore: bump knip to 6.19.0 and smol-toml to 1.7.0
c60a52f7 chore: pin js-yaml to ^5 in npm update script
c0958a2c chore: ignore tempCodeRunnerFile.sh in scripts directory
3a08cb8a chore: update npm overrides deps in npm_update.sh
0b075bc9 chore(deps): bump go-toml/v2 from v2.4.1 to v2.4.2
9788272f chore(deps): bump i18next to 26.3.2 and rolldown to 1.1.3
2b79e3d6 chore: bump rolldown to 1.1.3 and napi-rs/wasm-runtime to 1.1.6
64f83536 fix: use axios for session validation to fix Firefox E2E auth test
ac0c5df2 chore: bump electron-to-chromium from 1.5.377 to 1.5.378
a3541bf5 chore(deps): update node.js to v24.18.0 (#1097)
c8771775 chore(deps): update github-actions-non-major (#1094)
bd757c22 test: increase login redirect timeout to 15s for Firefox CI
654565fb chore(deps): update actions/cache action to v6 (#1096)
a77ba6b5 chore(deps): update dockerfile-non-major (#1095)
73d80327 chore: bump playwright from 1.61.0 to 1.61.1
9743775e chore(frontend): bump frontend dependencies to latest versions
955a4263 chore: bump tldts, axe-core/playwright, and vite dependencies

...and 160 more commits


Pre-Merge Checklist

  • All status checks pass
  • No critical security issues identified
  • Changelog is up-to-date (auto-generated via workflow)
  • Version bump is appropriate (if applicable)

Merge Instructions

This PR promotes changes from nightly to main. Once all checks pass:

  1. Review the commit summary above
  2. Approve if changes look correct
  3. Merge using "Merge commit" to preserve history

This PR was automatically created by the Weekly Nightly Promotion workflow.

Wikid82 and others added 30 commits June 2, 2026 11:08
Propagate changes from main into development
chore(deps): update github-actions-non-major
…ntries

Renovate's automated update regenerated package-lock.json incorrectly,
omitting top-level node_modules entries for eslint and vite. This caused
npm ci to fail in CI during dependency installation. Regenerating with
Node v22.22.1 and npm v11.16.0 restores the correct entries.

The supply-chain Grype scan last ran on Feb 4, 2026 due to a cascade of
compounding failures. This commit resolves all root causes:

- Twelve .trivyignore CVE suppressions expired between Apr 30 and May 25,
  causing the Trivy PR gate to block all PR merges and starve the pipeline
  of push events. All entries extended 60–90 days with appropriate review
  comments; no entry exceeds Sep 1, 2026.

- Ten .grype.yaml suppressions also expired in May, meaning Grype scans
  that did run would immediately fail on HIGH findings and produce no fresh
  SARIF. All entries extended with matching dates.

- The supply-chain-pr.yml job condition had a dead workflow_run branch and
  was missing the push and schedule event names, silently skipping the
  verify-supply-chain job on every push to main. Added push and schedule to
  the condition.

- Added a weekly schedule trigger (Mondays at 02:00 UTC) so scans run
  regardless of PR activity. Added development to push branches to match
  docker-build.yml scope.

- Removed continue-on-error: true from the SARIF upload step so upload
  failures surface as visible workflow failures rather than silent no-ops.

- Simplified concurrency.group to remove dead workflow_run expressions.

Refs: GitHub Code Scanning "last scanned Feb 4, 2026" alert
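
An added example, not part of the commit or the repository: a CI check for the failure mode the commit message above describes, where dated suppressions lapse unnoticed and the scan gate starts blocking. It assumes Trivy's `<ID> exp:YYYY-MM-DD` form in .trivyignore; the sample entries, the 14-day warning window and the function names are constructed here, and the Sep 1, 2026 ceiling is the one stated in the message.

```python
import re
from datetime import date, timedelta

# Trivy reads "<ID> exp:YYYY-MM-DD" in .trivyignore; other layouts are rejected here.
ENTRY = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?\s*(?:#.*)?$")

# Constructed sample: placeholder IDs, not entries from the repository.
SAMPLE = """\
# reviewed, waiting on upstream fix
CVE-0000-0001 exp:2026-05-25
CVE-0000-0002 exp:2026-07-10
CVE-0000-0003 exp:2026-09-01
CVE-0000-0004 exp:2026-12-31
CVE-0000-0005
"""

def audit(text, today, warn_days=14, ceiling=date(2026, 9, 1)):
    """Sort suppressions into buckets so lapses are seen before the gate blocks."""
    report = {k: [] for k in ("expired", "expiring_soon", "over_ceiling", "no_expiry", "ok")}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unparseable suppression: {raw!r}")  # fail closed
        if m["exp"] is None:
            report["no_expiry"].append(m["id"])  # permanent ignore, never re-reviewed
            continue
        expires = date.fromisoformat(m["exp"])  # raises on impossible dates
        if expires <= today:  # conservative: the expiry day itself counts as lapsed
            bucket = "expired"
        elif expires > ceiling:
            bucket = "over_ceiling"
        elif expires - today <= timedelta(days=warn_days):
            bucket = "expiring_soon"
        else:
            bucket = "ok"
        report[bucket].append(m["id"])
    return report

def gate_fails(report):
    """Policy assumed for this example: only 'ok' and 'expiring_soon' may pass."""
    return any(report[k] for k in ("expired", "over_ceiling", "no_expiry"))

if __name__ == "__main__":
    result = audit(SAMPLE, today=date(2026, 6, 29))
    for bucket, ids in result.items():
        print(f"{bucket:14} {', '.join(ids) or '-'}")
    print("gate:", "FAIL" if gate_fails(result) else "pass")
```

Run on a schedule rather than only on pull requests, the `expiring_soon` bucket gives reviewers notice while the gate is still green.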

Add anti-FOUC inline script to index.html that applies the stored theme
class synchronously before React mounts. Switch ThemeContext to useLayoutEffect
for synchronous class application, add explicit light-mode CSS overrides, update
CSP to allowlist the inline script hash, and add a Playwright regression suite.

Update GO_VERSION from 1.26.3 to 1.26.4 in all 9 CI workflow files and
fix go.goroot in .vscode/settings.json to point to /usr/local/go where
1.26.4 is installed, replacing the missing sdk/go1.26.4 path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Switch setup-go from go-version env var to go-version-file: backend/go.mod
so the action reads the required version directly from go.mod instead of
relying on a cached toolchain version that may lag behind. Change
GOTOOLCHAIN from auto to local across all workflows so Go uses exactly the
version installed by setup-go without attempting auto-downloads that can
silently fall back to an older release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Upgrades github.com/buger/jsonparser to v1.1.2 in the CrowdSec
dependency patch block to fix a panic in Delete() caused by a
negative slice index on malformed JSON input. Affects both the
crowdsec and cscli binaries.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chore(deps): update go-non-major to v1.75.0
chore(deps): update go-non-major to v1.2.0
actions-user and others added 20 commits June 26, 2026 00:13
…te.sh

- Consolidate Go and npm update scripts into a single script
- Use repo-relative paths instead of hardcoded /projects/Charon
- Add type-check and test steps to npm update flow
- Allow npm audit fix and outdated to fail without aborting

Document golang.org/x/sys vulnerability assessment confirming v0.46.0
already exceeds the v0.44.0 fix; Linux-only deployment excludes the
vulnerable Windows code path entirely. Includes govulncheck clean-scan
evidence and Trivy false-positive explanation.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#1106)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jeremy <jhatfield82@gmail.com>

Automated checksum update for GeoLite2-Country.mmdb database.

Old: 6e9212f23d3279a2454404d3b2a7ac30159fddbb9870ba33763014877296455c
New: 1522faf7b5f6a96c3a0128bca813bd4b0ae24dce38e9d37acdff0efaa75fcdd9

Auto-generated by: .github/workflows/update-geolite2.yml

Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>

@github-actions (bot) added the labels "automated" (Automatically generated by CI/CD) and "weekly-promotion" (Weekly promotion from nightly to main) on Jun 29, 2026

Resolve merge conflicts from diverged histories caused by prior weekly
promotion PRs being merged into main with merge commits (cfb4a0f,
70d3b3b). All conflicts resolved in favor of nightly, which is the
canonical source of truth for the nightly→main one-way flow.

Root cause: merge commit strategy on main creates commits that are not
present on nightly, causing git to treat the histories as diverged on
subsequent weekly promotions. Future promotions should use squash or
rebase merge strategy to keep main's history a strict subset of nightly.

Resolve remaining conflicts from diverged histories introduced by merge
commit 3687b94 on main. All conflicts resolved in favor of nightly,
which is the canonical source of truth for the nightly→main one-way flow.
Comment thread tests/theme.spec.ts Dismissed
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

✅ Supply Chain Verification Results

PASSED

📦 SBOM Summary

  • Components: 1485

🔍 Vulnerability Scan

Severity Count
🔴 Critical 0
🟠 High 0
🟡 Medium 4
🟢 Low 3
Total 7

📎 Artifacts

  • SBOM (CycloneDX JSON) and Grype results available in workflow artifacts

Generated by Supply Chain Verification workflow • View Details

@Wikid82 Wikid82 merged commit 9e14c28 into main Jun 29, 2026
47 of 48 checks passed