Merge branch 'main' into proj/aclp-linode-alerts

Author: yec-akamai

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,7 +7,3 @@
 **What are the steps to reproduce the issue or verify the changes?**
 
 **How do I run the relevant unit/integration tests?**
-
-## 📷 Preview
-
-**If applicable, include a screenshot or code snippet of this change. Otherwise, please remove this section.**

.github/workflows/ci.yml

@@ -1,7 +1,16 @@
 name: Continuous Integration
 
 on:
-  workflow_dispatch: null
+  workflow_dispatch:
+    inputs:
+      test_report_upload:
+        description: 'Indicates whether to upload the test report to object storage. Defaults to "false"'
+        type: choice
+        required: false
+        default: 'false'
+        options:
+          - 'true'
+          - 'false'
   push:
     branches:
       - main
@@ -10,7 +19,35 @@ on:
 jobs:
   lint-tidy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
+      # Enforce TPT-1234: prefix on PR titles, with the following exemptions:
+      # - PRs labeled 'dependencies' (e.g. Dependabot PRs)
+      # - PRs labeled 'hotfix' (urgent fixes that may not have a ticket)
+      # - PRs labeled 'community-contribution' (external contributors without TPT tickets)
+      # - PRs labeled 'ignore-for-release' (release PRs that don't need a ticket prefix)
+      - name: Validate PR Title
+        if: github.event_name == 'pull_request'
+        uses: amannn/action-semantic-pull-request@v6
+        with:
+          types: |
+            TPT-\d+
+          requireScope: false
+          # Override the default header pattern to allow hyphens and digits in the type
+          # (e.g. "TPT-4298: Description"). The default pattern only matches word
+          # characters (\w) which excludes hyphens.
+          headerPattern: '^([\w-]+):\s?(.*)$'
+          headerPatternCorrespondence: type, subject
+          ignoreLabels: |
+            dependencies
+            hotfix
+            community-contribution
+            ignore-for-release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
@@ -70,7 +107,7 @@ jobs:
           SKIP_LINT: 1
 
       - name: Upload test results to bucket
-        if: github.ref == 'refs/heads/main' && github.event_name == 'push' && always()
+        if: always() && github.repository == 'linode/linodego' && github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && inputs.test_report_upload == 'true'))
         run: |
           python3 e2e_scripts/tod_scripts/xml_to_obj_storage/scripts/add_gha_info_to_xml.py \
           --branch_name "${GITHUB_REF#refs/*/}" \

.github/workflows/clean-release-notes.yml

@@ -0,0 +1,37 @@
+name: Clean Release Notes
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  clean-release-notes:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Remove ticket prefixes from release notes
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const release = context.payload.release;
+
+            let body = release.body;
+
+            if (!body) {
+              console.log("Release body empty, nothing to clean.");
+              return;
+            }
+
+            // Remove ticket prefixes like "TPT-1234: " or "TPT-1234:"
+            body = body.replace(/TPT-\d+:\s*/g, '');
+
+            await github.rest.repos.updateRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              release_id: release.id,
+              body: body
+            });
+
+            console.log("Release notes cleaned.");

.github/workflows/labeler.yml

@@ -21,7 +21,7 @@ jobs:
         uses: actions/checkout@v6
       -
         name: Run Labeler
-        uses: crazy-max/ghaction-github-labeler@24d110aa46a59976b8a7f35518cb7f14f434c916
+        uses: crazy-max/ghaction-github-labeler@548a7c3603594ec17c819e1239f281a3b801ab4d
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           yaml-file: .github/labels.yml

.github/workflows/security_pr.yml

@@ -29,4 +29,4 @@ jobs:
         with:
           # We need to temporarily exclude this as gosec doesn't
           # support using module files from subdirectories.
-          args: -exclude-dir=k8s ./...
+          args: -exclude-dir=k8s -exclude=G117 ./...

.golangci.yml

@@ -18,6 +18,7 @@ linters:
     - gochecknoglobals
     - gochecknoinits
     - godot
+    - godox
     - inamedparam
     - lll
     - musttag
@@ -51,6 +52,12 @@ linters:
       disable-all: false
   exclusions:
     generated: lax
+    rules:
+      - linters:
+          - gosec
+        # "matches secret pattern" linodego necessarily serializes and
+        # deserializes API structs that contain secrets
+        text: G117
     presets:
       - comments
       - common-false-positives

account_events.go

@@ -54,7 +54,6 @@ type Event struct {
 	Duration float64 `json:"duration"`
 
 	// The maintenance policy configured by the user for the event.
-	// NOTE: MaintenancePolicySet can only be used with v4beta.
 	MaintenancePolicySet string `json:"maintenance_policy_set"`
 
 	// Describes the nature of the event (e.g., whether it is scheduled or emergency).
@@ -258,6 +257,8 @@ const (
 	EntityImage          EntityType = "image"
 	EntityIPAddress      EntityType = "ipaddress"
 	EntityLinode         EntityType = "linode"
+	EntityLKECluster     EntityType = "lkecluster"
+	EntityLKENodePool    EntityType = "lkenodepool"
 	EntityLongview       EntityType = "longview"
 	EntityManagedService EntityType = "managed_service"
 	EntityNodebalancer   EntityType = "nodebalancer"

account_maintenance.go

@@ -15,7 +15,6 @@ type AccountMaintenance struct {
 	Status string  `json:"status"`
 	Type   string  `json:"type"`
 
-	// NOTE: MaintenancePolicySet can only be used with v4beta.
 	MaintenancePolicySet string `json:"maintenance_policy_set"`
 
 	Description  string     `json:"description"`

account_settings.go

@@ -35,7 +35,6 @@ type AccountSettings struct {
 	InterfacesForNewLinodes InterfacesForNewLinodes `json:"interfaces_for_new_linodes"`
 
 	// The slug of the maintenance policy associated with the account.
-	// NOTE: MaintenancePolicy can only be used with v4beta.
 	MaintenancePolicy string `json:"maintenance_policy"`
 }
 
@@ -52,7 +51,6 @@ type AccountSettingsUpdateOptions struct {
 	InterfacesForNewLinodes *InterfacesForNewLinodes `json:"interfaces_for_new_linodes"`
 
 	// The slug of the maintenance policy to set the account to.
-	// NOTE: MaintenancePolicy can only be used with v4beta.
 	MaintenancePolicy *string `json:"maintenance_policy,omitempty"`
 }
 

client.go

@@ -66,6 +66,12 @@ Body: {{.Body}}`))
 
 var envDebug = false
 
+// redactHeadersMap is a map of headers that should be redacted in logs,
+// mapping the header name to its redacted value.
+var redactHeadersMap = map[string]string{
+	"Authorization": "Bearer *******************************",
+}
+
 // Client is a wrapper around the Resty client
 type Client struct {
 	resty             *resty.Client
@@ -394,6 +400,19 @@ func (c *httpClient) applyAfterResponse(resp *http.Response) error {
 	return nil
 }
 
+// nolint:unused
+func redactHeaders(headers http.Header) http.Header {
+	redacted := headers.Clone()
+
+	for header, redactedValue := range redactHeadersMap {
+		if headers.Get(header) != "" {
+			redacted.Set(header, redactedValue)
+		}
+	}
+
+	return redacted
+}
+
 // nolint:unused
 func (c *httpClient) logRequest(req *http.Request, method, url string, bodyBuffer *bytes.Buffer) {
 	var reqBody string
@@ -408,7 +427,7 @@ func (c *httpClient) logRequest(req *http.Request, method, url string, bodyBuffe
 	err := reqLogTemplate.Execute(&logBuf, map[string]any{
 		"Method":  method,
 		"URL":     url,
-		"Headers": req.Header,
+		"Headers": redactHeaders(req.Header),
 		"Body":    reqBody,
 	})
 	if err == nil {
@@ -418,6 +437,7 @@ func (c *httpClient) logRequest(req *http.Request, method, url string, bodyBuffe
 
 // nolint:unused
 func (c *httpClient) sendRequest(req *http.Request) (*http.Response, error) {
+	// #nosec G704
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		if c.debug && c.logger != nil {
@@ -455,7 +475,7 @@ func (c *httpClient) logResponse(resp *http.Response) (*http.Response, error) {
 
 	err := respLogTemplate.Execute(&logBuf, map[string]any{
 		"Status":  resp.Status,
-		"Headers": resp.Header,
+		"Headers": redactHeaders(resp.Header),
 		"Body":    respBody.String(),
 	})
 	if err == nil {
@@ -826,10 +846,22 @@ func (c *Client) updateHostURL() {
 	)
 }
 
+func redactLogHeaders(header http.Header) {
+	for h, redactedValue := range redactHeadersMap {
+		if header.Get(h) != "" {
+			header.Set(h, redactedValue)
+		}
+	}
+}
+
 func (c *Client) enableLogSanitization() *Client {
 	c.resty.OnRequestLog(func(r *resty.RequestLog) error {
-		// masking authorization header
-		r.Header.Set("Authorization", "Bearer *******************************")
+		redactLogHeaders(r.Header)
+		return nil
+	})
+
+	c.resty.OnResponseLog(func(r *resty.ResponseLog) error {
+		redactLogHeaders(r.Header)
 		return nil
 	})