Merge main branch #2397
Open
LakshK98 wants to merge 449 commits into
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2.

Release notes (sourced from [actions/checkout's releases](https://github.com/actions/checkout/releases)):

> ## v6.0.2
>
> ## What's Changed
>
> - Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by [`@TingluoHuang`](https://github.com/TingluoHuang) in [actions/checkout#2355](https://redirect.github.com/actions/checkout/pull/2355)
> - Fix tag handling: preserve annotations and explicit fetch-tags by [`@ericsciple`](https://github.com/ericsciple) in [actions/checkout#2356](https://redirect.github.com/actions/checkout/pull/2356)
>
> **Full Changelog**: https://github.com/actions/checkout/compare/v6.0.1...v6.0.2

Commits:

- [`de0fac2`](https://github.com/actions/checkout/commit/de0fac2e4500dabe0009e67214ff5f5447ce83dd) Fix tag handling: preserve annotations and explicit fetch-tags ([#2356](https://redirect.github.com/actions/checkout/issues/2356))
- [`064fe7f`](https://github.com/actions/checkout/commit/064fe7f3312418007dea2b49a19844a9ee378f49) Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- See full diff in [compare view](https://github.com/actions/checkout/compare/v6.0.1...v6.0.2)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
# Description

Add `bpftrace` to retina shell.

## Related Issue

If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Tests executed:

```bash
# 1. Build binary with:
make retina-shell-image
# 2. Push image to registry
# 3. Run kubectl retina shell:
$ ./artifacts/kubectl-retina shell aks-nodepool1-42816995-vmss000000 --capabilities=NET_ADMIN,SYS_ADMIN,SYS_RESOURCE,BPF,MKNOD,SYS_CHROOT --retina-shell-image-version=v0.0.36-3006-5 --retina-shell-image-repo=ghcr.io/alexcastilio/retina/retina-shell --apparmor-unconfined --seccomp-unconfined --mount-host-filesystem
# 4. bpftrace commands executed:
root@aks-nodepool1-42816995-vmss000000 [ / ]# bpftrace -e 'kprobe:tcp_v4_rcv { printf("tcp packet received\n"); }'
Attaching 1 probe...
tcp packet received
tcp packet received
tcp packet received
tcp packet received
tcp packet received
^C
root@aks-nodepool1-42816995-vmss000000 [ / ]# bpftrace -e 'tracepoint:syscalls:sys_enter_connect { printf("connect\n"); }'
Attaching 1 probe...
connect
connect
connect
connect
connect
connect
connect
connect
connect
^C
# for this test, open another terminal and run some commands that make dns calls (e.g. curl, wget)
root@aks-nodepool1-42816995-vmss000000 [ / ]# bpftrace -e 'uprobe:/usr/lib/libc.so.6:getaddrinfo { @start[tid] = nsecs; } uretprobe:/usr/lib/libc.so.6:getaddrinfo { @Latency = hist((nsecs - @start[tid]) / 1000); delete(@start[tid]); }'
Attaching 2 probes...
^C
root@aks-nodepool1-42816995-vmss000000 [ / ]#
@Latency:
[2K, 4K)     1 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
[4K, 8K)     1 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
[8K, 16K)    0 |                                                    |
[16K, 32K)   1 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
```

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

Signed-off-by: Alex Castilio dos Santos <alexsantos@microsoft.com>
# Description

Use native arm64 runners (`ubuntu-24.04-arm`) for arm64 shell image builds instead of QEMU emulation on x86_64 runners.

The shell image build was getting stuck for 2+ hours when building arm64 images because installing `bpftrace` and its dependencies (LLVM 18.1, clang - 527MB total) under QEMU is extremely slow. The v1.0.3 release workflow has been stuck/retried 15+ times due to this.

Changes:

- Use native arm64 runners for shell image builds in `images.yaml` and `release-images.yaml`
- Skip local export for shell image in Makefile (no artifacts needed, speeds up build)

## Related Issue

Unblocks v1.0.3 release

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Tested locally - shell image builds in ~47 seconds without local export.

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
…and_yarn group across 1 directory (microsoft#2025)

Bumps the npm_and_yarn group with 1 update in the /site directory: [webpack](https://github.com/webpack/webpack).

Updates `webpack` from 5.96.1 to 5.105.0

Release notes (sourced from [webpack's releases](https://github.com/webpack/webpack/releases)):

> ## v5.105.0
>
> ### Minor Changes
>
> - Allow resolving worker module by export condition name when using `new Worker()` (by [`@hai-x`](https://github.com/hai-x) in [#20353](https://redirect.github.com/webpack/webpack/pull/20353))
> - Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by [`@hai-x`](https://github.com/hai-x) in [#20320](https://redirect.github.com/webpack/webpack/pull/20320))
> - Added the `tsconfig` option for the `resolver` options (replacement for `tsconfig-paths-webpack-plugin`). Can be `false` (disabled), `true` (use the default `tsconfig.json` file to search for it), a string path to `tsconfig.json`, or an object with `configFile` and `references` options. (by [`@alexander-akait`](https://github.com/alexander-akait) in [#20400](https://redirect.github.com/webpack/webpack/pull/20400))
> - Support `import.defer()` for context modules. (by [`@ahabhgk`](https://github.com/ahabhgk) in [#20399](https://redirect.github.com/webpack/webpack/pull/20399))
> - Added support for array values to the `devtool` option. (by [`@hai-x`](https://github.com/hai-x) in [#20191](https://redirect.github.com/webpack/webpack/pull/20191))
> - Improve rendering node built-in modules for ECMA module output. (by [`@hai-x`](https://github.com/hai-x) in [#20255](https://redirect.github.com/webpack/webpack/pull/20255))
> - Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20312](https://redirect.github.com/webpack/webpack/pull/20312))
>
> ### Patch Changes
>
> - Fixed ESM default export handling for `.mjs` files in Module Federation (by [`@y-okt`](https://github.com/y-okt) in [#20189](https://redirect.github.com/webpack/webpack/pull/20189))
> - Optimized `import.meta.env` handling in destructuring assignments by using cached stringified environment definitions. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20313](https://redirect.github.com/webpack/webpack/pull/20313))
> - Respect the `stats.errorStack` option in stats output. (by [`@samarthsinh2660`](https://github.com/samarthsinh2660) in [#20258](https://redirect.github.com/webpack/webpack/pull/20258))
> - Fixed a bug where declaring a `module` variable in module scope would conflict with the default `moduleArgument`. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20265](https://redirect.github.com/webpack/webpack/pull/20265))
> - Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., `virtual:routes`), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20390](https://redirect.github.com/webpack/webpack/pull/20390))
> - Fixed Worker self-import handling to support various URL patterns (e.g., `import.meta.url`, `new URL(import.meta.url)`, `new URL(import.meta.url, import.meta.url)`, `new URL("./index.js", import.meta.url)`). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20381](https://redirect.github.com/webpack/webpack/pull/20381))
> - Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20345](https://redirect.github.com/webpack/webpack/pull/20345))
> - Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by [`@samarthsinh2660`](https://github.com/samarthsinh2660) in [#20251](https://redirect.github.com/webpack/webpack/pull/20251))
> - Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by [`@hai-x`](https://github.com/hai-x) in [#20346](https://redirect.github.com/webpack/webpack/pull/20346))
> - Fixed `import.meta.env.xxx` behavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20289](https://redirect.github.com/webpack/webpack/pull/20289))
> - Improved parsing error reporting by adding a link to the loader documentation. (by [`@gaurav10gg`](https://github.com/gaurav10gg) in [#20244](https://redirect.github.com/webpack/webpack/pull/20244))
> - Fix typescript types. (by [`@alexander-akait`](https://github.com/alexander-akait) in [#20305](https://redirect.github.com/webpack/webpack/pull/20305))
> - Add declaration for unused harmony import specifier. (by [`@hai-x`](https://github.com/hai-x) in [#20286](https://redirect.github.com/webpack/webpack/pull/20286))
> - Fix compressibility of modules while retaining portability. (by [`@dmichon-msft`](https://github.com/dmichon-msft) in [#20287](https://redirect.github.com/webpack/webpack/pull/20287))
> - Optimize source map generation: only include `ignoreList` property when it has content, avoiding empty arrays in source maps. (by [`@xiaoxiaojx`](https://github.com/xiaoxiaojx) in [#20319](https://redirect.github.com/webpack/webpack/pull/20319))
> - Preserve star exports for dependencies in ECMA module output. (by [`@hai-x`](https://github.com/hai-x) in [#20293](https://redirect.github.com/webpack/webpack/pull/20293))

... (truncated)

Commits:

- [`1486f9a`](https://github.com/webpack/webpack/commit/1486f9aacca11d79dbb7ddbceed29b7e6df7a7ab) chore(release): new release
- [`1a517f6`](https://github.com/webpack/webpack/commit/1a517f665aae7b4d3d29c8b408d09488a21fbf94) feat: added the `tsconfig` option for the `resolver` options ([#20400](https://redirect.github.com/webpack/webpack/issues/20400))
- [`7b3b0f7`](https://github.com/webpack/webpack/commit/7b3b0f795df377a9d0073822a2d60c1390d03109) feat: support `import.defer()` for context modules
- [`c4a6a92`](https://github.com/webpack/webpack/commit/c4a6a922de4af37a92d05c0ddc975b5348cfa9a1) refactor: more types and increase types coverage
- [`5ecc58d`](https://github.com/webpack/webpack/commit/5ecc58d722da7715ede7de59b97108dd715d1bfa) feat: consider asset module as side-effect-free ([#20352](https://redirect.github.com/webpack/webpack/issues/20352))
- [`cce0f69`](https://github.com/webpack/webpack/commit/cce0f6989888771ec279777ab8f8dce8e39198a0) test: avoid comma operator in BinaryMiddleware test ([#20398](https://redirect.github.com/webpack/webpack/issues/20398))
- [`cd4793d`](https://github.com/webpack/webpack/commit/cd4793d50e8e1e519ecd07b76d9e5dc06357341e) feat: support import specifier guard ([#20320](https://redirect.github.com/webpack/webpack/issues/20320))
- [`fe48655`](https://github.com/webpack/webpack/commit/fe486552d060f6d2815a39a6bd0fb351d348658c) docs: update examples ([#20397](https://redirect.github.com/webpack/webpack/issues/20397))
- [`de107f8`](https://github.com/webpack/webpack/commit/de107f8767a2a11759f8261ed1ac49bcddec34b6) fix(VirtualUrlPlugin): set resourceData.context to avoid invalid fallback ([#2](https://redirect.github.com/webpack/webpack/issues/2)...
- [`a656ab1`](https://github.com/webpack/webpack/commit/a656ab1fd1064ef8dd3eef1a2f3071fc176b948f) test: add self-import test case for dynamic import ([#20389](https://redirect.github.com/webpack/webpack/issues/20389))
- Additional commits viewable in [compare view](https://github.com/webpack/webpack/compare/v5.96.1...v5.105.0)

Maintainer changes:

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
# Description

These CRD manifest updates were missed in previous PRs, reconcile the drift.

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [X] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [X] I have updated the documentation, if necessary.
- [X] I have added tests, if applicable.

## Additional Notes

These new definitions were added in microsoft#1990 and microsoft#1649 and already include relevant tests. This simply updates the deployed CRDs to match the expected types.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

Signed-off-by: Matthew McKeen <matthew.mckeen@fastly.com>
…oft#2019)

# Description

- Add darwin metadata proto and generated types so `RetinaMetadata`/`DNSType` compile on darwin targets.
- Update proto generation to run per-OS protos and include darwin output.

## Testing

- make proto-gen

## Related Issue

- Fixes microsoft#2018

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Please add any relevant screenshots or GIFs to showcase the changes made.

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
…2028)

# Description

- Add darwin implementation of `GetDropReasonDesc` to fix GoReleaser darwin builds.

## Context

- GoReleaser builds darwin targets; utils package lacked darwin implementation, causing undefined symbol.

## Testing

- Not run (build-only change).

## Related Issue

See issue in this job run (for an unrelated PR) https://github.com/microsoft/retina/actions/runs/21755953385/job/62766139385?pr=1981

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Please add any relevant screenshots or GIFs to showcase the changes made.

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
…icrosoft#2048)

# Description

Fix unit test reliability issues causing CI flakiness, silent 600-second timeouts, and test-image build failures.

## cache_test.go — Flaky gomock race condition (~50% failure rate)

`cache.publish()` fires `Publish` calls in goroutines. Tests used `time.Sleep(1ms)` to wait for completion, but this was a race condition — `ctrl.Finish()` often ran before the goroutines completed, causing "missing call(s) to Publish" errors.

**Fix:** Replace `time.Sleep` with `sync.WaitGroup` + gomock `.Do()` callbacks to properly synchronize with async publishes.

## ciliumeventobserver — 600s timeout on every CI run (issue microsoft#1688)

The `ciliumeventobserver` test package timed out at 600 seconds on every single CI run, silently reporting as green. Multiple bugs contributed:

1. **`monitorLoop` select/default antipattern**: Used `select { case <-ctx.Done(): ... default: DecodeBinary() }` where the blocking `DecodeBinary` call prevented context cancellation from ever being checked. Replaced with a direct blocking read followed by `ctx.Err()` check after errors.
2. **Goroutine leaks in tests**: Tests never closed `net.Pipe` connections, so `monitorLoop` goroutines remained stuck in blocking reads after tests completed, causing the test process to hang until the 10-minute Go test timeout.
3. **Invalid test payload**: `getPayload()` called `CreateL3L4Payload` without Ethernet/IP/TCP layers, causing the Hubble parser to fail with "Ethernet packet too small". Events never reached the external channel, so tests blocked forever on channel reads.
4. **Missing test config**: `TestStart` didn't set `retryDelay`, defaulting to 12 seconds in `connect()`.
5. **Unbuffered channel race**: `externalChannel` was unbuffered, causing a race with the non-blocking send in `parserLoop`. Events were silently dropped, hitting an uninitialized metrics counter (nil pointer panic).

## setup-envtest — GCS 401 Unauthorized breaking test-image CI

The `setup-envtest` tool pinned at `v0.0.0-20211110210527-619e6b92dab9` (Nov 2021) downloads etcd/kube-apiserver binaries from a GCS bucket using unauthenticated access. GCS recently started returning `401 Unauthorized`, causing `KUBEBUILDER_ASSETS=""` and failing the `TestAPIs` envtest-based test in `pkg/controllers/daemon/retinaendpoint`.

**Fix:** Update `setup-envtest` to `v0.0.0-20250517180713-32e5e9e948a5` (release-0.20 branch), which uses GitHub-based downloads instead of deprecated GCS.

## Lint fixes

- Fixed `nilerr` lint: `monitorLoop` checked `ctx.Err() != nil` but returned `nil` — now returns `ctx.Err()`.
- Fixed `errcheck` lint: unchecked return value of `tcp.SetNetworkLayerForChecksum` in test.

## Related Issue

Fixes microsoft#1688

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Testing Completed

- `cache_test.go`: Ran 50 iterations (`-count=50`), all 400 test executions pass with 0 failures.
- `ciliumeventobserver`: Ran 5 iterations (`-count=5`) with 30s timeout. All 20 tests pass in ~5 seconds total (previously timed out at 600s).
- `setup-envtest`: Verified locally that updated version successfully downloads binaries via GitHub (no more GCS 401).

## Additional Notes

The `monitorLoop` production code change (removing the `select/default` antipattern) is necessary because the old pattern made it impossible to cancel the monitor loop when `DecodeBinary` was blocking. In production, `Stop()` closes the connection which unblocks the read, and the new `ctx.Err()` check ensures clean shutdown.

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
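The shutdown behaviour described in the commit message above, as an added Go example that is not Retina's code. `readFrame` is a hypothetical stand-in for the blocking `DecodeBinary` call, the two-byte frame is a constructed format, and `runAndStop` with its stop helpers is a harness invented for this illustration.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"time"
)

// readFrame is a hypothetical stand-in for the blocking DecodeBinary call.
// A frame is two bytes (constructed format); it blocks until both arrive.
func readFrame(conn net.Conn) ([2]byte, error) {
	var f [2]byte
	_, err := io.ReadFull(conn, f[:])
	return f, err
}

type loopFn func(ctx context.Context, conn net.Conn, out chan<- [2]byte) error

// monitorLoopOld has the select/default shape: ctx.Done() is polled only
// between reads, so a cancel that arrives during a blocked read is not seen.
func monitorLoopOld(ctx context.Context, conn net.Conn, out chan<- [2]byte) error {
	for {
		select {
		case <-ctx.Done():
			return ctx.Err()
		default:
			f, err := readFrame(conn)
			if err != nil {
				return err
			}
			out <- f
		}
	}
}

// monitorLoopFixed reads directly and checks ctx.Err() after a read error, so a
// read broken by shutdown returns the context error and a peer failure keeps its own.
func monitorLoopFixed(ctx context.Context, conn net.Conn, out chan<- [2]byte) error {
	for {
		f, err := readFrame(conn)
		if err != nil {
			if ctxErr := ctx.Err(); ctxErr != nil {
				return ctxErr
			}
			return err
		}
		select {
		case out <- f:
		case <-ctx.Done():
			return ctx.Err()
		}
	}
}

type stopFn func(cancel context.CancelFunc, local, peer net.Conn)

func cancelOnly(cancel context.CancelFunc, _, _ net.Conn) { cancel() }
func peerHangup(_ context.CancelFunc, _, peer net.Conn)   { peer.Close() }

func cancelAndClose(cancel context.CancelFunc, local, _ net.Conn) {
	cancel()
	local.Close()
}

// runAndStop parks loop inside a blocking read by sending half a frame,
// applies stop, and reports whether the loop returned within 200ms.
func runAndStop(loop loopFn, stop stopFn) (bool, error) {
	local, peer := net.Pipe()
	defer local.Close() // closing both ends releases a loop that is still blocked
	defer peer.Close()
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	done := make(chan error, 1)
	go func() { done <- loop(ctx, local, make(chan [2]byte, 1)) }()

	// net.Pipe is unbuffered: Write returns only after the loop's read has
	// taken the byte, so the loop is now waiting for the rest of the frame.
	if _, err := peer.Write([]byte{0x01}); err != nil {
		return false, err
	}
	stop(cancel, local, peer)
	select {
	case err := <-done:
		return true, err
	case <-time.After(200 * time.Millisecond):
		return false, nil
	}
}

func main() {
	r1, _ := runAndStop(monitorLoopOld, cancelOnly)
	r2, err := runAndStop(monitorLoopFixed, cancelAndClose)
	fmt.Println("old loop returned after cancel:", r1)
	fmt.Println("fixed loop after cancel+close: ", r2, err)
}
```

Cancelling without closing the connection leaves even the fixed loop blocked (`runAndStop(monitorLoopFixed, cancelOnly)` reports `false`), which matches the commit's note that `Stop()` closing the connection is what unblocks the read.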
…oft#2015)

# Description

Replace `RetinaMetadata` with `structpb.Struct` for flow extensions to enable Hubble CLI JSON marshaling without type registration

Changes:

- Add `NewExtensions()` and `SetExtensions()` helper functions
- Update Add* functions to take `*structpb.Struct` instead of `*RetinaMetadata`
- Update accessor functions to read from Struct
- Update all plugins and tests to use new API

## Related Issue

Closes microsoft#1080

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.
## Screenshots (if applicable) or Testing Completed ```bash {"flow":{"time":"2026-01-31T17:10:38.030385093Z","verdict":"FORWARDED","IP":{"source":"10.10.0.5","destination":"192.168.0.73","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":4244,"destination_port":38112,"flags":{"SYN":true,"ACK":true}}},"source":{"ID":1,"identity":1,"labels":["reserved:host"]},"destination":{"ID":51516,"identity":51516,"namespace":"kube-system","labels":["k8s:io.cilium.k8s.namespace.labels.kubernetes.azure.com/managedby=aks","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system","k8s:io.cilium.k8s.policy.cluster=default","k8s:k8s-app=hubble-relay","k8s:io.cilium.k8s.namespace.labels.addonmanager.kubernetes.io/mode=Reconcile","k8s:io.cilium.k8s.namespace.labels.control-plane=true","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/cluster-service=true","k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay","k8s:io.kubernetes.pod.namespace=kube-system","k8s:pod-template-hash=6b7c54d9ff","k8s:app.kubernetes.io/name=hubble-relay","k8s:app.kubernetes.io/part-of=cilium"],"pod_name":"hubble-relay-6b7c54d9ff-2lsqj"},"Type":"L3_L4","event_type":{"type":4},"traffic_direction":"EGRESS","trace_observation_point":"TO_ENDPOINT","is_reply":true,"Summary":"TCP Flags: SYN:true ACK:true","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"bytes":74,"previously_observed_tcp_flags":{"ACK":0,"CWR":0,"ECE":0,"FIN":0,"NS":0,"PSH":0,"RST":0,"SYN":0,"URG":0}}}},"time":"2026-01-31T17:10:38.030385093Z"} 
{"flow":{"time":"2026-01-31T17:10:38.030403862Z","verdict":"FORWARDED","IP":{"source":"192.168.0.73","destination":"10.10.0.5","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":38112,"destination_port":4244,"flags":{"ACK":true}}},"source":{"ID":51516,"identity":51516,"namespace":"kube-system","labels":["k8s:io.cilium.k8s.namespace.labels.kubernetes.azure.com/managedby=aks","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system","k8s:io.cilium.k8s.policy.cluster=default","k8s:k8s-app=hubble-relay","k8s:io.cilium.k8s.namespace.labels.addonmanager.kubernetes.io/mode=Reconcile","k8s:io.cilium.k8s.namespace.labels.control-plane=true","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/cluster-service=true","k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay","k8s:io.kubernetes.pod.namespace=kube-system","k8s:pod-template-hash=6b7c54d9ff","k8s:app.kubernetes.io/name=hubble-relay","k8s:app.kubernetes.io/part-of=cilium"],"pod_name":"hubble-relay-6b7c54d9ff-2lsqj"},"destination":{"ID":1,"identity":1,"labels":["reserved:host"]},"Type":"L3_L4","event_type":{"type":4,"sub_type":3},"traffic_direction":"EGRESS","trace_observation_point":"TO_STACK","is_reply":false,"Summary":"TCP Flags: ACK:true","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"bytes":66,"previously_observed_tcp_flags":{"ACK":0,"CWR":0,"ECE":0,"FIN":0,"NS":0,"PSH":0,"RST":0,"SYN":0,"URG":0}}}},"time":"2026-01-31T17:10:38.030403862Z"} {"flow":{"time":"2026-01-31T17:10:38.030513168Z","verdict":"DROPPED","IP":{"source":"0.0.0.0","destination":"0.0.0.0","ipVersion":"IPv4"},"source":{"ID":2,"identity":2,"labels":["reserved:world"]},"destination":{"ID":2,"identity":2,"labels":["reserved:world"]},"Type":"L3_L4","event_type":{"type":1},"traffic_direction":"INGRESS","trace_observation_point":"FROM_NETWORK","Summary":"Drop Reason: TCP_ACCEPT_BASIC\nNote: This reason is most accurate. 
Prefer over others while using Hubble CLI.","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"drop_reason":"TCP_ACCEPT_BASIC"}}},"time":"2026-01-31T17:10:38.030513168Z"} {"flow":{"time":"2026-01-31T17:10:38.030525215Z","verdict":"FORWARDED","IP":{"source":"192.168.0.73","destination":"10.10.0.5","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":38112,"destination_port":4244,"flags":{"PSH":true,"ACK":true}}},"source":{"ID":51516,"identity":51516,"namespace":"kube-system","labels":["k8s:io.cilium.k8s.namespace.labels.kubernetes.azure.com/managedby=aks","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system","k8s:io.cilium.k8s.policy.cluster=default","k8s:k8s-app=hubble-relay","k8s:io.cilium.k8s.namespace.labels.addonmanager.kubernetes.io/mode=Reconcile","k8s:io.cilium.k8s.namespace.labels.control-plane=true","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/cluster-service=true","k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay","k8s:io.kubernetes.pod.namespace=kube-system","k8s:pod-template-hash=6b7c54d9ff","k8s:app.kubernetes.io/name=hubble-relay","k8s:app.kubernetes.io/part-of=cilium"],"pod_name":"hubble-relay-6b7c54d9ff-2lsqj"},"destination":{"ID":1,"identity":1,"labels":["reserved:host"]},"Type":"L3_L4","event_type":{"type":4,"sub_type":3},"traffic_direction":"EGRESS","trace_observation_point":"TO_STACK","is_reply":false,"Summary":"TCP Flags: PSH:true ACK:true","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"bytes":90,"previously_observed_tcp_flags":{"ACK":0,"CWR":0,"ECE":0,"FIN":0,"NS":0,"PSH":0,"RST":0,"SYN":0,"URG":0}}}},"time":"2026-01-31T17:10:38.030525215Z"} ``` <img width="2871" height="526" alt="image" src="https://github.com/user-attachments/assets/80d5b4a7-1ba8-47f6-9285-a9c82e9519bc" /> ## Additional Notes Add any additional notes or context about the pull request here. 
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
# Description

Switch remaining ARM64 image build jobs to native `ubuntu-24.04-arm` runners instead of QEMU emulation on x86 `ubuntu-latest`. This follows the same pattern established for `retina-shell-images` in PR microsoft#2024.

## Related Issue

Follows up on microsoft#2024 (fix(ci): use native arm64 runners for shell image build).

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

YAML syntax validated. Changes are consistent with the existing `retina-shell-images` pattern already running in CI.

**Jobs migrated (6 total across 2 files):**

| Job | File |
|-----|------|
| `retina-images` | `images.yaml` |
| `operator-images` | `images.yaml` |
| `kubectl-retina-images` | `images.yaml` |
| `retina-images` | `release-images.yaml` |
| `operator-images` | `release-images.yaml` |
| `kubectl-retina-images` | `release-images.yaml` |

**Changes per job:**

- `runs-on`: `ubuntu-latest` → `${{ matrix.runner }}`
- Matrix converted from simple arrays to explicit `include` entries with `runner` field (`ubuntu-latest` for amd64, `ubuntu-24.04-arm` for arm64)
- Removed `docker/setup-qemu-action` step (no longer needed for native builds)
- Updated job names to include `(${{ matrix.platform }}, ${{ matrix.arch }})` for clarity

**Not changed:**

- `manifests` jobs — still use QEMU as needed for multi-arch manifest inspection
- `retina-shell-images` — already migrated in microsoft#2024

## Additional Notes

The only remaining `setup-qemu-action` references are in the `manifests` jobs, which correctly still need it.

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
….19.7 (microsoft#2014)

Bumps [github.com/aws/aws-sdk-go-v2/credentials](https://github.com/aws/aws-sdk-go-v2) from 1.18.10 to 1.19.7.

**Commits**

- [`e2e9697`](https://github.com/aws/aws-sdk-go-v2/commit/e2e9697d8ebe330a7435716c2f31b1cea4dff3c0) Release 2025-01-31
- [`6576a09`](https://github.com/aws/aws-sdk-go-v2/commit/6576a0939a79d5f31eef10164750faedd78a45d4) Regenerated Clients
- [`f762573`](https://github.com/aws/aws-sdk-go-v2/commit/f762573ab5d9286d9751d49091f6a240c12c0742) Update API model
- [`c94df29`](https://github.com/aws/aws-sdk-go-v2/commit/c94df29ecd457e8ec40931fd2fe54d8da2f93ce2) add transfer manager doc header ([#2990](https://redirect.github.com/aws/aws-sdk-go-v2/issues/2990))
- [`880543c`](https://github.com/aws/aws-sdk-go-v2/commit/880543ce2034570eb3b93c4811289c3b0e55600f) revert the revert on the transfer manager beta ([#2993](https://redirect.github.com/aws/aws-sdk-go-v2/issues/2993))
- [`8da49e5`](https://github.com/aws/aws-sdk-go-v2/commit/8da49e527e317a77ef0f1b2f52b4dc72a4fbd720) switch to code-generated waiters for remaining services ([#2994](https://redirect.github.com/aws/aws-sdk-go-v2/issues/2994))
- [`c7c6865`](https://github.com/aws/aws-sdk-go-v2/commit/c7c68659ce67e5b7e18f31bc66068cec9e3d790d) Release 2025-01-30
- [`70f736c`](https://github.com/aws/aws-sdk-go-v2/commit/70f736c5dc0b8652c5fe5c387b2165c3b9beddb1) Regenerated Clients
- [`28731c2`](https://github.com/aws/aws-sdk-go-v2/commit/28731c2bdef3c2555a95632396b6d4936e58099d) Update endpoints model
- [`3505e4b`](https://github.com/aws/aws-sdk-go-v2/commit/3505e4b255c327a1fa38f870612c327b93302dc0) Update API model
- Additional commits viewable in [compare view](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.10...service/m2/v1.19.7)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Description

Comprehensive CI hardening across all workflow files, devcontainer fixes, and coverage reporting.

### Actions pinned to SHA

- Pin all 50+ GitHub Action references to SHA digests with version comments
- Bump to latest versions: CodeQL v4.32.3, golangci-lint-action v9.2.0, goreleaser-action v6.4.0, markdownlint-cli2-action v22.0.0, trivy-action 0.34.0, create-pull-request v8.1.0, stale v10.1.1, and others
- Eliminates supply chain risk from mutable version tags (including `actions/stale@main`)

### Workflow hardening

- **Concurrency groups** added to 8 workflows to cancel duplicate runs
- **timeout-minutes** added to all 37 jobs across all workflows
- **Explicit permissions** added to workflows missing them (commit-message, test-multicloud, markdownlint, release-validation)
- **Permissions reduced** in test.yaml (removed unnecessary issues/pull-requests/security-events write)
- **Path filters** added to docs and markdownlint workflows

### Bug fixes

- **Trivy**: skip scan when triggering release workflow failed (eliminates ~82% of trivy failures); use latest release tag for scheduled/manual scans instead of HEAD SHA
- **Merge queue bypass removed**: golangci-lint and CodeQL now run on merge_group events
- **Shell expansion fix**: `$(make version)` and `$(curl ...)` in YAML `with:` blocks don't execute — restructured perf-schedule.yaml with a `get-tag` job and fixed images.yaml perf-test calls
- **Release validation**: only runs when triggering workflow succeeded
- **Stale outputs**: quoted to prevent injection
- **Coverage scripts**: fixed hardcoded `owner = "azure"` → `"microsoft"`, fixed workflow filename `"retina-test.yaml"` → `"test.yaml"`, added guard for empty workflow runs
- **Makefile coverage target**: fixed grep pattern that silently failed to filter `_generated.go` files (mixed escaped/unescaped `|` in BRE mode)

### Test coverage reporting

- **Step summary**: every test run now posts total coverage percentage and lowest-coverage packages to `$GITHUB_STEP_SUMMARY`
- **PR comment**: on pull requests, fetches main branch coverage, diffs it, and posts/updates a coverage comparison comment showing per-file increases/decreases
- Handles 403 gracefully for fork PRs (insufficient `GITHUB_TOKEN` permissions) — falls back to step summary
- Wires up the existing but disconnected `scripts/coverage/` infrastructure

### GoReleaser

- Added `checksum` and `sboms` sections for release artifact integrity

### Devcontainer

- Upgraded base image from Ubuntu Jammy (22.04) to Noble (24.04)
- Pinned Go version to 1.24.11 (matches go.mod)
- Fixed LLVM/Clang from version 14 to 16 (matches project requirements)
- Added `clang` and `llvm-strip` symlinks
- Installed `gofumpt` (required by `make fmt`)
- Added docker readiness check before `kind create cluster`
- Hardened install script with `set -euo pipefail`
- Removed redundant `common-utils` feature

## Related Issue

N/A — proactive hardening based on CI failure analysis.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`).
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

- Verified zero unpinned actions remain (`grep` for `@v\d` and `@main` returns no matches)
- Verified zero `IS_NOT_MERGE_GROUP` references remain
- Verified all 37 jobs have `timeout-minutes` set
- YAML syntax validated across all workflow files

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
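A check for the "zero unpinned actions remain" verification above, as an added Go example that is not part of the Retina repository. It goes beyond the `grep` for `@v\d` and `@main` by also flagging other branch names, abbreviated SHAs and `docker://` image tags; the sample workflow and its 40-hex digest are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleWorkflow is constructed for this example; the 40-hex digest is a
// placeholder, not a real commit of the action named.
const sampleWorkflow = `name: sample
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: actions/stale@main
      - uses: golangci/golangci-lint-action@v9.2.0
      - uses: ./.github/actions/local-build
      - name: abbreviated digest
        uses: aquasecurity/trivy-action@0123456
      # uses: actions/cache@v4
      - uses: docker://alpine:3
`

var (
	// usesRe captures the value of a uses: key, with or without a list dash
	// or quotes, and stops before a trailing comment.
	usesRe   = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)`)
	commitRe = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)
	digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)
)

// Finding is one uses: reference that can change without the workflow changing.
type Finding struct {
	Line   int
	Target string
	Reason string
}

// findUnpinned reports every action reference that is not pinned to a full
// commit SHA (or, for docker:// references, to a sha256 image digest).
func findUnpinned(workflow string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for line := 1; sc.Scan(); line++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a uses: line (commented-out lines start with '#')
		}
		target := m[1]
		switch {
		case strings.HasPrefix(target, "./"):
			// Local action: it is versioned with the repository itself.
		case strings.HasPrefix(target, "docker://"):
			if !digestRe.MatchString(target) {
				findings = append(findings, Finding{Line: line, Target: target, Reason: "image tag without sha256 digest"})
			}
		default:
			_, ref, found := strings.Cut(target, "@")
			if !found || !commitRe.MatchString(ref) {
				findings = append(findings, Finding{Line: line, Target: target, Reason: "ref is not a full 40-hex commit SHA"})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range findUnpinned(sampleWorkflow) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Target, f.Reason)
	}
}
```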
Bumps [actions/stale](https://github.com/actions/stale) from 10.1.1 to 10.2.0.

**Release notes**

*Sourced from [actions/stale's releases](https://github.com/actions/stale/releases).*

> ## v10.2.0
>
> ## What's Changed
>
> ### Bug Fix
>
> - Fix checking state cache (fix [#1136](https://redirect.github.com/actions/stale/issues/1136)) and switch to Octokit helper methods by [`@itchyny`](https://github.com/itchyny) in [actions/stale#1152](https://redirect.github.com/actions/stale/pull/1152)
>
> ### Dependency Updates
>
> - Upgrade js-yaml from 4.1.0 to 4.1.1 by [`@dependabot`](https://github.com/dependabot) in [actions/stale#1304](https://redirect.github.com/actions/stale/pull/1304)
> - Upgrade lodash from 4.17.21 to 4.17.23 by [`@dependabot`](https://github.com/dependabot) in [actions/stale#1313](https://redirect.github.com/actions/stale/pull/1313)
> - Upgrade actions/cache from 4.0.3 to 5.0.2 and actions/github from 5.1.1 to 7.0.0 by [`@chiranjib-swain`](https://github.com/chiranjib-swain) in [actions/stale#1312](https://redirect.github.com/actions/stale/pull/1312)
>
> ## New Contributors
>
> - [`@itchyny`](https://github.com/itchyny) made their first contribution in [actions/stale#1152](https://redirect.github.com/actions/stale/pull/1152)
>
> **Full Changelog**: https://github.com/actions/stale/compare/v10...v10.2.0

**Commits**

- [`b5d41d4`](https://github.com/actions/stale/commit/b5d41d4e1d5dceea10e7104786b73624c18a190f) build(deps-dev): bump lodash from 4.17.21 to 4.17.23 ([#1313](https://redirect.github.com/actions/stale/issues/1313))
- [`dcd2b94`](https://github.com/actions/stale/commit/dcd2b9469d2220b7e8d08aedc00c105d277fd46b) Fix punycode and url.parse Deprecation Warnings ([#1312](https://redirect.github.com/actions/stale/issues/1312))
- [`d6f8a33`](https://github.com/actions/stale/commit/d6f8a33132340b15a7006f552936e4b9b39c00ec) build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 ([#1304](https://redirect.github.com/actions/stale/issues/1304))
- [`a21a081`](https://github.com/actions/stale/commit/a21a0816299b11691f9592ef0d63d08e02f06d9d) Fix checking state cache (fix [#1136](https://redirect.github.com/actions/stale/issues/1136)), also switch to octokit methods ([#1152](https://redirect.github.com/actions/stale/issues/1152))
- See full diff in [compare view](https://github.com/actions/stale/compare/997185467fa4f803885201cee163a9f38240193d...b5d41d4e1d5dceea10e7104786b73624c18a190f)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Description

Bump shell tool versions:

- **pwru**: v1.0.9 → v1.0.11 ([release notes](https://github.com/cilium/pwru/releases/tag/v1.0.11))
- **hubble CLI**: v1.18.3 → v1.18.6 ([release notes](https://github.com/cilium/hubble/releases/tag/v1.18.6))

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

- Verified pwru v1.0.11 release asset URL resolves: `curl -sfIL "https://github.com/cilium/pwru/releases/download/v1.0.11/pwru-linux-amd64.tar.gz"`
- Verified hubble v1.18.6 release exists on GitHub

Signed-off-by: Quang Nguyen <quang@nddq.dev>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
## Description

Bump all Docusaurus site dependencies to latest compatible versions to resolve 2 high-severity `qs` vulnerabilities.

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`).
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

- `npm audit` → 0 vulnerabilities
- `npm run build` → clean build, no warnings

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
…time (microsoft#1921)

# Description

With advanced metrics, high-cardinality labels can cause the metrics export to bloat, leading to unbounded memory and resource usage. This PR sets up an optional TTL for advanced metrics defined in the `MetricsConfiguration` CRD. By default, the TTL is infinite and cleanup is not tracked or done. When defined, on a period equal to the TTL, metrics which have not been updated within the last TTL duration will be removed from the metrics export.

For counters and gauges that look like counters, this will be treated by Prometheus similar to any other missing metric (for example from an application restart). As long as functions like `rate` or `increase` are used, calculations will remain accurate.

This also includes a refactor of the base metrics object as an interface, allowing mocking in tests and a clean API contract with child objects that compose it.

## Related Issue

microsoft#1692

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [X] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Deployed, modified CRD to enable/disable and change the TTL. Metrics are re-initialized as expected. Made sure that CRD validation rejects invalid TTL values. Also, added comprehensive tests for the TTL-based cleanup logic.

Signed-off-by: Matthew McKeen <matthew.mckeen@fastly.com>
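The TTL cleanup described in the commit message above, sketched as an added Go example that is not Retina's implementation. `ttlCounterVec`, its methods and the injectable clock are hypothetical names, and label sets are reduced to a single string key.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
	"time"
)

type entry struct {
	value      float64
	lastUpdate time.Time
}

// ttlCounterVec is a hypothetical stand-in for a labelled counter; it is not
// Retina's metrics type. A ttl of 0 means infinite: nothing is ever expired.
type ttlCounterVec struct {
	mu     sync.Mutex
	ttl    time.Duration
	now    func() time.Time // injectable clock so expiry can be tested
	series map[string]*entry
}

func newTTLCounterVec(ttl time.Duration, now func() time.Time) *ttlCounterVec {
	return &ttlCounterVec{ttl: ttl, now: now, series: map[string]*entry{}}
}

// Inc bumps the series for one label set and records when it was touched.
func (c *ttlCounterVec) Inc(labels string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.series[labels]
	if !ok {
		e = &entry{}
		c.series[labels] = e
	}
	e.value++
	e.lastUpdate = c.now()
}

// Sweep drops every series not updated within the last TTL and returns the
// removed label sets, sorted. It is meant to run once per TTL period.
func (c *ttlCounterVec) Sweep() []string {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.ttl <= 0 {
		return nil // infinite TTL: cleanup is not done
	}
	cutoff := c.now().Add(-c.ttl)
	var removed []string
	for key, e := range c.series {
		if e.lastUpdate.Before(cutoff) {
			delete(c.series, key)
			removed = append(removed, key)
		}
	}
	sort.Strings(removed)
	return removed
}

// Export returns a copy of what a scrape would see.
func (c *ttlCounterVec) Export() map[string]float64 {
	c.mu.Lock()
	defer c.mu.Unlock()
	out := make(map[string]float64, len(c.series))
	for key, e := range c.series {
		out[key] = e.value
	}
	return out
}

func main() {
	now := time.Unix(0, 0)
	vec := newTTLCounterVec(5*time.Minute, func() time.Time { return now })
	vec.Inc("pod=a")
	vec.Inc("pod=b")
	now = now.Add(4 * time.Minute)
	vec.Inc("pod=a")
	now = now.Add(2 * time.Minute)
	fmt.Println("expired:", vec.Sweep(), "exported:", vec.Export())
	vec.Inc("pod=b") // reappears from zero, like a counter after a restart
	fmt.Println("exported:", vec.Export())
}
```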
Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.13.0 to 1.14.0.

**Release notes**

*Sourced from [helm/kind-action's releases](https://github.com/helm/kind-action/releases).*

> ## v1.14.0
>
> ## What's Changed
>
> - Bump actions/checkout from 5.0.0 to 6.0.1 by [`@dependabot`](https://github.com/dependabot)[bot] in [helm/kind-action#153](https://redirect.github.com/helm/kind-action/pull/153)
> - bump kind to v0.31.0 and k8s to v1.35.0 by [`@MrFreezeex`](https://github.com/MrFreezeex) in [helm/kind-action#155](https://redirect.github.com/helm/kind-action/pull/155)
> - Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by [`@dependabot`](https://github.com/dependabot)[bot] in [helm/kind-action#156](https://redirect.github.com/helm/kind-action/pull/156)
>
> ## New Contributors
>
> - [`@MrFreezeex`](https://github.com/MrFreezeex) made their first contribution in [helm/kind-action#155](https://redirect.github.com/helm/kind-action/pull/155)
>
> **Full Changelog**: https://github.com/helm/kind-action/compare/v1...v1.14.0

**Commits**

- [`ef37e7f`](https://github.com/helm/kind-action/commit/ef37e7f390d99f746eb8b610417061a60e82a6cc) Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group ([#156](https://redirect.github.com/helm/kind-action/issues/156))
- [`f5f117a`](https://github.com/helm/kind-action/commit/f5f117a566cacf2b7e54d9ddbfa40584fdf3b127) bump kind to v0.31.0 and k8s to v1.35.0 ([#155](https://redirect.github.com/helm/kind-action/issues/155))
- [`2cd8ada`](https://github.com/helm/kind-action/commit/2cd8ada7be24dd8f8446296d86376de928fe2df5) Bump actions/checkout from 5.0.0 to 6.0.1 ([#153](https://redirect.github.com/helm/kind-action/issues/153))
- See full diff in [compare view](https://github.com/helm/kind-action/compare/92086f6be054225fa813e0a4b13787fc9088faab...ef37e7f390d99f746eb8b610417061a60e82a6cc)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary

- remove Windows Server 2019 support across build/test targets
- align Windows image defaults to 2022+ and update manifests
- clean up related CLI mappings, scripts, and docs

## Changes

- drop 2019 from Windows build matrices and manifest targets
- remove Windows 2019 Dockerfiles and base image references
- remove 2019 OS image mapping and tests in capture download
- update AKS deploy script and README note
- update image metadata artifacts to remove ltsc2019

## Testing

- not run (not requested)

## Notes

- Windows builds remain enabled for 2022+ only

## Related Issue

- Fixes microsoft#2075

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Additional Notes

- This PR is required to unblock CI, see for example https://github.com/microsoft/retina/actions/runs/22350794227/job/64686829439
…ump (microsoft#2067)

# Description

The v9 → v22 bump of `markdownlint-cli2-action` in microsoft#2060 broke the Markdown Lint CI check for all PRs. The `command` input was removed in v22 and replaced with a dedicated `config` input. The old invocation silently ignored both `command: config` and the config file path inside `globs`, causing all files to be linted with default rules — including MD013 (line-length) which the project explicitly disables in `.github/.markdownlint.json`.

This PR switches to the v22 `config` input so the config file is actually applied.

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

CI will validate — this is a workflow-only change. The fix is self-verifying: if the config is applied correctly, MD013 violations from existing files (e.g., `SECURITY.md`, `test/e2e/README.md`) will stop appearing.

## Additional Notes

N/A

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
…oft#2078)

## Description

This PR updates the markdown linter configuration to disable the following rules:

- **MD058**: Omit break at the end of a block.
- **MD059**: Omit break inside a block.
- **MD060**: Omit break after a header.

These changes reduce noise in the linting process for existing documentation.

## Related Issue

- See CI job failure: https://github.com/microsoft/retina/actions/runs/22402204231/job/64851720792?pr=1981

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Please add any relevant screenshots or GIFs to showcase the changes made.

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
…k issue tracing (microsoft#2061)

# Description

## Summary

New `bpftrace` subcommand for real-time tracing of network issues on Kubernetes nodes using eBPF/bpftrace.

## Use Cases

- Debug packet drops on a node (e.g., NetworkPolicy blocks, routing issues)
- Trace TCP connection failures (RST sent/received, connection refused)
- Identify retransmissions indicating packet loss or congestion
- Filter events by IP or subnet to focus on specific endpoints

```bash
# Trace all events (default)
kubectl retina bpftrace <node>

# Trace only drops and RSTs for a specific IP
kubectl retina bpftrace <node> --drops --rst --ip 10.244.1.15

# Trace retransmits for a subnet
kubectl retina bpftrace <node> --retransmits --cidr 10.244.0.0/16
```

## What's Implemented

### New CLI Command: `kubectl retina bpftrace <node-name>`

Traces network issues on a specified Kubernetes node with the following capabilities:

**Event Types Captured:**

| Type | Probe | Description |
|------|-------|-------------|
| DROP | `kfree_skb` | Packet drops with kernel reason codes (e.g., NETFILTER_DROP for NetworkPolicy) |
| RST_SENT | `tcp_send_reset` | TCP RST packets sent by this host |
| RST_RECV | `tcp_receive_reset` | TCP RST packets received by this host |
| SOCK_ERR | `inet_sk_error_report` | Socket errors (ECONNREFUSED, ETIMEDOUT, etc.) |
| RETRANS | `tcp_retransmit_skb` | TCP retransmissions indicating packet loss |

## Flags

| Flag | Description |
|------|-------------|
| `--ip` | Filter by IP address (src or dst) |
| `--cidr` | Filter by CIDR (src or dst) |
| `--drops` | Enable only packet drop events |
| `--rst` | Enable only TCP RST events |
| `--errors` | Enable only socket error events |
| `--retransmits` | Enable only retransmit events |
| `--all` | Enable all events (default) |
| `--duration` | Trace duration (0 = until Ctrl-C) |
| `--startup-timeout` | Pod startup timeout |
| `-o, --output` | Output format: `table` or `json` |

When no event flags are specified, all events are traced.

## Related Issue

If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

<img width="956" height="893" alt="image" src="https://github.com/user-attachments/assets/cfefd21a-03a7-4518-88c5-66a28d3a4145" />

## Additional Notes

## Limitations

- **IPv4 only**: IPv6 not supported
- **Linux only**: Windows nodes not supported
- **Cilium CNI**: DROP events won't capture Cilium policy drops (Cilium uses eBPF datapath, not netfilter/kfree_skb)

## Testing

```bash
# Build
go build -o kubectl-retina ./cli

# E2E test (validates all 4 event types)
./test/e2e/test_bpftrace_drops.sh

# Manual
NODE=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
./kubectl-retina bpftrace $NODE --duration 30s --retina-shell-image-version v1.0.3
```

## Security

- IP/CIDR inputs validated and converted to hex (injection-safe)
- Commands executed via array-based exec (no shell)
- Pod uses minimal capabilities for bpftrace

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

---------

Signed-off-by: Alex Castilio dos Santos <alexsantos@microsoft.com>
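The Security notes of the bpftrace commit above say that IP/CIDR inputs are validated and converted to hex, and that commands are executed as an argument array with no shell. The Go example below is added here to illustrate that pattern and is not code from the Retina repository; the function names, the `$saddr`/`$daddr` script variables and the local `exec.Command` call standing in for the real executor are assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
	"os/exec"
)

// ipv4Hex validates s as a dotted-quad IPv4 address and returns it as a
// fixed-width hex literal in network byte order ("10.244.1.15" -> "0x0af4010f").
// Anything the parser does not accept as a whole never reaches the script.
func ipv4Hex(s string) (string, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "", fmt.Errorf("invalid IP %q: %w", s, err)
	}
	if !addr.Is4() { // the page lists the command as IPv4 only
		return "", fmt.Errorf("invalid IP %q: only IPv4 is supported", s)
	}
	b := addr.As4()
	return fmt.Sprintf("0x%08x", binary.BigEndian.Uint32(b[:])), nil
}

// cidrHex validates s as an IPv4 prefix and returns the masked network address
// and the netmask, both as fixed-width hex literals.
func cidrHex(s string) (network, mask string, err error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return "", "", fmt.Errorf("invalid CIDR %q: %w", s, err)
	}
	if !p.Addr().Is4() {
		return "", "", fmt.Errorf("invalid CIDR %q: only IPv4 is supported", s)
	}
	b := p.Masked().Addr().As4() // clear host bits: 10.244.1.15/16 -> 10.244.0.0
	m := ^uint32(0) << (32 - p.Bits())
	return fmt.Sprintf("0x%08x", binary.BigEndian.Uint32(b[:])), fmt.Sprintf("0x%08x", m), nil
}

// ipPredicate returns the script fragment for an --ip filter. The user's text
// is never interpolated; only the derived hex literal is. $saddr and $daddr
// are hypothetical script variables, assumed to hold addresses in the same
// byte order as the literal.
func ipPredicate(ip string) (string, error) {
	h, err := ipv4Hex(ip)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("($saddr == %s || $daddr == %s)", h, h), nil
}

// cidrPredicate returns the script fragment for a --cidr filter.
func cidrPredicate(cidr string) (string, error) {
	n, m, err := cidrHex(cidr)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("(($saddr & %s) == %s || ($daddr & %s) == %s)", m, n, m, n), nil
}

// traceCommand builds the invocation as an argv array. No "sh -c" is involved,
// so the script is passed to bpftrace as one argument whatever it contains.
// The command is only constructed here, never started.
func traceCommand(script string) *exec.Cmd {
	return exec.Command("bpftrace", "-e", script)
}

func main() {
	// Constructed inputs: one well-formed address and two that must be rejected.
	for _, in := range []string{"10.244.1.15", "10.244.1.15 || 1", "::1"} {
		p, err := ipPredicate(in)
		fmt.Printf("--ip %q -> %q (err: %v)\n", in, p, err)
	}
	p, err := cidrPredicate("10.244.1.15/16")
	fmt.Printf("--cidr -> %q (err: %v)\n", p, err)
	fmt.Printf("argv has %d elements\n", len(traceCommand("// "+p).Args))
}
```
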
…arn group across 1 directory (microsoft#2070) Bumps the npm_and_yarn group with 1 update in the /site directory: [ajv](https://github.com/ajv-validator/ajv). Updates `ajv` from 6.12.6 to 6.14.0 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ajv-validator/ajv/commit/e3af0a723b4b7ad86eff43be355c706d31e0e915"><code>e3af0a7</code></a> 6.14.0</li> <li><a href="https://github.com/ajv-validator/ajv/commit/b552ed66191eb338498df3196065c777e3bb71f2"><code>b552ed6</code></a> add regExp option to address $data exploit via a regular expression (CVE-2025...</li> <li><a href="https://github.com/ajv-validator/ajv/commit/72f228665859eed5e2be3a66f8c4a7aff6b34dcf"><code>72f2286</code></a> docs: update v7 info</li> <li><a href="https://github.com/ajv-validator/ajv/commit/231e52b3bca62559202b95e5fb5cee02145b226a"><code>231e52b</code></a> Merge pull request <a href="https://redirect.github.com/ajv-validator/ajv/issues/1320">#1320</a> from philsturgeon/patch-1</li> <li><a href="https://github.com/ajv-validator/ajv/commit/d3475fc20416c33fe030c8aa3b09fa411f325bbd"><code>d3475fc</code></a> Add spectral, an AJV util from a sponsor</li> <li><a href="https://github.com/ajv-validator/ajv/commit/413afe01f518ea74d1740a7cb211df787c585544"><code>413afe0</code></a> docs: v7.0.0-beta.3</li> <li><a href="https://github.com/ajv-validator/ajv/commit/11e997bda2f3eecb445c1e5a07d96ef7e81c5f5d"><code>11e997b</code></a> update readme for v7</li> <li>See full diff in <a href="https://github.com/ajv-validator/ajv/compare/v6.12.6...v6.14.0">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.3 to 4.32.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v4.32.4</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. 
<a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.32.4 - 20 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. 
<a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. 
<a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> <h2>4.32.3 - 13 Feb 2026</h2> <ul> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li> </ul> <h2>4.32.2 - 05 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li> </ul> <h2>4.32.1 - 02 Feb 2026</h2> <ul> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. 
<a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li> </ul> <h2>4.32.0 - 26 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li> </ul> <h2>4.31.11 - 23 Jan 2026</h2> <ul> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li> </ul> <h2>4.31.10 - 12 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to 2.23.9. 
<a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li> </ul> <h2>4.31.9 - 16 Dec 2025</h2> <p>No user facing changes.</p> <h2>4.31.8 - 11 Dec 2025</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/89a39a4e59826350b863aa6b6252a07ad50cf83e"><code>89a39a4</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3494">#3494</a> from github/update-v4.32.4-39ba80c47</li> <li><a href="https://github.com/github/codeql-action/commit/e5d84c885c00d506f7816d26a298534dbbffac6d"><code>e5d84c8</code></a> Apply remaining review suggestions</li> <li><a href="https://github.com/github/codeql-action/commit/0c202097b5de484e2a3725d4467f9cb7e3107881"><code>0c20209</code></a> Apply suggestions from code review</li> <li><a href="https://github.com/github/codeql-action/commit/314172e5a1e1691ba4ad232b3d0230ceaf3d9239"><code>314172e</code></a> Fix typo</li> <li><a href="https://github.com/github/codeql-action/commit/cdda72d36b93310932b0afe1784acd0209d190dd"><code>cdda72d</code></a> Add changelog entries</li> <li><a href="https://github.com/github/codeql-action/commit/cfda84cc5509282e2adc1570c3cf29c3167ae87f"><code>cfda84c</code></a> Update changelog for v4.32.4</li> <li><a href="https://github.com/github/codeql-action/commit/39ba80c47550c834104c0f222b502461ac312c29"><code>39ba80c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3493">#3493</a> from github/update-bundle/codeql-bundle-v2.24.2</li> <li><a href="https://github.com/github/codeql-action/commit/00150dad957fc9c1cba52bdab82e458ae5c09fe5"><code>00150da</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/d97dce6561ae3dd4e4db9bfa95479f7572bd7566"><code>d97dce6</code></a> Update default bundle to codeql-bundle-v2.24.2</li> <li><a 
href="https://github.com/github/codeql-action/commit/50fdbb9ec845c41d6d3509d794e3a28af7032c59"><code>50fdbb9</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3492">#3492</a> from github/henrymercer/new-repository-properties-ff</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/9e907b5e64f6b83e7804b09294d44122997950d6...89a39a4e59826350b863aa6b6252a07ad50cf83e">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…t#2074) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.4.0 to 7.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/goreleaser/goreleaser-action/releases">goreleaser/goreleaser-action's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>What's Changed</h2> <ul> <li>feat!: node 24, update deps, rm yarn, ESM by <a href="https://github.com/caarlos0"><code>@caarlos0</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/533">goreleaser/goreleaser-action#533</a></li> <li>sec: pin github action versions by <a href="https://github.com/caarlos0"><code>@caarlos0</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/514">goreleaser/goreleaser-action#514</a></li> <li>docs: Upgrade checkout GitHub Action in README.md by <a href="https://github.com/dunglas"><code>@dunglas</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/507">goreleaser/goreleaser-action#507</a></li> <li>chore(deps): bump actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/504">goreleaser/goreleaser-action#504</a></li> <li>ci(deps): bump the actions group with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/517">goreleaser/goreleaser-action#517</a></li> <li>ci(deps): bump the actions group with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/523">goreleaser/goreleaser-action#523</a></li> <li>ci(deps): bump docker/bake-action from 6.9.0 to 6.10.0 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a 
href="https://redirect.github.com/goreleaser/goreleaser-action/pull/526">goreleaser/goreleaser-action#526</a></li> <li>ci(deps): bump the actions group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/532">goreleaser/goreleaser-action#532</a></li> <li>ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/534">goreleaser/goreleaser-action#534</a></li> <li>chore(deps): bump the npm group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/536">goreleaser/goreleaser-action#536</a></li> <li>chore(deps): bump <code>@actions/http-client</code> from 3.0.2 to 4.0.0 in the npm group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/537">goreleaser/goreleaser-action#537</a></li> <li>ci(deps): bump docker/setup-buildx-action from 3.10.0 to 3.12.0 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/538">goreleaser/goreleaser-action#538</a></li> <li>chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/539">goreleaser/goreleaser-action#539</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/goreleaser/goreleaser-action/compare/v6...v7.0.0">https://github.com/goreleaser/goreleaser-action/compare/v6...v7.0.0</a></p> </blockquote> </details> <details> 
<summary>Commits</summary> <ul> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/ec59f474b9834571250b370d4735c50f8e2d1e29"><code>ec59f47</code></a> fix: yargs usage</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/752dedee3d734a650f4cc280f78173f420900df9"><code>752dede</code></a> fix: gitignore</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/1881ae035d414b6146c8228c12290fa3c856f536"><code>1881ae0</code></a> ci: update dependabot settings</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/fdc5e662bb47216e7262db37c92fc968f3853c65"><code>fdc5e66</code></a> chore: gitignore provenance.json</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/51b5b35c3c313b84ba90e097d0ad2cf1bce101bc"><code>51b5b35</code></a> chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/539">#539</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/4247c53b304edb39a4e6a0808f415d3eebad450a"><code>4247c53</code></a> ci(deps): bump docker/setup-buildx-action in the actions group (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/538">#538</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/c169bfd5ae289fddb2e8b0b28a73a4baa2f55466"><code>c169bfd</code></a> chore(deps): bump <code>@actions/http-client</code> from 3.0.2 to 4.0.0 in the npm group (...</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/902ab4a70dd43cbbbe029e9917e939ba355a50dd"><code>902ab4a</code></a> chore(deps): bump the npm group across 1 directory with 4 updates (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/536">#536</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/c59a691319d27b75766143e4cd37a08ac6d400f8"><code>c59a691</code></a> chore: gitignore</li> <li><a 
href="https://github.com/goreleaser/goreleaser-action/commit/56cc8b2737e5dd9a4ebdeaf930b51aa0231efd3d"><code>56cc8b2</code></a> ci: add job to automate dependabot pre-checkin/vendor</li> <li>Additional commits viewable in <a href="https://github.com/goreleaser/goreleaser-action/compare/e435ccd777264be153ace6237001ef4d979d3a7a...ec59f474b9834571250b370d4735c50f8e2d1e29">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ft#1981)

# Description

This PR introduces support for `BPF_MAP_TYPE_RINGBUF` in the `packetparser` plugin as a configurable alternative to `BPF_MAP_TYPE_PERF_EVENT_ARRAY`. Ring Buffers offer better performance and memory efficiency, especially on high-core systems, by using a shared buffer across CPUs rather than per-CPU buffers.

### Changes

- **Configuration**: Added `packetParserRingBuffer` (enum: `enabled`/`disabled`; `auto` reserved) and `packetParserRingBufferSize` (uint32) to the Retina configuration and Helm charts.
- **BPF**: Updated `packetparser.c` to conditionally compile with `BPF_MAP_TYPE_RINGBUF` when enabled.
- **Userspace**: Updated `packetparser_linux.go` to:
  - Pass `-DUSE_RING_BUFFER` and `-DRING_BUFFER_SIZE` flags during BPF compilation.
  - Implement a `ringBufReaderWrapper` to adapt the `cilium/ebpf/ringbuf` reader to the existing reader interface.
  - Add logging to indicate which buffer type is active.
- **Testing**: Updated unit tests to mock metrics correctly and added a new test case to verify compilation with Ring Buffer enabled.
- **Userspace (follow-up)**:
  - Decoupled the reader interface from `cilium/ebpf/perf.Record` by introducing a custom `perfRecord` struct to support both perf array and ring buffer paths cleanly.
  - Added a `perfReaderWrapper` and updated `ringBufReaderWrapper` to convert records into the new `perfRecord` type.
- **Kernel gating**:
  - Added shared kernel version parsing/comparison helpers and reusable kernel release retrieval utils.
  - Enforced a minimum kernel version when ring buffer mode is enabled.
  - Updated telemetry to reuse the shared kernel release helper.
- **Docs/config**: Updated config docs and Helm `values.yaml` to reflect `packetParserRingBuffer`.
- **Tests**:
  - Added unit tests for kernel release parsing and version comparison helpers.
  - Limited the ring buffer config test to Linux builds.
  - Adjusted packetparser tests to align with the new `perfRecord` reader interface.
- **Chore/lint**: Addressed linting by using safe page-size casts, wrapping perf errors, and splitting long lines.

### Verification

- Verified unit tests pass: `go test -v ./pkg/plugin/packetparser/...`
- Manual verification on Kind:
  - Built image with `enablePacketParserRingBuffer: true`.
  - Deployed to Kind cluster.
  - Verified logs show "Initializing Ring Buffer reader".
  - Verified BPF map type is `ringbuf` using `bpftool`.

## Related Issues/PRs

- microsoft#655
- fixes microsoft#1966
- microsoft#1965

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

<img width="1335" height="1448" alt="image" src="https://github.com/user-attachments/assets/7b775c40-6683-4faa-aa2d-4748ea7277be" />
<img width="1913" height="355" alt="Screenshot 2025-12-15 093850" src="https://github.com/user-attachments/assets/83701a79-2b3f-46d6-8d87-8ff5e3aa9318" />
<img width="2517" height="1351" alt="Screenshot 2025-12-15 093819" src="https://github.com/user-attachments/assets/4a81b526-cc1d-41e2-b06d-5a8d90061ad6" />

## Additional Notes

Once this PR gets reviewed and merged, I will update the site docs accordingly. See issue microsoft#2016

In addition, I created an issue to implement an auto option to let retina decide at runtime whether to use `BPF_MAP_TYPE_RINGBUF` or not. See microsoft#2017

I stuck with `BPF_MAP_TYPE_PERF_EVENT_ARRAY` (Perf Buffers) as the default implementation because we still have a requirement to support Linux Kernel 5.4+, as noted in our [intro docs](https://retina.sh/docs/Introduction/intro). Since Ring Buffers (`BPF_MAP_TYPE_RINGBUF`) weren't introduced until kernel 5.8, making them the default would break Retina on older LTS environments (like Ubuntu 20.04) that we're currently committed to supporting.

We also haven't had a chance to benchmark the performance difference on high-core clusters yet. The [upstream documentation](https://docs.ebpf.io/linux/map-type/BPF_MAP_TYPE_RINGBUF/) is clear that while `BPF_MAP_TYPE_RINGBUF` is generally more efficient, it uses a single shared ring buffer whereas `BPF_MAP_TYPE_PERF_EVENT_ARRAY` uses a per-CPU approach, which has different scalability characteristics.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

---------

Signed-off-by: Simone Rodigari <srodigari@microsoft.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.2.0 to 6.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v6.3.0</h2> <h2>What's Changed</h2> <ul> <li>Update default Go module caching to use go.mod by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/705">actions/setup-go#705</a></li> <li>Fix golang download url to go.dev by <a href="https://github.com/178inaba"><code>@178inaba</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/469">actions/setup-go#469</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v6...v6.3.0">https://github.com/actions/setup-go/compare/v6...v6.3.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-go/commit/4b73464bb391d4059bd26b0524d20df3927bd417"><code>4b73464</code></a> Fix golang download url to go.dev (<a href="https://redirect.github.com/actions/setup-go/issues/469">#469</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/a5f9b05d2d216f63e13859e0d847461041025775"><code>a5f9b05</code></a> Update default Go module caching to use go.mod (<a href="https://redirect.github.com/actions/setup-go/issues/705">#705</a>)</li> <li>See full diff in <a href="https://github.com/actions/setup-go/compare/7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5...4b73464bb391d4059bd26b0524d20df3927bd417">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#2071) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.0 to 0.34.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aquasecurity/trivy-action/releases">aquasecurity/trivy-action's releases</a>.</em></p> <blockquote> <h2>v0.34.1</h2> <h2>What's Changed</h2> <ul> <li>ci(test): add zizmor security linter for GitHub Actions by <a href="https://github.com/DmitriyLewen"><code>@DmitriyLewen</code></a> in <a href="https://redirect.github.com/aquasecurity/trivy-action/pull/502">aquasecurity/trivy-action#502</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/aquasecurity/trivy-action/compare/0.34.0...0.34.1">https://github.com/aquasecurity/trivy-action/compare/0.34.0...0.34.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aquasecurity/trivy-action/commit/e368e328979b113139d6f9068e03accaed98a518"><code>e368e32</code></a> ci(test): add zizmor security linter for GitHub Actions (<a href="https://redirect.github.com/aquasecurity/trivy-action/issues/502">#502</a>)</li> <li>See full diff in <a href="https://github.com/aquasecurity/trivy-action/compare/c1824fd6edce30d7ab345a9989de00bbd46ef284...e368e328979b113139d6f9068e03accaed98a518">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…oft#2073) Bumps [rajatjindal/krew-release-bot](https://github.com/rajatjindal/krew-release-bot) from 0.0.47 to 0.0.50. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rajatjindal/krew-release-bot/releases">rajatjindal/krew-release-bot's releases</a>.</em></p> <blockquote> <h2>v0.0.50</h2> <h2>What's Changed</h2> <ul> <li>fix(goreleaser): also test goreleaser in CI by <a href="https://github.com/rajatjindal"><code>@rajatjindal</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/86">rajatjindal/krew-release-bot#86</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rajatjindal/krew-release-bot/compare/v0.0.49...v0.0.50">https://github.com/rajatjindal/krew-release-bot/compare/v0.0.49...v0.0.50</a></p> <h2>Release v0.0.49</h2> <h2>What's Changed</h2> <ul> <li>update golang and actions version by <a href="https://github.com/rajatjindal"><code>@rajatjindal</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/85">rajatjindal/krew-release-bot#85</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rajatjindal/krew-release-bot/compare/v0.0.48...v0.0.49">https://github.com/rajatjindal/krew-release-bot/compare/v0.0.48...v0.0.49</a></p> <h2>Release v0.0.48</h2> <h2>What's Changed</h2> <ul> <li>chore(git): ignore .idea paraphernalia by <a href="https://github.com/mbobrovskyi"><code>@mbobrovskyi</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/81">rajatjindal/krew-release-bot#81</a></li> <li>chore(make): add test target by <a href="https://github.com/mbobrovskyi"><code>@mbobrovskyi</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/82">rajatjindal/krew-release-bot#82</a></li> <li>fix(action): use latest tagged image version by <a href="https://github.com/rajatjindal"><code>@rajatjindal</code></a> in <a 
href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/84">rajatjindal/krew-release-bot#84</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/mbobrovskyi"><code>@mbobrovskyi</code></a> made their first contribution in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/81">rajatjindal/krew-release-bot#81</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rajatjindal/krew-release-bot/compare/v0.0.47...v0.0.48">https://github.com/rajatjindal/krew-release-bot/compare/v0.0.47...v0.0.48</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/a7e82ae57ca41a16fca2691ef00e8a8d35bc77d4"><code>a7e82ae</code></a> fix(goreleaser): also test goreleaser in CI (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/86">#86</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/c0984d327e6d0cfa533ba19ab34af80e99c0cf8a"><code>c0984d3</code></a> update golang and actions version (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/85">#85</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/ecba13d639f884cbecd5136cbf01b11a2fdfab7f"><code>ecba13d</code></a> fix(action): use latest tagged image version (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/84">#84</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/e2d6f27e6d51bdc2a0a92c1347810134c903c273"><code>e2d6f27</code></a> chore(make): add test target (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/82">#82</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/8d76bf0a9ff538097b42dec965f1ee450271d2d4"><code>8d76bf0</code></a> chore(git): ignore .idea paraphernalia (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/81">#81</a>)</li> <li><a 
href="https://github.com/rajatjindal/krew-release-bot/commit/35e214f2fa04337a651df5e7896bc7dac1783c58"><code>35e214f</code></a> fix(netlify): vendor dir is no longer used</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/ccdd6b19e997281147f4e9e3f74811cbea84bf69"><code>ccdd6b1</code></a> chore(netlify): update go version requested for build in netlify</li> <li>See full diff in <a href="https://github.com/rajatjindal/krew-release-bot/compare/3d9faef30a82761d610544f62afddca00993eef9...a7e82ae57ca41a16fca2691ef00e8a8d35bc77d4">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…rosoft#2081)

# Description

The goreleaser workflow fails at the SBOM cataloging step because `syft` is not installed on the runner. `.goreleaser.yaml` declares `sboms: [artifacts: archive]` which requires Syft, but the workflow never installs it.

This was surfaced by the [v1.1.0 release run](https://github.com/microsoft/retina/actions/runs/22452857876):

```
⨯ release failed after 9m34s error=exec: "syft": executable file not found in $PATH
```

Add `anchore/sbom-action/download-syft@v0.23.0` (pinned to SHA) to both the `build` and `release` jobs.

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

CI workflow change — will be validated by the next tag push or PR build.

## Additional Notes

N/A

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 What's new</h2> <h3>Direct Uploads</h3> <p>Adds support for uploading single files directly (unzipped). Callers can set the new <code>archive</code> parameter to <code>false</code> to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The <code>name</code> parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.</p> <h3>ESM</h3> <p>To support new versions of the <code>@actions/*</code> packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Add proxy integration test by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> <li>Upgrade the module to ESM and bump dependencies by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li> <li>Support direct file uploads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> </ul> <p><strong>Full Changelog</strong>: <a 
href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a> Support direct file uploads (<a href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a> Upgrade the module to ESM and bump dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a> from actions/Link-/add-proxy-integration-tests</li> <li><a href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a> Add proxy integration test</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.81.0 to 1.81.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's releases</a>.</em></p> <blockquote> <h2>Release 1.81.1</h2> <h1>Security</h1> <ul> <li>xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per <a href="https://github.com/grpc/proposal/blob/master/A41-xds-rbac.md">gRFC A41</a>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9111">#9111</a>) <ul> <li>Special Thanks: <a href="https://github.com/al4an444"><code>@al4an444</code></a></li> </ul> </li> </ul> <h1>Bug Fixes</h1> <ul> <li>otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9081">#9081</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/grpc/grpc-go/commit/caf0772c2bcb8bc15d43eb53448e921f34f0b7e8"><code>caf0772</code></a> Change version from 1.81.1-dev to 1.81.1 (<a href="https://redirect.github.com/grpc/grpc-go/issues/9122">#9122</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/6ccbeebf058ede71e43a5ac28fada2a736573215"><code>6ccbeeb</code></a> Cherry-pick <a href="https://redirect.github.com/grpc/grpc-go/issues/9111">#9111</a> into v1.81.x (<a href="https://redirect.github.com/grpc/grpc-go/issues/9121">#9121</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/b33c29e41b438e371c8504de9bdf64a80098cc29"><code>b33c29e</code></a> Cherry-pick <a href="https://redirect.github.com/grpc/grpc-go/issues/9081">#9081</a> into v1.81.x (<a href="https://redirect.github.com/grpc/grpc-go/issues/9102">#9102</a>)</li> <li><a 
href="https://github.com/grpc/grpc-go/commit/c45fae6d06a5c192b7b96418a2bc26a96b856834"><code>c45fae6</code></a> Change version to 1.81.1-dev (<a href="https://redirect.github.com/grpc/grpc-go/issues/9063">#9063</a>)</li> <li>See full diff in <a href="https://github.com/grpc/grpc-go/compare/v1.81.0...v1.81.1">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ft#2335)

## Problem

`Capture.spec.outputConfiguration.hostPath` was passed unchecked into `corev1.HostPathVolumeSource.Path`. Any user able to create a `Capture` CR could mount an arbitrary host directory RW into a privileged pod and write artifacts anywhere on the node.

## Fix

`HostPath` is now a **relative subpath name**. The operator mounts `${baseDir}/${hostPath}`, where `baseDir` is set by the cluster operator via Helm value `capture.hostPathBaseDir` (default `/var/log/retina/captures`). CR authors cannot influence `baseDir`.

Validation rejects (loudly, no silent rewrite):

- empty / `.`
- absolute paths (POSIX `/`, Windows `C:\`, leading `\`)
- any `..` segment, before or after `filepath.Clean`
- defense-in-depth: cleaned join must stay under `baseDir`

The resolved path is used for `HostPathVolumeSource.Path`, the container `VolumeMount.MountPath`, and the `CAPTURE_OUTPUT_LOCATION_HOST_PATH` env var.

## Key changes

- New `pkg/capture/hostpath_validation.go` + tests (`validateHostPath`, sentinel errors, `DefaultHostPathBaseDir`).
- `pkg/capture/crd_to_job.go`: `validateCapture` rejects early; `initJobTemplate` and `obtainCaptureOutputEnv` use the resolved path.
- `pkg/config/capture.go` + `operator/config/config.go`: new `CaptureHostPathBaseDir` (defaulted, cleaned, must be absolute).
- Helm: `capture.hostPathBaseDir` in `values.yaml` and `operator-configmap.yaml`.
- CLI: `--host-path` default is now `retina`; new `--host-path-base-dir` flag; auto-allow hack removed.
- CRD godoc + manifest regenerated; samples and docs updated.

## Breaking change

Capture CRs with an absolute `hostPath` (e.g. `/tmp/retina`) are rejected. Migration: use a bare name (`retina`); the mount becomes `/var/log/retina/captures/retina`. Operators needing a different root set `capture.hostPathBaseDir`.

## Test

- `go test ./pkg/capture/ ./pkg/config/ ./operator/config/ ./cli/...` — pass
- `go vet ./pkg/capture/ ./pkg/config/ ./operator/config/ ./cli/...` — clean
- Unit cases: empty, `.`, POSIX/Windows absolute, pre-clean `..`, post-clean `foo/../bar`, escape, accepted nested subpaths.
- Manual kind run: absolute / `..` / `foo/../bar` rejected with no Job created and a single `CaptureError` condition; bare subpath mounts at `${baseDir}/${name}`; overriding `capture.hostPathBaseDir` relocates the mount without changing the CR.

## Related Issue

If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

### Negative — absolute HostPath is rejected loudly

<img width="2526" height="1280" alt="Screenshot 2026-05-18 164606" src="https://github.com/user-attachments/assets/29c51291-73e8-4668-adca-ad5a4c7f1731" />

### Negative — parent segment is rejected

<img width="2531" height="1243" alt="Screenshot 2026-05-18 164729" src="https://github.com/user-attachments/assets/ee7784e8-380b-46b7-8bc8-575f3c8d992f" />

### Negative — post-clean traversal is rejected

<img width="2514" height="1305" alt="Screenshot 2026-05-18 164804" src="https://github.com/user-attachments/assets/35225395-9528-46fd-8505-36516844e930" />

### Positive — bare subpath is accepted

<img width="2534" height="1174" alt="Screenshot 2026-05-18 165003" src="https://github.com/user-attachments/assets/4ff229f1-937c-4a04-824a-ca9a82c0cd5e" />

### Override the base directory

<img width="2030" height="1321" alt="Screenshot 2026-05-18 165500" src="https://github.com/user-attachments/assets/202c8fab-3760-49aa-90f7-2a704cc7cd1d" />

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
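
The rejection order listed in the hostPath commit message above, sketched as an added Go example; it is not Retina's `pkg/capture/hostpath_validation.go`. The function name `resolveHostPath`, the sentinel error names and the sample inputs are assumptions, and the resolved paths assume a POSIX host.

```go
// Added illustration of the validation order described above; this is not
// the project's own code. All identifiers here are hypothetical.
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Default base directory quoted in the PR description (capture.hostPathBaseDir).
const defaultBaseDir = "/var/log/retina/captures"

// Hypothetical sentinel errors so callers can branch with errors.Is.
var (
	errBaseDir   = errors.New("base directory must be an absolute path")
	errEmpty     = errors.New("hostPath must be a non-empty relative subpath")
	errAbsolute  = errors.New("hostPath must not be absolute")
	errTraversal = errors.New("hostPath must not contain a '..' segment")
	errEscape    = errors.New("resolved hostPath escapes the base directory")
)

// windowsDrive matches a drive-qualified path (C:\x, C:/x, C:x). It is checked
// explicitly because filepath.IsAbs on a POSIX build does not recognise it.
var windowsDrive = regexp.MustCompile(`^[A-Za-z]:`)

// hasParentSegment reports whether any segment is "..", treating both '/' and
// '\' as separators so the answer does not depend on the build platform.
func hasParentSegment(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// resolveHostPath returns baseDir/hostPath or an error. A bad value is always
// rejected, never rewritten into an acceptable one.
func resolveHostPath(baseDir, hostPath string) (string, error) {
	if !filepath.IsAbs(baseDir) {
		return "", fmt.Errorf("%w: %q", errBaseDir, baseDir)
	}
	base := filepath.Clean(baseDir)

	if strings.TrimSpace(hostPath) == "" || hostPath == "." {
		return "", fmt.Errorf("%w: %q", errEmpty, hostPath)
	}
	if strings.HasPrefix(hostPath, "/") || strings.HasPrefix(hostPath, `\`) ||
		windowsDrive.MatchString(hostPath) {
		return "", fmt.Errorf("%w: %q", errAbsolute, hostPath)
	}
	// Check ".." before cleaning: "foo/../bar" cleans to "bar" and would
	// otherwise be accepted silently.
	if hasParentSegment(hostPath) {
		return "", fmt.Errorf("%w: %q", errTraversal, hostPath)
	}
	cleaned := filepath.Clean(hostPath)
	if cleaned == "." {
		return "", fmt.Errorf("%w: %q", errEmpty, hostPath)
	}
	if hasParentSegment(cleaned) {
		return "", fmt.Errorf("%w: %q", errTraversal, hostPath)
	}
	// Defense in depth: the joined path must still sit under the base directory.
	resolved := filepath.Join(base, cleaned)
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", errEscape, hostPath)
	}
	return resolved, nil
}

func main() {
	// Constructed sample values, modelled on the cases the PR lists.
	samples := []string{"retina", "team-a/run1", "", ".", "/tmp/retina",
		`C:\captures`, `\captures`, "../etc", "foo/../bar"}
	for _, s := range samples {
		p, err := resolveHostPath(defaultBaseDir, s)
		if err != nil {
			fmt.Printf("%-14q rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-14q mounts %s\n", s, p)
	}
}
```

The same resolved string would have to feed the volume source, the mount path and the environment variable, so validating once and passing the result around avoids three call sites drifting apart.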
# Security Enhancement - Command Injection Fix & API Modernization

## Vulnerability Summary

### Original Issue

The `tcpdumpFilter` field in Capture CRD allowed command injection through malicious filter values:

- **Attack Vector**: Attackers with `captures.retina.sh` create permission could escalate to node-root/SYSTEM access
- **Example Exploit**: `tcpdumpFilter: "-z /evil.sh"` would execute arbitrary scripts with root privileges
- **Platforms Affected**: Both Linux (tcpdump) and Windows (netsh) implementations

### Attack Surface

1. **Linux tcpdump**: Flag injection via `-z`, `-w`, `-r`, `-G` and other dangerous flags
2. **Windows netsh**: Shell metacharacter injection via `&`, `|`, `;`, `$()`, etc.
3. **Filter bypass**: Whitespace-only or empty filters to bypass validation

---

## Overview

Security fix with API modernization - deprecated the vulnerable `tcpdumpFilter` field in favor of type-safe structured options under `captureOption`.

**Note:** Despite the field name, Windows nodes **do not use tcpdump**. The filter fields are interpreted as:

- **Unix/Linux**: BPF filter syntax for tcpdump
- **Windows**: netsh filter syntax for netsh trace

**Key Changes:**

1. **New Structured API**: Introduced `captureOption.pcapFilter` field with enum-based flags for type-safe capture configuration
2. **NEW: 3 Enum Fields** for tcpdump display options (Linux/Unix only):
   - `verbosity`: `""` (normal), `"verbose"` (tcpdump -v), `"extra"` (tcpdump -vv), `"max"` (tcpdump -vvv)
   - `printDataFormat`: `""` (none), `"hex"` (tcpdump -x), `"hex-with-link"` (tcpdump -xx), `"ascii"` (tcpdump -A), `"ascii-with-link"` (tcpdump -AA)
   - `timestampFormat`: `""` (default), `"none"` (tcpdump -t), `"unformatted"` (tcpdump -tt), `"delta"` (tcpdump -ttt), `"date"` (tcpdump -tttt), `"delta-since-first"` (tcpdump -ttttt)
3. **CLI Enhancement**: Added enum-based flags to `kubectl retina capture create` (`--verbosity`, `--print-data`, `--timestamp-format`)
4. **Unix/Linux - BPF Syntax Validation**: Uses `tcpdump -d` to validate filter syntax before capture execution
5. **Windows - Regex Validation**: Blocks shell metacharacters in netsh trace filters (enum flags ignored on Windows)
6. **Backward Compatibility**: Deprecated `tcpdumpFilter` still works with validation, but `pcapFilter` takes precedence
7. **Defense in Depth**: Multiple independent validation layers block dangerous content and malformed filters
8. **Clear Error Messages**: Users receive specific feedback about validation failures

---

## Implementation

### New Structured API

**CRD Changes** (`crd/api/v1alpha1/capture_types.go`)

- **New Field**: `captureOption.pcapFilter` (string) - BPF/netsh filter syntax (replaces `tcpdumpFilter`)
- **New Enum Fields** (**Linux/Unix only**) - Type-safe options for tcpdump display formatting:

  **`verbosity` (string enum)** - Controls tcpdump verbosity level (mutually exclusive):
  - `""` → Normal output (no -v flags)
  - `"verbose"` → `-v` (verbose output)
  - `"extra"` → `-vv` (extra verbose output)
  - `"max"` → `-vvv` (maximum verbose output)
  - **kubebuilder validation**: `+kubebuilder:validation:Enum="";verbose;extra;max`

  **`printDataFormat` (string enum)** - Controls packet data printing format (mutually exclusive):
  - `""` → No packet data printing
  - `"hex"` → `-x` (hex packet data)
  - `"hex-with-link"` → `-xx` (hex with link-level headers)
  - `"ascii"` → `-A` (ASCII packet data)
  - `"ascii-with-link"` → `-AA` (ASCII with link-level headers)
  - **kubebuilder validation**: `+kubebuilder:validation:Enum="";hex;hex-with-link;ascii;ascii-with-link`

  **`timestampFormat` (string enum)** - Controls timestamp display format (mutually exclusive):
  - `""` → Default timestamp format
  - `"none"` → `-t` (no timestamps)
  - `"unformatted"` → `-tt` (Unix timestamp)
  - `"delta"` → `-ttt` (time since previous packet)
  - `"date"` → `-tttt` (date and time)
  - `"delta-since-first"` → `-ttttt` (time since first packet)
  - **kubebuilder validation**: `+kubebuilder:validation:Enum="";none;unformatted;delta;date;delta-since-first`
- **Remaining Boolean Flags** (non-mutually-exclusive options):
  - `noPromiscuous` → `-p` (don't capture in promiscuous mode)
  - `packetBuffered` → `-U` (packet-buffered output)
  - `immediateMode` → `--immediate-mode` (immediate packet delivery)
  - `noResolveDNS` → `-n` (don't resolve addresses)
  - `noResolvePort` → `-nn` (don't resolve addresses or ports)
  - `printLinkHeader` → `-e` (print link-level header)
  - `quietOutput` → `-q` (quick/quiet output)
  - `absoluteSeq` → `-S` (absolute TCP sequence numbers)
  - `dontVerifyChecksum` → `-K` (don't verify checksums)
  - **Note**: All flags are ignored on Windows (netsh trace has no equivalent formatting options)
- **Deprecated Field**: `tcpdumpFilter` (still works for backward compatibility)
- **Precedence**: `pcapFilter` takes precedence over `tcpdumpFilter` when both are set
- **MaxLength**: 1024 characters on filter fields prevents resource exhaustion

### Three Validation Layers

**Layer 1: Type Safety** (CRD Level)

- **Enum validation**: Kubebuilder annotations enforce valid enum values at API server level
- **Mutually exclusive**: Single enum field prevents conflicting options (e.g., can't set both "verbose" and "max")
- **String-based enums**: Direct mapping to tcpdump flags with clear semantics
- No user-provided flags can reach the command line

**Layer 2: Filter Syntax Validation** (Unix/Linux - `network_capture_unix.go`)

- Validates BPF filter syntax using `tcpdump -d` before execution
- Catches invalid ports, unknown protocols, malformed syntax
- Prevents injection attempts disguised as filter syntax

**Layer 3: Legacy Path Validation** (Backward Compatibility)

- Deprecated `tcpdumpFilter` still validated with warning logs
- Same BPF/netsh syntax validation applied

### Windows: Filter Validation Only

**Implementation** (`network_capture_win.go`)

- **Uses netsh trace** (tcpdump is not available on Windows)
- **Enum flags not supported** - netsh trace does not have formatting options like tcpdump
- Enum and boolean flags are silently ignored on Windows (no error, but no effect)
- Output formatting happens post-capture using tools like Network Monitor or Wireshark
- **Filter validation only**: `pcapFilter` interpreted as netsh filter syntax (key=value format, e.g., `IPv4.Address=10.0.0.1`)
- Regex pattern validates filter contains only safe characters: `^[A-Za-z0-9.=():, ]+$`
- **Blocks shell metacharacters**: `&`, `|`, `^`, `<`, `>`, `%`, `"`, `'`, `;`, `$`, `` ` ``, `\`, newlines
- Filter tokens split on spaces and passed as separate arguments to netsh

**Security Features:**

- Uses `exec.Command` with explicit Args (no shell parsing)
- Validates filter content before adding to command
- Clear error message: "filter contains invalid characters; only alphanumeric, dots, colons, parentheses, commas, equals, and spaces are allowed"

---

## Test Results

**7 test cases covering new enum-based API, backward compatibility, and CLI:**

| Test ID | Test Case | Configuration | Expected | Result |
|---------|-----------|---------------|----------|--------|
| **TC-01** | Enum - Verbose + Hex + Date | `verbosity: "verbose"` + `printDataFormat: "hex"` + `timestampFormat: "date"` + `pcapFilter: "tcp port 443"` | `-v -x -tttt tcp port 443` | ✅ PASS |
| **TC-02** | Enum - Max Verbosity + ASCII + Delta | `verbosity: "max"` + `printDataFormat: "ascii"` + `timestampFormat: "delta"` + other flags | `-vvv -A -ttt tcp port 443` | ✅ PASS |
| **TC-03** | Enum - Extra Verbose + Hex with Link + No Timestamps | `verbosity: "extra"` + `printDataFormat: "hex-with-link"` + `timestampFormat: "none"` | `-vv -xx -t tcp` | ✅ PASS |
| **TC-04** | Enum - Default Values (Empty Strings) | `verbosity: ""` + `printDataFormat: ""` + `timestampFormat: ""` + boolean flags | No enum flags, only boolean flags applied | ✅ PASS |
| **TC-05** | CLI - Enum Flags | `kubectl retina capture create --verbosity verbose --print-data hex --timestamp-format 
date` | CRD created with enum values set correctly | ✅ PASS | | **TC-06** | Deprecated Field Still Works | `tcpdumpFilter: "icmp"` (no enums) | Warning logged + `icmp` filter applied | ✅ PASS | | **TC-07** | Precedence Test | `tcpdumpFilter: "tcp port 8080"` + `pcapFilter: "tcp port 80"` | `pcapFilter` used: `tcp port 80` | ✅ PASS | | **TC-08** | '-' rejection in pcapFilter & tcpdumpFilter | `tcpdumpFilter: "-n tcp port 8080"` + `pcapFilter: "-n tcp port 80"` | Validation fail | ✅ PASS | **Overall Results:** - **New Enum-Based API**: 4/4 tests passed (TC-01, TC-02, TC-03, TC-04) - **CLI with Enums**: 1/1 test passed (TC-05) - **Backward Compatibility**: 1/1 test passed (TC-06) - **Precedence Logic**: 1/1 test passed (TC-07) - **Overall**: 7/7 tests passed (100%) CLI command: ``` /usr/local/bin/kubectl-retina capture create \ --name test-enum-cli-v3 \ --duration 3m \ --verbosity verbose \ --print-data hex \ --timestamp-format date \ --no-resolve-dns \ --no-resolve-port \ --host-path "/tmp/retina/cli-test" \ --node-selectors "kubernetes.io/os=linux" ``` One of CRD's with filters: <img width="572" height="531" alt="image" src="https://github.com/user-attachments/assets/18004493-ded6-4973-86fb-df1d611bd952" /> **Screenshots:** TC-05: CLI with Enum Flags: <img width="1905" height="700" alt="image" src="https://github.com/user-attachments/assets/579395cc-01e1-4916-a75f-a4273e28f1ed" /> TC-06: Deprecated Filter: <img width="1725" height="405" alt="image" src="https://github.com/user-attachments/assets/a031a892-9c7c-4353-966d-26b83bfe5818" /> TC-07: Filter Precedence: <img width="1890" height="650" alt="image" src="https://github.com/user-attachments/assets/4bd7813f-689c-4bd5-bbbd-b6b2ed6504bc" /> TC-01: Filter Flags: <img width="1882" height="776" alt="image" src="https://github.com/user-attachments/assets/a3ca2153-495e-47a7-be28-5254f772a814" /> TC-08: Disallow '-' flags tcpdumpfilter: <img width="1889" height="206" alt="image" 
src="https://github.com/user-attachments/assets/c2d634ef-b6a3-4ef0-9e1d-a1d5a6e02675" /> pcapfilter: <img width="1874" height="188" alt="image" src="https://github.com/user-attachments/assets/787fc319-1f35-442c-8e03-e03cfc7ad6d6" /> CRD: <img width="913" height="428" alt="image" src="https://github.com/user-attachments/assets/81f3d632-7e3b-42b7-a708-842b5f7f79c2" /> **Test Files for Validation:** - `test-enum-capture.yaml` - Comprehensive example with all three enum fields set - `test-enum-examples.yaml` - Five different examples showing various enum combinations - `TESTING-ENUMS.md` - Complete testing guide with enum→tcpdump flag mapping table and validation tests --- ## Bug Fix: Filters Concatenated Without AND Operator ### Issue Old code concatenated user and system filters without `and` operator, creating invalid BPF syntax. Only true for when `tcpdumpfilter` and `podselector` or `include/exclude` combination was present. **Old (INVALID):** ```bash tcpdump -i any tcp port 443 ((host 192.168.0.1) or (host 10.244.0.5)) ``` **New (VALID):** ```bash tcpdump -i any "tcp port 443 and ((host 192.168.0.1) or (host 10.244.0.5))" ``` ### Impact - User filters now work with system filters - Proper BPF combination using `and` operator - Both new `PcapFilter` and deprecated `TcpdumpFilter` functional --- ## Design Decisions ### Why Enum-Based Fields for Display Options? 
Enums provide a cleaner API for mutually exclusive tcpdump options: - **Mutually Exclusive by Design**: Single field prevents conflicting options (e.g., can't set both "verbose" and "max") - **API Validation**: Kubebuilder enum validation enforces valid values at Kubernetes API server level - **Clear Intent**: `verbosity: "max"` is self-documenting - **Type Safety**: Enum values constrained to predefined safe strings, preventing command injection --- ## Impact **No Breaking Changes** - New enum fields added alongside existing options **What's New:** - 3 enum fields for tcpdump display options: `verbosity`, `printDataFormat`, `timestampFormat` - CLI flags: `--verbosity`, `--print-data`, `--timestamp-format` - Kubebuilder enum validation at API level - Prevents setting conflicting options (e.g., both verbose and max verbosity) **Security:** - Type-safe enum values prevent command injection - Filter syntax validation using `tcpdump -d` (Linux) or regex (Windows) - No user-provided flags reach command line --------- Signed-off-by: mereta <mereta.degutyte@hotmail.co.uk>
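The argument-building rules described in the commit message above, as an added sketch that is not code from the Retina repository: enum values mapped to fixed tcpdump flags, `pcapFilter` precedence, rejection of dash-prefixed tokens, the `and` join with the system filter, and the netsh character allow-list. Type and function names are hypothetical, the per-token dash check and the whitespace handling are assumptions, and the `tcpdump -d` syntax check is left out because it needs the binary.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// CaptureOption is a hypothetical stand-in for the CRD fields named in the commit message.
// The 1024-character MaxLength is enforced by the CRD schema and is not repeated here.
type CaptureOption struct {
	Verbosity, PrintDataFormat, TimestampFormat string
	PcapFilter, TcpdumpFilter                   string // TcpdumpFilter is the deprecated field
}

var (
	// Enum value -> tcpdump flag, copied from the mapping in the commit message.
	verbosityFlag = map[string]string{"": "", "verbose": "-v", "extra": "-vv", "max": "-vvv"}
	printDataFlag = map[string]string{"": "", "hex": "-x", "hex-with-link": "-xx",
		"ascii": "-A", "ascii-with-link": "-AA"}
	timestampFlag = map[string]string{"": "", "none": "-t", "unformatted": "-tt",
		"delta": "-ttt", "date": "-tttt", "delta-since-first": "-ttttt"}
	// Character allow-list quoted in the commit message for netsh trace filters.
	netshSafe     = regexp.MustCompile(`^[A-Za-z0-9.=():, ]+$`)
	errNetshChars = errors.New("filter contains invalid characters; only alphanumeric, " +
		"dots, colons, parentheses, commas, equals, and spaces are allowed")
)

// userFilter applies the precedence rule: pcapFilter wins over the deprecated tcpdumpFilter.
// Whitespace-only values are treated as "no filter" (an assumption of this sketch).
func userFilter(o CaptureOption) string {
	if f := strings.TrimSpace(o.PcapFilter); f != "" {
		return f
	}
	return strings.TrimSpace(o.TcpdumpFilter)
}

// checkBPFFilter rejects any token that tcpdump could read as a command-line flag.
func checkBPFFilter(f string) error {
	for _, tok := range strings.Fields(f) {
		if strings.HasPrefix(tok, "-") {
			return fmt.Errorf("filter token %q starts with '-'", tok)
		}
	}
	return nil
}

// TcpdumpArgs returns the argv that follows "tcpdump" for a Linux capture.
func TcpdumpArgs(o CaptureOption, systemFilter string) ([]string, error) {
	args := []string{"-i", "any"}
	enums := []struct {
		name, value string
		table       map[string]string
	}{
		{"verbosity", o.Verbosity, verbosityFlag},
		{"printDataFormat", o.PrintDataFormat, printDataFlag},
		{"timestampFormat", o.TimestampFormat, timestampFlag},
	}
	for _, e := range enums {
		flag, ok := e.table[e.value]
		if !ok { // only strings from the fixed tables ever become flags
			return nil, fmt.Errorf("%s: unsupported value %q", e.name, e.value)
		}
		if flag != "" {
			args = append(args, flag)
		}
	}
	f := userFilter(o)
	if err := checkBPFFilter(f); err != nil {
		return nil, err
	}
	if f != "" && systemFilter != "" {
		f += " and " + systemFilter // join with "and", not bare concatenation
	} else if f == "" {
		f = systemFilter
	}
	if f != "" {
		args = append(args, f) // one argv element; never re-split or handed to a shell
	}
	return args, nil
}

// NetshFilterArgs validates a netsh trace filter and splits it into separate arguments.
func NetshFilterArgs(f string) ([]string, error) {
	if f != "" && !netshSafe.MatchString(f) {
		return nil, errNetshChars
	}
	return strings.Fields(f), nil
}

func main() {
	sys := "((host 192.168.0.1) or (host 10.244.0.5))" // system filter from the commit message
	argv, _ := TcpdumpArgs(CaptureOption{Verbosity: "verbose", PcapFilter: "tcp port 443"}, sys)
	fmt.Printf("%q\n", argv)
	_, err := TcpdumpArgs(CaptureOption{TcpdumpFilter: "-z /evil.sh"}, sys)
	fmt.Println("rejected:", err)
}
```

The returned slice is meant to be passed to `exec.Command("tcpdump", args...)` as is, so the combined filter stays a single argument.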
…icrosoft#2370) Bumps the golang-base group with 1 update in the /cli directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /controller directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /hack/tools/kapinger directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /hack/tools/toolbox directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /operator directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /test/image directory: oss/go/microsoft/golang. Updates `oss/go/microsoft/golang` from 1.26.3-azurelinux3.0 to 1.26.3-1-azurelinux3.0 Updates `oss/go/microsoft/golang` from 1.26.3-windowsservercore-ltsc2022 to 1.26.3-1-windowsservercore-ltsc2022 Updates `oss/go/microsoft/golang` from 1.26.3 to 1.26.3-1 Updates `oss/go/microsoft/golang` from 1.26.3 to 1.26.3-1 Updates `oss/go/microsoft/golang` from 1.26.3-azurelinux3.0 to 1.26.3-1-azurelinux3.0 Updates `oss/go/microsoft/golang` from 1.26.3-azurelinux3.0 to 1.26.3-1-azurelinux3.0
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tions-patch group (microsoft#2369) Bumps the actions-patch group with 1 update: [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action). Updates `goreleaser/goreleaser-action` from 7.2.1 to 7.2.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/goreleaser/goreleaser-action/releases">goreleaser/goreleaser-action's releases</a>.</em></p> <blockquote> <h2>v7.2.2</h2> <h2>What's Changed</h2> <ul> <li>ci(deps): bump the actions group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/560">goreleaser/goreleaser-action#560</a></li> <li>fix: nightly resolution to select newest published release by <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/562">goreleaser/goreleaser-action#562</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Copilot"><code>@Copilot</code></a> made their first contribution in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/562">goreleaser/goreleaser-action#562</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/goreleaser/goreleaser-action/compare/v7...v7.2.2">https://github.com/goreleaser/goreleaser-action/compare/v7...v7.2.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89"><code>5daf1e9</code></a> fix: nightly resolution to select newest published release (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/562">#562</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/5cc7ebb73d78b8f1d7b03c568e7df999c2889ccf"><code>5cc7ebb</code></a> ci: update actions</li> <li><a 
href="https://github.com/goreleaser/goreleaser-action/commit/702f5f91c9334614254ddeabeebaf820d707f0d6"><code>702f5f9</code></a> ci(deps): bump the actions group with 3 updates (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/560">#560</a>)</li> <li>See full diff in <a href="https://github.com/goreleaser/goreleaser-action/compare/1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8...5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… cleanup (microsoft#2367)

# Description

Adds a `--cleanup-after-upload` flag to `kubectl retina capture create` that enables automatic cleanup of capture jobs, secrets, and host-path files after successful upload to remote storage (blob, S3, or PVC).

**Key behaviors:**

- **TTL on jobs** (no-wait mode): When `--cleanup-after-upload` is combined with `--no-wait=true` and a remote destination, jobs get a `TTLSecondsAfterFinished` (5 min) so Kubernetes garbage-collects them automatically.
- **Secret ownerReferences** (always): Secrets created for blob/S3 uploads always get ownerReferences pointing to the capture job, ensuring they are cleaned up when the job is deleted—whether by TTL, manual delete, or the controller.
- **Controller auto-delete**: The operator's `CaptureReconciler` now deletes the Capture resource once all jobs succeed and `CleanUpAfterUpload` is true with remote storage configured (blob, S3, or PVC).
- **ActiveDeadlineSeconds**: Jobs now get a hard deadline (`duration + 30min`) to prevent indefinite hangs.
- **Wait timeout fix**: `waitUntilJobsComplete` deadline is now `duration + 5min` (floored at 5min), fixing premature timeouts for short captures.
- **NotFound tolerance**: `deleteSecret` and `capture delete` now tolerate `NotFound` errors caused by ownerRef garbage collection racing with explicit deletion.

## Related Issue

N/A — feature request for safer automated capture workflows.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`).
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

### Unit Tests

All tests pass in the affected packages. The new logic is 100% covered by the new CLI and Operator controller tests added.

### Manual Testing

| # | Scenario | Command | Expected | Result |
|---|----------|---------|----------|--------|
| 1 | `--cleanup-after-upload` without remote | `./bin/kubectl-retina capture create --name test1 --node-names aks-nodepool1-... --host-path /tmp/captures --cleanup-after-upload --duration 5s` | Error: requires remote storage | **PASS** — error returned immediately |
| 2 | No-wait + blob + cleanup | `./bin/kubectl-retina capture create --name test2 --node-names aks-nodepool1-... --blob-upload "<SAS URL>" --cleanup-after-upload --no-wait=true --duration 10s` | CLI exits immediately, job has TTL, secret has ownerRef | **PASS** — verified via `kubectl get job -o yaml` (TTL=300), `kubectl get secret -o yaml` (ownerReferences present), job auto-deleted after ~5 min |
| 3 | Wait + blob + cleanup | `./bin/kubectl-retina capture create --name test3 --node-names aks-nodepool1-... --blob-upload "<SAS URL>" --cleanup-after-upload --no-wait=false --duration 10s` | CLI waits, uploads blob, then deletes jobs/secrets | **PASS** — CLI printed completion, `kubectl get jobs` showed no jobs remaining, blob appeared in storage account, secret deleted |
| 4 | Wait + blob WITHOUT cleanup | `./bin/kubectl-retina capture create --name test4 --node-names aks-nodepool1-... --blob-upload "<SAS URL>" --no-wait=false --duration 10s` | CLI waits, uploads, jobs/secrets remain | **PASS** — jobs and secrets preserved after CLI exit |
| 5 | Host-path only + no-wait (no cleanup flag) | `./bin/kubectl-retina capture create --name test5 --node-names aks-nodepool1-... --host-path /tmp/captures --no-wait=true --duration 5s` | No TTL set, jobs remain | **PASS** — `kubectl get job -o yaml` showed no TTLSecondsAfterFinished |

**Wait timeout fix verified:** Test 3 used `--duration 10s` and the CLI completed within ~75s (10s capture + upload time), confirming the new `duration + 5min` deadline works correctly for short captures (previously would timeout at 2×duration = 20s before upload finished).

**NotFound tolerance verified:** In test 2, running `kubectl retina capture delete --name test2` after TTL had already garbage-collected the job+secret returned success (no "secret not found" error).

## Additional Notes

- The `CleanUpAfterUpload` field is added to the CRD spec as optional with `+kubebuilder:default=false`. Existing Captures are unaffected.
- `JobActiveDeadlineBufferSeconds` (30 min) is generous to accommodate large captures uploading over slow links or Windows nodes with slow image pulls.
- The operator controller cleanup path only triggers when ALL jobs succeed — any failure preserves everything for debugging.
- The controller's remote storage check includes all three types: `BlobUpload`, `S3Upload`, and `PersistentVolumeClaim`.
…#2244)

# Description

Scopes the retina operator's leader election lease to the Helm release namespace instead of the hardcoded `kube-system`, and tightens the associated RBAC from a `ClusterRole` to a namespaced `Role`.

* Moved lease permissions from ClusterRole (cluster-wide) to a namespaced Role, scoped to the release namespace
* Removed hardcoded kube-system, auto-detected from the service account token or overridable via `--leader-election-namespace` / `operator.leaderElectionNamespace` Helm value
* Exposed `operator.replicas` as a Helm value instead of being hardcoded to 1

## Breaking Changes

RBAC scope reduced from `ClusterRole` to namespaced `Role`

Lease permissions are no longer granted cluster-wide. The `ClusterRole` `retina-operator-clusterrole` is replaced by a namespaced `Role` `retina-operator-role` scoped to the release namespace.

Leader election lease moved from `kube-system` to the release namespace

The `cilium-operator-resource-lock` lease will no longer be created in `kube-system`. The stale lease must be manually removed after upgrading:

```bash
kubectl delete lease cilium-operator-resource-lock -n kube-system
```

`--leader-election-namespace` is now required for all deployments.

Raw `kubectl apply`, Kustomize, or any other non-Helm deployment method must explicitly pass `--leader-election-namespace` or the operator will fail to start.

### Migration Path

For a no-op upgrade (zero disruption, preserves existing behaviour), set the following in your Helm values before upgrading:

```yaml
operator:
  leaderElectionNamespace: kube-system
```

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

### leader-election-namespace

```
$ kubectl get deployment retina-operator -n retina -o jsonpath='{.spec.template.spec.containers[0].command} {.spec.template.spec.containers[0].args}'
["/retina-operator"] ["manage-cilium-crds","--config-dir","/retina","--leader-election-namespace=retina"]%
$ kubectl get lease -n retina
NAME HOLDER AGE
cilium-operator-resource-lock retina-operator-64978b666b-j6fcv-npZoUmPWHB 7m10s
$ kubectl logs -n retina -l control-plane=retina-operator --tail=-1 | grep cilium-operator-resource-lock
time=2026-05-15T20:16:14.278736868Z level=info msg="\"Attempting to acquire leader lease...\" lock=\"retina/cilium-operator-resource-lock\"" subsys=klog
time=2026-05-15T20:16:14.292364352Z level=info msg="\"Successfully acquired lease\" lock=\"retina/cilium-operator-resource-lock\"" subsys=klog
```

### Missing leader-election-namespace argument error

```
$ kubectl logs -n retina -l control-plane=retina-operator --tail=-1 | grep leader-election-namespace
ts=2026-05-15T20:36:55.905Z level=info caller=option/config.go:1134 msg=" --leader-election-namespace=''" subsys=retina-operator
ts=2026-05-15T20:36:55.908Z level=error caller=cell/invoke.go:52 msg="Invoke failed" error="--leader-election-namespace must be set" errorVerbose="--leader-election-namespace must be set\ngithub.com/microsoft/retina/operator/cmd/cilium-crds.init\n\t<autogenerated>:1\nruntime.doInit1\n\t/usr/local/go/src/runtime/proc.go:8103\nruntime.doInit\n\t/usr/local/go/src/runtime/proc.go:8070\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:258\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1771" function="cilium-crds.registerOperatorHooks (cmd/cilium-crds/root_linux.go:66)"
stacktrace="log/slog.(*Logger).Error\n\t/usr/local/go/src/log/slog/logger.go:229\ngithub.com/cilium/hive/cell.(*invoker).invoke\n\t/go/pkg/mod/github.com/cilium/hive@v0.0.0-20260108104938-97756f6ff54c/cell/invoke.go:52\ngithub.com/cilium/hive/cell.(*invoker).Apply.func1\n\t/go/pkg/mod/github.com/cilium/hive@v0.0.0-20260108104938-97756f6ff54c/cell/invoke.go:67\ngithub.com/cilium/hive.(*Hive).Populate\n\t/go/pkg/mod/github.com/cilium/hive@v0.0.0-20260108104938-97756f6ff54c/hive.go:349\ngithub.com/cilium/hive.(*Hive).Start\n\t/go/pkg/mod/github.com/cilium/hive@v0.0.0-20260108104938-97756f6ff54c/hive.go:379\ngithub.com/cilium/hive.(*Hive).Run\n\t/go/pkg/mod/github.com/cilium/hive@v0.0.0-20260108104938-97756f6ff54c/hive.go:259\ngithub.com/microsoft/retina/operator/cmd/cilium-crds.Execute\n\t/workspace/operator/cmd/cilium-crds/root_linux.go:61\ngithub.com/microsoft/retina/operator/cmd.init.func1\n\t/workspace/operator/cmd/cilium_crds_cmd_linux.go:23\ngithub.com/spf13/cobra.(*Command).execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.10.2/command.go:1019\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/go/pkg/mod/github.com/spf13/cobra@v1.10.2/command.go:1148\ngithub.com/spf13/cobra.(*Command).Execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.10.2/command.go:1071\ngithub.com/microsoft/retina/operator/cmd.Execute\n\t/workspace/operator/cmd/root.go:49\nmain.main\n\t/workspace/operator/main.go:9\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:290" ts=2026-05-15T20:36:55.908Z level=error caller=logging/slog.go:159 msg="failed to start: failed to populate object graph: --leader-election-namespace must be set" subsys=retina-operator 
stacktrace="log/slog.(*Logger).Log\n\t/usr/local/go/src/log/slog/logger.go:189\ngithub.com/cilium/cilium/pkg/logging.Fatal\n\t/go/pkg/mod/github.com/cilium/cilium@v1.19.3/pkg/logging/slog.go:159\ngithub.com/microsoft/retina/operator/cmd/cilium-crds.Execute\n\t/workspace/operator/cmd/cilium-crds/root_linux.go:62\ngithub.com/microsoft/retina/operator/cmd.init.func1\n\t/workspace/operator/cmd/cilium_crds_cmd_linux.go:23\ngithub.com/spf13/cobra.(*Command).execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.10.2/command.go:1019\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/go/pkg/mod/github.com/spf13/cobra@v1.10.2/command.go:1148\ngithub.com/spf13/cobra.(*Command).Execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.10.2/command.go:1071\ngithub.com/microsoft/retina/operator/cmd.Execute\n\t/workspace/operator/cmd/root.go:49\nmain.main\n\t/workspace/operator/main.go:9\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:290"
```

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

---------

Signed-off-by: Sébastien Larivière <sebastien@lariviere.me>
Co-authored-by: Quang Nguyen <nguyenquang@microsoft.com>
…tes (microsoft#2371) Bumps the azurelinux-base group with 2 updates in the /cli directory: azurelinux/base/core and azurelinux/distroless/minimal. Bumps the azurelinux-base group with 2 updates in the /controller directory: azurelinux/base/core and azurelinux/distroless/minimal. Bumps the azurelinux-base group with 1 update in the /operator directory: azurelinux/distroless/minimal. Bumps the azurelinux-base group with 1 update in the /shell directory: azurelinux/base/core. Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/distroless/minimal` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Updates `azurelinux/base/core` from 3.0 to 3.0.20260517 Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…crosoft#2372) Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.30 to 1.7.32. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/containerd/containerd/releases">github.com/containerd/containerd's releases</a>.</em></p> <blockquote> <h2>containerd 1.7.32</h2> <p>Welcome to the v1.7.32 release of containerd!</p> <p><br /> The thirty-second patch release for containerd 1.7 contains various fixes and updates including a security patch.</p> <ul> <li> <p><strong>containerd</strong></p> <ul> <li><a href="https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w"><strong>CVE-2026-46680</strong></a></li> </ul> </li> <li> <p>Allow hosts.toml to contain only root-level fields without an explicit [host] section (<a href="https://redirect.github.com/containerd/containerd/pull/10028">#10028</a>)</p> </li> <li> <p>Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (<a href="https://redirect.github.com/containerd/containerd/pull/13450">#13450</a>)</p> </li> <li> <p>Apply hardening to block AF_ALG in default socket policy (<a href="https://redirect.github.com/containerd/containerd/pull/13406">#13406</a>)</p> </li> <li> <p>Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (<a href="https://redirect.github.com/containerd/containerd/pull/13299">#13299</a>)</p> </li> <li> <p>Set AppArmor abi conditionally to support versions < 3.0 (<a href="https://redirect.github.com/containerd/containerd/pull/13273">#13273</a>)</p> </li> </ul> <p>Please try out the release binaries and report any issues at <a href="https://github.com/containerd/containerd/issues">https://github.com/containerd/containerd/issues</a>.</p> <ul> <li>Maksym Pavlenko</li> <li>Chris Henzie</li> <li>Derek McGowan</li> <li>Paweł Gronowski</li> <li>Samuel Karp</li> <li>Wei Fu</li> <li>Brad Davidson</li> <li>Brian Goff</li> <li>LEI WANG</li> 
<li>Phil Estes</li> </ul> <!-- raw HTML omitted --> <ul> <li><a href="https://github.com/containerd/containerd/commit/bc87d865cf39e0cc55a5e628d95cf8eef52787ad"><code>bc87d865c</code></a> Prepare release notes for v1.7.32</li> <li>oci: return explicit error for out-of-range USER values (<a href="https://redirect.github.com/containerd/containerd/pull/13450">#13450</a>) <ul> <li><a href="https://github.com/containerd/containerd/commit/503f479466b432bd16fd9f14e10b6d4b09812730"><code>503f47946</code></a> oci: return explicit error for out-of-range USER values</li> </ul> </li> <li>seccomp: Block AF_ALG in default socket policy (<a href="https://redirect.github.com/containerd/containerd/pull/13406">#13406</a>) <ul> <li><a href="https://github.com/containerd/containerd/commit/e55b747d3496763d54b6c7670f4290c1e7183a36"><code>e55b747d3</code></a> seccomp: Block AF_ALG in default socket policy</li> <li><a href="https://github.com/containerd/containerd/commit/4627a65f8a92ce704e40b4b42df4fbfb2ceae2b9"><code>4627a65f8</code></a> seccomp: Document socket rule scope and socketcall limitation</li> </ul> </li> <li>Fix issue with empty host tree in hosts.toml (<a href="https://redirect.github.com/containerd/containerd/pull/10028">#10028</a>) <ul> <li><a href="https://github.com/containerd/containerd/commit/24007441d3bb191e0045b83fce5890a67aa98449"><code>24007441d</code></a> Fix error parsing hosts.toml without any <code>host</code> tree</li> </ul> </li> <li>Support both styles of volatile mount option (<a href="https://redirect.github.com/containerd/containerd/pull/13299">#13299</a>) <ul> <li><a href="https://github.com/containerd/containerd/commit/940733149271449293e063148e220faf885a01b9"><code>940733149</code></a> Support both styles of volatile mount option</li> </ul> </li> <li>apparmor: Set abi conditionally (<a href="https://redirect.github.com/containerd/containerd/pull/13273">#13273</a>) <ul> <li><a 
href="https://github.com/containerd/containerd/commit/2b732c8925a92b10300a3dc21dbfd37cafea76dd"><code>2b732c892</code></a> apparmor: Set abi conditionally</li> </ul> </li> <li>Add GitHub Action for k8s node e2e tests (<a href="https://redirect.github.com/containerd/containerd/pull/13258">#13258</a>) <ul> <li><a href="https://github.com/containerd/containerd/commit/0db1e143a11de38b8f088684ce4f26a2b487d517"><code>0db1e143a</code></a> Add GitHub Action for k8s node e2e tests</li> </ul> </li> <li>Update release process after 1.7 (<a href="https://redirect.github.com/containerd/containerd/pull/13236">#13236</a>) <ul> <li><a href="https://github.com/containerd/containerd/commit/3223a75c20f06d0da7985a49ac42ed6ff67c5433"><code>3223a75c2</code></a> Update for latest updates to release tool</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/containerd/containerd/commit/180a7b7385ae633344ff3db0db7eea11a4164f00"><code>180a7b7</code></a> Merge pull request <a href="https://redirect.github.com/containerd/containerd/issues/13452">#13452</a> from samuelkarp/prepare-1.7.32</li> <li><a href="https://github.com/containerd/containerd/commit/bc87d865cf39e0cc55a5e628d95cf8eef52787ad"><code>bc87d86</code></a> Prepare release notes for v1.7.32</li> <li><a href="https://github.com/containerd/containerd/commit/6a05ddd119ec81beb36d504ce844bdd11bfcb22c"><code>6a05ddd</code></a> Merge pull request <a href="https://redirect.github.com/containerd/containerd/issues/13450">#13450</a> from samuelkarp/oci-withuser-errrange-1.7</li> <li><a href="https://github.com/containerd/containerd/commit/9c3d01b3f113fa421be5ef02dbeb31c02a7a5991"><code>9c3d01b</code></a> Merge pull request <a href="https://redirect.github.com/containerd/containerd/issues/13406">#13406</a> from k8s-infra-cherrypick-robot/cherry-pick-13327-t...</li> <li><a 
href="https://github.com/containerd/containerd/commit/e55b747d3496763d54b6c7670f4290c1e7183a36"><code>e55b747</code></a> seccomp: Block AF_ALG in default socket policy</li> <li><a href="https://github.com/containerd/containerd/commit/4627a65f8a92ce704e40b4b42df4fbfb2ceae2b9"><code>4627a65</code></a> seccomp: Document socket rule scope and socketcall limitation</li> <li><a href="https://github.com/containerd/containerd/commit/33d9e242ca41d47ac749555aae0572cd71942d75"><code>33d9e24</code></a> Merge pull request <a href="https://redirect.github.com/containerd/containerd/issues/10028">#10028</a> from brandond/fix-hosts-toml</li> <li><a href="https://github.com/containerd/containerd/commit/503f479466b432bd16fd9f14e10b6d4b09812730"><code>503f479</code></a> oci: return explicit error for out-of-range USER values</li> <li><a href="https://github.com/containerd/containerd/commit/4393e22af7553a80141b7f8a73859764ede1ffcb"><code>4393e22</code></a> Merge pull request <a href="https://redirect.github.com/containerd/containerd/issues/13299">#13299</a> from chrishenzie/release/1.7-volatile</li> <li><a href="https://github.com/containerd/containerd/commit/940733149271449293e063148e220faf885a01b9"><code>9407331</code></a> Support both styles of volatile mount option</li> <li>Additional commits viewable in <a href="https://github.com/containerd/containerd/compare/v1.7.30...v1.7.32">compare view</a></li> </ul> </details>
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/retina/network/alerts). Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…t#2374) Bumps [github.com/gopacket/gopacket](https://github.com/gopacket/gopacket) from 1.5.0 to 1.6.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/gopacket/gopacket/releases">github.com/gopacket/gopacket's releases</a>.</em></p> <blockquote> <h2>v1.6.0</h2> <h2>What's Changed</h2> <ul> <li>DNS parsing: handle naming authority pointer RFC3403 by <a href="https://github.com/dreadl0ck"><code>@dreadl0ck</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/141">gopacket/gopacket#141</a></li> <li>Diameter protocol parsing support by <a href="https://github.com/dreadl0ck"><code>@dreadl0ck</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/140">gopacket/gopacket#140</a></li> <li>Bump actions/checkout from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/gopacket/gopacket/pull/144">gopacket/gopacket#144</a></li> <li>Add MPTCP option length check by <a href="https://github.com/A14m0"><code>@A14m0</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/145">gopacket/gopacket#145</a></li> <li>Industrial Protocols Round 2: Modbus, EN/IP, CIP by <a href="https://github.com/dreadl0ck"><code>@dreadl0ck</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/142">gopacket/gopacket#142</a></li> <li>fix(geneve): clear Options slice to prevent indefinite growth on reuse by <a href="https://github.com/deeproot-cloud"><code>@deeproot-cloud</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/146">gopacket/gopacket#146</a></li> <li>Differentiate between expected and unexpected EOFs in NgReader by <a href="https://github.com/ericpauley"><code>@ericpauley</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/150">gopacket/gopacket#150</a></li> <li>fix(lcm): add bounds check around fingerprint by <a 
href="https://github.com/Edholm"><code>@Edholm</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/152">gopacket/gopacket#152</a></li> <li>ip6defrag: implements an IPv6 defragmenter by <a href="https://github.com/txthinking"><code>@txthinking</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/151">gopacket/gopacket#151</a></li> <li>feat: apple pktapv1 support by <a href="https://github.com/ruokeqx1"><code>@ruokeqx1</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/153">gopacket/gopacket#153</a></li> <li>gre: add bounds checking by <a href="https://github.com/mattypiper"><code>@mattypiper</code></a> in <a href="https://redirect.github.com/gopacket/gopacket/pull/154">gopacket/gopacket#154</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/A14m0"><code>@A14m0</code></a> made their first contribution in <a href="https://redirect.github.com/gopacket/gopacket/pull/145">gopacket/gopacket#145</a></li> <li><a href="https://github.com/deeproot-cloud"><code>@deeproot-cloud</code></a> made their first contribution in <a href="https://redirect.github.com/gopacket/gopacket/pull/146">gopacket/gopacket#146</a></li> <li><a href="https://github.com/ericpauley"><code>@ericpauley</code></a> made their first contribution in <a href="https://redirect.github.com/gopacket/gopacket/pull/150">gopacket/gopacket#150</a></li> <li><a href="https://github.com/Edholm"><code>@Edholm</code></a> made their first contribution in <a href="https://redirect.github.com/gopacket/gopacket/pull/152">gopacket/gopacket#152</a></li> <li><a href="https://github.com/txthinking"><code>@txthinking</code></a> made their first contribution in <a href="https://redirect.github.com/gopacket/gopacket/pull/151">gopacket/gopacket#151</a></li> <li><a href="https://github.com/ruokeqx1"><code>@ruokeqx1</code></a> made their first contribution in <a 
href="https://redirect.github.com/gopacket/gopacket/pull/153">gopacket/gopacket#153</a></li> <li><a href="https://github.com/mattypiper"><code>@mattypiper</code></a> made their first contribution in <a href="https://redirect.github.com/gopacket/gopacket/pull/154">gopacket/gopacket#154</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/gopacket/gopacket/compare/v1.5.0...v1.6.0">https://github.com/gopacket/gopacket/compare/v1.5.0...v1.6.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/gopacket/gopacket/commit/95d1ae3e197eee3a25d24abb7b079a60b578854d"><code>95d1ae3</code></a> gre: add bounds checking (<a href="https://redirect.github.com/gopacket/gopacket/issues/154">#154</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/7d7d99886603711d5c1c718372724d23c1bfde32"><code>7d7d998</code></a> feat: apple pktapv1 support (<a href="https://redirect.github.com/gopacket/gopacket/issues/153">#153</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/600bed85dd6ee4667fc39a3d397627977ae11ba4"><code>600bed8</code></a> ip6defrag: implements an IPv6 defragmenter (<a href="https://redirect.github.com/gopacket/gopacket/issues/151">#151</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/f64f2a0b69402ed9ca7c6aad97b8391efa5ea790"><code>f64f2a0</code></a> fix(lcm): add bounds check around fingerprint (<a href="https://redirect.github.com/gopacket/gopacket/issues/152">#152</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/8c51e31f1bfcf2377dbf1bc2ceb1dfb97bef6fb4"><code>8c51e31</code></a> Differentiate between expected and unexpected EOFs in NgReader (<a href="https://redirect.github.com/gopacket/gopacket/issues/150">#150</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/67ec1c706998a6b5e808c3234440082406fcb26d"><code>67ec1c7</code></a> fix(geneve): clear Options slice to prevent indefinite growth on reuse (<a 
href="https://redirect.github.com/gopacket/gopacket/issues/146">#146</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/9a7f3522a0630c3523a43c4e041cbcebfa248b2c"><code>9a7f352</code></a> Industrial Protocols Round 2: Modbus, EN/IP, CIP (<a href="https://redirect.github.com/gopacket/gopacket/issues/142">#142</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/dd6e32d2a74d9e914929e88c6e4cf2a6b721e474"><code>dd6e32d</code></a> Added MPTCP option length check (<a href="https://redirect.github.com/gopacket/gopacket/issues/145">#145</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/ad573f1b90842af850654120ec6dbf6053fd5518"><code>ad573f1</code></a> Bump actions/checkout from 5 to 6 (<a href="https://redirect.github.com/gopacket/gopacket/issues/144">#144</a>)</li> <li><a href="https://github.com/gopacket/gopacket/commit/fe11a243b3365bf877ddd91f9ba37206c25d96df"><code>fe11a24</code></a> Diameter protocol parsing support (<a href="https://redirect.github.com/gopacket/gopacket/issues/140">#140</a>)</li> <li>Additional commits viewable in <a href="https://github.com/gopacket/gopacket/compare/v1.5.0...v1.6.0">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…1.6.4 to 1.7.0 (microsoft#2375) Bumps [github.com/Azure/azure-sdk-for-go/sdk/storage/azblob](https://github.com/Azure/azure-sdk-for-go) from 1.6.4 to 1.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Azure/azure-sdk-for-go/releases">github.com/Azure/azure-sdk-for-go/sdk/storage/azblob's releases</a>.</em></p> <blockquote> <h2>sdk/storage/azblob/v1.7.0</h2> <h2>1.7.0 (2026-05-14)</h2> <h3>Features Added</h3> <ul> <li>Includes all features from <code>1.7.0-beta.1</code></li> </ul> <h2>sdk/storage/azblob/v1.7.0-beta.1</h2> <h2>1.7.0-beta.1 (2026-04-23)</h2> <h3>Features Added</h3> <ul> <li>Added support for service version 2026-04-06.</li> <li>Added support for Delete Blob Conditional Tier.</li> <li>Added support for Server-side Encryption Rekeying.</li> <li>Added cross-tenant support for Principal-Bound User Delegation SAS.</li> <li>Added support for Dynamic User Delegation SAS.</li> </ul> <h3>Bugs Fixed</h3> <ul> <li>Added support for error code <code>IncrementalCopyOfEarlierSnapshotNotAllowed</code>. 
This replaces <code>IncrementalCopyOfEralierVersionSnapshotNotAllowed</code> which has been deprecated.</li> <li>Added support for missing SKU name values.</li> </ul> <h2>sdk/storage/azfile/v1.7.0-beta.1</h2> <h2>1.7.0-beta.1 (2026-05-05)</h2> <h3>Features Added</h3> <ul> <li>Added support for service version 2026-06-06.</li> <li>Added support for uploading up to 4 MiB of data with Create File API.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/624babab3d2e3a95628afa61d1474a035cc7d094"><code>624baba</code></a> bump azcore version number</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/ce7217c3f5f5a2f88f3a5d1ded48da338f3d8d06"><code>ce7217c</code></a> Prep for azcore v1.7.0 release (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/21149">#21149</a>)</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/62a8079d41783914d9a5f585bcdb6f6b91223e5c"><code>62a8079</code></a> Add support for shallow cloning azcore.Client instances (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/21065">#21065</a>) (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/21098">#21098</a>)</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/47286b065b0e3aa7d367fb20212aad3a143e6343"><code>47286b0</code></a> Add flag to enable skipping of dependency checks (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/21146">#21146</a>)</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/ee762d4420eb57051cdebe55e55b107dae4f6bfc"><code>ee762d4</code></a> Fix populating module name in telemetry policy (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/20967">#20967</a>) (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/20971">#20971</a>)</li> <li><a 
href="https://github.com/Azure/azure-sdk-for-go/commit/02431759c00a99a31e159e9905c392b8f430c897"><code>0243175</code></a> Prep azcore v1.6.1 for release (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/20961">#20961</a>)</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/9c9d62a1d612cf1f9e6902ddd3c538abd90b955c"><code>9c9d62a</code></a> Increment package version after release of azcore (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/20740">#20740</a>)</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/36f766d2feba70f64bed923c23b57602998e16c8"><code>36f766d</code></a> add sdk/resourcemanager/cosmos/armcosmos live test (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/20705">#20705</a>)</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/c005ed6159fdf2104077694b5f89e7063a0cc586"><code>c005ed6</code></a> sdk/resourcemanager/network/armnetwork live test (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/20331">#20331</a>)</li> <li><a href="https://github.com/Azure/azure-sdk-for-go/commit/5fa7df4852a100f4a7502d5064ae54b0aceb8260"><code>5fa7df4</code></a> add sdk/resourcemanager/compute/armcompute live test (<a href="https://redirect.github.com/Azure/azure-sdk-for-go/issues/20048">#20048</a>)</li> <li>Additional commits viewable in <a href="https://github.com/Azure/azure-sdk-for-go/compare/sdk/storage/azblob/v1.6.4...sdk/azcore/v1.7.0">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [qs](https://github.com/ljharb/qs) from 6.15.1 to 6.15.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.15.2</strong></h2> <ul> <li>[Fix] <code>stringify</code>: skip null/undefined entries in <code>arrayFormat: 'comma'</code> + <code>encodeValuesOnly</code> instead of crashing in <code>encoder</code></li> <li>[Fix] <code>stringify</code>: use configured <code>delimiter</code> after <code>charsetSentinel</code> (<a href="https://redirect.github.com/ljharb/qs/issues/555">#555</a>)</li> <li>[Fix] <code>stringify</code>: apply <code>formatter</code> to encoded key under <code>strictNullHandling</code> (<a href="https://redirect.github.com/ljharb/qs/issues/554">#554</a>)</li> <li>[Fix] <code>stringify</code>: skip null/undefined filter-array entries instead of crashing in <code>encoder</code> (<a href="https://redirect.github.com/ljharb/qs/issues/551">#551</a>)</li> <li>[Fix] <code>parse</code>: handle nested bracket groups and add regression tests (<a href="https://redirect.github.com/ljharb/qs/issues/530">#530</a>)</li> <li>[readme] fix grammar (<a href="https://redirect.github.com/ljharb/qs/issues/550">#550</a>)</li> <li>[Dev Deps] update <code>@ljharb/eslint-config</code></li> <li>[Tests] add regression tests for keys containing percent-encoded bracket text</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/9aca4076fe788338c67cf7e115f0be6bc58d85a8"><code>9aca407</code></a> v6.15.2</li> <li><a href="https://github.com/ljharb/qs/commit/5e33d33447ed0bf1ddab9abc41d27dea4687d992"><code>5e33d33</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41"><code>21f80b3</code></a> [Fix] <code>stringify</code>: skip null/undefined entries in <code>arrayFormat: 
'comma'</code> + `e...</li> <li><a href="https://github.com/ljharb/qs/commit/a0a81ea2071acce3eff41a040f719ac8f5c4f64c"><code>a0a81ea</code></a> [Fix] <code>stringify</code>: use configured <code>delimiter</code> after <code>charsetSentinel</code></li> <li><a href="https://github.com/ljharb/qs/commit/e3062f78f5233b338ceeb8e8dfa5a07dea4b32a8"><code>e3062f7</code></a> [Fix] <code>stringify</code>: apply <code>formatter</code> to encoded key under <code>strictNullHandling</code></li> <li><a href="https://github.com/ljharb/qs/commit/0c180a40adb8c6703fffc85b2ff06ca209f5c1e0"><code>0c180a4</code></a> [Fix] <code>stringify</code>: skip null/undefined filter-array entries instead of crashi...</li> <li><a href="https://github.com/ljharb/qs/commit/3a8b94aec19bd664720f6f6b1e66c4a0dfe4b656"><code>3a8b94a</code></a> [Tests] add regression tests for keys containing percent-encoded bracket text</li> <li><a href="https://github.com/ljharb/qs/commit/96755abd357c0e534dd3442a84a04d08864bfe0d"><code>96755ab</code></a> [readme] fix grammar</li> <li><a href="https://github.com/ljharb/qs/commit/a419ce5bbfcdb98a299f1a0bb47ea055baef20e6"><code>a419ce5</code></a> [Fix] <code>parse</code>: handle nested bracket groups and add regression tests</li> <li>See full diff in <a href="https://github.com/ljharb/qs/compare/v6.15.1...v6.15.2">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.1.0 to 7.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/build-push-action/releases">docker/build-push-action's releases</a>.</em></p> <blockquote> <h2>v7.2.0</h2> <ul> <li>Bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in <a href="https://redirect.github.com/docker/build-push-action/pull/1525">docker/build-push-action#1525</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.87.0 to 0.90.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/1517">docker/build-push-action#1517</a></li> <li>Bump brace-expansion from 2.0.2 to 5.0.6 in <a href="https://redirect.github.com/docker/build-push-action/pull/1534">docker/build-push-action#1534</a></li> <li>Bump fast-xml-builder from 1.1.4 to 1.2.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/1529">docker/build-push-action#1529</a></li> <li>Bump fast-xml-parser from 5.5.7 to 5.8.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/1521">docker/build-push-action#1521</a></li> <li>Bump postcss from 8.5.6 to 8.5.10 in <a href="https://redirect.github.com/docker/build-push-action/pull/1526">docker/build-push-action#1526</a></li> <li>Bump tar from 6.2.1 to 7.5.15 in <a href="https://redirect.github.com/docker/build-push-action/pull/1533">docker/build-push-action#1533</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v7.1.0...v7.2.0">https://github.com/docker/build-push-action/compare/v7.1.0...v7.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/build-push-action/commit/f9f3042f7e2789586610d6e8b85c8f03e5195baf"><code>f9f3042</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1517">#1517</a> from 
docker/dependabot/npm_and_yarn/docker/actions-t...</li> <li><a href="https://github.com/docker/build-push-action/commit/812d5fd9212a4c5d419e5be02fd8e9bb435c5d76"><code>812d5fd</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/b6f66930769f2917a3275dc4d81f15583ac7e105"><code>b6f6693</code></a> chore(deps): Bump <code>@docker/actions-toolkit</code> from 0.87.0 to 0.90.0</li> <li><a href="https://github.com/docker/build-push-action/commit/c1c626eced73a500ec65c4256c620b3b9e8278c0"><code>c1c626e</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1525">#1525</a> from docker/dependabot/npm_and_yarn/actions/core-3.0.1</li> <li><a href="https://github.com/docker/build-push-action/commit/51bb284cd4d05650aa6f5e4e22cb96d2cbfe62b7"><code>51bb284</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/5f7884def8f133e8ef40c53d003d1471c05621c6"><code>5f7884d</code></a> chore(deps): Bump <code>@actions/core</code> from 3.0.0 to 3.0.1</li> <li><a href="https://github.com/docker/build-push-action/commit/e01deff7d956c756a20f3e19ff7ddc0e4a50fc1d"><code>e01deff</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1521">#1521</a> from docker/dependabot/npm_and_yarn/fast-xml-parser-...</li> <li><a href="https://github.com/docker/build-push-action/commit/3804d497934b39bd591ee9d1c6c9e593b4488a67"><code>3804d49</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/71e8947aac5dad23ce83a43e9c98f750e02de2f3"><code>71e8947</code></a> chore(deps): Bump fast-xml-parser from 5.5.7 to 5.8.0</li> <li><a href="https://github.com/docker/build-push-action/commit/4925ad24cdbc42ff492d76cf9fe7a30b79976b60"><code>4925ad2</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1526">#1526</a> from 
docker/dependabot/npm_and_yarn/postcss-8.5.10</li> <li>Additional commits viewable in <a href="https://github.com/docker/build-push-action/compare/bcafcacb16a39f128d818304e6c9c0c18556b85f...f9f3042f7e2789586610d6e8b85c8f03e5195baf">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.40.0 to 1.41.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/onsi/gomega/blob/master/CHANGELOG.md">github.com/onsi/gomega's changelog</a>.</em></p> <blockquote> <h2>1.41.0</h2> <h3>Features</h3> <p>Add <code>BeASlice</code> and <code>BeAnArray</code> matchers</p> <h3>Fixes</h3> <p>Object formatting now detects pointer cycles to avoid runaway formatting output.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/onsi/gomega/commit/af2bccb5831cbcc56cfc16ca3056077cdec4798b"><code>af2bccb</code></a> v1.41.0</li> <li><a href="https://github.com/onsi/gomega/commit/73e81f6f054c825d1743bf4090ac0a9e1d5605af"><code>73e81f6</code></a> v1.41.0 (full)</li> <li><a href="https://github.com/onsi/gomega/commit/e35a84f24113255aaeea62fe7c47e09adf39109b"><code>e35a84f</code></a> feat: devcontainer configuration with local pkgsite and GH pages</li> <li><a href="https://github.com/onsi/gomega/commit/f12e5e1bc7167fae21ef37b0d9d358d51063ff5e"><code>f12e5e1</code></a> fix(format): detect pointer cycles to avoid runaway formatting output</li> <li><a href="https://github.com/onsi/gomega/commit/e14831fefa86313f2b01fb803b2ac937e49d08b6"><code>e14831f</code></a> Add optionalDescription docs to AsyncAssertion and Assertion interfaces</li> <li><a href="https://github.com/onsi/gomega/commit/344b94dae7e0df0e2d087574b4c2b1b1597a6943"><code>344b94d</code></a> Add BeASlice and BeAnArray matchers</li> <li>See full diff in <a href="https://github.com/onsi/gomega/compare/v1.40.0...v1.41.0">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/stale/releases">actions/stale's releases</a>.</em></p> <blockquote> <h2>v10.3.0</h2> <h2>What's Changed</h2> <h3>Bug Fix</h3> <ul> <li>Enhancement: ignore stale labeling events by <a href="https://github.com/shamoon"><code>@shamoon</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1311">actions/stale#1311</a></li> </ul> <h3>Dependency Updates</h3> <ul> <li>Upgrade dependencies (<code>@actions/core</code>, <code>@octokit/plugin-retry</code>, <a href="https://github.com/typescript-eslint"><code>@typescript-eslint</code></a>) by <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1335">actions/stale#1335</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/shamoon"><code>@shamoon</code></a> made their first contribution in <a href="https://redirect.github.com/actions/stale/pull/1311">actions/stale#1311</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/stale/compare/v10...v10.3.0">https://github.com/actions/stale/compare/v10...v10.3.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/stale/commit/eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899"><code>eb5cf3a</code></a> chore: upgrade dependencies and bump version to 10.3.0 (<a href="https://redirect.github.com/actions/stale/issues/1335">#1335</a>)</li> <li><a href="https://github.com/actions/stale/commit/db5d06a4c82d5e94513c09c406638111df61f63e"><code>db5d06a</code></a> Enhancement: ignore stale labeling events (<a href="https://redirect.github.com/actions/stale/issues/1311">#1311</a>)</li> <li>See full diff in <a 
href="https://github.com/actions/stale/compare/b5d41d4e1d5dceea10e7104786b73624c18a190f...eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.5 to 4.36.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v4.36.0</h2> <ul> <li><em>Breaking change</em>: Bump the minimum required CodeQL bundle version to 2.19.4. <a href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li> <li>Add support for SHA-256 Git object IDs. <a href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.36.0 - 22 May 2026</h2> <ul> <li><em>Breaking change</em>: Bump the minimum required CodeQL bundle version to 2.19.4. <a href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li> <li>Add support for SHA-256 Git object IDs. <a href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>. 
<a href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li> </ul> <h2>4.35.5 - 15 May 2026</h2> <ul> <li>We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li> <li>For performance and accuracy reasons, <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. <a href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li> <li>If multiple inputs are provided for the GitHub-internal <code>analysis-kinds</code> input, only <code>code-scanning</code> will be enabled. The <code>analysis-kinds</code> input is experimental, for GitHub-internal use only, and may change without notice at any time. <a href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li> <li>Added an experimental change which, when running a Code Scanning analysis for a PR with <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. 
<a href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li> </ul> <h2>4.35.4 - 07 May 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li> </ul> <h2>4.35.3 - 01 May 2026</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3">2.25.3</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3865">#3865</a></li> </ul> <h2>4.35.2 - 15 Apr 2026</h2> <ul> <li>The undocumented TRAP cache cleanup feature that could be enabled using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment variable is deprecated and will be removed in May 2026. 
If you are affected by this, we recommend disabling TRAP caching by passing the <code>trap-caching: false</code> input to the <code>init</code> Action. <a href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li> <li>The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. <a href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li> <li>Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. <a href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li> <li>Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li> </ul> <h2>4.35.1 - 27 Mar 2026</h2> <ul> <li>Fix incorrect minimum required Git version for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li> </ul> <h2>4.35.0 - 27 Mar 2026</h2> <ul> <li>Reduced the minimum Git version required for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> from 2.38.0 to 2.11.0. <a href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>. 
<a href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/7211b7c8077ea37d8641b6271f6a365a22a5fbfa"><code>7211b7c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3927">#3927</a> from github/update-v4.36.0-ebc2d9e2b</li> <li><a href="https://github.com/github/codeql-action/commit/7740f2fb21add1d46278215acea47540db22f022"><code>7740f2f</code></a> Update changelog for v4.36.0</li> <li><a href="https://github.com/github/codeql-action/commit/ebc2d9e2bc247eec51bee8d4df806c4030eb0761"><code>ebc2d9e</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3926">#3926</a> from github/update-bundle/codeql-bundle-v2.25.5</li> <li><a href="https://github.com/github/codeql-action/commit/d1f74b777c95c777bf4f42ce4b250bc916e745c7"><code>d1f74b7</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/2dc40cec39bdc63d3561d74fa6100cebb0418ff4"><code>2dc40ce</code></a> Update default bundle to codeql-bundle-v2.25.5</li> <li><a href="https://github.com/github/codeql-action/commit/84498526a009a99c875e83ef4821a8ba52de7c22"><code>8449852</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3910">#3910</a> from github/henrymercer/repo-size-diff-check</li> <li><a href="https://github.com/github/codeql-action/commit/72ac23c6d16b29fbe801e87e3439941558c53094"><code>72ac23c</code></a> Update excluded required check list</li> <li><a href="https://github.com/github/codeql-action/commit/c5297a28a2c3e6a8062041b58858bd7117cebe37"><code>c5297a2</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3919">#3919</a> from github/henrymercer/workflow-concurrency</li> <li><a 
href="https://github.com/github/codeql-action/commit/8ffeae7d05bc1b914a009d197e64e4f5c9e14503"><code>8ffeae7</code></a> CI: Automatically cancel non-generated workflows</li> <li><a href="https://github.com/github/codeql-action/commit/f3f52bf568dc44a1069faafa538caa6b1fec40c9"><code>f3f52bf</code></a> Revert <code>getErrorMessage</code> import</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/9e0d7b8d25671d64c341c19c0152d693099fb5ba...7211b7c8077ea37d8641b6271f6a365a22a5fbfa">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot]
<49699333+dependabot[bot]@users.noreply.github.com>
…ft#2378) Bumps [github.com/mdlayher/netlink](https://github.com/mdlayher/netlink) from 1.11.1 to 1.11.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/mdlayher/netlink/releases">github.com/mdlayher/netlink's releases</a>.</em></p> <blockquote> <h2>v1.11.2</h2> <p>See <a href="https://github.com/mdlayher/netlink/blob/main/CHANGELOG.md#v1112">https://github.com/mdlayher/netlink/blob/main/CHANGELOG.md#v1112</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/mdlayher/netlink/blob/main/CHANGELOG.md">github.com/mdlayher/netlink's changelog</a>.</em></p> <blockquote> <h2>v1.11.2</h2> <ul> <li>[Bug Fix]: <a href="https://redirect.github.com/mdlayher/netlink/pull/291">#291</a> fixed a bug where <code>netlink.Conn.Receive</code> would block concurrent calls to <code>netlink.Conn.Send</code> when blocking in <code>recvmsg</code>.</li> <li>[Improvement]: <a href="https://redirect.github.com/mdlayher/netlink/pull/289">#289</a> updated <code>golang.org/x/net</code> and <code>golang.org/x/sys</code> dependencies.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/mdlayher/netlink/commit/847c7b8181120b0e93dd7174b64914995edcfade"><code>847c7b8</code></a> CHANGELOG: release v1.11.2 (<a href="https://redirect.github.com/mdlayher/netlink/issues/292">#292</a>)</li> <li><a href="https://github.com/mdlayher/netlink/commit/2a7605488839f5531fe4f401888e1f98a4352e64"><code>2a76054</code></a> conn: fix Receive blocking Send (<a href="https://redirect.github.com/mdlayher/netlink/issues/291">#291</a>)</li> <li><a href="https://github.com/mdlayher/netlink/commit/388141689045121ccb2f3ea0821713be2f562a1b"><code>3881416</code></a> build(deps): bump golang.org/x/net in / (<a href="https://redirect.github.com/mdlayher/netlink/issues/289">#289</a>)</li> <li>See full diff in <a 
href="https://github.com/mdlayher/netlink/compare/v1.11.1...v1.11.2">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2381) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 4.0.0 to 4.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's releases</a>.</em></p> <blockquote> <h2>v4.1.0</h2> <ul> <li>Bump <code>@docker/actions-toolkit</code> from 0.79.0 to 0.90.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/489">docker/setup-buildx-action#489</a></li> <li>Bump brace-expansion from 1.1.12 to 5.0.6 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/547">docker/setup-buildx-action#547</a> <a href="https://redirect.github.com/docker/setup-buildx-action/pull/508">docker/setup-buildx-action#508</a></li> <li>Bump fast-xml-builder from 1.0.0 to 1.2.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/540">docker/setup-buildx-action#540</a></li> <li>Bump fast-xml-parser from 5.4.2 to 5.8.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/496">docker/setup-buildx-action#496</a></li> <li>Bump flatted from 3.3.3 to 3.4.2 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/499">docker/setup-buildx-action#499</a></li> <li>Bump glob from 10.3.12 to 13.0.6 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/495">docker/setup-buildx-action#495</a></li> <li>Bump handlebars from 4.7.8 to 4.7.9 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/504">docker/setup-buildx-action#504</a></li> <li>Bump lodash from 4.17.23 to 4.18.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/523">docker/setup-buildx-action#523</a></li> <li>Bump picomatch from 4.0.3 to 4.0.4 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/503">docker/setup-buildx-action#503</a></li> <li>Bump postcss from 8.5.6 to 8.5.10 in <a 
href="https://redirect.github.com/docker/setup-buildx-action/pull/537">docker/setup-buildx-action#537</a></li> <li>Bump tar from 6.2.1 to 7.5.15 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/545">docker/setup-buildx-action#545</a></li> <li>Bump undici from 6.23.0 to 6.25.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/492">docker/setup-buildx-action#492</a></li> <li>Bump vite from 7.3.1 to 7.3.2 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/520">docker/setup-buildx-action#520</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v4.0.0...v4.1.0">https://github.com/docker/setup-buildx-action/compare/v4.0.0...v4.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/setup-buildx-action/commit/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5"><code>d7f5e7f</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/489">#489</a> from docker/dependabot/npm_and_yarn/docker/actions-to...</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/92bc5c9777806d0a73d9d668ba2114fa1177f164"><code>92bc5c9</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/da11e35abee0f20cb4f1c1b7c461d37c29be52f5"><code>da11e35</code></a> build(deps): bump <code>@docker/actions-toolkit</code> from 0.79.0 to 0.90.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/f021e162ef95b6fba51af1c6674f537f25bce851"><code>f021e16</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/492">#492</a> from docker/dependabot/npm_and_yarn/undici-6.24.1</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/b5af94fab700aee0c64d6077e0e34ae987815b67"><code>b5af94f</code></a> chore: update generated content</li> <li><a 
href="https://github.com/docker/setup-buildx-action/commit/16ad9776a801d0c47f0a05f007b88a3789aa8ab6"><code>16ad977</code></a> build(deps): bump undici from 6.23.0 to 6.25.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/d7a12d7df895b33bd02a9b4bf62a12f2b9a24458"><code>d7a12d7</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/495">#495</a> from docker/dependabot/npm_and_yarn/glob-10.5.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/28ff27de4eed7518d361591f2cd1dfb69c34a7cb"><code>28ff27d</code></a> build(deps): bump glob from 10.3.12 to 13.0.6</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/daf436b50e13d9053b9730cbc16516891878b019"><code>daf436b</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/496">#496</a> from docker/dependabot/npm_and_yarn/fast-xml-parser-5...</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/9725348367859764880f2f2e688a6b0c353e3f35"><code>9725348</code></a> chore: update generated content</li> <li>Additional commits viewable in <a href="https://github.com/docker/setup-buildx-action/compare/4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd...d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5">compare view</a></li> </ul> </details> <br />
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#2379) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.28.3 to 2.29.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/onsi/ginkgo/releases">github.com/onsi/ginkgo/v2's releases</a>.</em></p> <blockquote> <h2>v2.29.0</h2> <h2>2.29.0</h2> <p><code>GinkgoHelperGo</code> makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.</p> <p><code>ginkgo outline</code> now includes entries defined in <code>DescribeTableSubtree</code></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md">github.com/onsi/ginkgo/v2's changelog</a>.</em></p> <blockquote> <h2>2.29.0</h2> <p><code>GinkgoHelperGo</code> makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.</p> <p><code>ginkgo outline</code> now includes entries defined in <code>DescribeTableSubtree</code></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/onsi/ginkgo/commit/04b5bcbe4eee911a1baf506eda1e7e811c978937"><code>04b5bcb</code></a> v2.29.0</li> <li><a href="https://github.com/onsi/ginkgo/commit/124232a4531c77a7f31a036e0150e06fa78b2af8"><code>124232a</code></a> docs: GinkgoHelperGo</li> <li><a href="https://github.com/onsi/ginkgo/commit/ad9cee80bdfda573e94f1b05f2bd4afa1a2fe815"><code>ad9cee8</code></a> feat: GinkgoHelperGo, with integration tests</li> <li><a href="https://github.com/onsi/ginkgo/commit/9e56a0a2a090eb83af696381161bdb996c69bcac"><code>9e56a0a</code></a> chore: refactor devcontainer for better maintenance</li> <li><a href="https://github.com/onsi/ginkgo/commit/3d235a96ac05d9e855048c66528d2fdbfb9101f7"><code>3d235a9</code></a> chore: ignore internal/tmp_*/ 
integration suite temporary dirs</li> <li><a href="https://github.com/onsi/ginkgo/commit/782666ae83c2bc804f28b1333bf91a21b093d946"><code>782666a</code></a> feat: devcontainer configuration with local pkgsite and GH pages</li> <li><a href="https://github.com/onsi/ginkgo/commit/009dd04de2d18f00c3c812d2caab713a165a1f7c"><code>009dd04</code></a> Support DescribeTableSubtree in ginkgo outline</li> <li>See full diff in <a href="https://github.com/onsi/ginkgo/compare/v2.28.3...v2.29.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
# Description

Fix Windows capture ctx. Stop Network capture parent ctx is expired by the time `stopNetworkCapture` is called.

Please provide a brief description of the changes made in this pull request.

## Related Issue

microsoft#2298

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

<img width="1247" height="692" alt="image" src="https://github.com/user-attachments/assets/751f4df6-08c8-46ac-b169-df3094994642" />
<img width="1885" height="407" alt="image" src="https://github.com/user-attachments/assets/3470c845-0364-4bc5-b121-3abd720009b4" />

## Additional Notes

Issue introduced: microsoft#2322
https://github.com/microsoft/retina/pull/2322/changes#diff-bd1c3510276019b2f8f85384d4963e4fa366a428acad36280432a841079a9bf2

---------

Signed-off-by: mereta <mereta.degutyte@hotmail.co.uk>
…to 0.20.4 in the azure-sdk group (microsoft#2387) Bumps the azure-sdk group with 1 update: [sigs.k8s.io/cloud-provider-azure/pkg/azclient](https://github.com/kubernetes-sigs/cloud-provider-azure). Updates `sigs.k8s.io/cloud-provider-azure/pkg/azclient` from 0.20.3 to 0.20.4 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/904c0e283591b03531a99364dcf20a50c6b93ceb"><code>904c0e2</code></a> build(deps): bump the all group in /pkg/azclient with 2 updates (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10395">#10395</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/de33aeb2a7707b610d25b66650064feb5c1bd0fc"><code>de33aeb</code></a> build(deps): bump the all group with 2 updates (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10400">#10400</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/b46ff35d87b3f546567fb4a5db51e8c9bfac6151"><code>b46ff35</code></a> build(deps): bump the all group in /kubetest2-aks with 2 updates (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10394">#10394</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/a3c548d1c7d2388150fc2bf4f215144cc27381b5"><code>a3c548d</code></a> fix(multi-slb): serialize backendPoolUpdater with service reconcile loop (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10">#10</a>...</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/ce0c4f39978b64147229c3c011ec841addcfa411"><code>ce0c4f3</code></a> fix: update generate-release-note script (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10350">#10350</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/593a7fdc85b0559a8e6ad5be172257a2fe0ae23d"><code>593a7fd</code></a> 
build(deps): bump oss/go/microsoft/golang in the all group (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10311">#10311</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/9352d6dc09c0ee50d03bc8647c9fdf575bb342e6"><code>9352d6d</code></a> build(deps): bump the all group across 1 directory with 5 updates (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10379">#10379</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/50222201f7586c179260961cbe2c1162c4389706"><code>5022220</code></a> build(deps): bump the all group across 1 directory with 8 updates (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10313">#10313</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/37264c3d3165b10473aac0ae9b87dedbf5a4b8f5"><code>37264c3</code></a> docs: split agent guide into references (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10374">#10374</a>)</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/11093ba5c96a7b79ccda8d6225b2ea49e8b23be0"><code>11093ba</code></a> docs: document Dependabot rebase handling (<a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/10369">#10369</a>)</li> <li>Additional commits viewable in <a href="https://github.com/kubernetes-sigs/cloud-provider-azure/compare/pkg/azclient/v0.20.3...pkg/azclient/v0.20.4">compare view</a></li> </ul> </details> <br />
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ugin (microsoft#2386)

# Description

### Drops Analysis Dashboard

1. Focused view for identifying and troubleshooting packet drops
2. Includes drop rate analysis by reason, direction, pod, and namespace
3. Features stat tiles for at-a-glance metrics and detailed visualizations (heatmaps, pie charts, correlation charts)

### Overview Dashboard

1. High-level operational view with 6 key metric stat tiles
2. Displays total forward traffic (packets/bytes), drops, drop percentage, and active resources
3. Top 10 pod analysis for incoming/outgoing traffic
4. TCP flags distribution and traffic heatmaps for pattern identification

### Namespace Deep Dive Dashboard

1. Detailed pod-level analysis scoped to specific namespaces
2. Pod traffic summary with sparklines and gauges
3. Workload type breakdown (DaemonSet, Deployment, etc.)
4. Direction-based traffic analysis with comprehensive heatmaps

### Screenshots (if applicable) or Testing Completed

<img width="1824" height="1299" alt="image" src="https://github.com/user-attachments/assets/be7db5d2-4f2b-4a6e-a40d-2d667f3baa39" />

## Related Issue

If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Please add any relevant screenshots or GIFs to showcase the changes made.

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
) Bumps [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) from 19.2.14 to 19.2.15. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…icrosoft#2392) Bumps the golang-base group with 1 update in the /cli directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /controller directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /hack/tools/kapinger directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /hack/tools/toolbox directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /operator directory: oss/go/microsoft/golang. Bumps the golang-base group with 1 update in the /test/image directory: oss/go/microsoft/golang. Updates `oss/go/microsoft/golang` from `75a5c75` to `ef48075` Updates `oss/go/microsoft/golang` from `75a5c75` to `ef48075` Updates `oss/go/microsoft/golang` from `e6e1c95` to `bd013a5` Updates `oss/go/microsoft/golang` from `e6e1c95` to `bd013a5` Updates `oss/go/microsoft/golang` from `75a5c75` to `ef48075` Updates `oss/go/microsoft/golang` from `75a5c75` to `ef48075` Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
90e7d30 to fd8a819
Description
Merged main branch into dev/v0.0.33-windows
Related Issue
If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.
Checklist
git commit -S -s ...). See this documentation on signing commits.
Screenshots (if applicable) or Testing Completed
Please add any relevant screenshots or GIFs to showcase the changes made.
Additional Notes
Add any additional notes or context about the pull request here.
Please refer to the CONTRIBUTING.md file for more information on how to contribute to this project.