Merge branch 'master' into security-page-refactor-2

Author: jvorcak

.github/workflows/fork-pr-dispatch.yml

@@ -0,0 +1,66 @@
+---
+name: Fork PR dispatch to enterprise
+on:
+  workflow_run:
+    workflows: ["PR verification (forks)"]
+    types: [completed]
+permissions:
+  id-token: write
+  contents: read
+  statuses: write
+jobs:
+  dispatch:
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.head_repository.fork == true
+    runs-on: blacksmith-2vcpu-ubuntu-2404
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: |
+            ,sdlc/prod/github/actions_bot_token
+          parse-json-secrets: true
+      - name: Build dispatch payload
+        id: payload
+        env:
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const payload = {
+              branch: process.env.HEAD_BRANCH,
+              commit_sha: process.env.HEAD_SHA,
+              head_repository: process.env.HEAD_REPO,
+              is_fork: true,
+            };
+            core.setOutput('json', JSON.stringify(payload));
+            core.setOutput('sha', process.env.HEAD_SHA);
+      - name: Repository dispatch for fork PR
+        uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40
+        with:
+          token: ${{ env.ACTIONS_BOT_TOKEN }}
+          repository: redpanda-data/console-enterprise
+          event-type: push
+          client-payload: ${{ steps.payload.outputs.json }}
+      - name: Set pending enterprise CI status
+        env:
+          HEAD_SHA: ${{ steps.payload.outputs.sha }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ env.ACTIONS_BOT_TOKEN }}
+          script: |
+            await github.rest.repos.createCommitStatus({
+              owner: 'redpanda-data',
+              repo: 'console',
+              sha: process.env.HEAD_SHA,
+              state: 'pending',
+              description: 'Enterprise CI is running...',
+              context: 'Enterprise CI'
+            });

CHANGELOG.md

@@ -2,6 +2,15 @@
 
 ## Master / Unreleased
 
+## v3.7.2 / 2026-04-29
+- [BUGFIX] Hide unavailable "Infinite" retention option for topics with capped configurations and fix topic config UI layout.
+- [BUGFIX] Fix secrets list returning only the first page instead of all entries.
+- [BUGFIX] Fix ACL rule key collision in edit mode causing incorrect rule management.
+- [IMPROVEMENT] Show Group principals in ACLs and Permissions List.
+- [IMPROVEMENT] Add `lockPrincipal` query parameter to ACL create page to pre-fill and lock the principal field.
+- [IMPROVEMENT] UX copy and typography improvements across console UI.
+- [SECURITY] Resolve security vulnerabilities in frontend and backend dependencies.
+
 ## v3.7.1 / 2026-04-08
 - [IMPROVEMENT] Schema Registry pagination and sort order are now reflected in URL query parameters, enabling bookmarkable views.
 - [IMPROVEMENT] Add user-friendly Kafka error messages with detailed per-error context.

backend/pkg/console/config_extensions.go

@@ -52,6 +52,12 @@ type ConfigEntryExtension struct {
 	// the user the available compression methods for `compression.type`.
 	// The presented values may be dependent on the target Kafka cluster version.
 	EnumValues []string `json:"enumValues,omitempty"`
+
+	// NoInfiniteValue opts a config out of the "Infinite" button in the config
+	// editor. BYTE_SIZE and DURATION configs show Infinite by default; set this
+	// to true for configs where the broker rejects the infinite sentinel (e.g.
+	// max.message.bytes, segment.bytes, which have hard server-side caps).
+	NoInfiniteValue bool `json:"noInfiniteValue,omitempty"`
 }
 
 func loadConfigExtensions() (map[string]ConfigEntryExtension, error) {

backend/pkg/embed/kafka/apache_kafka_configs.json

@@ -60,7 +60,8 @@
     "type": "INT",
     "documentation": "This configuration controls the segment file size for the log. Retention and cleaning is always done a file at a time so a larger segment size means fewer files but less granular control over retention.",
     "category": "Storage Internals",
-    "frontendFormat": "BYTE_SIZE"
+    "frontendFormat": "BYTE_SIZE",
+    "noInfiniteValue": true
   },
   {
     "name": "retention.ms",
@@ -102,7 +103,8 @@
     "type": "INT",
     "documentation": "The largest record batch size allowed by Kafka (after compression if compression is enabled). If this is increased and there are consumers older than 0.10.2, the consumers' fetch size must also be increased so that they can fetch record batches this large. In the latest message format version, records are always grouped into batches for efficiency. In previous message format versions, uncompressed records are not grouped into batches and this limit only applies to a single record in that case.",
     "category": "Message Handling",
-    "frontendFormat": "BYTE_SIZE"
+    "frontendFormat": "BYTE_SIZE",
+    "noInfiniteValue": true
   },
   {
     "name": "min.compaction.lag.ms",

backend/pkg/protogen/redpanda/api/dataplane/v1alpha3/transcript.pb.go

@@ -159,7 +159,7 @@ export const RegisterModal = ({ isOpen, onClose }: RegisterModalProps) => {
               </Box>
               <VStack align="center" spacing={2}>
                 <Text fontSize="lg" fontWeight="bold" textAlign="center">
-                  This cluster has been successfully registered
+                  Cluster registered
                 </Text>
                 <Text color="gray.600" textAlign="center">
                   Enjoy 30 more days of enterprise features.
@@ -256,7 +256,7 @@ export const RegisterModal = ({ isOpen, onClose }: RegisterModalProps) => {
                       required: 'Email address is required',
                       pattern: {
                         value: EMAIL_VALIDATION_REGEX,
-                        message: 'Please enter a valid email address',
+                        message: 'Enter a valid email address',
                       },
                     }}
                   />

frontend/src/components/license/register-modal.tsx

@@ -31,17 +31,17 @@ function getErrorMessage(error: ConnectError): { title: string; description: str
     case Code.DeadlineExceeded:
       return {
         title: 'Request Timeout',
-        description: 'The server took too long to respond. Please try again.',
+        description: 'The server took too long to respond. Try again.',
       };
     case Code.Internal:
       return {
         title: 'Internal Server Error',
-        description: 'An unexpected error occurred on the server. Please try again.',
+        description: 'An unexpected error occurred on the server. Try again.',
       };
     default:
       return {
         title: 'Connection Error',
-        description: 'Unable to connect to the server. Please check your connection and try again.',
+        description: 'Unable to connect to the server. Check your connection and try again.',
       };
   }
 }

frontend/src/components/misc/connection-error-ui.tsx

@@ -261,7 +261,7 @@ const CopyToClipboardButton: FC<{ message: string; disabled: boolean; isLoading:
           .then(() => {
             toast({
               status: 'success',
-              description: 'All info copied to clipboard!',
+              description: 'All info copied to clipboard',
             });
           })
           .catch(navigatorClipboardErrorHandler);

frontend/src/components/misc/error-boundary.tsx

@@ -263,7 +263,7 @@ const LoginPage = () => {
                   {{
                     token_exchange_failed: 'OIDC authentication failed. Check backend logs for details.',
                     kafka_authentication_failed:
-                      'Authenticated via OIDC, but failed to authenticate with the Kafka API.',
+                      'Authenticated through OIDC, but failed to authenticate with the Kafka API.',
                     console_internal: 'An unexpected error occurred. Check backend logs.',
                     permission_denied: `This user is not authorized to use Console. An administrator should grant user ${searchParams.get('oidc_subject') ?? ''} permissions in the Console configuration to proceed.`,
                   }[searchParams.get('error_code') as string] || 'An unexpected error occurred. Check backend logs.'}

frontend/src/components/misc/login.tsx

@@ -17,7 +17,7 @@ import { isClipboardAvailable } from '../../utils/feature-detection';
 const popoverContent = (
   <>
     <p>Due to browser restrictions, the clipboard is not accessible on unsecure connections.</p>
-    <p>Please make sure to run Redpanda Console with SSL enabled to use this feature.</p>
+    <p>Run Redpanda Console with SSL enabled to use this feature.</p>
   </>
 );