-
Notifications
You must be signed in to change notification settings - Fork 4.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'release/1.15.x' into backport/gh-19720-empty-server-met…
…adata/naturally-composed-kodiak
- Loading branch information
Showing
6,648 changed files
with
29,200 additions
and
1,183 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| ```release-note:security | ||
| Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image. | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| schema_version = 1 | ||
|
|
||
| project { | ||
| license = "BUSL-1.1" | ||
| copyright_year = 2024 | ||
|
|
||
| # (OPTIONAL) A list of globs that should not have copyright/license headers. | ||
| # Supports doublestar glob patterns for more flexibility in defining which | ||
| # files or folders should be ignored | ||
| header_ignore = [ | ||
| # Forked and modified UI libs | ||
| "ui/packages/consul-ui/app/utils/dom/event-target/**", | ||
| "ui/packages/consul-ui/lib/rehype-prism/**", | ||
| "ui/packages/consul-ui/lib/block-slots/**", | ||
|
|
||
| # UI file that do not render properly with copyright headers | ||
| "ui/packages/consul-ui/app/components/brand-loader/enterprise.hbs", | ||
| "ui/packages/consul-ui/app/components/brand-loader/index.hbs", | ||
|
|
||
| # ignore specific test data files | ||
| "agent/uiserver/testdata/**", | ||
|
|
||
| # generated files | ||
| "agent/structs/structs.deepcopy.go", | ||
| "agent/proxycfg/proxycfg.deepcopy.go", | ||
| "agent/grpc-middleware/rate_limit_mappings.gen.go", | ||
| "agent/uiserver/dist/**", | ||
| "agent/consul/state/catalog_schema.deepcopy.go", | ||
| "agent/config/config.deepcopy.go", | ||
| "agent/grpc-middleware/testutil/testservice/simple.pb.go", | ||
| "proto-public/annotations/ratelimit/ratelimit.pb.go", | ||
| "proto-public/pbacl/acl.pb.go", | ||
| "proto-public/pbconnectca/ca.pb.go", | ||
| "proto-public/pbdataplane/dataplane.pb.go", | ||
| "proto-public/pbdns/dns.pb.go", | ||
| "proto-public/pbserverdiscovery/serverdiscovery.pb.go", | ||
| "proto/pbacl/acl.pb.go", | ||
| "proto/pbautoconf/auto_config.pb.go", | ||
| "proto/pbcommon/common.pb.go", | ||
| "proto/pbconfig/config.pb.go", | ||
| "proto/pbconfigentry/config_entry.pb.go", | ||
| "proto/pbconnect/connect.pb.go", | ||
| "proto/pboperator/operator.pb.go", | ||
| "proto/pbpeering/peering.pb.go", | ||
| "proto/pbpeerstream/peerstream.pb.go", | ||
| "proto/pbservice/healthcheck.pb.go", | ||
| "proto/pbservice/node.pb.go", | ||
| "proto/pbservice/service.pb.go", | ||
| "proto/pbsubscribe/subscribe.pb.go", | ||
|
|
||
| # licensed under MPL - ignoring for now until the copywrite tool can support | ||
| # multiple licenses per repo. | ||
| "sdk/**", | ||
| "api/**", | ||
| "proto-public/**", | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,6 @@ | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
| pr/dependencies: | ||
| - vendor/**/* | ||
| - go.* | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| #!/bin/bash | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
|
|
||
| set -euo pipefail | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| #!/usr/bin/env bash | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
|
|
||
| set -uo pipefail | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| #!/bin/bash | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
|
|
||
| set -euo pipefail | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| #!/bin/bash | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
|
|
||
| set -euo pipefail | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| #!/bin/bash | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
|
|
||
| set -euo pipefail | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| #!/bin/bash | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
|
|
||
| set -euo pipefail | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| #!/bin/bash | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
|
|
||
| set -euo pipefail | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| name: Check Copywrite Headers | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened, ready_for_review] | ||
| push: | ||
| branches: | ||
| - main | ||
| - release/** | ||
| jobs: | ||
| copywrite: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | ||
| - uses: hashicorp/setup-copywrite@867a1a2a064a0626db322392806428f7dc59cb3e # v1.1.2 | ||
| name: Setup Copywrite | ||
| with: | ||
| version: v0.16.4 | ||
| archive-checksum: c299f830e6eef7e126a3c6ef99ac6f43a3c132d830c769e0d36fa347fa1af254 | ||
| - name: Check Header Compliance | ||
| run: make copywrite-headers | ||
| permissions: | ||
| contents: read |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| name: Security Scan | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| - release/** | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| - release/** | ||
|
|
||
| # cancel existing runs of the same workflow on the same ref | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| conditional-skip: | ||
| runs-on: ubuntu-latest | ||
| name: Get files changed and conditionally skip CI | ||
| outputs: | ||
| skip-ci: ${{ steps.read-files.outputs.skip-ci }} | ||
| steps: | ||
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Get changed files | ||
| id: read-files | ||
| run: ./.github/scripts/filter_changed_files_go_test.sh | ||
|
|
||
| setup: | ||
| needs: [conditional-skip] | ||
| name: Setup | ||
| if: needs.conditional-skip.outputs.skip-ci != 'true' | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| compute-small: ${{ steps.setup-outputs.outputs.compute-small }} | ||
| compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }} | ||
| compute-large: ${{ steps.setup-outputs.outputs.compute-large }} | ||
| compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }} | ||
| steps: | ||
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
| - id: setup-outputs | ||
| name: Setup outputs | ||
| run: ./.github/scripts/get_runner_classes.sh | ||
|
|
||
| scan: | ||
| needs: [setup] | ||
| runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }} | ||
| # The first check ensures this doesn't run on community-contributed PRs, who | ||
| # won't have the permissions to run this job. | ||
| if: ${{ (github.repository != 'hashicorp/consul' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)) | ||
| && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | ||
| with: | ||
| cache: true | ||
| go-version: 1.20.12 #TODO move CI build config and this to .go-version or .go-mod | ||
|
|
||
| - name: Clone Security Scanner repo | ||
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
| with: | ||
| repository: hashicorp/security-scanner | ||
| token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }} | ||
| path: security-scanner | ||
| ref: main | ||
|
|
||
| - name: Scan | ||
| id: scan | ||
| uses: ./security-scanner | ||
| with: | ||
| repository: "$PWD" | ||
| # See scan.hcl at repository root for config. | ||
|
|
||
| - name: SARIF Output | ||
| shell: bash | ||
| run: | | ||
| cat results.sarif | jq | ||
| - name: Upload SARIF file | ||
| uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5 | ||
| with: | ||
| sarif_file: results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,6 @@ | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
| schema = "1" | ||
|
|
||
| project "consul" { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,47 @@ | ||
| # Copyright (c) HashiCorp, Inc. | ||
| # SPDX-License-Identifier: BUSL-1.1 | ||
|
|
||
| # These scan results are run as part of CRT workflows. | ||
|
|
||
| # Un-triaged results will block release. See `security-scanner` docs for more | ||
| # information on how to add `triage` config to unblock releases for specific results. | ||
| # In most cases, we should not need to disable the entire scanner to unblock a release. | ||
|
|
||
| # To run manually, install scanner and then from the repository root run | ||
| # `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan ...` | ||
| # To scan a local container, add `local_daemon = true` to the `container` block below. | ||
| # See `security-scanner` docs or run with `--help` for scan target syntax. | ||
|
|
||
|
|
||
| container { | ||
| dependencies = true | ||
| alpine_secdb = false | ||
| secrets = false | ||
| alpine_secdb = true | ||
|
|
||
| secrets { | ||
| all = true | ||
| } | ||
|
|
||
| # Triage items that are _safe_ to ignore here. Note that this list should be | ||
| # periodically cleaned up to remove items that are no longer found by the scanner. | ||
| triage { | ||
| suppress { | ||
| # N.b. `vulnerabilites` is the correct spelling for this tool. | ||
| vulnerabilites = [ | ||
| "CVE-2023-46218", # curl@8.4.0-r0 | ||
| "CVE-2023-46219", # curl@8.4.0-r0 | ||
| "CVE-2023-5678", # openssl@3.1.4-r0 | ||
| ] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| binary { | ||
| secrets = false | ||
| go_modules = false | ||
| go_modules = true | ||
| osv = true | ||
| # TODO(spatel): CE refactor | ||
| oss_index = true | ||
| nvd = true | ||
| # We can't enable npm for binary targets today because we don't yet embed the relevant file | ||
| # (yarn.lock) in the Consul binary. This is something we may investigate in the future. | ||
|
|
||
| secrets { | ||
| all = true | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.