mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
8925d70ae16cfd8519eeff28aa77aaf4ec87ddd3
7815 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
dependabot[bot]
|
8925d70ae1 |
build(deps): bump the lifecycle group in /kotlin/android with 3 updates (#9919)
Bumps the lifecycle group in /kotlin/android with 3 updates: androidx.lifecycle:lifecycle-runtime-ktx, androidx.lifecycle:lifecycle-viewmodel-ktx and androidx.lifecycle:lifecycle-livedata-ktx. Updates `androidx.lifecycle:lifecycle-runtime-ktx` from 2.9.1 to 2.9.2 Updates `androidx.lifecycle:lifecycle-viewmodel-ktx` from 2.9.1 to 2.9.2 Updates `androidx.lifecycle:lifecycle-livedata-ktx` from 2.9.1 to 2.9.2 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
0df8c45f6c |
build(deps): bump serde_json from 1.0.140 to 1.0.141 in /rust (#9938)
Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.140 to 1.0.141. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/serde-rs/json/releases">serde_json's releases</a>.</em></p> <blockquote> <h2>v1.0.141</h2> <ul> <li>Optimize string escaping during serialization (<a href="https://redirect.github.com/serde-rs/json/issues/1273">#1273</a>, thanks <a href="https://github.com/conradludgate"><code>@conradludgate</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
bba4ebe0da |
build(deps): bump eslint from 9.29.0 to 9.31.0 in /rust/gui-client (#9936)
Bumps [eslint](https://github.com/eslint/eslint) from 9.29.0 to 9.31.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/eslint/eslint/releases">eslint's releases</a>.</em></p> <blockquote> <h2>v9.31.0</h2> <h2>Features</h2> <ul> <li><a href=" |
||
|
dependabot[bot]
|
09f64a6c1e |
build(deps): bump the navigation group in /kotlin/android with 4 updates (#9922)
Bumps the navigation group in /kotlin/android with 4 updates: androidx.navigation:navigation-safe-args-gradle-plugin, androidx.navigation:navigation-fragment-ktx, androidx.navigation:navigation-ui-ktx and androidx.navigation:navigation-testing. Updates `androidx.navigation:navigation-safe-args-gradle-plugin` from 2.9.0 to 2.9.2 Updates `androidx.navigation:navigation-fragment-ktx` from 2.9.0 to 2.9.2 Updates `androidx.navigation:navigation-ui-ktx` from 2.9.0 to 2.9.2 Updates `androidx.navigation:navigation-testing` from 2.9.0 to 2.9.2 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
c498d725f4 |
build(deps): bump actions/setup-node from 4.1.0 to 4.4.0 in /.github/actions/setup-node (#9924)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.1.0 to 4.4.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p> <blockquote> <h2>v4.4.0</h2> <h2>What's Changed</h2> <h3>Bug fixes:</h3> <ul> <li>Make eslint-compact matcher compatible with Stylelint by <a href="https://github.com/FloEdelmann"><code>@FloEdelmann</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/98">actions/setup-node#98</a></li> <li>Add support for indented eslint output by <a href="https://github.com/fregante"><code>@fregante</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1245">actions/setup-node#1245</a></li> </ul> <h3>Enhancement:</h3> <ul> <li>Support private mirrors by <a href="https://github.com/marco-ippolito"><code>@marco-ippolito</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1240">actions/setup-node#1240</a></li> </ul> <h3>Dependency update:</h3> <ul> <li>Upgrade <code>@action/cache</code> from 4.0.2 to 4.0.3 by <a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1262">actions/setup-node#1262</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/FloEdelmann"><code>@FloEdelmann</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/98">actions/setup-node#98</a></li> <li><a href="https://github.com/fregante"><code>@fregante</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1245">actions/setup-node#1245</a></li> <li><a href="https://github.com/marco-ippolito"><code>@marco-ippolito</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1240">actions/setup-node#1240</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v4.4.0">https://github.com/actions/setup-node/compare/v4...v4.4.0</a></p> <h2>v4.3.0</h2> <h2>What's Changed</h2> <h3>Dependency updates</h3> <ul> <li>Upgrade <code>@actions/glob</code> from 0.4.0 to 0.5.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1200">actions/setup-node#1200</a></li> <li>Upgrade <code>@action/cache</code> from 4.0.0 to 4.0.2 by <a href="https://github.com/gowridurgad"><code>@gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1251">actions/setup-node#1251</a></li> <li>Upgrade <code>@vercel/ncc</code> from 0.38.1 to 0.38.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1203">actions/setup-node#1203</a></li> <li>Upgrade <code>@actions/tool-cache</code> from 2.0.1 to 2.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1220">actions/setup-node#1220</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/gowridurgad"><code>@gowridurgad</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1251">actions/setup-node#1251</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v4.3.0">https://github.com/actions/setup-node/compare/v4...v4.3.0</a></p> <h2>v4.2.0</h2> <h2>What's Changed</h2> <ul> <li>Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by <a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1174">actions/setup-node#1174</a></li> <li>Add recommended permissions section to readme by <a href="https://github.com/benwells"><code>@benwells</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1193">actions/setup-node#1193</a></li> <li>Configure Dependabot settings by <a href="https://github.com/HarithaVattikuti"><code>@HarithaVattikuti</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1192">actions/setup-node#1192</a></li> <li>Upgrade <code>@actions/cache</code> to <code>^4.0.0</code> by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1191">actions/setup-node#1191</a></li> <li>Upgrade pnpm/action-setup from 2 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1194">actions/setup-node#1194</a></li> <li>Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1195">actions/setup-node#1195</a></li> <li>Upgrade semver from 7.6.0 to 7.6.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1196">actions/setup-node#1196</a></li> <li>Upgrade <code>@types/jest</code> from 29.5.12 to 29.5.14 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1201">actions/setup-node#1201</a></li> <li>Upgrade undici from 5.28.4 to 5.28.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1205">actions/setup-node#1205</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/benwells"><code>@benwells</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1193">actions/setup-node#1193</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v4.2.0">https://github.com/actions/setup-node/compare/v4...v4.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
7832068ab7 |
build(deps): bump the hilt group in /kotlin/android with 4 updates (#9925)
Bumps the hilt group in /kotlin/android with 4 updates: [com.google.dagger.hilt.android](https://github.com/google/dagger), [com.google.dagger:hilt-android](https://github.com/google/dagger), [com.google.dagger:hilt-android-compiler](https://github.com/google/dagger) and [com.google.dagger:hilt-android-testing](https://github.com/google/dagger). Updates `com.google.dagger.hilt.android` from 2.56.2 to 2.57 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/dagger/releases">com.google.dagger.hilt.android's releases</a>.</em></p> <blockquote> <h2>Dagger 2.57</h2> <h1>Potential breaking changes</h1> <p>The generated <code>Factory</code>/<code>MembersInjector</code> constructors have changed from public to private. This shouldn’t affect most users since these classes are only meant to be called by Dagger’s other generated code. If you do happen to be broken by this change, you should avoid calling Dagger’s generated <code>Factory</code>/<code>MembersInjector</code> classes directly. For a temporary solution, you can also switch to using the public static methods to create an instance. (165cf20ee)</p> <h1>Bug fixes</h1> <p>Fixes <a href="https://redirect.github.com/google/dagger/issues/4779">#4779</a>. Unshades the Kotlinx Metadata to support Kotlin 2.2.0 (bfa88b962)</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
4bb4360792 |
build(deps): bump the okhttp group in /kotlin/android with 2 updates (#9928)
Bumps the okhttp group in /kotlin/android with 2 updates: [com.squareup.okhttp3:okhttp](https://github.com/square/okhttp) and [com.squareup.okhttp3:logging-interceptor](https://github.com/square/okhttp). Updates `com.squareup.okhttp3:okhttp` from 4.12.0 to 5.1.0 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/square/okhttp/blob/master/CHANGELOG.md">com.squareup.okhttp3:okhttp's changelog</a>.</em></p> <blockquote> <h2>Version 5.1.0</h2> <p><em>2025-07-07</em></p> <ul> <li> <p>New: <code>Response.peekTrailers()</code>. When we changed <code>Response.trailers()</code> to block instead of throwing in 5.0.0, we inadvertently removed the ability for callers to peek the trailers (by catching the <code>IllegalStateException</code> if they weren't available). This new API restores that capability.</p> </li> <li> <p>Fix: Don't crash on <code>trailers()</code> if the response doesn't have a body. We broke [Retrofit] users who read the trailers on the <code>raw()</code> OkHttp response, after its body was decoded.</p> </li> </ul> <h2>Version 5.0.0</h2> <p><em>2025-07-02</em></p> <p>This is our first stable release of OkHttp since 2023. Here's the highlights if you're upgrading from OkHttp 4.x:</p> <p><strong>OkHttp is now packaged as separate JVM and Android artifacts.</strong> This allows us to offer platform-specific features and optimizations. If your build system handles [Gradle module metadata], this change should be automatic.</p> <p><strong>MockWebServer has a new coordinate and package name.</strong> We didn’t like that our old artifact depends on JUnit 4 so the new one doesn’t. It also has a better API built on immutable values. (We intend to continue publishing the old <code>okhttp3.mockwebserver</code> artifact so there’s no urgency to migrate.)</p> <table> <thead> <tr> <th align="left">Coordinate</th> <th align="left">Package Name</th> <th align="left">Description</th> </tr> </thead> <tbody> <tr> <td align="left">com.squareup.okhttp3:mockwebserver3:5.0.0</td> <td align="left">mockwebserver3</td> <td align="left">Core module. No JUnit dependency!</td> </tr> <tr> <td align="left">com.squareup.okhttp3:mockwebserver3-junit4:5.0.0</td> <td align="left">mockwebserver3.junit4</td> <td align="left">Optional JUnit 4 integration.</td> </tr> <tr> <td align="left">com.squareup.okhttp3:mockwebserver3-junit5:5.0.0</td> <td align="left">mockwebserver3.junit5</td> <td align="left">Optional JUnit 5 integration.</td> </tr> <tr> <td align="left">com.squareup.okhttp3:mockwebserver:5.0.0</td> <td align="left">okhttp3.mockwebserver</td> <td align="left">Obsolete. Depends on JUnit 4.</td> </tr> </tbody> </table> <p><strong>OkHttp now supports Happy Eyeballs ([RFC 8305][rfc_8305]) for IPv4+IPv6 networks.</strong> It attempts both IPv6 and IPv4 connections concurrently, keeping whichever connects first.</p> <p><strong>We’ve improved our Kotlin APIs.</strong> You can skip the builder:</p> <pre lang="kotlin"><code>val request = Request( url = "https://cash.app/".toHttpUrl(), ) </code></pre> <p><strong>OkHttp now supports [GraalVM].</strong></p> <p>Here’s what has changed since 5.0.0-alpha.17:</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
35cd96b481 |
fix(phoenix-channel): fail connection in invalid peer cert (#9946)
When being presented an invalid peer certificate, there is no reason why we should retry the connection, it is unlikely to fix itself. Plus, the certificate may get / be cached and a restart of the application is necessary. Resolves: #9944 |
||
|
Thomas Eizinger
|
47b35d6e3c |
ci: increase timeout for download roaming test (#9945)
Now that we don't tolerate any failures in the download, this test sometimes fails because the timeout is a bit too tight. |
||
|
Jamil
|
2038a1bc22 |
chore(ci): Use GitHub Actions Cache for CI layer cache (#9941)
Since GCP artifact registry is cost-prohibitive, we can use the GitHub Actions Cache for docker layer caching for CI builds. See https://docs.docker.com/build/cache/backends/gha/ --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Jamil
|
b5af132ae8 |
feat(portal): allow queue_target and queue_interval via ENV (#9943)
These parameters should be tuned to how long we expect "normal" queries to take against the SQL instance. For smaller instances, "normal" queries may take longer than 500ms, so we need to be able to configure these via our Terraform configuration. If not specified, the same defaults are used as before. Related: https://github.com/firezone/infra/pull/82 |
||
|
dependabot[bot]
|
5711807a3c |
build(deps): bump open_api_spex from 3.21.2 to 3.21.5 in /elixir (#9927)
Bumps [open_api_spex](https://github.com/open-api-spex/open_api_spex) from 3.21.2 to 3.21.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/open-api-spex/open_api_spex/releases">open_api_spex's releases</a>.</em></p> <blockquote> <h2>v3.21.5</h2> <h2>What's Changed</h2> <ul> <li>Fix assert_operation_response/2 references by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/673">open-api-spex/open_api_spex#673</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/open-api-spex/open_api_spex/compare/v3.21.4...v3.21.5">https://github.com/open-api-spex/open_api_spex/compare/v3.21.4...v3.21.5</a></p> <h2>v3.21.4</h2> <h2>What's Changed</h2> <ul> <li>Fix OTP-28 support by <a href="https://github.com/bopm"><code>@bopm</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/672">open-api-spex/open_api_spex#672</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/bopm"><code>@bopm</code></a> made their first contribution in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/672">open-api-spex/open_api_spex#672</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/open-api-spex/open_api_spex/compare/v3.21.3...v3.21.4">https://github.com/open-api-spex/open_api_spex/compare/v3.21.3...v3.21.4</a></p> <h2>v3.21.3</h2> <h2>What's Changed</h2> <ul> <li>Fix cast x-validate when decoded schema by <a href="https://github.com/GPrimola"><code>@GPrimola</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/647">open-api-spex/open_api_spex#647</a></li> <li>Bump CI dependencies by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/655">open-api-spex/open_api_spex#655</a></li> <li>Add examples property to Schema by <a href="https://github.com/madjar"><code>@madjar</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/654">open-api-spex/open_api_spex#654</a></li> <li>Document schema resolver duplicate titles behaviour by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/656">open-api-spex/open_api_spex#656</a></li> <li>Add spec.yaml tasks to example applications by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/657">open-api-spex/open_api_spex#657</a></li> <li>Fix 1.18 compilation warnings by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/665">open-api-spex/open_api_spex#665</a></li> <li>Check for ex_doc warnings in CI and bump devtest deps by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/666">open-api-spex/open_api_spex#666</a></li> <li>Test array query params in example phoenix app by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/667">open-api-spex/open_api_spex#667</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/GPrimola"><code>@GPrimola</code></a> made their first contribution in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/647">open-api-spex/open_api_spex#647</a></li> <li><a href="https://github.com/madjar"><code>@madjar</code></a> made their first contribution in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/654">open-api-spex/open_api_spex#654</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/open-api-spex/open_api_spex/compare/v3.21.2...v3.21.3">https://github.com/open-api-spex/open_api_spex/compare/v3.21.2...v3.21.3</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/open-api-spex/open_api_spex/blob/master/CHANGELOG.md">open_api_spex's changelog</a>.</em></p> <blockquote> <h2>v3.21.5 - 2025-07-08</h2> <ul> <li>Fix assert_operation_response/2 references by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/673">open-api-spex/open_api_spex#673</a></li> </ul> <h2>v3.21.4 - 2025-07-01</h2> <ul> <li>Fix OTP-28 support by <a href="https://github.com/bopm"><code>@bopm</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/672">open-api-spex/open_api_spex#672</a></li> </ul> <h2>v3.21.3 - 2025-06-25</h2> <ul> <li>Fix cast x-validate when decoded schema by <a href="https://github.com/GPrimola"><code>@GPrimola</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/647">open-api-spex/open_api_spex#647</a></li> <li>Add examples property to Schema by <a href="https://github.com/madjar"><code>@madjar</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/654">open-api-spex/open_api_spex#654</a></li> <li>Document schema resolver duplicate titles behaviour by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/656">open-api-spex/open_api_spex#656</a></li> <li>Fix 1.18 compilation warnings by <a href="https://github.com/zorbash"><code>@zorbash</code></a> in <a href="https://redirect.github.com/open-api-spex/open_api_spex/pull/665">open-api-spex/open_api_spex#665</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
79acfd698f |
fix(ci): remove copy binaries step (#9940)
A leftover from #9913 - we need to remove the copy binaries step. |
||
|
Jamil
|
a8f93d24a3 |
chore(infra): ditch gcp registry for ghcr.io (#9913)
Google Cloud Artifact registry and Cloud storage is a significant cost. GitHub, on the other hand, is completely free due to our being a public repository. Hence, it makes sense to ditch GCP for GHCR. To do this, we move all "staging" artifacts to GHCR. These will then be used in the infra repo to push to GCP for deploys - we probably still want pulls for our infra to hit GCP and not GitHub. One big element of this is that we potentially lose sccache, so I'll be checking the compile time of this PR and looking for alternatives that don't involve such a massive cloud bill. |
||
|
Thomas Eizinger
|
318ce24403 |
fix(connlib): resend AssignedIps on traffic for DNS resource (#9904)
This was exposed by #9846. It is being added here as a dedicated PR because the compatibility tests would fail or at least be flaky for the latest client release so we cannot add the integration test right away. |
||
|
Jamil
|
f379e85e9b |
refactor(portal): cache access state in channel pids (#9773)
When changes occur in the Firezone DB that trigger side effects, we need some mechanism to broadcast and handle these. Before, the system we used was: - Each process subscribes to a myriad of topics related to data it wants to receive. In some cases it would subscribe to new topics based on received events from existing topics (I.e. flows in the gateway channel), and sometimes in a loop. It would then need to be sure to _unsubscribe_ from these topics - Handle the side effect in the `after_commit` hook of the Ecto function call after it completes - Broadcast only a simply (thin) event message with a DB id - In the receiver, use the id(s) to re-evaluate, or lookup one or many records associated with the change - After the lookup completes, `push` the relevant message(s) to the LiveView, `client` pid, or `gateway` pid in their respective channel processes This system had a number of drawbacks ranging from scalability issues to undesirable access bugs: 1. The `after_commit` callback, on each App node, is not globally ordered. Since we broadcast a thin event schema and read from the DB to hydrate each event, this meant we had a `read after write` problem in our event architecture, leading to the potential for lost updates. Case in point: if a policy is updated from `resource_id-1` to `resource_id-2`, and then back to `resource_id-1`, it's possible that, given the right amount of delay, the gateway channel will receive two `reject_access` events for `resource_id-1`, as opposed to one for `resource_id-1` and one for `resource_id-2`, leading to the potential for unauthorized access. 1. It was very difficult to ensure that the correct topics were being subscribed to and unsubscribed from, and the correct number of times, leading to maintenance issues for other engineers. 1. We had a nasty N+1 query problem whenever memberships were added or removed that resolved in essentially all access related to that membership (so all Policies touching its actor group) to be re-evaluated, and broadcasted. This meant that any bulk addition or deletion of memberships would generate so many queries that they'd timeout or consume the entire connection pool. 1. We had no durability for side-effect processing. In some places, we were iterating over many returned records to send broadcasts. Broadcasting is not a zero-time operation, each call takes a small amount of CPU time to copy the message into the receiver's mailbox. If we deployed while this was happening, the state update would be lost forever. If this was a `reject_access` for a Gateway, the Gateway would never remove access for that particular flow. 1. On each flow authorization, we needed to hit `us-east1` not only to "authorize" the flow, but to log it as well. This incurs latency especially for users in other parts of the world, which happens on _each_ connection setup to a new resource. 1. Since we read and re-authorize access due to the thin events broadcasted from side effects, we risk hitting thundering herd problems (see the N+1 query problem above) where a single DB change could result in all receivers hitting the DB at once to "hydrate" their processing.ion 1. If an administrator modifies the DB directly, or, if we need to run a DB migration that involves side effects, they'll be lost, because the side effect triggers happened in `after_commit` hooks that are only available when querying the DB through Ecto. Manually deleting (or resurrecting) a policy, for example, would not have updated any connected clients or gateways with the new state. To fix all of the above, we move to the system introduced in this PR: - All changes are now serialized (for free) by Postgres and broadcasted as a single event stream - The number of topics has been reduced to just one, the `account_id` of an account. All receivers subscribe to this one topic for the lifetime of their pid and then only filter the events they want to act upon, ignoring all other messages - The events themselves have been turned into "fat" structs based on the schemas they present. By making them properly typed, we can apply things like the existing Policy authorizer functions to them as if we had just fetched them from the DB. - All flow creation now happens in memory and doesn't not need to incur a DB hit in `us-east1` to proceed. - Since clients and gateways now track state in a push-based manner from the DB, this means very few actual DB queries are needed to maintain state in the channel procs, and it also means we can be smarter about when to send `resource_deleted` and `resource_created_or_updated` appropriately, since we can always diff between what the client _had_ access to, and what they _now_ have access to. - All DB operations, whether they happen from the application code, a `psql` prompt, or even via Google SQL Studio in the GCP console, will trigger the _same_ side effects. - We now use a replication consumer based off Postgres logical decoding of the write-ahead log using a _durable slot_. This means that Postgres will retain _all events_ until they are acknowledged, giving us the ability to ensure at-least-once processing semantics for our system. Today, the ACK is simply, "did we broadcast this event successfully". But in the future, we can assert that replies are received before we acknowledge the event as processed back to Postgres. The tests in this PR have been updated to pass given the refactor. However, since we are tracking more state now in the channel procs, it would be a good idea to add more tests for those edge cases. That is saved as a later PR because (1) this one is already huge, and (2) we need to get this out to staging to smoke test everything anyhow. Fixes: #9908 Fixes: #9909 Fixes: #9910 Fixes: #9900 Related: #9501 |
||
|
Thomas Eizinger
|
82c4c39436 | chore(telemetry): don't start in local environment (#9905) | ||
|
Thomas Eizinger
|
d01456f451 |
docs: remove outdated license notice (#9906)
This directory no longer exists. Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
93ca701896 | chore(snownet): check remote key and creds on connection upsert (#9902) | ||
|
Thomas Eizinger
|
c8760d87ae | chore(connlib): log remote address on decapsulation error (#9903) | ||
|
Thomas Eizinger
|
c4457bf203 | feat(gateway): shutdown after 15m of portal disconnect (#9894) | ||
|
Thomas Eizinger
|
df2eeb16f8 |
docs: update changelog of #9896 (#9901)
Feedback from the PR. It merged before I could work in the changes. |
||
|
Thomas Eizinger
|
3e71a91667 |
feat(gateway): revoke unlisted authorizations upon init (#9896)
When receiving an `init` message from the portal, we will now revoke all authorizations not listed in the `authorizations` list of the `init` message. We (partly) test this by introducing a new transition in our proptests that de-authorizes a certain resource whilst the Gateway is simulated to be partitioned. It is difficult to test that we cannot make a connection once that has happened because we would have to simulate a malicious client that knows about resources / connections or ignores the "remove resource" message. Testing this is deferred to a dedicated task. We do test that we hit the code path of revoking the resource authorization and because the other resources keep working, we also test that we are at least not revoking the wrong ones. Resolves: #9892 |
||
|
Thomas Eizinger
|
a6ffdd2654 |
feat(snownet): reduce rekey-attempt-time to 15s (#9891)
From Sentry reports and user-submitted logs, we know that it is possible for Client and Gateway to de-sync in regards to what each other's public key is. In such a scenario, ICE will succeed to make a connection but `boringtun` will fail to handshake a tunnel. By default, `boringtun` tries for 90s to handshake a session before it gives up and expires it. In Firezone, the ICE agent takes care of establishing connectivity whereas `boringtun` itself just encrypts and decrypts packets. As such, if ICE is working, we know that packets aren't getting lost but instead, there must be some other issue as to why we cannot establish a session. To improve the UX in these error cases, we reduce the rekey-attempt-time to 15s. This roughly matches our ICE timeout. Those 15s count from the moment we send the first handshake which is just after ICE completes. Thus we can be sure that after at most 15s, we either have a working WireGuard session or the connection gets cleaned up. Related: #9890 Related: #9850 |
||
|
Thomas Eizinger
|
72fbe306b6 |
test: remove curl retry in favor of keep-alive (#9888)
At present, the `direct-download-roaming-network` integration test is a bit odd. It uses the `--retry` switch from `curl` to retry the download once it failed. However, what we want to show with this integration test is that a TCP connection can survive network roaming. We can show that successfully but only if we specify the `--keepalive-time` option, otherwise the download stalls. From inspecting the network logs, this is because `curl` simply waits for more data to be downloaded. After a network reset, the connection however is gone and the _client_ (in this case `curl`) needs to send at least 1 packet to re-establish the connection. By using the keep-alive option, we can send such a packet and the download completes successfully. |
||
|
Thomas Eizinger
|
cf2470ba1e |
test(iperf): install iptables rule inside of container (#9880)
In Docker environments, applying iptables rules to filter container-container traffic on the Docker bridged network is not reliable, leading to direct connections being established in our relayed tests. To fix this, we insert the rules directly from the client container itself. --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
Thomas Eizinger
|
2fd56fb7ae |
chore: remove pull_policy from containers (#9887)
Having to pull these every time one does `docker compose up` is annoying and unnecessary. |
||
|
Thomas Eizinger
|
d8ca2b4f7e |
chore: fix invalid build stage in docker-compose.yml (#9886)
We have since removed the `dev` stage from the Rust Dockerfile. Resolves: #9768 |
||
|
Thomas Eizinger
|
116b518700 |
fix(snownet): discard channel-data messages from old allocations (#9885)
When we invalidate or discard an allocation, it may happen that a relay still sends channel-data messages to us. We don't recognize those and will therefore attempt to parse them as WireGuard packets, ultimately ending in an "Packet has unknown format" error. To avoid this, we check if the packet is a valid channel-data message even if we presently don't have an allocation on the relay that is sending us the packet. In those cases, we can stop processing the packet, thus avoiding these errors from being logged. |
||
|
Jamil
|
789a3012d6 |
fix(portal): only process jsonb strings (#9883)
As a followup to #9882, we need to ensure that `jsonb` columns that have value data other than strings are not decoded as jsonb. An example of when this happens is when Postgres sends an `:unchanged_toast` to indicate the data hasn't changed. |
||
|
Jamil
|
cce21a8dea |
fix(portal): handle jsonb for embedded schemas (#9882)
In #9664, we introduced the `Domain.struct_from_params/2` function which converts a set of params containing string keys into a provided struct representing a schema module. This is used to broadcast actual structs pertaining to WAL data as opposed to simple string encodings of the data. The problem is that function was a bit too naive and failed to properly cast embedded schemas, resulting in all embedded schema on the root struct being `nil` or `[]`. To fix this, we need to do two things: 1. We now decode JSON/JSONB fields from binaries (strings) into actual lists and maps in the replication consumer module for downstream processors to use 2. We update our `struct_from_params/2` function to properly cast embedded schemas from these lists and maps using Ecto.Changeset's `apply_changes` function, which uses the same logic to instantiate the schemas as if we were saving a form or API request. Lastly, tests are added to ensure this works under various scenarios, including nested embedded schemas which we use in some places. Fixes #9835 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Thomas Eizinger
|
cb3f4c0884 |
ci: fail perf & integration tests on warnings (#9875)
We already do the same thing for our integration tests. It turns out that it wasn't working there either though. Related: #9874 |
||
|
Thomas Eizinger
|
29f81c64ff |
fix(snownet): wake idle connection on upsert (#9879)
When a connection is in idle-mode, it only sends a STUN request every 25 seconds. If the Client disconnects e.g. due to a network partition, it may send a new connection intent later. If the Gateway's connection is still around then because it was in idle mode, it won't send any candidates to the remote, making the Client's connection fail with "no candidates received". To alleviate this, we wake a connection out of idle mode every time it is being upserted. This ensures that the connection will fail within 15s IF the above scenario happens, allowing the Client to reconnect within a much shorter time-frame. Note that attempting to repair such a connection is likely pointless. It is much safer to discard it and let them both establish a new connection. Related: #9862 |
||
|
Thomas Eizinger
|
0f1c5f2818 |
refactor(relay): simplify auth module (#9873)
Whilst looking through the auth module of the relay, I noticed that we unnecessarily convert back and forth between expiry timestamps and username formats when we could just be using the already parsed version. |
||
|
Thomas Eizinger
|
ffcb269c8b |
chore(connlib): add "wake reason" to poll_timeout (#9876)
In order to debug timer interactions, it is useful to know when and why connlib wants to be woken to perform tasks. |
||
|
Thomas Eizinger
|
5141817134 |
feat(connlib): add reason argument to reset API (#9878)
In order to provide more detailed logs, why `connlib`'s network state is being reset, we add a `reason` parameter that is gets logged. Resolves: #9867 |
||
|
Thomas Eizinger
|
2b70596636 |
fix(rust): only apply filter to select tracing layers (#9872)
Applying a filter globally to the entire subscriber means it filters events for all layers. This prevents the Sentry layer from uploading DEBUG logs if configured. |
||
|
Thomas Eizinger
|
cb497a7435 |
fix(portal): use correct password generation algorithm (#9874)
In #9870, the password generation algorithm was broken. The correct order of the elements in the hash is: expiry, stamp_secret, salt. The relay expects this order when it re-generates the password to validate the message. Due to a different bug in our CI system, we weren't actually checking for warnings / errors in our perf-test suite: https://github.com/firezone/firezone/actions/runs/16285038111/job/45982241021#step:9:66 |
||
|
Thomas Eizinger
|
d92e997878 |
ci: add work-around for apple-client tag (#9877)
The current Git tag for releases of the Apple client is out-of-line with the naming of rest of the repository. Ideally, the tag would be renamed to `apple-client-X.Y.Z` as it represents the version for both the macOS and iOS client. I am not familiar with the redirect system on our website to confidentially do this without breaking anything, so the easiest fix here is to employ the same hack we already do for Sentry where we special-case the `macos-client` tag. Resolves: #9871 |
||
|
dependabot[bot]
|
b9302cdc2a |
build(deps): bump rustls from 0.23.28 to 0.23.29 in /rust (#9860)
Bumps [rustls](https://github.com/rustls/rustls) from 0.23.28 to 0.23.29. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
9ed7220520 |
build(deps): bump clap from 4.5.40 to 4.5.41 in /rust (#9861)
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.40 to 4.5.41. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p> <blockquote> <h2>[4.5.41] - 2025-07-09</h2> <h3>Features</h3> <ul> <li>Add <code>Styles::context</code> and <code>Styles::context_value</code> to customize the styling of <code>[default: value]</code> like notes in the <code>--help</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
8dbb02e549 |
build(deps): bump zbus from 5.7.1 to 5.8.0 in /rust (#9863)
Bumps [zbus](https://github.com/dbus2/zbus) from 5.7.1 to 5.8.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dbus2/zbus/releases">zbus's releases</a>.</em></p> <blockquote> <h2>🔖 zbus 5.8.0</h2> <ul> <li>✨ <code>interface</code> macro now supports write-only properties.</li> <li>✨ Copy attributes over to <code>receive_*_changed</code> and <code>cached_*</code> methods in <code>proxy</code>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Brian Manifold
|
0d9e865ea8 |
feat(porat): Update portal telemetry (#9868)
Why: * Adding more BEAM VM metrics to give us better insight as to how our BEAM cluster is running since we're in the middle of making some moderately large architectural changes to the application. |
||
|
Jamil
|
17d7e29b81 |
fix(portal): use public key for TURN creds (#9870)
As a followup to #9856, after talking with @bmanifold, we determined using the public_key as the username for TURN credentials is a safer bet because: - It's by definition public and therefore does not need to be obfuscated - It's shorter-lived than the token, especially for the gateway - It essentially represents the data plane connection for client/gateway and naturally rotates along with the key state for those |
||
|
Jamil
|
1e577d31b9 |
fix(portal): use reproducible relay creds (#9857)
When giving TURN credentials to clients and gateways, it's important that they remain consistent across hiccups in the portal connection so that relayed connections are not interrupted during a deploy, or if the user's internet is flaky, or the GCP load balancer decides to disconnect the client/gateway. Prior to this PR, that was not the case because we essentially tied TURN credentials, required for data plane packet flows, to the WebSocket connection, a control plane element. This happened because we generated random `expires_at` and `salt` elements on _each_ connection to the portal. Instead, what we do now is make these reproducible and tied to the auth token by hashing then base64-encoding it. The expiry is tied to the auth-token's expiry. Fixes #9856 |
||
|
Thomas Eizinger
|
2e0ed018ee | chore: document metrics config switches as private API (#9865) | ||
|
Thomas Eizinger
|
f5425ac8e4 |
fix(snownet): fail connection on handshake decryption errors (#9850)
As per the WireGuard paper, `boringtun` tries to handshake with the remote peer for 90s before it gives up. This timeout is important because when a session is discarded due to e.g. missing replies, WireGuard attempts to handshake a new session. Without this timeout, we would then try to handshake a session forever. Unfortunately, `boringtun` does not distinguish a missing handshake response from a bad one. Decryption errors whilst decoding a handshake response are simply passed up to the upper layer, in our case `snownet`. I am not sure how we can actually fail to decrypt a handshake but the pattern we are seeing in customer logs is that this happens over and over again, so there is no point in having `boringtun` retry the handshake. Therefore, we immediately fail the connection when this happens. Failed connections are immediately removed, triggering the client send a new connection-intent to the portal. Such a new connection intent will then sync-up the state between Client and Gateway so both of them use the most recent public key. Resolves: #9845 |
||
|
Thomas Eizinger
|
cecca37073 |
feat(gateway): allow exporting metrics to an OTEL collector (#9838)
As a first step in preparation for sending OTEL metrics from Clients and Gateways to a cloud-hosted OTEL collector, we extend the CLI of the Gateway with configuration options to provide a gRPC endpoint to an OTEL collector. If `FIREZONE_METRICS` is set to `otel-collector` and an endpoint is configured via `OTLP_GRPC_ENDPOINT`, we will report our metrics to that collector. The future plan for extending this is such that if `FIREZONE_METRICS` is set to `otel-collector` (which will likely be the default) and no `OTLP_GRPC_ENDPOINT` is set, then we will use our own, hosted OTEL collector and report metrics IF the `export-metrics` feature-flag is set to `true`. This is a similar integration as we have done it with streaming logs to Sentry. We can therefore enable it on a similar granularity as we do with the logs and e.g. only enable it for the `firezone` account to start with. In meantime, customers can already make use of those metrics if they'd like by using the current integration. Resolves: #1550 Related: #7419 --------- Co-authored-by: Antoine Labarussias <antoinelabarussias@gmail.com> |
||
|
Thomas Eizinger
|
70e4b6572f |
chore(rust): log environment when updating feature flags (#9855)
It is useful to know, which environment we've updated the feature-flags for. |
||
|
Thomas Eizinger
|
eb4c54620c |
chore(linux): add more error context to TUN device (#9853)
When failing to create the TUN device, the error messages are currently pretty bare. Add a bit more context so users can self-diagnose easier what is wrong. |