mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
bce2aa30b528e990ef8a30f85fece64a9f04e1ab
1367 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
199766ccf9 |
ci(rust): improve proptest coverage checks (#10918)
The current coverage checks for paths that we hit during our proptests fail as soon as one of them is not satisfied. When iterating on the proptests, it is useful to see in one go, which paths are currently not hit to generate the missing regression seeds. Hence, we refactor the script to perform all checks and fail if any of them are not hit, outputting all missing ones. |
||
|
|
32df4b399a |
chore: modularize .tool-versions (#10919)
Not all tools are needed for all parts of the codebase. In order to avoid installing all tools, we create nested `.tool-versions` files that list the specific dev-tools needed for a certain part of the product. |
||
|
|
9dc68e5844 |
build(deps): bump peter-evans/create-issue-from-file from 5.0.1 to 6.0.0 (#10842)
Bumps [peter-evans/create-issue-from-file](https://github.com/peter-evans/create-issue-from-file) from 5.0.1 to 6.0.0. |
||
|
|
7688dd1862 |
build(deps): bump docker/login-action from 3.4.0 to 3.6.0 (#10838)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.4.0 to 3.6.0. |
||
|
|
103aa16b2f | fix: use our own docker install action (#10877) | ||
|
|
49b7701536 |
ci: promote preview .deb to stable on release (#10846)
The current CI job expects the release to have the `.deb` files attached. Since writing that workflow, I've changed my mind on attaching the `.deb` files there. Instead, they are only uploaded to the repository. Without documentation on how to use them, these `.deb` files are unlikely to provide a good user experience. We change the job to instead promote the latest "preview" archives to the stable repo. |
||
|
|
5ae2707719 | chore: publish gateway 1.4.18 (#10823) | ||
|
|
54e6f8bc0f |
chore(ci): replace macos-13 runners with macos-26 (#10753)
https://github.com/actions/runner-images/issues/13046 Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
|
04f4415344 |
chore: publish android-client 1.5.6 (#10745)
Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
|
4e95dd1cb6 |
ci: fail fast inside the merge queue (#10746)
Setting `fail-fast: false` unsurprisingly makes our CI fail pretty slowly. This is especially noticeable in the merge queue where a long-running job could still hold up the entire queue even though a different job has failed already and the PR is never going to make it in anyway. To avoid this scenario, we set `fail-fast: true` whenever we are in the merge queue. |
||
|
|
29aede5e79 |
build(deps): bump actions/cache from 4.2.3 to 4.3.0 (#10734)
Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.3.0. |
||
|
|
57cad57a84 |
ci: run all jobs in merge queue (#10744)
Trying to be clever as to which jobs to run inside the merge queue doesn't seem to work. Therefore, we now revert to just running all jobs in there. |
||
|
|
f2088fcf43 |
ci: use base_ref instead of base_sha (#10743)
CI sometimes appears to have issues where it cannot find a certain commit. Referencing the `ref` directly should fix this. |
||
|
|
6fb7fe1c21 |
ci: remove polling from required-check (#10740)
Currently, we launch the `required_check` right away with all others and poll the GitHub API to see if all others have completed already. This eats into our API quota. An easier way to do the same thing is to declare a dependency of the `required_check` onto all other jobs. Normally, this wouldn't work because we skip certain jobs if the related files haven't been modified. We can opt out of this default behaviour by telling GitHub to `always()` run our job. That way, it naturally gets scheduled after all others, even if some of the jobs have been skipped. |
||
|
|
bb846e1be1 |
fix(ci): remove comment in multi-line command (#10714)
This comment breaks the multi-line command. The debian archive will be available from the APT repository so uploading that to the releases page is not actually necessary. We can still do it later if we want to though. For now, remove the comment to make the workflow work again. |
||
|
|
0d2ddd8497 |
feat(gateway): create debian package (#10537)
With this PR we add `cargo-deb` to our CI pipeline and build a debian package for the Gateway. The debian package comes with several configuration files that make it easy for admins to start and maintain a Gateway installation: - The embedded systemd unit file is essentially the same one as what we currently install with the install script with some minor modifications. - The token is read from `/etc/firezone/gateway-token` and passed as a systemd credential. This allows us to set the permissions for this file to `0400` and have it owned by `root:root`. - The configuration is read from `/etc/firezone/gateway-env`. - Both of these changes basically mean the user should never need to touch the unit file itself. - The `sysusers` configuration file ensures the `firezone` user and group are present on the system. - The `tmpfiles` configuration file ensures the necessary directories are present. All of the above is automatically installed and configured using the post-installation script which is called by `apt` once the package is installed. In addition to the Gateway, we also package a first version of the `firezone-cli`. Right now, `firezone-cli` (installed as `firezone`) has three subcommands: - `gateway authenticate`: Asks for the Gateway's token and installs it at `/etc/firezone/gateway-token`. The user doesn't have to know how we manage this token and can trust that we are using safe defaults. - `gateway enable`: Enables and starts the systemd service. - `gateway disable`: Disables the systemd service. Right now, the `.deb` file is only uploaded to the preview APT repository and not attached to the release. It should therefore not yet be user-visible unless somebody pokes around a lot, meaning we can defer documentation to a later PR and start testing it from the preview repository for our own purposes. Related: #10598 Resolves: #8484 Resolves: #10681 |
||
|
|
18a8877add |
ci: upload draft releases from GUI client to preview repository (#10696)
Similarly to #10537, we upload the `.deb` files attached to the draft releases to the APT preview repository. This makes it easier to install these preview releases on test machines. Related: #10681 |
||
|
|
28ea0730b6 |
feat(apt): import .deb files from import- directory (#10694)
Currently, the `sync-apt.sh` script just generates metadata for all packages found in the `.deb` directory. Unfortunately, this requires the packages to already be uploaded with a certain naming convention, otherwise `apt-ftparchive packages` doesn't actually detect them and creates an empty `Packages` file. The solution here is to extend the `sync-apt.sh` script to normalize the filename to what we need it to be. This requires us to upload the new `.deb` files to the `pool` directory. Instead of messing around with the existing files in there, we slightly change how the `sync-apt.sh` script works. In its new version, it expects packages to be in the `import-stable` and `import-preview` directories. It will then download these, normalize their names and move them to a local `pool-stable` and `pool-preview` directory respectively (potentially overwriting an existing one that is already there, this allows for updating packages). As a final step, it will generate the metadata for all packages in `pool-stable` and `pool-preview`, upload both directories, upload the metadata and then delete the imported `.deb` files. |
||
|
|
883d95c2c8 |
feat(apt): sign contents of APT repository (#10688)
In order to secure an APT repository, the `Release` file containing the hashes of all packages needs to be signed with a GPG key. These signatures simply need to be synced back up to the repository. The rest is handled by `apt` itself. Resolves: #10599 |
||
|
|
67e376eb02 |
ci: only check for completed jobs every 60s (#10686)
According to GitHub support, this API call is responsible for most of our API usage. Until we find a better way of organising this, checking only every minute should be fine too, even if it slows down the merge queue a bit. Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
|
ed2bc0bd25 |
feat(gateway): revise handling of DNS resolution errors (#10623)
Even prior to #10373, failures in resolving a name on the Gateway for a DNS resource resulted in a failure of setting up the DNS resource NAT. Without the DNS resource NAT, packets for that resource bounced on the Gateway because we didn't have any traffic filters. A non-existent filter is being treated as a "traffic not allowed" error and we respond with an ICMP permission denied error. For domains where both the A and AAAA query result in NXDOMAIN, that isn't necessarily appropriate. Instead, I am proposing that for such cases, we want to return a regular "address/host unreachable" ICMP error instead of the more specific "permission denied" variant. To achieve that, we refactor the Gateway's peer state to be able to hold an `Option<IpAddr>` inside the `TranslationState`. This allows us to always insert an entry for each proxy IP, even if we did not resolve any IPs for it. Then, when receiving traffic for a proxy IP where the resolved IP is `None`, we reply with the appropriate ICMP error. As part of this, we also simplify the assignment of the proxy IPs. With the NAT64 module removed, there is no more reason to cross-assign IPv4 and IPv6 addresses. We can simply leave the mappings for e.g. IPv6 proxy addresses empty if the AAAA query didn't resolve anything. From the Client's perspective, not much changes. The DNS resource NAT setup will now succeed, even for domains that don't resolve to anything. This doesn't change any behaviour though as we are currently already passing packets through for failed DNS resource NAT setups. The main change is that we now send back a different ICMP error. Most importantly, the "address/host unreachable" variant does not trigger #10462. |
||
|
|
c197d37aaa |
ci: install latest Azure CLI for APT sync (#10678)
Whichever version of the CLI is installed on the GitHub runners doesn't appear to be able to run our script (which works just fine locally). |
||
|
|
6a538368cb |
feat(gateway): add flow-logs MVP (#10576)
Network flow logs are a common feature of VPNs. Due to the nature of a shared exit node, it is of great interest to a network analyst which TCP connections are getting routed through the tunnel, who is initiating them, for how long they last and how much traffic is sent across them. With this PR, the Firezone Gateway gains the ability of detecting the TCP and UDP flows that are being routed through it. The information we want to attach to these flows is spread out over several layers of the packet handling code. To simplify the implementation and not complicate the APIs unnecessarily, we chose to rely on TLS (thread-local storage) for gathering all the necessary data as a packet gets passed through the various layers. When using a const initializer, the overhead of a TLS variable over an actual local variable is basically zero. The entire routing state of the Gateway is also never sent across any threads, making TLS variables a particularly good choice for this problem. In its MVP form, the detected flows are only emitted on stdout and also that only if `flow_logs=trace` is set using `RUST_LOG`. Early adopters of this feature are encouraged to enable these logs as described and then ingest the Gateway's logs into the SIEM of their choice for further analysis. Related: #8353 |
||
|
|
a59f7ee2e2 |
chore: install JDK via .tool-versions (#10663)
For working on the Android app, we need an installation of the JDK. Currently, that is being installed separately in CI. We already have `.tool-versions` which is designed to take care of this so we add OpenJDK 17 to the list of required tools and remove the dedicated CI step. |
||
|
|
76d86545a6 | chore: publish apple-client 1.5.9 (#10654) | ||
|
|
9b6ebb01ed | chore: publish android-client 1.5.5 (#10614) | ||
|
|
928d8a2512 |
fix(connlib): handle resources changing site (#10604)
Similar to how resources can be edited to change their address, IP stack or other properties, they can also be moved between different sites. Currently, `connlib` requires the portal to explicitly remove the resource and then re-add it for this to work. Our system gets more robust if we also detect that the sites of a resource have changed and handle it like other addressability changes. To ensure that this works correctly, we also extend the proptests to simulate addressability changes of resources. Resolves: #9881 Related: #10593 |
||
|
|
7e5ec7c2d7 |
ci: upload .deb from releases to APT repository (#10587)
This PR creates the necessary CI infrastructure to copy `.deb` packages from releases to our APT repository. Re-generation of the index is separated out into a dedicated workflow to avoid concurrency issues and so we can re-generate it without making a release. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
5272e0c992 | chore: publish headless-client 1.5.4 (#10590) | ||
|
|
f78cccea1b | chore: publish gui-client 1.5.8 (#10591) | ||
|
|
e3bb2fb931 | chore: publish gateway 1.4.17 (#10584) | ||
|
|
ad69864e41 |
chore(ci): use bin/ prefix for binary artifacts (#10582)
We'll be using a consistent `artifacts` storage account for these built binaries, so we've renamed the container to `binaries`. The apt packages would be under the `apt` container at `artifacts.firezone.dev/apt/` accordingly. Related: firezone/infra#182 |
||
|
|
b3b92faf45 |
ci: merge publish workflows (#10568)
All of these jobs should run every time we publish a release. It makes sense to merge them into one workflow. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
35a53ae675 |
ci: add workflow inputs for _build-data-plane.yml (#10570)
In #10542, we split out a dedicated workflow for building the data plane artifacts. Unfortunately, we forgot to add an input section to the `workflow_dispatch` trigger. This is necessary to correctly build the artifacts for e.g. an upcoming release. Here is a test-run: https://github.com/firezone/firezone/actions/runs/18485551622 |
||
|
|
448499b13e |
ci: only create data-plane draft release on trigger (#10542)
Right now, draft releases for Gateways and headless-clients are created on each merge to main. For all other components, we only create those when we trigger the workflow for a specific commit. To align this functionality, we split the `_build_artifacts.yml` workflow into two: - `_control-plane.yml` - `_data-plane.yml` Apart from the `sha` input, all inputs only concern the data-plane, therefore massively simplifying the control-plane workflow. Additionally, the control-plane also doesn't have a manual trigger because its artifacts never get released on GitHub. Resolves: #10541 |
||
|
|
d11bd14fce |
fix(ci): send PR swift builds to testflight (#10536)
Fixes a bug introduced in #8778 that disabled uploading release builds on PR runs to the App Store for TestFlight distribution. |
||
|
|
709ca25ba0 |
build(deps): bump actions/setup-python from 5.6.0 to 6.0.0 (#10528)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.0.0. |
||
|
|
4ef827b611 |
ci: revise Rust caching configuration (#10512)
We primarily rely on sccache for speeding up our Rust builds. The `setup-rust-toolchain` action configures `rust-cache` in addition but tries to set it up for the root of the repository which doesn't work in our scenario. It is also unnecessary to set up additional caching for the `target` directory because we use `sccache` anyway. sccache only caches compile artifacts but it can also be beneficial to cache the downloaded Rust sources. Those aren't very big so we use the `rust-cache` action for that but disable the `target` cache. This config option isn't forwarded by `setup-rust-toolchain` so we disable its cache integration and use `rust-cache` directly. |
||
|
|
a1b2ca195c |
ci(apple): explicitly select Xcode 26.0 (#10511)
In order to build the iOS app with the Xcode version that is installed on the GitHub runners, we need to select the Xcode version by major and minor version. Currently, the iOS builds are failing because Xcode 26.1 also exists but iOS 26.1 isn't supported (or released?). See https://github.com/firezone/firezone/actions/runs/18239282351/job/51938727311. |
||
|
|
13851c8fd7 |
chore: bump Xcode version (#10499)
Use latest Xcode 26.0, which is now officially available on the same macos-15 runner. |
||
|
|
b4fae701ec |
ci: silence 429s errors in link checker (#10495)
Until https://github.com/lycheeverse/lychee/pull/1844 is shipped, we silence 429s as valid status codes whenever links are being checked by lychee. |
||
|
|
ac85b70a43 |
build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 (#10429)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 5.0.0. |
||
|
|
e5d0f3570a |
build(deps): bump lycheeverse/lychee-action from 2.4.1 to 2.6.1 (#10476)
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.4.1 to 2.6.1. |
||
|
|
b11adfcfe4 |
feat(connlib): create flow on ICMP error "prohibited" (#10462)
In Firezone, a Client requests an "access authorization" for a Resource on the fly when it sees the first packet for said Resource going through the tunnel. If we don't have a connection to the Gateway yet, this is also where we will establish a connection and create the WireGuard tunnel. In order for this to work, the access authorization state between the Client and the Gateway MUST NOT get out of sync. If the Client thinks it has access to a Resource, it will just route the traffic to the Gateway. If the access authorization on the Gateway has expired or vanished otherwise, the packets will be black-holed. Starting with #9816, the Gateway sends ICMP errors back to the application whenever it filters a packet. This can happen either because the access authorization is gone or because the traffic wasn't allowed by the specific filter rules on the Resource. With this patch, the Client will attempt to create a new flow (i.e. re-authorize) traffic for this resource whenever it sees such an ICMP error, therefore acting as a way of synchronizing the view of the world between Client and Gateway should they ever run out of sync. Testing turned out to be a bit tricky. If we let the authorization on the Gateway lapse naturally, the portal will also toggle the Resource off and on on the Client, resulting in "flushing" the current authorizations. Additionally, if the Client only had access to one Resource, then the Gateway will gracefully close the connection, also resulting in the Client creating a new flow for the next packet. To actually trigger this new behaviour we need to: - Access at least two resources via the same Gateway - Directly send `reject_access` to the Gateway for this particular resource To achieve this, we dynamically eval some code on the API node and instruct the Gateway channel to send `reject_access`. The connection stays intact because there is still another active access authorization but packets for the other resource are answered with ICMP errors. 
To achieve a safe roll-out, the new behaviour is feature-flagged. In order to still test it, we now also allow feature flags to be set via env variables. Resolves: #10074 --------- Co-authored-by: Mariusz Klochowicz <mariusz@klochowicz.com> |
||
|
|
9a677f08cf |
build(deps): bump google-github-actions/auth from 2.1.10 to 3.0.0 (#10471)
Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.10 to 3.0.0. |
||
|
|
9865e03343 |
ci: fix double symmetric NAT test failure (#10410)
As it turns out, the flaky test was caused by a bug in the eBPF kernel where we read the old channel data header from the wrong offset. This made us essentially read garbage data for the channel number, causing us to: a. Compute a bad checksum b. Send the packet on a completely wrong channel The reason this caused a flaky test is that it requires one side to pick IPv4 to talk to the relay and the other side IPv6. The happy-eyeballs approach of the `allocation` module made that non-deterministic, only exposing this bug occasionally. To ensure these kinds of things are detected earlier in the future, I am adding an additional CI step that checks all packets emitted by the eBPF kernel for checksum errors. Fixes: #10404 Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
40aba05742 |
build(deps): bump actions/checkout from 4 to 5 (#10440)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. |
||
|
|
69dd7a5c67 |
build(deps): bump amannn/action-semantic-pull-request from 5.5.3 to 6.1.1 (#10444)
Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.5.3 to 6.1.1. |
||
|
|
f09232e983 |
ci: disable flaky integration test (#10427)
Until we can figure out why this is flaky, comment it out to allow for stable CI. |
||
|
|
e6a9b7cd41 |
ci: optimise log levels (#10409)
The majority of the log levels stated in the docker-compose file are stale because those crates have long been deleted or renamed. Additionally, the `wire` logs have already been disabled in release builds, meaning we no longer need to patch them out before the perf tests. |