mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
ccc736e63e5fb975e330c5d21536183f4515db9d
1395 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
27c7d537bb |
build(deps): bump pnpm/action-setup from 4.0.0 to 4.1.0 in /.github/actions/setup-node (#9926)
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4.0.0 to 4.1.0. Release notes (sourced from [pnpm/action-setup's releases](https://github.com/pnpm/action-setup/releases)): v4.1.0: Add support for `package.yaml` ([#156](https://redirect.github.com/pnpm/action-setup/pull/156)). |
||
|
|
d244a99c58 |
feat(connlib): always use all candidates (#9979)
In #6876, we added functionality that would only make use of new remote candidates whilst we haven't nominated a socket yet with the remote. The reason for that was because in the described edge-case where relays reboot or get replaced whilst the client is partitioned from the portal (or we experience a connection hiccup), only one of the two peers, i.e. Client or Gateway would migrate to the new relay, leaving the other one in an inconsistent state.
Looking at recent customer logs, I've been seeing a lot of these messages:
> Unknown connection or socket has already been nominated
For this particular customer, these are then very quickly followed by ICE timeouts, leaving the connection unusable. Considering that, I no longer think that the above change was a good idea and we should instead always make use of all candidates that we are given.
What we are seeing is that in deployment scenarios where the latency link between Client and Gateway is very short (5-10ms) yet the latency to the portal is longer (~30-50ms), we trigger a race condition where we are temporarily nominating a _peer-reflexive_ candidate pair instead of a regular one. This happens because with such a short latency link, Client and Gateway are _faster_ in sending back and forth several STUN bindings than the control plane is in delivering all the candidates.
Due to the functionality added in #6876, this then results in us not accepting the candidates. It further appears that a nominated peer-reflexive candidate does not provide a stable connection which is why we then run into an ICE timeout, requiring Firezone to establish a new connection only to have the same thing happen again. This is very disruptive for the user experience as the connection only works for a few moments at a time.
With #9793, we have actually added a feature that is also at play here. Now that we don't immediately act on an ICE timeout, it is actually possible for both Client and Gateway to migrate a connection to a different relay, should the one that they are using get disconnected. In #9793, we added a timeout of 2s for this.
To make this fully work, we need to patch str0m to transition to `Checking` early. Presently, str0m would directly transition from `Disconnected` to `Connected` in this case which in some of the high-latency scenarios that we are testing in CI is not enough to recover the connection within 2s. By transitioning to `Checking` early, we abort this timer.
Related: https://github.com/algesten/str0m/pull/676 |
||
|
|
86954a4f4a |
fix(ci): don't version images until release (#9968)
Fixes #9967 |
||
|
|
a11983e4b3 | chore: publish gateway 1.4.13 (#9969) | ||
|
|
4c0c605c72 |
build(deps): bump taiki-e/install-action from 2.55.3 to 2.56.19 (#9918)
Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.55.3 to 2.56.19.
Release notes (sourced from [taiki-e/install-action's releases](https://github.com/taiki-e/install-action/releases)):
- 2.56.19: Update `cargo-llvm-cov@latest` to 0.6.18.
- 2.56.18: Update `just@latest` to 1.42.3.
- 2.56.17: Update `wasmtime@latest` to 34.0.2.
- 2.56.16: Update `cargo-zigbuild@latest` to 0.20.1. Update `cargo-lambda@latest` to 1.8.6. Update `vacuum@latest` to 0.17.6. Update `earthly@latest` to 0.8.16.
- 2.56.15: Fix `cargo-valgrind` installation error due to their tag rename. Update `cargo-valgrind@latest` to 2.3.2. Update `just@latest` to 1.42.2.
- 2.56.14: Update `zola@latest` to 0.21.0. Update `wait-for-them@latest` to 0.5.1. Update `mdbook@latest` to 0.4.52. Update `just@latest` to 1.42.1. Update `cargo-shear@latest` to 1.4.0. Update `cyclonedx@latest` to 0.29.0.
- 2.56.13: Update `cargo-nextest@latest` to 0.9.101.
- 2.56.12: Update `cargo-hack@latest` to 0.6.37.
- 2.56.11: Update `osv-scanner@latest` to 2.1.0. Update `cargo-no-dev-deps@latest` to 0.2.16. Update `cargo-minimal-versions@latest` to 0.1.31.
- ... (truncated)
Changelog (sourced from [taiki-e/install-action's changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)): All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](https://semver.org).
- [Unreleased]
- [2.56.19] - 2025-07-19: Update `cargo-llvm-cov@latest` to 0.6.18.
- [2.56.18] - 2025-07-19: Update `just@latest` to 1.42.3.
- [2.56.17] - 2025-07-18: Update `wasmtime@latest` to 34.0.2.
- [2.56.16] - 2025-07-18: Update `cargo-zigbuild@latest` to 0.20.1. Update `cargo-lambda@latest` to 1.8.6. Update `vacuum@latest` to 0.17.6. Update `earthly@latest` to 0.8.16.
- [2.56.15] - 2025-07-16: Fix `cargo-valgrind` installation error due to their tag rename. Update `cargo-valgrind@latest` to 2.3.2. Update `just@latest` to 1.42.2.
- [2.56.14] - 2025-07-15: Update `zola@latest` to 0.21.0. Update `wait-for-them@latest` to 0.5.1. Update `mdbook@latest` to 0.4.52.
- ... (truncated) |
||
|
|
dff6495057 | fix(ci): use pinned musl toolchains (#9953) | ||
|
|
c498d725f4 |
build(deps): bump actions/setup-node from 4.1.0 to 4.4.0 in /.github/actions/setup-node (#9924)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.1.0 to 4.4.0.
Release notes (sourced from [actions/setup-node's releases](https://github.com/actions/setup-node/releases)):
v4.4.0, What's Changed:
- Bug fixes: Make eslint-compact matcher compatible with Stylelint by @FloEdelmann in actions/setup-node#98
- Bug fixes: Add support for indented eslint output by @fregante in actions/setup-node#1245
- Enhancement: Support private mirrors by @marco-ippolito in actions/setup-node#1240
- Dependency update: Upgrade `@action/cache` from 4.0.2 to 4.0.3 by @aparnajyothi-y in actions/setup-node#1262
- New Contributors: @FloEdelmann made their first contribution in actions/setup-node#98; @fregante made their first contribution in actions/setup-node#1245; @marco-ippolito made their first contribution in actions/setup-node#1240
- Full Changelog: https://github.com/actions/setup-node/compare/v4...v4.4.0
v4.3.0, What's Changed (Dependency updates):
- Upgrade `@actions/glob` from 0.4.0 to 0.5.0 by @dependabot in actions/setup-node#1200
- Upgrade `@action/cache` from 4.0.0 to 4.0.2 by @gowridurgad in actions/setup-node#1251
- Upgrade `@vercel/ncc` from 0.38.1 to 0.38.3 by @dependabot in actions/setup-node#1203
- Upgrade `@actions/tool-cache` from 2.0.1 to 2.0.2 by @dependabot in actions/setup-node#1220
- New Contributors: @gowridurgad made their first contribution in actions/setup-node#1251
- Full Changelog: https://github.com/actions/setup-node/compare/v4...v4.3.0
v4.2.0, What's Changed:
- Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by @aparnajyothi-y in actions/setup-node#1174
- Add recommended permissions section to readme by @benwells in actions/setup-node#1193
- Configure Dependabot settings by @HarithaVattikuti in actions/setup-node#1192
- Upgrade `@actions/cache` to `^4.0.0` by @priyagupta108 in actions/setup-node#1191
- Upgrade pnpm/action-setup from 2 to 4 by @dependabot in actions/setup-node#1194
- Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @dependabot in actions/setup-node#1195
- Upgrade semver from 7.6.0 to 7.6.3 by @dependabot in actions/setup-node#1196
- Upgrade `@types/jest` from 29.5.12 to 29.5.14 by @dependabot in actions/setup-node#1201
- Upgrade undici from 5.28.4 to 5.28.5 by @dependabot in actions/setup-node#1205
- New Contributors: @benwells made their first contribution in actions/setup-node#1193
- Full Changelog: https://github.com/actions/setup-node/compare/v4...v4.2.0 |
||
|
|
2038a1bc22 |
chore(ci): Use GitHub Actions Cache for CI layer cache (#9941)
Since GCP artifact registry is cost-prohibitive, we can use the GitHub Actions Cache for docker layer caching for CI builds. See https://docs.docker.com/build/cache/backends/gha/ --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
79acfd698f |
fix(ci): remove copy binaries step (#9940)
A leftover from #9913 - we need to remove the copy binaries step. |
||
|
|
a8f93d24a3 |
chore(infra): ditch gcp registry for ghcr.io (#9913)
Google Cloud Artifact registry and Cloud storage are a significant cost. GitHub, on the other hand, is completely free due to our being a public repository. Hence, it makes sense to ditch GCP for GHCR. To do this, we move all "staging" artifacts to GHCR. These will then be used in the infra repo to push to GCP for deploys - we probably still want pulls for our infra to hit GCP and not GitHub. One big element of this is that we potentially lose sccache, so I'll be checking the compile time of this PR and looking for alternatives that don't involve such a massive cloud bill. |
||
|
|
3e71a91667 |
feat(gateway): revoke unlisted authorizations upon init (#9896)
When receiving an `init` message from the portal, we will now revoke all authorizations not listed in the `authorizations` list of the `init` message. We (partly) test this by introducing a new transition in our proptests that de-authorizes a certain resource whilst the Gateway is simulated to be partitioned. It is difficult to test that we cannot make a connection once that has happened because we would have to simulate a malicious client that knows about resources / connections or ignores the "remove resource" message. Testing this is deferred to a dedicated task. We do test that we hit the code path of revoking the resource authorization and because the other resources keep working, we also test that we are at least not revoking the wrong ones. Resolves: #9892 |
||
|
|
cf2470ba1e |
test(iperf): install iptables rule inside of container (#9880)
In Docker environments, applying iptables rules to filter container-container traffic on the Docker bridged network is not reliable, leading to direct connections being established in our relayed tests. To fix this, we insert the rules directly from the client container itself. --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
cb3f4c0884 |
ci: fail perf & integration tests on warnings (#9875)
We already do the same thing for our integration tests. It turns out that it wasn't working there either though. Related: #9874 |
||
|
|
d92e997878 |
ci: add work-around for apple-client tag (#9877)
The current Git tag for releases of the Apple client is out-of-line with the naming of the rest of the repository. Ideally, the tag would be renamed to `apple-client-X.Y.Z` as it represents the version for both the macOS and iOS client. I am not familiar with the redirect system on our website to confidently do this without breaking anything, so the easiest fix here is to employ the same hack we already do for Sentry where we special-case the `macos-client` tag. Resolves: #9871 |
||
|
|
66455ab0ef |
feat(gateway): translate TimeExceeded ICMP messages (#9812)
In the DNS resource NAT table, we track parts of the layer 4 protocol of
the connection in order to map packets back to the correct proxy IP in
case multiple DNS names resolve to the same real IP. The involvement of
layer 4 means we need to perform some packet inspection in case we
receive ICMP errors from an upstream router.
Presently, the only ICMP error we handle here is destination
unreachable. Those are generated e.g. when we are trying to contact an
IPv6 address but we don't have an IPv6 egress interface. An additional
error that we want to handle here is "time exceeded":
Time exceeded is sent when the TTL of a packet reaches 0. Typically,
TTLs are set high enough such that the packet makes it to its
destination. When using tools such as `tracepath` however, the TTL is
specifically only incremented one-by-one in order to resolve the exact
hops a packet is taking to a destination. Without handling the time
exceeded ICMP error, using `tracepath` through Firezone is broken
because the packets get dropped at the DNS resource NAT.
With this PR, we generalise the functionality of detecting destination
unreachable ICMP errors to also handle time-exceeded errors, allowing
tools such as `tracepath` to somewhat work:
```
❯ sudo docker compose exec --env RUST_LOG=info -it client /bin/sh -c 'tracepath -b example.com'
1?: [LOCALHOST] pmtu 1280
1: 100.82.110.64 (100.82.110.64) 0.795ms
1: 100.82.110.64 (100.82.110.64) 0.593ms
2: example.com (100.96.0.1) 0.696ms asymm 45
3: example.com (100.96.0.1) 5.788ms asymm 45
4: example.com (100.96.0.1) 7.787ms asymm 45
5: example.com (100.96.0.1) 8.412ms asymm 45
6: example.com (100.96.0.1) 9.545ms asymm 45
7: example.com (100.96.0.1) 7.312ms asymm 45
8: example.com (100.96.0.1) 8.779ms asymm 45
9: example.com (100.96.0.1) 9.455ms asymm 45
10: example.com (100.96.0.1) 14.410ms asymm 45
11: example.com (100.96.0.1) 24.244ms asymm 45
12: example.com (100.96.0.1) 31.286ms asymm 45
13: no reply
14: example.com (100.96.0.1) 303.860ms asymm 45
15: no reply
16: example.com (100.96.0.1) 135.616ms (This broken router returned corrupted payload) asymm 45
17: no reply
18: example.com (100.96.0.1) 161.647ms asymm 45
19: no reply
20: no reply
21: no reply
22: example.com (100.96.0.1) 238.066ms reached
Resume: pmtu 1280 hops 22 back 45
```
We say "somewhat work" because due to the NAT that is in place for DNS
resources, the output does not disclose the intermediary hops beyond the
Gateway.
Co-authored-by: Antoine Labarussias <antoinelabarussias@gmail.com>
---------
Co-authored-by: Antoine Labarussias <antoinelabarussias@gmail.com>
|
||
|
|
d6805d7e48 |
chore(rust): bump to Rust 1.88 (#9714)
Rust 1.88 has been released and brings with it a quite exciting feature: let-chains! It allows us to mix-and-match `if` and `let` expressions, therefore often reducing the "right-drift" of the relevant code, making it easier to read. Rust 1.88 also comes with a new clippy lint that warns when creating a mutable reference from an immutable pointer. Attempting to fix this revealed that this is exactly what we are doing in the eBPF kernel. Unfortunately, it doesn't seem to be possible to design this in a way that is both accepted by the borrow-checker AND by the eBPF verifier. Hence, we simply make the function `unsafe` and document for the programmer what needs to be upheld. |
||
|
|
12351e5985 | ci: publish apple 1.5.4 clients (#9842) | ||
|
|
55eaa7cdc7 |
test(connlib): establish real TCP connections in proptests (#9814)
With this patch, we sample a list of DNS resources on each test run and create a "TCP service" for each of their addresses. Using this list of resources, we then change the `SendTcpPayload` transition to `ConnectTcp` and establish TCP connections using `smoltcp` to these services.
For now, we don't send any data on these connections but we do set the keep-alive interval to 5s, meaning `smoltcp` itself will keep these connections alive. We also set the timeout to 30s and after each transition in a test-run, we assert that all TCP sockets are still in their expected state:
- `ESTABLISHED` for most of them.
- `CLOSED` for all sockets where we ended up sampling an IPv4 address but the DNS resource only supports IPv6 addresses (or vice-versa). In these cases, we use the ICMP error sent by the Gateway to assert that the socket is `CLOSED`. Unfortunately, `smoltcp` currently does not handle ICMP messages for its sockets, so we have to call `abort` ourselves.
Overall, this should assert that regardless of whether we roam networks, switch relays or do other kinds of stuff with the underlying connection, the tunneled TCP connection stays alive.
In order to make this work, I had to tweak the timeouts when we are on-demand refreshing allocations. This only happens in one particular case: When we are being given new relays by the portal, we refresh all _other_ relays to make sure they are still present. In other words, all relays that we didn't remove and didn't just add but still had in-memory are refreshed. This is important for cases where we are network-partitioned from the portal whilst relays are deployed or reset their state otherwise. Instead of the previous 8s max elapsed time of the exponential backoff like we have it for other requests, we now only use a single message with a 1s timeout there.
With the increased ICE timeout of 15s, a TCP connection with a 30s timeout would otherwise not survive such an event. This is because it takes the above mentioned 8s for us to remove a non-functioning relay, all whilst trying to establish a new connection (which also incurs its own ICE timeout then). With the reduced timeout on the on-demand refresh of 1s, we detect the disappeared relay much quicker and can immediately establish a new connection via one of the new ones. As always with reduced timeouts, this can create false-positives if the relay doesn't reply within 1s for some reason.
Resolves: #9531 |
||
|
|
55aef6ae11 | chore: publish gui-client 1.5.5 (#9811) | ||
|
|
ced0579f93 |
fix(ci): use outcome instead of conclusion (#9792)
According to the documentation [0]: > When a `continue-on-error` step fails, the `outcome` is `failure`, but the final `conclusion` is `success`. We update the action accordingly to make our retry mechanism work. [0]: https://docs.github.com/es/actions/reference/contexts-reference#steps-context Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
|
4a02e89b43 | ci: publish headless 1.5.1 (#9791) | ||
|
|
f04c23c8d9 |
ci: retry authentication with GCP (#9786)
At present, it appears that `actions/toolkit` has a bug where it isn't always able to correctly fetch an ID token. See https://github.com/actions/toolkit/issues/2098 for the upstream issue. As a result, our CI fails relatively often. A simple restart usually fixes the issue. This however is annoying because it means PRs get de-queued from the merge-queue or don't queue in the first place and therefore require baby-sitting. To fix this, we attempt to build a retry-mechanism from within the action. Using `continue-on-error`, we tell the "auth" step to continue, even if it fails. Following that, we try to authenticate again but only if the previous one failed. We do this up to 3 times before actually giving up. --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
a556b39136 | chore: remove duplicate labels from actionlint configuration (#9789) | ||
|
|
cb9b087bf3 |
refactor(ci): reuse gcp-docker-login action (#9787)
It appears the code for authenticating with GCP is duplicated in some of our workflows. |
||
|
|
94660cbb2c |
chore(gui-smoke-test): wait for tunnel service to boot (#9766)
The tunnel service creates the Firezone ID upon start-up. With recent changes to the GUI client, we now require reading the ID file when starting the GUI client. This exposes a race condition in our smoke-tests where we start them both at roughly the same time. To fix this, we sleep for 500ms after starting the tunnel process. |
||
|
|
7e25027c73 | ci: fix automated PR creation on publish (#9739) | ||
|
|
29eb16393a |
build(deps): bump gradle/actions from 4.4.0 to 4.4.1 in /.github/actions/setup-android (#9741)
Bumps [gradle/actions](https://github.com/gradle/actions) from 4.4.0 to 4.4.1.
Release notes (sourced from [gradle/actions's releases](https://github.com/gradle/actions/releases)):
v4.4.1: This patch release fixes a bug in Develocity Injection with a custom plugin repository. The `gradle-plugin-repository-*` action parameters were not being correctly mapped to environment variables that are read by the Develocity Injection init script.
This issue has been fixed by setting the correct environment variables:
- `gradle-plugin-repository-url` is mapped to `DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_URL`
- `gradle-plugin-repository-username` is mapped to `DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_USERNAME`
- `gradle-plugin-repository-password` is mapped to `DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_PASSWORD`
Additionally, these parameters can now be used to configure a custom plugin repository for the GitHub Dependency Graph Gradle Plugin, required for dependency submission.
What's Changed:
- Dependency updates by @bigdaz in gradle/actions#667
- Fix plugin repository env vars by @bigdaz in gradle/actions#669
Full Changelog: https://github.com/gradle/actions/compare/v4.4.0...v4.4.1 |
||
|
|
8ed950fcc0 |
build(deps): bump docker/setup-buildx-action from 3.10.0 to 3.11.1 (#9745)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.10.0 to 3.11.1.
Release notes (sourced from [docker/setup-buildx-action's releases](https://github.com/docker/setup-buildx-action/releases)):
v3.11.1:
- Fix `keep-state` not being respected by @crazy-max in docker/setup-buildx-action#429
- Full Changelog: https://github.com/docker/setup-buildx-action/compare/v3.11.0...v3.11.1
v3.11.0:
- Keep BuildKit state support by @crazy-max in docker/setup-buildx-action#427
- Remove aliases created when installing by default by @hashhar in docker/setup-buildx-action#139
- Bump `@docker/actions-toolkit` from 0.56.0 to 0.62.1 in docker/setup-buildx-action#422 docker/setup-buildx-action#425
- Full Changelog: https://github.com/docker/setup-buildx-action/compare/v3.10.0...v3.11.0 |
||
|
|
5440235d3e |
build(deps): bump actions/cache from 4.2.0 to 4.2.3 in /.github/actions/setup-elixir (#9742)
Bumps [actions/cache](https://github.com/actions/cache) from 4.2.0 to 4.2.3.
Release notes (sourced from [actions/cache's releases](https://github.com/actions/cache/releases)):
v4.2.3, What's Changed:
- Update to use `@actions/cache` 4.0.3 package & prepare for new release by @salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)
- New Contributors: @salmanmkc made their first contribution in actions/cache#1577
- Full Changelog: https://github.com/actions/cache/compare/v4.2.2...v4.2.3
v4.2.2, What's Changed:
- [!IMPORTANT] As a reminder, there were important backend changes to release v4.2.0, see [those release notes](https://github.com/actions/cache/releases/tag/v4.2.0) and [the announcement](https://github.com/actions/cache/discussions/1510) for more details.
- Bump `@actions/cache` to v4.0.2 by @robherley in actions/cache#1560
- Full Changelog: https://github.com/actions/cache/compare/v4.2.1...v4.2.2
v4.2.1, What's Changed:
- [!IMPORTANT] As a reminder, there were important backend changes to release v4.2.0, see [those release notes](https://github.com/actions/cache/releases/tag/v4.2.0) and [the announcement](https://github.com/actions/cache/discussions/1510) for more details.
- docs: GitHub is spelled incorrectly in caching-strategies.md by @janco-absa in actions/cache#1526
- docs: Make the "always save prime numbers" example more clear by @Tobbe in actions/cache#1525
- Update force deletion docs due a recent deprecation by @sebbalex in actions/cache#1500
- Bump `@actions/cache` to v4.0.1 by @robherley in actions/cache#1554
- New Contributors: @janco-absa made their first contribution in actions/cache#1526; @Tobbe made their first contribution in actions/cache#1525; @sebbalex made their first contribution in actions/cache#1500
- Full Changelog: https://github.com/actions/cache/compare/v4.2.0...v4.2.1
Changelog (sourced from [actions/cache's changelog](https://github.com/actions/cache/blob/main/RELEASES.md)), Releases:
- 4.2.3: Bump `@actions/cache` to v4.0.3 (obfuscates SAS token in debug logs for cache entries)
- 4.2.2: Bump `@actions/cache` to v4.0.2
- 4.2.1: Bump `@actions/cache` to v4.0.1
- 4.2.0: TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. [actions/cache](https://github.com/actions/cache) now integrates with the new cache service (v2) APIs. The new service will gradually roll out as of **February 1st, 2025**. The legacy service will also be sunset on the same date. Changes in these release are **fully backward compatible**. **We are deprecating some versions of this action**. We recommend upgrading to version `v4` or `v3` as soon as possible before **February 1st, 2025.** (Upgrade instructions below). If you are using pinned SHAs, please use the SHAs of versions `v4.2.0` or `v3.4.0`. If you do not upgrade, all workflow runs using any of the deprecated [actions/cache](https://github.com/actions/cache) will fail. Upgrading to the recommended versions will not break your workflows.
- 4.1.2: Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices (#1474). Security fix: Bump braces from 3.0.2 to 3.0.3 (#1475).
- 4.1.1: Restore original behavior of `cache-hit` output (#1467).
- 4.1.0: Ensure `cache-hit` output is set when a cache is missed (#1404). Deprecate `save-always` input (#1452).
- 4.0.2: Fixed restore `fail-on-cache-miss` not working.
- 4.0.1: Updated `isGhes` check
- ... (truncated) |
||
|
|
306d30271a |
build(deps): bump actions/cache from 4.2.0 to 4.2.3 in /.github/actions/setup-tauri-v2 (#9761)
Bumps [actions/cache](https://github.com/actions/cache) from 4.2.0 to 4.2.3. |
||
|
|
b8b255c79f |
build(deps): bump taiki-e/install-action from 2.52.6 to 2.55.3 (#9749)
Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.52.6 to 2.55.3.

Release notes (sourced from [taiki-e/install-action's releases](https://github.com/taiki-e/install-action/releases)):

**2.55.3**
- Update `dprint@latest` to 0.50.1.

**2.55.2**
- Update `zizmor@latest` to 1.11.0.
- Update `cargo-dinghy@latest` to 0.8.1.

**2.55.1**
- Update `vacuum@latest` to 0.17.1.
- Update `typos@latest` to 1.34.0.

**2.55.0**
- Support `vacuum`. ([#1016](https://redirect.github.com/taiki-e/install-action/pull/1016), thanks [@jayvdb](https://github.com/jayvdb))
- Update `cargo-shear@latest` to 1.3.2.

**2.54.3**
- Update `cargo-careful@latest` to 0.4.8.

**2.54.2**
- Update `rclone@latest` to 1.70.2.
- Update `zizmor@latest` to 1.10.0.

**2.54.1**
- Update `wasmtime@latest` to 34.0.1.
- Update `cargo-tarpaulin@latest` to 0.32.8.
- Update `knope@latest` to 0.21.0.

**2.54.0**
- Add `cyclonedx` ([#1000](https://redirect.github.com/taiki-e/install-action/pull/1000), thanks [@jayvdb](https://github.com/jayvdb))
- Update `wasmtime@latest` to 34.0.0.
- Update `rclone@latest` to 1.70.1.
- Update `cargo-binstall@latest` to 1.14.1.
- Update `release-plz@latest` to 0.3.136.

**2.53.2**
- Fix `cargo-nextest` installation failure on Ubuntu 24.04 due to HTTP 403 error on requests to crates.io. ([#1007](https://redirect.github.com/taiki-e/install-action/pull/1007))
- Update `rclone@latest` to 1.70.0.

**2.53.1**

... (truncated)

Changelog (sourced from [taiki-e/install-action's changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)):

All notable changes to this project will be documented in this file.

This project adheres to [Semantic Versioning](https://semver.org).

**[Unreleased]**
- Update `trivy@latest` to 0.64.0.
- Update `just@latest` to 1.41.0.

**[2.55.3] - 2025-06-30**
- Update `dprint@latest` to 0.50.1.

**[2.55.2] - 2025-06-30**
- Update `zizmor@latest` to 1.11.0.
- Update `cargo-dinghy@latest` to 0.8.1.

**[2.55.1] - 2025-06-30**
- Update `vacuum@latest` to 0.17.1.
- Update `typos@latest` to 1.34.0.

**[2.55.0] - 2025-06-30**
- Support `vacuum`. ([#1016](https://redirect.github.com/taiki-e/install-action/pull/1016), thanks [@jayvdb](https://github.com/jayvdb))
- Update `cargo-shear@latest` to 1.3.2.

**[2.54.3] - 2025-06-28**
- Update `cargo-careful@latest` to 0.4.8.

**[2.54.2] - 2025-06-27**
- Update `rclone@latest` to 1.70.2.
- Update `zizmor@latest` to 1.10.0.

**[2.54.1] - 2025-06-25**

... (truncated) |
||
|
|
2dc34e9070 |
build(deps): bump getsentry/action-release from 3.1.1 to 3.2.0 in /.github/actions/create-sentry-release (#9751)
Bumps [getsentry/action-release](https://github.com/getsentry/action-release) from 3.1.1 to 3.2.0.

Release notes (sourced from [getsentry/action-release's releases](https://github.com/getsentry/action-release/releases)):

**3.2.0**

Various fixes & improvements
- chore: Set docker tag for master [skip ci] (e8340952) by [@getsantry](https://github.com/getsantry)[bot]
- feat: Bump to node 20.19.2 ([#284](https://redirect.github.com/getsentry/action-release/issues/284)) by [@andreiborza](https://github.com/andreiborza)
- chore: Set docker tag for master [skip ci] (ec695e24) by [@getsantry](https://github.com/getsantry)[bot]

**3.1.2**
- fix: Preserve existing Node version on macOS and Windows runners ([#280](https://redirect.github.com/getsentry/action-release/issues/280)) by [@andreiborza](https://github.com/andreiborza)

Changelog (sourced from [getsentry/action-release's changelog](https://github.com/getsentry/action-release/blob/master/CHANGELOG.md)):

**3.2.0**

Various fixes & improvements
- chore: Set docker tag for master [skip ci] (e8340952) by [@getsantry](https://github.com/getsantry)[bot]
- feat: Bump to node 20.19.2 ([#284](https://redirect.github.com/getsentry/action-release/issues/284)) by [@andreiborza](https://github.com/andreiborza)
- chore: Set docker tag for master [skip ci] (ec695e24) by [@getsantry](https://github.com/getsantry)[bot]

**3.1.2**
- fix: Preserve existing Node version on macOS and Windows runners ([#280](https://redirect.github.com/getsentry/action-release/issues/280)) by [@andreiborza](https://github.com/andreiborza)

**3.1.1**
- fix: Only pass `urlPrefix` to sentry-cli if it's not empty ([#275](https://redirect.github.com/getsentry/action-release/issues/275)) by [@andreiborza](https://github.com/andreiborza)

**3.1.0**
- feat: Add `release` and `release_prefix` in favor of `version` and `version_prefix` ([#273](https://redirect.github.com/getsentry/action-release/issues/273)) by [@andreiborza](https://github.com/andreiborza)

Input parameter `version` has been deprecated and will be removed in a future version in favor of a newly introduced `release` parameter.

Input parameter `version_prefix` has been deprecated and will be removed in a future version in favor of a newly introduced `release_prefix` parameter.

**3.0.0**

Version `3.0.0` contains breaking changes:
- feat(sourcemaps)!: Enable injecting debug ids by default ([#272](https://redirect.github.com/getsentry/action-release/issues/272)) by [@andreiborza](https://github.com/andreiborza)

The action now automatically injects Debug IDs into your JavaScript source files and source maps to ensure your stacktraces can be properly un-minified.

This is a **breaking change as it modifies your source files**. You can disable this behavior by setting `inject: false`:

```yaml
- uses: getsentry/action-release@v3
  with:
    environment: 'production'
    sourcemaps: './dist'
    inject: false
```

Read more about [Artifact Bundles and Debug IDs here](https://docs.sentry.io/platforms/javascript/sourcemaps/troubleshooting_js/artifact-bundles/).

**1.11.0**
- feat: Use hybrid docker/composite action approach ([#265](https://redirect.github.com/getsentry/action-release/issues/265)) by [@andreiborza](https://github.com/andreiborza)

... (truncated) |
||
|
|
4091457788 |
ci: publish android 1.5.2 (#9735)
**NOTE**: This is for last week's release of 1.5.2. We will still need to do a release to cut 1.5.3. |
||
|
|
a4cf3ead0f | ci: publish gateway 1.4.12 (#9736) | ||
|
|
ac34635db8 |
fix(ci): fix update-release-draft for gui-client (#9734)
Needs contents-write perms to create draft releases. Related: https://github.com/firezone/firezone/actions/runs/15990137167 |
||
|
|
4e78f6b17a |
ci: extend sccache startup timeout (#9713)
It appears that recently, our CI jobs are often timing out on attempting to start up the sccache server for Rust caching. We attempt to fix this by increasing the timeout to 20s. |
||
|
|
3b0292d71d |
ci: bump sccache action (#9712)
Whilst investigating some ephemeral CI errors, I noticed that `sccache-action` is quite outdated. |
||
|
|
b011563ca4 |
fix(ci): fix missing daemon.json to use GCR (#9704)
The docker registry is woefully unreliable due to rate limits and such. We have an action to use the GCP mirror, but it never took effect because of a minor bug - daemon.json is not present. Related: https://github.com/firezone/firezone/actions/runs/15945772933/job/44979632073?pr=9703 |
||
|
|
0b09d9f2f5 |
refactor(portal): don't rely on flows.expires_at (#9692)
The `expires_at` column on the `flows` table was never used outside of
the context in which the flow was created in the Client Channel. This
ephemeral state, which is created in the `Domain.Flows.authorize_flow/4`
function, is never read from the DB in any meaningful capacity, so it
can be safely removed.
The `expire_flows_for` family of functions now simply reads the needed
fields from the flows table in order to broadcast `{:expire_flow,
flow_id, client_id, resource_id}` directly to the subscribed entities.
This PR is step 1 in removing the reliance on `Flows` to manage
ephemeral access state. In a subsequent PR we will actually change the
structure of what state is kept in the channel PIDs such that reliance
on this Flows table will no longer be necessary.
Additionally, in a few places, we were referencing a Flows.Show view
that was never available in production, so this dead code has been
removed.
Lastly, the `flows` table subscription and associated hook processing
has been completely removed as it is no longer needed. We've implemented
in #9667 logic to remove publications from removed table subscriptions,
so we can expect to get a couple ingest warnings when we deploy this as
the `Hooks.Flows` processor no longer exists, and the WAL data may have
lingering flows records in the queue. These can be safely ignored.
|
||
|
|
2b154d88bf |
fix(ci): use relaxed naming for ignored checks (#9666)
These jobs have the `ci / ` prefix when run on main, but no prefix when run on PRs. To fix the ignored checks, we need to use `contains`. |
||
|
|
75740e4377 |
fix(ci): check for correct ignored job names (#9665)
These need the `ci / ` prefix. |
||
|
|
110d504516 |
fix(ci): maintain whitespace in sources list (#9663)
Another issue was introduced in #9590 - we need to maintain the whitespace in the sources list when generating them. Fixes https://github.com/firezone/firezone/actions/runs/15859521283/job/44713395755 |
||
|
|
85e67f1925 |
fix(ci): preserve sources whitespace (#9661)
Fixes a whitespace issue introduced in #9590 |
||
|
|
40f0609d90 |
ci: lint GitHub workflows with actionlint (#9590)
[`actionlint`](https://github.com/rhysd/actionlint) is a static analysis tool for GitHub workflows and actions. It detects various issues ahead of time and runs shellcheck on all `run` blocks. It is worth noting that this does **not** lint the contents of composite actions so we still need to be vigilant when working with those. |
||
|
|
56b70215a7 |
fix(ci): dont require upload-bencher (#9650)
Bencher is not the most reliable service, so this PR prevents us from failing CI runs on the `uploader-bencher` job. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
1bd3d2a382 |
chore(gateway): remove NAT64/46 module (#9626)
This has been disabled for several releases now and is not causing any problems in production. We can therefore safely remove it. It is about time we do this because our tests are actually still testing the variant without the feature flag and therefore deviate from what we do in production. We therefore have to convert the tests as well. Doing so uncovered a minor problem in our ICMP error parsing code: We attempted to parse the payload of an ICMP error as a fully-valid layer 4 header (e.g. TCP header or UDP header). However, per the RFC a node only needs to embed the first 8 bytes of the original packet in an ICMPv4 error. That is not enough to parse a valid TCP header as those are at least 20 bytes. I don't expect this to be a huge problem in production right now though. We only use this code to parse ICMP errors arriving on the Gateway and I _think_ most devices actually include more than 8 bytes. This only surfaced because we are very strict with only embedding exactly 8 bytes when we generate an ICMP error. Additionally, we change our ICMP errors to be sent from the resource IP rather than the Gateway's TUN device. Given that we perform NAT on these IPs anyway, I think this can still be argued to be RFC-conformant. The _proxy_ IP which we are trying to contact can be reached but it cannot be routed further. Therefore the destination is unreachable, yet the source of this error is the proxy IP itself. I think this is actually more correct than sending the packets from the Gateway's TUN device because the TUN device itself is not a routing hop per se: its IP won't ever show up in the routing path. |
||
|
|
9616296ebc |
ci: run all jobs if docker-compose.yml changes (#9639)
|
||
|
|
a68d46bd24 |
chore(ci): remove write perms on winget workflow (#9598)
This wasn't the issue - the issue was that @firezone-bot needed access to the firezone/winget-pkgs repo. Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
|
ec5c433f5b |
feat(ci): use larger runners for all jobs (#9646)
Append `-xlarge` to the previous runner labels to match new larger runners. |
||
|
|
259b8e2a32 | ci: fix Tauri workflow permissions (#9628) |