* Updating go version from 1.24.8 to 1.24.9 (#10291)
* update changelog
Signed-off-by: Ryan Cragun <me@ryan.ec>
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: ericjones <eric.jones@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* change what performance replication checker script is checking
* fix lint errors
* enable consul backends for ent build samples
* fix up samples
* fix linting
* update release samples
* fix linting again
* output to stderr
Co-authored-by: Josh Black <raskchanky@gmail.com>
* Upgrade jsondiffpatch dependency version (#9651)
* update jsondiffpatch dep + use webpack to convert into UMD format
* do not lint vendor files
* update test
* lint fix
* fix merge conflict error
* revert extra changes
* update header
---------
Co-authored-by: lane-wetmore <lane.wetmore@hashicorp.com>
When a pull request is created against a CE branch and it has changed any files in the `gotoolchain` group we'll automatically trigger the diff for every Go module file in the repo against the equivalent in the corresponding enterprise branch. If there's a delta in like configuration it will automatically fail the `build/ce-checks` job. It will also write a complete explanation of the diff to the step output and also to the `build/ce-checks` job step summary.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* [VAULT-40165] pipeline(github): add `check go-mod-diff` command
Add `pipeline github check go-mod-diff` command that is capable of
creating a Go module diff between one-or-more go.mod files in two
different GitHub branches. There are flags for the owner, repo, and
branch for both the A and B sides of the diff, as well as the `--path`
or `-p` flag that can be specified any number of times with relative
paths in the repository of go.mod files to compare. We assume that the
path is the same in both repositories.
This work will be followed up with another PR that removes the
enterprise only go.mod file and enables Go module diff checking on pull
requests to CE branches that change the go toolchain.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* headers: update headers to IBM Corp. on release/1.20.x
* fix MPL-2.0 header in golangci-lint config
* remove ignore directive since 1.20 is still on Go 1.24
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* [VAULT-40043]: pipeline: add `go diff mod` command
Add a `pipeline go diff mod` command that is capable of comparing two
go.mod files at a directive level. We also support strict or lax
comparisons of several directives to allow flexible diff comparisons. This is
especially useful when you want to compare two go.mod files that have
some different dependencies (CE vs. Ent) but still want to compare
versions of like dependencies.
This command is not currently used in the pipeline but was useful in
developing the diff library that is used. Subsequent work will use the
library and be integrated into CI.
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed
* update licenses in files that were not included in backport
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Backport pipeline(changed-files): fix false positives for some files into release/1.20.x+ent (#10244)
* pipeline(changed-files): fix false positives for some files (#10239)
* make fmt
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Migrate all slack notifications to the `ibm-hashicorp` workspace. This
required creating three new `incoming-webhook` configurations which are
capable of posting into three different Slack channels, depending on the
workflow.
As they all use the `incoming-webhook` event, many of our integrations
had to be migrated from `chat.postMessage` and those changes are
reflected here.
Of note, there are lots of changes to the `release-procedure-ent`
workflow as it has by far the most uses of the Slack integrations. In
some cases it was to appease `actionlint` issues, in others I made small
idiomatic tweaks. I translated all of the payload messages to YAML
instead of JSON, which fits better into our existing workflows and also
because most of the payload messages were invalid JSON altogether.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* adding new locks
* adding initial testing
* changelog
* Update changelog/_9336.txt
* fixing test to use proper error output
* added additional locks on pops and last push.
* fixing tests since I can't use t.Fatalf in a go func
* adding rotation window, removing lock as reached a deadlock in test
* removing locking from the OnFailure
* removing unused locks.
---------
Co-authored-by: JMGoldsmith <spartanaudio@gmail.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* adding int check
* change to assertion rather than reflect.
* adding changelog
* grammar
* adding tests as an example
* removing excessive testing
* fixing test for leases and expected values
* adding godoc
Co-authored-by: JMGoldsmith <spartanaudio@gmail.com>
* VAULT-35084, VAULT-36948, VAULT-36952: Small tasks left over from the recovery work (#10083)
* small tasks left over from the recovery work
* changelog
* fix test
* fix error
---------
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
* [VAULT-39424] pipeline(close-origin-pr): add support for closing the origin of copied PRs
When we copy a community contributed Pull Request to Enterprise the
source PR is effectively orphaned, leaving the original PR still
opened, the author unsure of what state the copied PR is in, and any
issues associated with it open.
When the copied PR is closed we ought to close the origin PR if it's
still open, and any other issues that might be associated with either
the origin PR or the copied PR.
We can also add comments to both PRs that include links to each other
and the squash commit to make discovery of the work visible to those
with access to both repos. Unfortunately there is no way to know what
the SHA will be when it's synced so we have to rely on the
'Co-Authored-By:' trailers in the commit message.
There are some challenges to this:
- The automation should only execute when copied PRs are closed
- How to determine the origin PR from only the copied PR
- How to determine the PR's linked issues (which the v3 REST API does not expose)
We solved them by:
- Requiring the PR HEAD ref to start with `copy/`
- Encoding the origin PR information in the PR HEAD ref,
  e.g. `copy/hashicorp/vault/31580/ryan/VAULT-39424-test-ce`
- Using the V4 GraphQL API to determine "closed issue references"
The result is a new `pipeline` CLI command that can close the origin PR,
all of the issues, and write status comments on each PR with links to
everything to establish omnidirectional linking in the GitHub UI.
```bash
pipeline github close origin-pull-request 9903
```
* fix feedback
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
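The `copy/` gating and ref encoding described in the commit message above, as an added example that is not the `pipeline` tool's own code. The `copy/<owner>/<repo>/<number>/<branch>` layout is an assumption inferred from the single example ref, and `OriginPR`, `ErrNotCopy` and `ParseCopyRef` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// OriginPR identifies the pull request a copied PR was created from.
// Hypothetical type for this example, not the pipeline tool's own.
type OriginPR struct {
	Owner, Repo, Branch string
	Number              int
}

// ErrNotCopy marks refs the close automation must ignore entirely.
var ErrNotCopy = errors.New("HEAD ref does not start with copy/")

// ParseCopyRef decodes copy/<owner>/<repo>/<number>/<branch>. The layout is
// assumed from the one example ref given in the commit message.
func ParseCopyRef(ref string) (OriginPR, error) {
	if !strings.HasPrefix(ref, "copy/") {
		return OriginPR{}, ErrNotCopy
	}
	// The origin branch may itself contain slashes, so split at most 4 ways.
	parts := strings.SplitN(strings.TrimPrefix(ref, "copy/"), "/", 4)
	if len(parts) != 4 {
		return OriginPR{}, fmt.Errorf("malformed copy ref %q", ref)
	}
	for _, p := range parts {
		if p == "" {
			return OriginPR{}, fmt.Errorf("empty segment in copy ref %q", ref)
		}
	}
	// ParseUint rejects signs and non-digits, so only a plain positive number passes.
	n, err := strconv.ParseUint(parts[2], 10, 31)
	if err != nil || n == 0 {
		return OriginPR{}, fmt.Errorf("invalid origin PR number %q", parts[2])
	}
	return OriginPR{Owner: parts[0], Repo: parts[1], Number: int(n), Branch: parts[3]}, nil
}

func main() {
	// Constructed inputs: the ref from the commit message plus two that must be refused.
	for _, ref := range []string{"copy/hashicorp/vault/31580/ryan/VAULT-39424-test-ce", "ryan/VAULT-39424-test-ce", "copy/hashicorp/vault/x/b"} {
		o, err := ParseCopyRef(ref)
		fmt.Printf("%s -> %+v err=%v\n", ref, o, err)
	}
}
```

Failing closed on anything that does not parse keeps the close action from touching a PR or issue that a branch name merely resembles.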
Our service users now have compatible use cases that allow us to use
the service user credentials everywhere. Drop `action-doormat` so that
our workflows execute correctly in the `hashicorp/vault` context.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* go: bump .go-version to 1.24.8 on release/1.20.x+ent (#9989)
* go: bump .go-version to 1.24.8
* go: handle changes to net/url parsing enforcement in Go 1.24.8
The fixes for CVE-2025-47912 (https://go.dev/issue/75678) change
behavior when parsing invalid IPv4 addresses. Update the test
for these changes.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* go mod tidy
Signed-off-by: Ryan Cragun <me@ryan.ec>
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* [VAULT-39150]: actions(copy-pr): add step summary to copy PR workflow (#9828)
When we copy a Pull Request from CE to Ent we already add a status
comment to the origin PR but we don't actually bubble up the information
to the workflow summary. Instead, render the copy PR output as a
markdown table and write it to the step summary.
Conflicts:
.github/workflows/copy-external-contributor-pull-request-ent.yml
---------
Co-authored-by: Ryan Cragun <me@ryan.ec>
Occasionally it seems that the tools will get built and linked against
the platform glibc. We definitely do not want that.
Now we always disable CGO when building tools. While doing this I
realized that we could also strip debug symbols and reduce the size of
the tools significantly, so that is included as well.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Initial implementation
* Use rotation_statements, handle both password and private_key
* Remove debug prints
* Merge in main
* Remove duplicated error text
* Rename keypair root rotation function
* Use NewRotateRootCredentialsWALPasswordEntry
* Add changelog file
* Move back to original file for now, for review
* put generatePassword into function
* Fix names, call helper for generatePassword
* Generalize the rotation flow and keypair path
* Fix conditional check, remove new file
* Fix changelog
* Add test file
* Fix username check var name
* Fix name variable
* Return an error when both fields are set during rotation, and return an error if somehow walEntry is nil
* Fix test godoc
* Remove print
* change rotated key bits to 4096
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* update the order of the requests handlers
* switch back to maxrequestsize, prevent the error by restricting the buffer size
* add test
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
* Copy https://github.com/hashicorp/vault/pull/31354 into release/1.20.x+ent
* backport of commit 8309387230524d320dcda3cb923f877b6c675e6a
---------
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Tony Wittinger <anwittin@users.noreply.github.com>