Skip to content
This repository was archived by the owner on Jan 24, 2026. It is now read-only.

chore: sync with upstream goharbor/harbor#121

Open
github-actions[bot] wants to merge 9 commits into
nextfrom
sync-upstream-lyuoefk
Open

chore: sync with upstream goharbor/harbor#121
github-actions[bot] wants to merge 9 commits into
nextfrom
sync-upstream-lyuoefk

Conversation

@github-actions

@github-actions github-actions Bot commented Jan 18, 2026

Copy link
Copy Markdown

Automated PR to sync 6 new commit(s) from upstream goharbor/harbor main branch.

Merge strategy: Our changes in next are preserved on conflicts (upstream changes are additive only).

Note: The .github folder is preserved and not synced from upstream.


Summary by cubic

Syncs our branch with upstream Harbor to add per-endpoint CA certificate support, Cosign-based release signature verification, and improvements to user/group search and OIDC group handling. This strengthens registry connectivity and fixes search accuracy.

  • New Features

    • Registry endpoints can provide a PEM-encoded CA certificate. API and Swagger updated, DB migration adds ca_certificate, transport/adapters honor the custom CA, UI adds a CA Certificate field, and inputs are validated.
    • Release installers are signed with Cosign. README and docs include a simple verification guide.
  • Bug Fixes

    • User and group search returns best matches via DB query; removed the unused MostMatchSorter. Handlers use SearchByName; tests added.
    • OIDC group parsing supports single-string group claims.
    • Minor stability tweaks: safer image removal in pushimage.sh, proxy-friendly Cosign/Helm tests, more robust job dashboard and log rotation tests, and small release utils fixes.

Written for commit 34e14a2. Summary will update on new commits.

stonezdj and others added 8 commits December 31, 2025 22:14
Remove the unused function MostMatchSorter, it should not be implemented in golang, should be implement in the db query.
Remove the unused function onBoardCommonUserGroup()
fixes goharbor#22573

Signed-off-by: stonezdj <stonezdj@gmail.com>
refine apitest

Signed-off-by: my036811 <miner.yang@broadcom.com>
…bor#22535)

* add per-endpoint CA certificate support for registry endpoints

fixes goharbor#22203

Allowing Harbor to trust self-signed or private CA certificates for individual registry endpoints without modifying the system-level trust store.

1. Database schema changes, API updates with PEM validation.
2. HTTP transport layer modifications across all the registry adapters.
3. UI field to fill in the certificate.

The feature is backward compatible - existing installations using system-level CA trust will continue to work without any changes.

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* resolve lint failures

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* add i18n changes

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* resolve review comments

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* make the input as non-required and updates i18n

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* resolve comments

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

---------

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>
Co-authored-by: wang yan <yan-yw.wang@broadcom.com>
)

* feat: implement keyless signing in release workflow

- Move signing from build to release workflow
- Use .sigstore.json naming convention (Sigstore standard)
- update signature verification documentation and readme file
- Update workflows to sign artifacts at release time only

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* WIP: update release workflow and utils

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* Add Cosign signing and fix accidental deletions

- Add Cosign signing to releases for security
- Revert to using getAssets function
- Restore latest installer uploads
- Restore pre-release comment

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* Remove braces from variable names for consistency

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* Remove unnecessary permissions from build-package.yml

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

---------

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>
Co-authored-by: Aloui-Ikram <ikram@container-registry.com>
Co-authored-by: Daniel Jiang <daniel.jiang@broadcom.com>
…ngle group (goharbor#22723)

Signed-off-by: Lars Francke <git@lars-francke.de>
Signed-off-by: liuyueyangxmu <liuyueyangxmu@outlook.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jan 18, 2026

Copy link
Copy Markdown

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

This commit fixes the style issues introduced in 88b74ce according to the output
from Gofumpt and Prettier.

Details: container-registry/harbor-next#121
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
5.6% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4 issues found across 73 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="src/controller/event/handler/util/util.go">

<violation number="1" location="src/controller/event/handler/util/util.go:72">
P2: Handle the case where the repo name has no "/"; strings.Cut returns an empty string then, unlike the previous behavior which returned the full repo.</violation>
</file>

<file name="src/portal/src/i18n/lang/zh-cn-lang.json">

<violation number="1" location="src/portal/src/i18n/lang/zh-cn-lang.json:671">
P1: Missing comma after "PLACEHOLDER" breaks JSON syntax for this locale file.</violation>

<violation number="2" location="src/portal/src/i18n/lang/zh-cn-lang.json:672">
P1: Unescaped double quotes inside the tooltip string break JSON parsing.</violation>
</file>

<file name="src/server/v2.0/handler/user.go">

<violation number="1" location="src/server/v2.0/handler/user.go:281">
P2: SearchUsers no longer applies the requested page offset. SearchByName only limits the result size, so page>1 requests will return the same first page while the response links/total suggest pagination is honored.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

"CANNOT_EDIT": "当复制规则启用时目标无法修改。",
"PLACEHOLDER": "未发现任何复制目标!"
"CA_CERTIFICATE": "CA 证书",
"CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",

@cubic-dev-ai cubic-dev-ai Bot Jan 18, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Unescaped double quotes inside the tooltip string break JSON parsing.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/portal/src/i18n/lang/zh-cn-lang.json, line 672:

<comment>Unescaped double quotes inside the tooltip string break JSON parsing.</comment>

<file context>
@@ -668,6 +668,9 @@
         "CANNOT_EDIT": "当复制规则启用时目标无法修改。",
         "PLACEHOLDER": "未发现任何复制目标!"
+        "CA_CERTIFICATE": "CA 证书",
+        "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
+        "CA_CERTIFICATE_HELPER": "可选。在此粘贴 PEM 编码的 CA 证书,以信任此端点的自签名或私有 CA 证书。如果留空,Harbor 将使用系统 CA 池。"
     },
</file context>
Suggested change
"CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
"CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用\"验证远程证书\"时可用。",
Fix with Cubic

"DELETED_FAILED": "删除目标失败。",
"CANNOT_EDIT": "当复制规则启用时目标无法修改。",
"PLACEHOLDER": "未发现任何复制目标!"
"CA_CERTIFICATE": "CA 证书",

@cubic-dev-ai cubic-dev-ai Bot Jan 18, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Missing comma after "PLACEHOLDER" breaks JSON syntax for this locale file.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/portal/src/i18n/lang/zh-cn-lang.json, line 671:

<comment>Missing comma after "PLACEHOLDER" breaks JSON syntax for this locale file.</comment>

<file context>
@@ -668,6 +668,9 @@
         "DELETED_FAILED": "删除目标失败。",
         "CANNOT_EDIT": "当复制规则启用时目标无法修改。",
         "PLACEHOLDER": "未发现任何复制目标!"
+        "CA_CERTIFICATE": "CA 证书",
+        "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
+        "CA_CERTIFICATE_HELPER": "可选。在此粘贴 PEM 编码的 CA 证书,以信任此端点的自签名或私有 CA 证书。如果留空,Harbor 将使用系统 CA 池。"
</file context>
Fix with Cubic

Comment on lines +72 to +73
_, after, _ := strings.Cut(repo, "/")
return after

@cubic-dev-ai cubic-dev-ai Bot Jan 18, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Handle the case where the repo name has no "/"; strings.Cut returns an empty string then, unlike the previous behavior which returned the full repo.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/controller/event/handler/util/util.go, line 72:

<comment>Handle the case where the repo name has no "/"; strings.Cut returns an empty string then, unlike the previous behavior which returned the full repo.</comment>

<file context>
@@ -69,8 +69,8 @@ func SendHookWithPolicies(ctx context.Context, policies []*policy_model.Policy,
 func GetNameFromImgRepoFullName(repo string) string {
-	idx := strings.Index(repo, "/")
-	return repo[idx+1:]
+	_, after, _ := strings.Cut(repo, "/")
+	return after
 }
</file context>
Suggested change
_, after, _ := strings.Cut(repo, "/")
return after
_, after, found := strings.Cut(repo, "/")
if !found {
return repo
}
return after
Fix with Cubic

return operation.NewSearchUsersOK().WithXTotalCount(0).WithPayload([]*models.UserSearchRespItem{})
}
l, err := u.ctl.List(ctx, query)
l, err := u.ctl.SearchByName(ctx, params.Username, int(*params.PageSize))

@cubic-dev-ai cubic-dev-ai Bot Jan 18, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: SearchUsers no longer applies the requested page offset. SearchByName only limits the result size, so page>1 requests will return the same first page while the response links/total suggest pagination is honored.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/server/v2.0/handler/user.go, line 281:

<comment>SearchUsers no longer applies the requested page offset. SearchByName only limits the result size, so page>1 requests will return the same first page while the response links/total suggest pagination is honored.</comment>

<file context>
@@ -279,7 +278,7 @@ func (u *usersAPI) SearchUsers(ctx context.Context, params operation.SearchUsers
 		return operation.NewSearchUsersOK().WithXTotalCount(0).WithPayload([]*models.UserSearchRespItem{})
 	}
-	l, err := u.ctl.List(ctx, query)
+	l, err := u.ctl.SearchByName(ctx, params.Username, int(*params.PageSize))
 	if err != nil {
 		return u.SendError(ctx, err)
</file context>
Fix with Cubic

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants