chore: sync with upstream goharbor/harbor#127
Conversation
Remove the unused function MostMatchSorter, it should not be implemented in golang, should be implement in the db query. Remove the unused function onBoardCommonUserGroup() fixes goharbor#22573 Signed-off-by: stonezdj <stonezdj@gmail.com>
refine apitest Signed-off-by: my036811 <miner.yang@broadcom.com>
…bor#22535) * add per-endpoint CA certificate support for registry endpoints fixes goharbor#22203 Allowing Harbor to trust self-signed or private CA certificates for individual registry endpoints without modifying the system-level trust store. 1. Database schema changes, API updates with PEM validation. 2. HTTP transport layer modifications across all the registry adapters. 3. UI field to fill in the certificate. The feature is backward compatible - existing installations using system-level CA trust will continue to work without any changes. Signed-off-by: wang yan <yan-yw.wang@broadcom.com> * resolve lint failures Signed-off-by: wang yan <yan-yw.wang@broadcom.com> * add i18n changes Signed-off-by: wang yan <yan-yw.wang@broadcom.com> * resolve review comments Signed-off-by: wang yan <yan-yw.wang@broadcom.com> * make the input as non-required and updates i18n Signed-off-by: wang yan <yan-yw.wang@broadcom.com> * resolve comments Signed-off-by: wang yan <yan-yw.wang@broadcom.com> --------- Signed-off-by: wang yan <yan-yw.wang@broadcom.com> Co-authored-by: wang yan <yan-yw.wang@broadcom.com>
) * feat: implement keyless signing in release workflow - Move signing from build to release workflow - Use .sigstore.json naming convention (Sigstore standard) - update signature verification documentation and readme file - Update workflows to sign artifacts at release time only Signed-off-by: Aloui-Ikram <ikram@container-registry.com> * WIP: update release workflow and utils Signed-off-by: Aloui-Ikram <ikram@container-registry.com> * Add Cosign signing and fix accidental deletions - Add Cosign signing to releases for security - Revert to using getAssets function - Restore latest installer uploads - Restore pre-release comment Signed-off-by: Aloui-Ikram <ikram@container-registry.com> * Remove braces from variable names for consistency Signed-off-by: Aloui-Ikram <ikram@container-registry.com> * Remove unnecessary permissions from build-package.yml Signed-off-by: Aloui-Ikram <ikram@container-registry.com> --------- Signed-off-by: Aloui-Ikram <ikram@container-registry.com> Co-authored-by: Aloui-Ikram <ikram@container-registry.com> Co-authored-by: Daniel Jiang <daniel.jiang@broadcom.com>
…ngle group (goharbor#22723) Signed-off-by: Lars Francke <git@lars-francke.de>
Signed-off-by: liuyueyangxmu <liuyueyangxmu@outlook.com>
Signed-off-by: Yohei Yamamoto <yhymmt123@gmail.com>
…rbor#22732) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.7.0 to 4.0.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@v3.7.0...v4.0.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Support oci repository type for jfrog registry replication Fixes goharbor#22218 Signed-off-by: stonezdj <stonezdj@gmail.com>
Signed-off-by: Daniel Jiang <daniel.jiang@broadcom.com>
Signed-off-by: chlins <chlins.zhang@gmail.com>
Signed-off-by: chlins <chlins.zhang@gmail.com>
fix goharbor#22582 Harbor doesn't support for creating a immutable tag. Updates the swagger to limit name field only for tag creation. There is no breaking change. Signed-off-by: wang yan <yan-yw.wang@broadcom.com> Co-authored-by: wang yan <yan-yw.wang@broadcom.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
This commit fixes the style issues introduced in a4265fc according to the output from Gofumpt and Prettier. Details: container-registry/harbor-next#127
|
Please retry analysis of this Pull-Request directly on SonarQube Cloud |
There was a problem hiding this comment.
5 issues found across 82 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="src/pkg/reg/adapter/jfrog/adapter.go">
<violation number="1" location="src/pkg/reg/adapter/jfrog/adapter.go:282">
P2: All ListTags failures are swallowed, so when every supported type errors this returns an empty artifact list instead of propagating the failure. That hides registry issues and makes replications look like empty repositories.</violation>
</file>
<file name="src/portal/src/i18n/lang/zh-cn-lang.json">
<violation number="1" location="src/portal/src/i18n/lang/zh-cn-lang.json:671">
P1: Adding new keys after "PLACEHOLDER" without adding a trailing comma on the previous line makes this JSON invalid. Add a comma after the "PLACEHOLDER" entry.</violation>
<violation number="2" location="src/portal/src/i18n/lang/zh-cn-lang.json:672">
P1: The tooltip string contains unescaped double quotes around 验证远程证书, which breaks JSON parsing. Escape the inner quotes.</violation>
</file>
<file name="src/controller/event/handler/util/util.go">
<violation number="1" location="src/controller/event/handler/util/util.go:72">
P2: strings.Cut returns an empty string when no "/" is present, whereas the previous implementation returned the full repo. This is a behavior change that can drop valid repo names without a slash. Preserve the old fallback when the separator isn’t found.</violation>
</file>
<file name="src/common/http/transport.go">
<violation number="1" location="src/common/http/transport.go:171">
P2: Using x509.NewCertPool() discards the system root CAs, so providing a custom CA will break trust for all normally trusted certificates. Consider starting from the system cert pool and appending the custom certs instead.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| "CANNOT_EDIT": "当复制规则启用时目标无法修改。", | ||
| "PLACEHOLDER": "未发现任何复制目标!" | ||
| "CA_CERTIFICATE": "CA 证书", | ||
| "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。", |
There was a problem hiding this comment.
P1: The tooltip string contains unescaped double quotes around 验证远程证书, which breaks JSON parsing. Escape the inner quotes.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/portal/src/i18n/lang/zh-cn-lang.json, line 672:
<comment>The tooltip string contains unescaped double quotes around 验证远程证书, which breaks JSON parsing. Escape the inner quotes.</comment>
<file context>
@@ -668,6 +668,9 @@
"CANNOT_EDIT": "当复制规则启用时目标无法修改。",
"PLACEHOLDER": "未发现任何复制目标!"
+ "CA_CERTIFICATE": "CA 证书",
+ "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
+ "CA_CERTIFICATE_HELPER": "可选。在此粘贴 PEM 编码的 CA 证书,以信任此端点的自签名或私有 CA 证书。如果留空,Harbor 将使用系统 CA 池。"
},
</file context>
| "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。", | |
| "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用\"验证远程证书\"时可用。", |
| "DELETED_FAILED": "删除目标失败。", | ||
| "CANNOT_EDIT": "当复制规则启用时目标无法修改。", | ||
| "PLACEHOLDER": "未发现任何复制目标!" | ||
| "CA_CERTIFICATE": "CA 证书", |
There was a problem hiding this comment.
P1: Adding new keys after "PLACEHOLDER" without adding a trailing comma on the previous line makes this JSON invalid. Add a comma after the "PLACEHOLDER" entry.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/portal/src/i18n/lang/zh-cn-lang.json, line 671:
<comment>Adding new keys after "PLACEHOLDER" without adding a trailing comma on the previous line makes this JSON invalid. Add a comma after the "PLACEHOLDER" entry.</comment>
<file context>
@@ -668,6 +668,9 @@
"DELETED_FAILED": "删除目标失败。",
"CANNOT_EDIT": "当复制规则启用时目标无法修改。",
"PLACEHOLDER": "未发现任何复制目标!"
+ "CA_CERTIFICATE": "CA 证书",
+ "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
+ "CA_CERTIFICATE_HELPER": "可选。在此粘贴 PEM 编码的 CA 证书,以信任此端点的自签名或私有 CA 证书。如果留空,Harbor 将使用系统 CA 池。"
</file context>
| regClient := registry.NewClientWithAuthorizer(url, basic.NewAuthorizer(a.client.username, a.client.password), a.client.insecure, a.registry.CACertificate) | ||
| var err error | ||
| tags, err = regClient.ListTags(repoName) | ||
| if err != nil { |
There was a problem hiding this comment.
P2: All ListTags failures are swallowed, so when every supported type errors this returns an empty artifact list instead of propagating the failure. That hides registry issues and makes replications look like empty repositories.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/pkg/reg/adapter/jfrog/adapter.go, line 282:
<comment>All ListTags failures are swallowed, so when every supported type errors this returns an empty artifact list instead of propagating the failure. That hides registry issues and makes replications look like empty repositories.</comment>
<file context>
@@ -254,11 +271,19 @@ func (a *adapter) listArtifacts(repository string, filters []*model.Filter) ([]*
+ regClient := registry.NewClientWithAuthorizer(url, basic.NewAuthorizer(a.client.username, a.client.password), a.client.insecure, a.registry.CACertificate)
+ var err error
+ tags, err = regClient.ListTags(repoName)
+ if err != nil {
+ log.Debugf("List tags for repository %s with type %s error: %v", repository, t, err)
+ continue
</file context>
| func GetNameFromImgRepoFullName(repo string) string { | ||
| idx := strings.Index(repo, "/") | ||
| return repo[idx+1:] | ||
| _, after, _ := strings.Cut(repo, "/") |
There was a problem hiding this comment.
P2: strings.Cut returns an empty string when no "/" is present, whereas the previous implementation returned the full repo. This is a behavior change that can drop valid repo names without a slash. Preserve the old fallback when the separator isn’t found.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/controller/event/handler/util/util.go, line 72:
<comment>strings.Cut returns an empty string when no "/" is present, whereas the previous implementation returned the full repo. This is a behavior change that can drop valid repo names without a slash. Preserve the old fallback when the separator isn’t found.</comment>
<file context>
@@ -69,8 +69,8 @@ func SendHookWithPolicies(ctx context.Context, policies []*policy_model.Policy,
func GetNameFromImgRepoFullName(repo string) string {
- idx := strings.Index(repo, "/")
- return repo[idx+1:]
+ _, after, _ := strings.Cut(repo, "/")
+ return after
}
</file context>
| return | ||
| } | ||
|
|
||
| caCertPool := x509.NewCertPool() |
There was a problem hiding this comment.
P2: Using x509.NewCertPool() discards the system root CAs, so providing a custom CA will break trust for all normally trusted certificates. Consider starting from the system cert pool and appending the custom certs instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/common/http/transport.go, line 171:
<comment>Using x509.NewCertPool() discards the system root CAs, so providing a custom CA will break trust for all normally trusted certificates. Consider starting from the system cert pool and appending the custom certs instead.</comment>
<file context>
@@ -87,17 +93,92 @@ func WithInsecureSkipVerify(skipVerify bool) func(*http.Transport) {
+ return
+ }
+
+ caCertPool := x509.NewCertPool()
+ for _, cert := range certs {
+ caCertPool.AddCert(cert)
</file context>
Automated PR to sync 14 new commit(s) from upstream goharbor/harbor main branch.
Merge strategy: Our changes in
nextare preserved on conflicts (upstream changes are additive only).Note: The
.githubfolder is preserved and not synced from upstream.Summary by cubic
Sync with upstream Harbor main to add per-endpoint CA certificate support for registries, Cosign release signature verification docs, and improvements to search and OIDC group handling.
New Features
Bug Fixes
Written for commit 624978d. Summary will update on new commits.