Skip to content
This repository was archived by the owner on Jan 24, 2026. It is now read-only.

chore: sync with upstream goharbor/harbor#127

Open
github-actions[bot] wants to merge 17 commits into
nextfrom
sync-upstream-t0tj0va
Open

chore: sync with upstream goharbor/harbor#127
github-actions[bot] wants to merge 17 commits into
nextfrom
sync-upstream-t0tj0va

Conversation

@github-actions

@github-actions github-actions Bot commented Jan 22, 2026

Copy link
Copy Markdown

Automated PR to sync 14 new commit(s) from upstream goharbor/harbor main branch.

Merge strategy: Our changes in next are preserved on conflicts (upstream changes are additive only).

Note: The .github folder is preserved and not synced from upstream.


Summary by cubic

Sync with upstream Harbor main to add per-endpoint CA certificate support for registries, Cosign release signature verification docs, and improvements to search and OIDC group handling.

  • New Features

    • Registry endpoints can include a PEM CA certificate; validated in API and used by HTTP transports across adapters. UI adds an optional CA certificate field. Schema adds registry.ca_certificate. Backward compatible.
    • API/swagger updates: ca_certificate fields on registry models; use NewTag for tag creation.
    • JFrog adapter supports OCI/helm repository types and configurable types via JFROG_SUPPORTED_REPOSITORY_TYPES.
    • Added docs and README steps to verify release artifacts with Cosign keyless signing.
    • Dependency bumps: Trivy v0.68.2 and trivy-adapter v0.34.2.
  • Bug Fixes

    • OIDC groups claim now handles a single string value as well as arrays.
    • User and user group search moved to DB-driven fuzzy search; removed MostMatchSorter and updated handlers to use SearchByName.
    • Fixed SessionRegenerate to use the correct data type.
    • CI/tests and scripts hardened for newer Docker output, proxy environments, and timing; minor typo fixes.

Written for commit 624978d. Summary will update on new commits.

stonezdj and others added 16 commits December 31, 2025 22:14
Remove the unused function MostMatchSorter, it should not be implemented in golang, should be implement in the db query.
Remove the unused function onBoardCommonUserGroup()
fixes goharbor#22573

Signed-off-by: stonezdj <stonezdj@gmail.com>
refine apitest

Signed-off-by: my036811 <miner.yang@broadcom.com>
…bor#22535)

* add per-endpoint CA certificate support for registry endpoints

fixes goharbor#22203

Allowing Harbor to trust self-signed or private CA certificates for individual registry endpoints without modifying the system-level trust store.

1. Database schema changes, API updates with PEM validation.
2. HTTP transport layer modifications across all the registry adapters.
3. UI field to fill in the certificate.

The feature is backward compatible - existing installations using system-level CA trust will continue to work without any changes.

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* resolve lint failures

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* add i18n changes

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* resolve review comments

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* make the input as non-required and updates i18n

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

* resolve comments

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>

---------

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>
Co-authored-by: wang yan <yan-yw.wang@broadcom.com>
)

* feat: implement keyless signing in release workflow

- Move signing from build to release workflow
- Use .sigstore.json naming convention (Sigstore standard)
- update signature verification documentation and readme file
- Update workflows to sign artifacts at release time only

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* WIP: update release workflow and utils

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* Add Cosign signing and fix accidental deletions

- Add Cosign signing to releases for security
- Revert to using getAssets function
- Restore latest installer uploads
- Restore pre-release comment

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* Remove braces from variable names for consistency

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

* Remove unnecessary permissions from build-package.yml

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>

---------

Signed-off-by: Aloui-Ikram <ikram@container-registry.com>
Co-authored-by: Aloui-Ikram <ikram@container-registry.com>
Co-authored-by: Daniel Jiang <daniel.jiang@broadcom.com>
…ngle group (goharbor#22723)

Signed-off-by: Lars Francke <git@lars-francke.de>
Signed-off-by: liuyueyangxmu <liuyueyangxmu@outlook.com>
Signed-off-by: Yohei Yamamoto <yhymmt123@gmail.com>
)

Signed-off-by: Bin Liu <lb203159@antfin.com>
Co-authored-by: Bin Liu <lb203159@antfin.com>
…rbor#22732)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@v3.7.0...v4.0.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Support oci repository type for jfrog registry replication

  Fixes goharbor#22218

Signed-off-by: stonezdj <stonezdj@gmail.com>
Signed-off-by: Daniel Jiang <daniel.jiang@broadcom.com>
Signed-off-by: chlins <chlins.zhang@gmail.com>
fix goharbor#22582

Harbor doesn't support for creating a immutable tag. Updates the swagger to limit name field only for tag creation.
There is no breaking change.

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>
Co-authored-by: wang yan <yan-yw.wang@broadcom.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jan 22, 2026

Copy link
Copy Markdown

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

This commit fixes the style issues introduced in a4265fc according to the output
from Gofumpt and Prettier.

Details: container-registry/harbor-next#127
@sonarqubecloud

Copy link
Copy Markdown

Please retry analysis of this Pull-Request directly on SonarQube Cloud

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5 issues found across 82 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="src/pkg/reg/adapter/jfrog/adapter.go">

<violation number="1" location="src/pkg/reg/adapter/jfrog/adapter.go:282">
P2: All ListTags failures are swallowed, so when every supported type errors this returns an empty artifact list instead of propagating the failure. That hides registry issues and makes replications look like empty repositories.</violation>
</file>

<file name="src/portal/src/i18n/lang/zh-cn-lang.json">

<violation number="1" location="src/portal/src/i18n/lang/zh-cn-lang.json:671">
P1: Adding new keys after "PLACEHOLDER" without adding a trailing comma on the previous line makes this JSON invalid. Add a comma after the "PLACEHOLDER" entry.</violation>

<violation number="2" location="src/portal/src/i18n/lang/zh-cn-lang.json:672">
P1: The tooltip string contains unescaped double quotes around 验证远程证书, which breaks JSON parsing. Escape the inner quotes.</violation>
</file>

<file name="src/controller/event/handler/util/util.go">

<violation number="1" location="src/controller/event/handler/util/util.go:72">
P2: strings.Cut returns an empty string when no "/" is present, whereas the previous implementation returned the full repo. This is a behavior change that can drop valid repo names without a slash. Preserve the old fallback when the separator isn’t found.</violation>
</file>

<file name="src/common/http/transport.go">

<violation number="1" location="src/common/http/transport.go:171">
P2: Using x509.NewCertPool() discards the system root CAs, so providing a custom CA will break trust for all normally trusted certificates. Consider starting from the system cert pool and appending the custom certs instead.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

"CANNOT_EDIT": "当复制规则启用时目标无法修改。",
"PLACEHOLDER": "未发现任何复制目标!"
"CA_CERTIFICATE": "CA 证书",
"CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",

@cubic-dev-ai cubic-dev-ai Bot Jan 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: The tooltip string contains unescaped double quotes around 验证远程证书, which breaks JSON parsing. Escape the inner quotes.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/portal/src/i18n/lang/zh-cn-lang.json, line 672:

<comment>The tooltip string contains unescaped double quotes around 验证远程证书, which breaks JSON parsing. Escape the inner quotes.</comment>

<file context>
@@ -668,6 +668,9 @@
         "CANNOT_EDIT": "当复制规则启用时目标无法修改。",
         "PLACEHOLDER": "未发现任何复制目标!"
+        "CA_CERTIFICATE": "CA 证书",
+        "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
+        "CA_CERTIFICATE_HELPER": "可选。在此粘贴 PEM 编码的 CA 证书,以信任此端点的自签名或私有 CA 证书。如果留空,Harbor 将使用系统 CA 池。"
     },
</file context>
Suggested change
"CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
"CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用\"验证远程证书\"时可用。",
Fix with Cubic

"DELETED_FAILED": "删除目标失败。",
"CANNOT_EDIT": "当复制规则启用时目标无法修改。",
"PLACEHOLDER": "未发现任何复制目标!"
"CA_CERTIFICATE": "CA 证书",

@cubic-dev-ai cubic-dev-ai Bot Jan 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Adding new keys after "PLACEHOLDER" without adding a trailing comma on the previous line makes this JSON invalid. Add a comma after the "PLACEHOLDER" entry.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/portal/src/i18n/lang/zh-cn-lang.json, line 671:

<comment>Adding new keys after "PLACEHOLDER" without adding a trailing comma on the previous line makes this JSON invalid. Add a comma after the "PLACEHOLDER" entry.</comment>

<file context>
@@ -668,6 +668,9 @@
         "DELETED_FAILED": "删除目标失败。",
         "CANNOT_EDIT": "当复制规则启用时目标无法修改。",
         "PLACEHOLDER": "未发现任何复制目标!"
+        "CA_CERTIFICATE": "CA 证书",
+        "CA_CERTIFICATE_TOOLTIP": "提供 PEM 编码的 CA 证书以验证仓库的 TLS 证书。留空将使用系统 CA 池。此字段仅在启用"验证远程证书"时可用。",
+        "CA_CERTIFICATE_HELPER": "可选。在此粘贴 PEM 编码的 CA 证书,以信任此端点的自签名或私有 CA 证书。如果留空,Harbor 将使用系统 CA 池。"
</file context>
Fix with Cubic

regClient := registry.NewClientWithAuthorizer(url, basic.NewAuthorizer(a.client.username, a.client.password), a.client.insecure, a.registry.CACertificate)
var err error
tags, err = regClient.ListTags(repoName)
if err != nil {

@cubic-dev-ai cubic-dev-ai Bot Jan 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: All ListTags failures are swallowed, so when every supported type errors this returns an empty artifact list instead of propagating the failure. That hides registry issues and makes replications look like empty repositories.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/pkg/reg/adapter/jfrog/adapter.go, line 282:

<comment>All ListTags failures are swallowed, so when every supported type errors this returns an empty artifact list instead of propagating the failure. That hides registry issues and makes replications look like empty repositories.</comment>

<file context>
@@ -254,11 +271,19 @@ func (a *adapter) listArtifacts(repository string, filters []*model.Filter) ([]*
+		regClient := registry.NewClientWithAuthorizer(url, basic.NewAuthorizer(a.client.username, a.client.password), a.client.insecure, a.registry.CACertificate)
+		var err error
+		tags, err = regClient.ListTags(repoName)
+		if err != nil {
+			log.Debugf("List tags for repository %s with type %s error: %v", repository, t, err)
+			continue
</file context>
Fix with Cubic

func GetNameFromImgRepoFullName(repo string) string {
idx := strings.Index(repo, "/")
return repo[idx+1:]
_, after, _ := strings.Cut(repo, "/")

@cubic-dev-ai cubic-dev-ai Bot Jan 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: strings.Cut returns an empty string when no "/" is present, whereas the previous implementation returned the full repo. This is a behavior change that can drop valid repo names without a slash. Preserve the old fallback when the separator isn’t found.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/controller/event/handler/util/util.go, line 72:

<comment>strings.Cut returns an empty string when no "/" is present, whereas the previous implementation returned the full repo. This is a behavior change that can drop valid repo names without a slash. Preserve the old fallback when the separator isn’t found.</comment>

<file context>
@@ -69,8 +69,8 @@ func SendHookWithPolicies(ctx context.Context, policies []*policy_model.Policy,
 func GetNameFromImgRepoFullName(repo string) string {
-	idx := strings.Index(repo, "/")
-	return repo[idx+1:]
+	_, after, _ := strings.Cut(repo, "/")
+	return after
 }
</file context>
Fix with Cubic

return
}

caCertPool := x509.NewCertPool()

@cubic-dev-ai cubic-dev-ai Bot Jan 22, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Using x509.NewCertPool() discards the system root CAs, so providing a custom CA will break trust for all normally trusted certificates. Consider starting from the system cert pool and appending the custom certs instead.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/common/http/transport.go, line 171:

<comment>Using x509.NewCertPool() discards the system root CAs, so providing a custom CA will break trust for all normally trusted certificates. Consider starting from the system cert pool and appending the custom certs instead.</comment>

<file context>
@@ -87,17 +93,92 @@ func WithInsecureSkipVerify(skipVerify bool) func(*http.Transport) {
+			return
+		}
+
+		caCertPool := x509.NewCertPool()
+		for _, cert := range certs {
+			caCertPool.AddCert(cert)
</file context>
Fix with Cubic

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.