feat(ci): Bump to upstream v1.98.5

.github/workflows/cigocacher.yml

@@ -24,7 +24,7 @@ jobs:
         ./tool/go build -o "${OUT}" ./cmd/cigocacher/
         tar -zcf cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz "${OUT}"
 
-    - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+    - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
         path: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz
@@ -36,7 +36,7 @@ jobs:
       contents: write
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: 'cigocacher-*'
           merge-multiple: true

.github/workflows/codeql-analysis.yml

@@ -55,7 +55,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+      uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+      uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+      uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1

.github/workflows/natlab-integrationtest.yml

@@ -22,12 +22,23 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Enable KVM
+        run: |
+          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+          sudo udevadm control --reload-rules
+          sudo udevadm trigger --name-match=kvm
       - name: Install qemu
         run: |
           sudo rm -f /var/lib/man-db/auto-update
           sudo apt-get -y update
           sudo apt-get -y remove man-db
           sudo apt-get install -y qemu-system-x86 qemu-utils
+      - name: Build VM image
+        # The test will build this if missing, but we do it explicitly
+        # to avoid cutting into the go test -timeout budget, and to
+        # fail earlier with a clearer error if the image build breaks.
+        run: |
+          make -C gokrazy natlab
       - name: Run natlab integration tests
         run: |
           ./tool/go test -v -run=^TestEasyEasy$ -timeout=3m -count=1 ./tstest/integration/nat  --run-vm-tests

.github/workflows/request-dataplane-review.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get access token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           # Get token for app: https://github.com/apps/change-visibility-bot

.github/workflows/ssh-integrationtest.yml

@@ -1,5 +1,5 @@
-# Run the ssh integration tests with `make sshintegrationtest`.
-# These tests can also be running locally.
+# Run the ssh integration tests in various Docker containers.
+# These tests can also be run locally via `make sshintegrationtest`.
 name: "ssh-integrationtest"
 
 concurrency:
@@ -15,9 +15,25 @@ on:
 jobs:
   ssh-integrationtest:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - base: "ubuntu:focal"
+            tag: "ssh-ubuntu-focal"
+          - base: "ubuntu:jammy"
+            tag: "ssh-ubuntu-jammy"
+          - base: "ubuntu:noble"
+            tag: "ssh-ubuntu-noble"
+          - base: "alpine:latest"
+            tag: "ssh-alpine-latest"
     steps:
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Run SSH integration tests
+      - name: Build test binaries
         run: |
-          make sshintegrationtest
+          GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test
+          GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled
+      - name: Run SSH integration tests (${{ matrix.base }})
+        run: |
+          docker build --build-arg="BASE=${{ matrix.base }}" -t "${{ matrix.tag }}" ssh/tailssh/testcontainers

.github/workflows/update-flake.yml

@@ -23,11 +23,11 @@ jobs:
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Run update-flakes
-        run: ./update-flake.sh
+      - name: Run updateflakes
+        run: ./tool/go run ./tool/updateflakes
 
       - name: Get access token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           # Get token for app: https://github.com/apps/tailscale-code-updater
@@ -41,8 +41,8 @@ jobs:
           author: Flakes Updater <noreply+flakes-updater@tailscale.com>
           committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
           branch: flakes
-          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
-          title: "go.mod.sri: update SRI hash for go.mod changes"
+          commit-message: "flakehashes.json: update SRI hash for go.mod changes"
+          title: "flakehashes.json: update SRI hash for go.mod changes"
           body: Triggered by ${{ github.repository }}@${{ github.sha }}
           signoff: true
           delete-branch: true

.github/workflows/update-webclient-prebuilt.yml

@@ -23,7 +23,7 @@ jobs:
           ./tool/go mod tidy
 
       - name: Get access token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           # Get token for app: https://github.com/apps/tailscale-code-updater

.github/workflows/vet.yml

@@ -36,4 +36,10 @@ jobs:
 
       - name: Run 'go vet'
         working-directory: src
-        run: ./tool/go vet -vettool=/tmp/vettool tailscale.com/...
+        # Use listpkgs --ignore-3p to skip tempfork/ packages, which
+        # intentionally match upstream and may not follow our style rules.
+        # Must use ./... instead of tailscale.com/... because the latter will
+        # include the v2 go client (tailscale.com/client/tailscale/v2) if it's
+        # a dependency in our go.mod file. Possibly a go vet bug, but avoid
+        # cross-repo vetting for now so we can safely add the dependency.
+        run: ./tool/go vet -vettool=/tmp/vettool $(./tool/go run ./tool/listpkgs --ignore-3p ./...)

.gitignore

@@ -1,12 +1,15 @@
 # Binaries for programs and plugins
 *~
 *.tmp
-*.exe
 *.dll
 *.so
 *.dylib
 *.spk
 
+*.exe
+# tool/go.exe is built specially and committed.
+!/tool/go.exe
+
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
 ssh/tailssh/testcontainers/tailscaled

.golangci.yml

@@ -10,9 +10,15 @@ linters:
   enable:
     - bidichk
     - govet
+    - importas
     - misspell
     - revive
   settings:
+    importas:
+      no-unaliased: true
+      alias:
+        - pkg: github.com/tailscale/gliderssh
+          alias: gliderssh
     # Matches what we use in corp as of 2023-12-07
     govet:
       enable:

Makefile

@@ -10,7 +10,7 @@ vet: ## Run go vet
 
 tidy: ## Run go mod tidy and update nix flake hashes
 	./tool/go mod tidy
-	./update-flake.sh
+	./tool/go run ./tool/updateflakes
 
 lint: ## Run golangci-lint
 	./tool/go run github.com/golangci/golangci-lint/cmd/golangci-lint run
@@ -137,10 +137,12 @@ publishdevproxy: check-image-repo ## Build and publish k8s-proxy image to locati
 sshintegrationtest: ## Run the SSH integration tests in various Docker containers
 	@GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
 	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
-	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \
-	echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t ssh-alpine-latest ssh/tailssh/testcontainers
+	echo "Testing on ubuntu:focal, ubuntu:jammy, ubuntu:noble, alpine:latest (in parallel)" && \
+	docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers & \
+	docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers & \
+	docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers & \
+	docker build --build-arg="BASE=alpine:latest" -t ssh-alpine-latest ssh/tailssh/testcontainers & \
+	wait
 
 .PHONY: generate
 generate: ## Generate code

README.md

@@ -37,7 +37,7 @@ not open source.
 
 ## Building
 
-We always require the latest Go release, currently Go 1.25. (While we build
+We always require the latest Go release, currently Go 1.26. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)
 

appc/appconnector_test.go

@@ -698,7 +698,7 @@ func TestRateLogger(t *testing.T) {
 		wasCalled = true
 	})
 
-	for i := 0; i < 3; i++ {
+	for range 3 {
 		clock.Advance(1 * time.Millisecond)
 		rl.update(0)
 		if wasCalled {
@@ -720,7 +720,7 @@ func TestRateLogger(t *testing.T) {
 		wasCalled = true
 	})
 
-	for i := 0; i < 3; i++ {
+	for range 3 {
 		clock.Advance(1 * time.Minute)
 		rl.update(0)
 		if wasCalled {
@@ -736,6 +736,7 @@ func TestRateLogger(t *testing.T) {
 }
 
 func TestRouteStoreMetrics(t *testing.T) {
+	clientmetric.ResetForTest(t)
 	metricStoreRoutes(1, 1)
 	metricStoreRoutes(1, 1)         // the 1 buckets value should be 2
 	metricStoreRoutes(5, 5)         // the 5 buckets value should be 1

appc/conn25.go

@@ -6,7 +6,9 @@ package appc
 import (
 	"cmp"
 	"slices"
+	"strings"
 
+	"tailscale.com/ipn/ipnext"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/appctype"
 	"tailscale.com/util/mak"
@@ -15,9 +17,46 @@ import (
 
 const AppConnectorsExperimentalAttrName = "tailscale.com/app-connectors-experimental"
 
+func isPeerEligibleConnector(peer tailcfg.NodeView) bool {
+	if !peer.Valid() || !peer.Hostinfo().Valid() {
+		return false
+	}
+	isConn, _ := peer.Hostinfo().AppConnector().Get()
+	return isConn
+}
+
+func sortByPreference(ns []tailcfg.NodeView) {
+	// The ordering of the nodes is semantic (callers use the first node they can
+	// get a peer api url for). We don't (currently 2026-02-27) have any
+	// preference over which node is chosen as long as it's consistent.  In the
+	// future we anticipate integrating with traffic steering.
+	slices.SortFunc(ns, func(a, b tailcfg.NodeView) int {
+		return cmp.Compare(a.ID(), b.ID())
+	})
+}
+
+// PickConnector returns peers the backend knows about that match the app, in order of preference to use as
+// a connector.
+func PickConnector(nb ipnext.NodeBackend, app appctype.Conn25Attr) []tailcfg.NodeView {
+	appTagsSet := set.SetOf(app.Connectors)
+	matches := nb.AppendMatchingPeers(nil, func(n tailcfg.NodeView) bool {
+		if !isPeerEligibleConnector(n) {
+			return false
+		}
+		for _, t := range n.Tags().All() {
+			if appTagsSet.Contains(t) {
+				return true
+			}
+		}
+		return false
+	})
+	sortByPreference(matches)
+	return matches
+}
+
 // PickSplitDNSPeers looks at the netmap peers capabilities and finds which peers
 // want to be connectors for which domains.
-func PickSplitDNSPeers(hasCap func(c tailcfg.NodeCapability) bool, self tailcfg.NodeView, peers map[tailcfg.NodeID]tailcfg.NodeView) map[string][]tailcfg.NodeView {
+func PickSplitDNSPeers(hasCap func(c tailcfg.NodeCapability) bool, self tailcfg.NodeView, peers map[tailcfg.NodeID]tailcfg.NodeView, isSelfEligibleConnector bool) map[string][]tailcfg.NodeView {
 	var m map[string][]tailcfg.NodeView
 	if !hasCap(AppConnectorsExperimentalAttrName) {
 		return m
@@ -26,25 +65,43 @@ func PickSplitDNSPeers(hasCap func(c tailcfg.NodeCapability) bool, self tailcfg.
 	if err != nil {
 		return m
 	}
-	tagToDomain := make(map[string][]string)
+
+	// We strip the leading *. from any domains because the OS treats all domains
+	// that we pass to it as wildcard domains, and the OS would treat the * character
+	// as a literal domain component instead of treating it as a wildcard.
+	// We also use a Set to deduplicate the domains we pass to the OS in case removing
+	// the *. prefix resulted in duplicate entries.
+	tagToDomain := make(map[string]set.Set[string])
+	selfTags := set.SetOf(self.Tags().AsSlice())
+	selfRoutedDomains := set.Set[string]{}
 	for _, app := range apps {
+		domains := make(set.Set[string])
+		for _, domain := range app.Domains {
+			domains.Add(strings.ToLower(strings.TrimPrefix(domain, "*.")))
+		}
 		for _, tag := range app.Connectors {
-			tagToDomain[tag] = append(tagToDomain[tag], app.Domains...)
+			if tagToDomain[tag] == nil {
+				tagToDomain[tag] = set.Set[string]{}
+			}
+			tagToDomain[tag].AddSet(domains)
+			if isSelfEligibleConnector && selfTags.Contains(tag) {
+				selfRoutedDomains.AddSet(domains)
+			}
 		}
 	}
 	// NodeIDs are Comparable, and we have a map of NodeID to NodeView anyway, so
 	// use a Set of NodeIDs to deduplicate, and populate into a []NodeView later.
 	var work map[string]set.Set[tailcfg.NodeID]
 	for _, peer := range peers {
-		if !peer.Valid() || !peer.Hostinfo().Valid() {
-			continue
-		}
-		if isConn, _ := peer.Hostinfo().AppConnector().Get(); !isConn {
+		if !isPeerEligibleConnector(peer) {
 			continue
 		}
 		for _, t := range peer.Tags().All() {
 			domains := tagToDomain[t]
-			for _, domain := range domains {
+			for domain := range domains {
+				if selfRoutedDomains.Contains(domain) {
+					continue
+				}
 				if work[domain] == nil {
 					mak.Set(&work, domain, set.Set[tailcfg.NodeID]{})
 				}
@@ -60,12 +117,7 @@ func PickSplitDNSPeers(hasCap func(c tailcfg.NodeCapability) bool, self tailcfg.
 		for id := range ids {
 			nodes = append(nodes, peers[id])
 		}
-		// The ordering of the nodes in the map vals is semantic (dnsConfigForNetmap uses the first node it can
-		// get a peer api url for as its split dns target). We can think of it as a preference order, except that
-		// we don't (currently 2026-01-14) have any preference over which node is chosen.
-		slices.SortFunc(nodes, func(a, b tailcfg.NodeView) int {
-			return cmp.Compare(a.ID(), b.ID())
-		})
+		sortByPreference(nodes)
 		mak.Set(&m, domain, nodes)
 	}
 	return m