Merge stable into develop #9494
Open
infrahub-github-bot-app[bot] wants to merge 19 commits into
The utilization query now resolves the deepest active edge per hop, so branches with additions or deletions report accurate values instead of inheriting or doubling main-branch state.
* docs: add SSO account-name fallback deprecation guide

  Adds a deprecation guide documenting the transitional sso_account_name_fallback setting (default enabled in 1.8.7 / 1.9.7 / 1.10.x, removed in 1.11). Covers the account-takeover exposure it addresses, who is affected, version-dependent exposure, the upgrade -> link -> disable migration sequence, a GraphQL verification query using is_externally_managed, and the removal timeline. Registers the guide in the docs sidebar.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs: drop advisory link from SSO fallback guide

  Remove the GHSA advisory links and note that a link to the security publication will be added once it is available.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs: remove unpublished advisory references from SSO fallback guide

  Drop the security-advisory mention and placeholder links since the advisory is not yet published; keep the implementing PR reference.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs: add IdP display-name condition to SSO fallback exposure

  The exposure also requires that the SSO provider lets end users set or change their own display name; add it to the conditions list.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs: align SSO fallback threat description with IdP display-name condition

  Reframe the threat so the enabling factor (the IdP letting users change their own display name) is part of the core description, consistent with the exposure conditions list.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps [github/gh-aw-actions](https://github.com/github/gh-aw-actions) from 0.77.5 to 0.78.3.
- [Release notes](https://github.com/github/gh-aw-actions/releases)
- [Changelog](https://github.com/github/gh-aw-actions/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw-actions@v0.77.5...8cfea5a)

---
updated-dependencies:
- dependency-name: github/gh-aw-actions
  dependency-version: 0.78.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…ationale (#9476) * docs: document generated-doc regeneration, gpg test trap, and SOLID rationale
…e/github/gh-aw-actions-0.78.3 chore(deps): bump github/gh-aw-actions from 0.77.5 to 0.78.3
…tion Add an informational, optional section to the production deployment guide listing the Neo4j and Redis privileges Infrahub actually needs, so operators can run it with restricted users instead of admin credentials. It is a reference note, not a mandatory step of the deployment process. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The least-privilege Redis ACL in the production deployment guide now includes +@transaction. Prefect's Redis-backed task manager (distributed and HA deployments) wraps writes in MULTI/EXEC, which is the @transaction category and not covered by @read/@write. A note clarifies it is only exercised when the task manager is backed by Redis and is otherwise harmless to grant. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Extend the production deployment guide's least-privilege section to cover the message broker and the task manager database alongside Neo4j and Redis:
- RabbitMQ: a tagless user with configure/write/read on the virtual host; Infrahub uses AMQP only and never the management API.
- PostgreSQL: a non-superuser role that owns the task manager's database and schema, instead of the postgres superuser.

Renames the section to "Least-privilege service credentials" and adds the broker credentials to the example .env.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
PostgreSQL is a product name with mid-word capitals (like RabbitMQ), so the sentence-case heading check flagged the new "PostgreSQL" heading. Add it to the exceptions list. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
…und service The task-manager-background-svc enables PREFECT_SERVER_SERVICES_TRIGGERS but doesn't tune its READ_BATCH_SIZE, unlike EVENT_PERSISTER and TASK_RUN_RECORDER. Add the missing var (default 1, override via INFRAHUB_TESTING_TASKMGR_TRIGGERS_READ_BATCH_SIZE) in both docker-compose.test.yml and docker-compose-cluster.test.yml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The E2E job patched the installed chrome binary (objdump to find net::internal::AddressTrackerLinux::ReadMessages, then dd an 0xc3 RET over it) to dodge ERR_NETWORK_CHANGED flake from Docker/veth netlink churn on the runners. That offset detection depends on an exact mangled symbol and binary layout, both of which newer Playwright/Chromium builds change, so the patch breaks. Replace it with an LD_PRELOAD shim (no_netlink.c) that fails NETLINK_ROUTE sockets with EAFNOSUPPORT at the libc level, so AddressTrackerLinux::Init takes its graceful "assume always online" path. This is version-independent since it never inspects the chromium binary. The shim is compiled in CI and injected into the browser process only, via playwright.config.ts launchOptions keyed on NO_NETLINK_SO, keeping it out of node/pnpm subprocesses. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
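As an added illustration (not the project's own no_netlink.c), a minimal LD_PRELOAD shim in the spirit described above: it interposes socket(2), refuses NETLINK_ROUTE sockets with EAFNOSUPPORT so Chromium's AddressTrackerLinux takes its "assume always online" path, and forwards every other request to the kernel through syscall(2) instead of dlsym(RTLD_NEXT) so it builds without -ldl. The helper name no_netlink_should_block is an assumption for this example.

```c
/* Added example of an LD_PRELOAD socket shim; not the project's no_netlink.c.
 * Build: gcc -shared -fPIC -o no_netlink.so no_netlink_example.c
 * Use:   LD_PRELOAD=$PWD/no_netlink.so <browser binary>
 */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/netlink.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Helper name is an assumption for this example. Returns 1 when the request is
 * for a NETLINK_ROUTE socket, the channel Chromium's AddressTrackerLinux opens
 * to watch interface/address changes; everything else (AF_INET, AF_UNIX, other
 * netlink protocols) passes through untouched. */
int no_netlink_should_block(int domain, int type, int protocol) {
    (void)type; /* SOCK_RAW vs SOCK_DGRAM does not change the decision */
    return domain == AF_NETLINK && protocol == NETLINK_ROUTE;
}

/* Interposed libc entry point. Loaded via LD_PRELOAD, this definition is found
 * before libc's socket(); the pass-through goes straight to the kernel, so the
 * shim never needs dlsym() or -ldl. */
int socket(int domain, int type, int protocol) {
    if (no_netlink_should_block(domain, type, protocol)) {
        /* The same error the kernel reports for an unsupported family;
         * AddressTrackerLinux::Init handles it by assuming it is online. */
        errno = EAFNOSUPPORT;
        return -1;
    }
    return (int)syscall(SYS_socket, domain, type, protocol);
}
```

Because the decision depends only on the socket family and protocol, the shim keeps working across Chromium versions, unlike the symbol-offset patch it replaces.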
Bump @playwright/test and the playwright/playwright-core pnpm overrides from 1.56.1 to 1.60.0 (latest stable), refresh the lockfile, and update the tech-stack note in AGENTS.md. The netlink LD_PRELOAD shim added in the prior commit replaces the binary patching that broke on newer Chromium builds, so the upgrade no longer depends on it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…butes (#9025)

* IFC-2449: Performance improvements for transform based computed attributes
* add news fragment
* chunk the workflow submission
* Update backend/infrahub/computed_attribute/tasks.py
* Update backend/infrahub/computed_attribute/tasks.py
* Fix typing issue: use integer division for chunk_size

  Co-authored-by: fatih-acar <fatih-acar@users.noreply.github.com>

* prevent 0 division
* fix(git): skip CommitUpdatedEvent on storage-recovery re-clone

  When a worker loses its local clone and re-clones the repository, the re-clone yields the same commit already stored. Emitting CommitUpdatedEvent on that path triggered a redundant full recompute of every Python computed attribute. Skip the event when the repository was reinitialized.

  Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: fatih-acar <fatih-acar@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Aaron McCarty <aaron@opsmill.com>
Co-authored-by: Fatih Acar <fatih@opsmill.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Bumps [actions/labeler](https://github.com/actions/labeler) from 6.0.1 to 6.1.0.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@v6.0.1...v6.1.0)

---
updated-dependencies:
- dependency-name: actions/labeler
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bump pnpm/action-setup v4 -> v6 (ci.yml, chromatic.yml) and switch opsmill/paths-filter@v3.0.2 -> dorny/paths-filter@v4.0.1 in ci.yml to clear the Node.js 20 deprecation warnings before runners drop Node 20 on 2026-09-16. pnpm/action-setup v6 runs a self-installer that shells out to npm; on runners whose node24 externals ship a broken npm this fails with "Cannot find module '../lib/cli.js'" (pnpm/action-setup#251). Fix per the maintainer: run actions/setup-node before pnpm/action-setup so a working npm shadows the broken one on PATH, and move store caching from setup-node's `cache: pnpm` (which requires pnpm to pre-exist) to pnpm/action-setup's own `cache: true`. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merging stable into develop after merging pull request #9476.
Summary by cubic
Fixes branch-scoped IPAM utilization and speeds up transform-based computed attributes by chunking workflow submissions and capping related-resource reads. Stabilizes E2E by replacing the Chromium patch with an LD_PRELOAD netlink shim and upgrading `@playwright/test` to 1.60; also enforces cardinality-one adds in `RelationshipAdd`, skips redundant recomputes on repository re-clone, adds least-privilege deployment guidance (Neo4j/Redis/RabbitMQ/PostgreSQL), documents the observability stack (Helm/Compose), adds an SSO account-name fallback deprecation guide, validates generated docs in CI, bumps CI `github/gh-aw-actions` to 0.78.3 and `actions/labeler` to 6.1.0, tunes Prefect testcontainers with a TRIGGERS read batch size, and updates CI to Node 24-compatible actions (`pnpm/action-setup@v6`, `dorny/paths-filter@v4`) with pnpm caching in the action.

Bug Fixes

- `PrefixUtilizationGetter` is branch-scoped and non-mixing; `utilization_branches` is clamped to non-negative.
- `IPPrefixUtilization` is fixed to compare against the default branch correctly.
- `RelationshipAdd`: reject multiple peers for cardinality-one relationships; tests added; changelog updated.
- Cap `PREFECT_SERVER_EVENTS_MAXIMUM_RELATED_RESOURCES` for better throughput.
- Skip `CommitUpdatedEvent` on storage-recovery re-clone to avoid a full redundant recompute.
- Add `PREFECT_SERVER_SERVICES_TRIGGERS_READ_BATCH_SIZE` (default 1) for the background service.
- Replace the Chromium binary patch with the `no_netlink.so` shim (CI builds and injects via `NO_NETLINK_SO`); upgrade `@playwright/test`/`playwright-core` to 1.60; the Playwright config scopes the preload to the browser process.

Migration

- `PrefixUtilizationGetter` now requires `branch` in the constructor and no longer accepts `branch_names`.
- `IPPrefixUtilization.init` now requires `branch=...`. Update any custom callers accordingly.

Written for commit c3ac0b9. Summary will update on new commits.