π§ chore(release): consolidate v1.6.0-rc.1#522
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedToo many files! This PR contains 883 files, which is 583 over the limit of 300. To get a review, narrow the scope: βοΈ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: β Files ignored due to path filters (13)
π Files selected for processing (883)
You can disable this status message by setting the Use the checkbox below for a quick retry:
β¨ Finishing Touchesπ§ͺ Generate unit tests (beta)
Comment |
## Summary - updates the Alpine tzdata pin from 2026b-r0 to the currently available 2026c-r0 - adds a regression that rejects the retired revision - restores the release-container build that blocked PR #522 Playwright before tests could start ## Verification - regression failed against the old pin and passes with the fix - complete release image builds locally with fresh pulls - full pre-push gate passes: 100 maintenance tests, 31 workflow tests, 37 website-script tests, 100 percent backend/UI coverage, app/UI builds, Biome, accepted Qlty baseline, and Zizmor After this merges, PR #522 will be rebuilt from the new accepted dev/v1.6 tree and its complete matrix restarted. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ### Changelog - π§ Changed Alpine `tzdata` pin from `2026b-r0` to `2026c-r0`. - β¨ Added regression coverage rejecting the retired `2026b-r0` revision. - π Fixed release-container build configuration. ### Verification - Regression tests passed. - Release-image build passed. - Full pre-push checks passed. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary Clears all seven CodeQL annotations exposed by the consolidated v1.6 release PR without weakening behavior or globally suppressing analysis. - opens persisted SBOM documents descriptor-first with O_NOFOLLOW and O_NONBLOCK, then validates file type, exact bytes, and checksum - expresses registry in-flight Promise identity with Object.is and adds a stale-old versus fresh-pending interleaving regression - replaces three whole-source URL regex assertions with literal indexOf checks that retain substring semantics - constructs intentional Drydock template expressions through the existing literal-template helper ## Root-cause verification - the filesystem alert came from a redundant path lstat before a descriptor-safe open - the URL alerts were test-only substring checks, where adding anchors would break intent - the Promise comparison is intentional identity cleanup; awaiting it would be a runtime bug - the template strings are second-stage Drydock templates, not JavaScript interpolation ## Verification - 44 SBOM-storage tests - 220 BaseRegistry tests - 569 Trigger tests - 9 release-doc identity tests - 3 website marketing tests - complete pre-push gate: 100 maintenance tests, 31 workflow tests, 37 website-script tests, 100 percent backend/UI coverage, app/UI builds, Biome, accepted Qlty baseline, and Zizmor After merge, PR #522 will be rebuilt from the new accepted dev/v1.6 head and its full CodeQL and release matrix restarted. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Changelog - π Secure SBOM document reads with atomic descriptor-based validation, `O_NOFOLLOW`, size, and checksum checks. - π Fix registry cache race handling by comparing Promise identity explicitly; add interleaving regression coverage. - π§ Replace regex URL assertions with literal `indexOf` checks while preserving substring semantics. - π§ Use `buildLiteralTemplateExpression` for intentional Drydock template expressions. - π§ Verified SBOM, registry, trigger, release-document, and website tests, plus pre-push, builds, coverage, Biome, Qlty, and Zizmor gates. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
4c8c348 to
f5a01c0
Compare
|
Deployment failed with the following error: Learn More: https://vercel.com/codeswhat?upgradeToPro=build-rate-limit |
f5a01c0 to
f339997
Compare
f339997 to
0462a11
Compare
|
Deployment failed with the following error: Learn More: https://vercel.com/codeswhat?upgradeToPro=build-rate-limit |
## Summary - evaluate trusted Passport authentication state before request-controlled method/path data in the auth rate-limit exemption - share that security-sensitive authentication predicate with identity-aware rate-limit keying - preserve the existing contract: only authenticated `GET /auth/user` skips the shared public auth budget - add ordering, helper-delegation, and truth-table regression coverage for authenticated, anonymous, nonmatching, and missing-auth-function requests ## Why GitHub Code Scanning alert #551 (`js/user-controlled-bypass`) traced `req.path` to a later short-circuited `req.isAuthenticated()` call. Reordering the conjunction removes request control over whether the security check runs without moving any routes or weakening the 100-per-15-minute limiter for unauthenticated traffic. CodeRabbit review-body feedback was incorporated: the Passport guard is centralized in one tested helper, both limiter paths use it, and the auth limiter test explicitly asserts delegation while independently proving evaluation order. ## Verification - TDD red: ordering regression received `method`, `path`, `authenticated` - TDD red: shared helper tests failed before the helper export existed - focused auth/rate-limit suites: 183/183 passed - app production build passed - final exact-head pre-push gate passed in 338.07s - 105 maintenance tests - 31 workflow tests - UI typecheck - 100% backend and UI coverage - backend and UI builds - Biome and accepted Qlty baseline ## Release integration Target is `dev/v1.6`. After exact-head review and merge, PR #522 will be rebuilt from the updated frozen remote dev tree and its complete release matrix rerun before the final 24-hour NAS acceptance. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Changelog - π Fixed auth rate-limit exemption ordering to evaluate trusted Passport authentication before request-controlled method and path data. - π§ Changed auth limiter and identity-aware rate-limit keying to use shared `isRequestAuthenticated`. - β¨ Added regression coverage for authentication ordering, helper delegation, authenticated/anonymous requests, nonmatching routes, and missing auth functions. - π Preserved bypass behavior exclusively for authenticated `GET /auth/user` requests. ## Verification - Focused auth/rate-limit tests passed. - Production build passed. - Full pre-push verification passed. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
0462a11 to
8d93f4b
Compare
β¦534) The #523 tzdata `2026c-r0` pin landed on `dev/v1.6` without its changelog bullet, so the dated `[1.6.0-rc.1]` section shipped no mention of the image-build failure it fixes. This adds the bullet under **Fixed**, next to the related Trivy image-digest entry, referencing #523 and the post-GA main-side application #533. Found by the 2026-07-14 release-train correctness review: the v1.6 release consolidation (#522) sources its tree from the accepted dev head, so without this the rc.1 release notes silently omit a real shipped fix. Docs-only: no runtime change. Full local pre-push gate green (lint, qlty, scripts/workflow tests, app+ui 100% coverage, builds, zizmor).
8d93f4b to
96f23fd
Compare
Summary
dev/v1.6.planningchanges from the release diff and historyImmutable release construction
mainatbdcb8d837d74dc0305a387ae91e18cb54318c4e7dev/v1.6at0f107d2134ea5515070efa2e1a5af7b6d0a973bb8d93f4bff6d8f2712715acb262d02c286a1e285c59819a792b39f6d4f422b148bfbd2dbd105f27dbdev/v1.6tree exactly.planningis absent from frozen main and the release head and contributes zero files or commitsLocal verification on the exact release head
1.6.0Final merge gate
Do not merge this PR or cut
v1.6.0-rc.1until the exact-head GitHub CI, Playwright, Cucumber, load/security matrix, CodeRabbit/Qlty/CodeQL review, two required non-author approvals, manual candidate scanner/tool/image identity and multi-arch checks, and isolated 24-hour NAS acceptance report are clean withpassed: true. The 24-hour NAS run starts last from the frozen approved tree. After RC.1, require seven full days of soak before GA and promote the exact RC digest; any code change requires a new RC and a fresh soak.