Skip to content

Prepare patch release v1.8.3 on release branch#3497

Merged
kalleep merged 5 commits intorelease/v1.8from
prep-v1.8.3
May 5, 2025
Merged

Prepare patch release v1.8.3 on release branch#3497
kalleep merged 5 commits intorelease/v1.8from
prep-v1.8.3

Conversation

@kalleep
Copy link
Contributor

@kalleep kalleep commented May 5, 2025

kalleep and others added 5 commits May 5, 2025 09:49
@kalleep
fix: panic that happens when a target gets deleted when using decompr…
10b6f3a 
…ession (#3475)

* Fix panic caused that can happen when when file is removed for
decompressor

* Change to start readLine start and stops updatePositions

* Add changelog
@TheoBrigitte @kalleep
Fix mimir.rules.kubernetes panic on non-leader debug info retrieval (#…
40a725a 
…3451)

* Fix mimir.rules.kubernetes to only return eventProcessor state if it exists
@kalleep @wildum
fix: deadlock in loki.source.file when target is removed (#3488)
9505e2a 
* Fix deadlock that can happen when stopping reader tasks

Co-authored-by: William Dumont <william.dumont@grafana.com>
@kalleep
fix: emit valid logfmt key (#3495)
25ae6af 
* Fix log keys to be valid for logfmt

* Add changelog
@maratkhv @kalleep
Fix streams limit error check so that metrics are correctly labeled a…
1dacda2 
…s `ReasonStreamLimited` (#3466)

* fix: replace direct error string compare with isErrMaxStreamsLimitExceeded helper

* update CHANGELOG

* Make errMaxStreamsLimitExceeded an error type
@kalleep kalleep requested a review from a team as a code owner May 5, 2025 07:58
@github-actions
Copy link
Contributor

github-actions bot commented May 5, 2025

😢 zizmor failed with exit code 14.

Expand for full output 
error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/autolock.yml:19:9
   |
19 |       - uses: dessant/lock-threads@v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/backport.yml:2:1
  |
2 | / on:
3 | |   pull_request_target:
4 | |     types:
5 | |       - closed
6 | |       - labeled
  | |_______________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/check-linux-build-image.yml:30:9
   |
30 |         uses: docker/setup-qemu-action@v3.6.0
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/check-linux-build-image.yml:33:9
   |
33 |         uses: docker/setup-buildx-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/check-linux-build-image.yml:36:9
   |
36 |         uses: docker/build-push-action@v6
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/check-windows-build-image.yml:16:9
   |
16 |         uses: mr-smithers-excellent/docker-build-push@v6
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/create_build_image.yml:43:7
   |
43 |       uses: docker/setup-qemu-action@v3.6.0
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/create_build_image.yml:46:7
   |
46 |       uses: docker/setup-buildx-action@v3
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/create_build_image.yml:49:7
   |
49 |       uses: docker/build-push-action@v6
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/depcheck.yml:15:9
   |
15 |         uses: rfratto/depcheck@main
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/fuzz-go.yml:28:9
   |
28 |         - name: Find fuzz tests
   |           ^^^^^^^^^^^^^^^^^^^^^ this step
29 |           id: find-tests
30 | /         run: |
31 | |           TEST_FILES=$(find "${{ inputs.directory }}" -name '*_test.go' -not -path './vendor/*')
...  |
61 | |
62 | |           echo 'tests=['$INCLUDE_STRING']' >> $GITHUB_OUTPUT
   | |____________________________________________________________^ inputs.directory may expand into attacker-controllable code
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/fuzz-go.yml:28:9
   |
28 |         - name: Find fuzz tests
   |           ^^^^^^^^^^^^^^^^^^^^^ this step
29 |           id: find-tests
30 | /         run: |
31 | |           TEST_FILES=$(find "${{ inputs.directory }}" -name '*_test.go' -not -path './vendor/*')
...  |
61 | |
62 | |           echo 'tests=['$INCLUDE_STRING']' >> $GITHUB_OUTPUT
   | |____________________________________________________________^ inputs.directory may expand into attacker-controllable code
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/fuzz-go.yml:92:9
   |
92 |         - name: Fuzz
   |           ^^^^^^^^^^ this step
93 | /         run: |
94 | |           # Change directory to the package first, since go test doesn't
...  |
97 | |           cd "${{ matrix.package }}"
98 | |           go test -fuzz="${{ matrix.function }}\$" -run="${{ matrix.function }}\$" -fuzztime="${{ inputs.fuzz-time }}" .
   | |________________________________________________________________________________________________________________________^ inputs.fuzz-time may expand into attacker-controllable code
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/helm-release.yml:28:9
   |
28 |         - name: List changed charts
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ this step
29 |           id: list-changed
30 | /         run: |
31 | |           cd source
...  |
58 | |             echo "changed=false" >> $GITHUB_OUTPUT
59 | |           fi
   | |____________^ github.ref_name may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/helm-release.yml:28:9
   |
28 |         - name: List changed charts
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ this step
29 |           id: list-changed
30 | /         run: |
31 | |           cd source
...  |
58 | |             echo "changed=false" >> $GITHUB_OUTPUT
59 | |           fi
   | |____________^ github.ref_name may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-release.yml:26:9
   |
26 |         uses: helm/chart-testing-action@v2.7.0
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/helm-release.yml:102:9
    |
102 |         uses: azure/setup-helm@v4
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/helm-release.yml:145:9
    |
145 |         uses: softprops/action-gh-release@v2
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-test.yml:28:9
   |
28 |         uses: azure/setup-helm@v4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-test.yml:49:9
   |
49 |         uses: azure/setup-helm@v4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-test.yml:60:9
   |
60 |         uses: helm/chart-testing-action@v2.7.0
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-test.yml:74:9
   |
74 |         uses: helm/kind-action@v1.12.0
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[excessive-permissions]: overly broad permissions
 --> ./.github/workflows/publish-alloy-devel.yml:9:3
  |
9 |   id-token: write
  |   ^^^^^^^^^^^^^^^ id-token: write is overly broad at the workflow level
  |
  = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/publish-alloy.yaml:48:7
   |
48 |       - run: |
   |  _______^
49 | |        & "C:/Program Files/git/bin/bash.exe" -c 'WINDOWS_VERSION=${{matrix.os}} ALLOY_GO_VERSION=${{steps.get_go_version.outputs.alloy_go_version}} ./tools/ci/docker-containers-windows ${{ inputs.img-name }}'
   | |                                                                                                                                                                                                                 ^
   | |_________________________________________________________________________________________________________________________________________________________________________________________________________________|
   |                                                                                                                                                                                                                   this step
   |                                                                                                                                                                                                                   inputs.img-name may expand into attacker-controllable code
   |
   = note: audit confidence → Low

error[unpinned-uses]: unpinned action reference
 --> ./.github/workflows/scripts.yml:9:7
  |
9 |     - uses: azohra/shell-linter@latest
  |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
  |
  = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/test_pr.yml:17:7
   |
17 |       uses: golangci/golangci-lint-action@v6
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/test_pr.yml:21:7
   |
21 |       uses: golangci/golangci-lint-action@v6
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/trivy.yml:38:9
   |
38 |         uses: github/codeql-action/upload-sarif@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

160 findings (96 ignored, 36 suppressed): 0 unknown, 0 informational, 0 low, 0 medium, 28 high

@kalleep kalleep merged commit a3cd334 into release/v1.8 May 5, 2025
38 checks passed
@kalleep kalleep deleted the prep-v1.8.3 branch May 5, 2025 08:48
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@wildum wildum wildum approved these changes

Assignees

No one assigned

Labels

frozen-due-to-age

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kalleep @wildum @TheoBrigitte @maratkhv