
Conversation

@AlekSi AlekSi (Member) commented Feb 19, 2025

No description provided.

@mergify mergify bot assigned AlekSi Feb 20, 2025
Comment on lines 28 to 59

```yaml
name: Test
runs-on: ubuntu-24.04
timeout-minutes: 15

# Do not run this job in parallel for any PR change or branch push.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true

if: github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'not ready')

steps:
  # TODO https://github.com/FerretDB/github-actions/issues/211
  - name: Checkout code
    uses: actions/checkout@v4

  - name: Setup Go
    uses: FerretDB/github-actions/setup-go@main

  - name: Run tests
    run: |
      cd ferretdb_packaging
      go mod tidy
      go mod verify
      go test ./...

  - name: Check dirty
    if: always()
    run: |
      git status --untracked-files --ignored
      git status
      git diff --exit-code
```
Check warning

Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 3 months ago)

To fix the problem, explicitly set the permissions key to restrict the GITHUB_TOKEN to the least privilege required. Since the workflow appears to only check out code, set up Go, and run tests (all read-only operations), the minimal required permission is contents: read. This can be set at the workflow level (applies to all jobs) or at the job level (applies only to the test job). The best practice is to set it at the workflow level unless a job requires different permissions. To implement the fix, add the following block near the top of the workflow file, after the name and before on or after on (either is valid YAML):

```yaml
permissions:
  contents: read
```

No additional methods, imports, or definitions are needed.


Suggested changeset 1: .github/workflows/ferretdb_go_tests.yml

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_go_tests.yml b/.github/workflows/ferretdb_go_tests.yml
--- a/.github/workflows/ferretdb_go_tests.yml
+++ b/.github/workflows/ferretdb_go_tests.yml
@@ -2,2 +2,4 @@
 name: Go
+permissions:
+  contents: read
 on:
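Review bot: contents: read is the right workflow-level default here: every step in the flagged Test job (checkout, setup-go, go mod tidy/verify, go test, git status and git diff --exit-code) only reads the repository, so nothing in it needs write scope on GITHUB_TOKEN. Placing the block between `name: Go` and `on:` as this hunk does is valid YAML; if a later job in this workflow needs more (for example writing a check run or a PR comment), grant that with a job-level permissions: block on that job rather than widening this default.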
EOF
@AlekSi AlekSi added the not ready Issues that are not ready to be worked on; PRs that should skip CI label Feb 22, 2025
@AlekSi AlekSi deleted the branch main February 27, 2025 18:31
@AlekSi AlekSi closed this Feb 27, 2025
@AlekSi AlekSi reopened this Feb 27, 2025
@mergify mergify bot commented Jul 15, 2025

@AlekSi this pull request has merge conflicts.

@mergify mergify bot added the conflict PRs that have merge conflicts label Jul 15, 2025
@mergify mergify bot removed the conflict PRs that have merge conflicts label Jul 16, 2025
AlekSi added 4 commits July 28, 2025 09:25
# Conflicts:
#	.github/workflows/codeql.yml
That solves a problem with builds of older tags when new commits with the same prefix are added:

```
0.104.0 gitref: HEAD sha:2045d0e buildId:0
0.104.0 gitref: HEAD sha:2045d0e0 buildId:0
```
Comment on lines +127 to +135

```yaml
- name: Build ${{ steps.version.outputs.package_version }}
  if: steps.version.outputs.package_version != ''
  run: ./packaging/build_packages.sh --os ${{ matrix.os }} --pg ${{ matrix.pg }} --version ${{ steps.version.outputs.package_version }} --test-clean-install

- name: Upload packages
```
Check failure

Code scanning / CodeQL: Cache Poisoning via execution of untrusted code (High)

Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code (pull_request_target).

Copilot Autofix (AI, 2 months ago)

To fix the problem, the workflow should not run untrusted code in the context of the default branch. The best way to do this is to change the workflow trigger from pull_request_target to pull_request for jobs that build or execute code from PRs. The pull_request event runs in the context of the PR branch, not the default branch, and does not have access to privileged secrets or caches from the default branch. This change should be made in the workflow file .github/workflows/ferretdb_packages.yml by replacing the pull_request_target event with pull_request in the on: section. Additionally, update any logic that checks for github.event_name == 'pull_request_target' to use github.event_name == 'pull_request' instead. This ensures that untrusted code is only run in a safe context and prevents cache poisoning.


Suggested changeset 1: .github/workflows/ferretdb_packages.yml

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -23,7 +23,7 @@
 
 name: Packages
 on:
-  pull_request_target:
+  pull_request:
     types:
       - unlabeled # if GitHub Actions stuck, add and remove "not ready" label to force rebuild
       - opened
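Review bot: swapping pull_request_target for pull_request changes more than the checkout context, and the hunk does not address the consequences: under pull_request, runs for pull requests from forks get a read-only GITHUB_TOKEN and no repository secrets, so the Upload packages step visible in the scanning comment above has to be checked for secret or write-token use before this is merged. The unlabeled/opened activity types listed here are supported by pull_request as well, so the "not ready" label trick in the comment keeps working.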
@@ -93,14 +93,14 @@
     steps:
       # TODO https://github.com/FerretDB/github-actions/issues/211
       - name: Checkout code
-        if: github.event_name != 'pull_request_target'
+        if: github.event_name != 'pull_request'
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # for `generate_extension_version.sh` to work
 
       # TODO https://github.com/FerretDB/github-actions/issues/211
       - name: Checkout pull request code
-        if: github.event_name == 'pull_request_target'
+        if: github.event_name == 'pull_request'
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # for `generate_extension_version.sh` to work
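Review bot: after this change both checkout steps test for the same event name, so the if: conditions no longer separate a trusted checkout from an untrusted one; under pull_request, actions/checkout's default ref is already the PR merge commit, which makes the dedicated "Checkout pull request code" step redundant. Either collapse the two into one unconditional checkout with fetch-depth: 0, or, if the second step checks out a specific ref in the part of its with: block not shown in this hunk, verify that ref still resolves under the new event.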
@@ -112,7 +106,7 @@
           git status
 
       - name: Name branch
-        if: github.event_name == 'pull_request_target'
+        if: github.event_name == 'pull_request'
         env:
           BRANCH: ${{ github.head_ref }} # see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
         run: git checkout -b $BRANCH
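Review bot: the hunk header `@@ -112,7 +106,7 @@` claims a six-line shift in the new file, but the two preceding hunks in this patch are line-count neutral (7 to 7 and 14 to 14), so the offsets are inconsistent; regenerate the patch against the current file and confirm it applies rather than trusting the headers. Minor: `run: git checkout -b $BRANCH` should quote the expansion (`git checkout -b "$BRANCH"`) so a head ref containing glob characters is passed as one literal argument; the intermediate BRANCH env var is already the right way to keep github.head_ref out of the shell script text.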
EOF
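Both CodeQL findings on this page (the missing workflow-level permissions block, and the pull_request_target trigger combined with a checkout of PR code) can be caught before CodeQL runs with a small pre-commit check. The following is an added example, not code from this PR, from FerretDB, or from CodeQL: a line-oriented lint over workflow text (no YAML parser needed) that flags each pattern, run over two constructed sample workflows; the sample workflows and the set of ref patterns treated as "PR head" are assumptions.

```python
import re
TOP_KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):")  # unindented "key:" line
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
# refs that resolve to the pull request's own code, i.e. untrusted input
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head|refs/pull/|github\.head_ref")

def _section(lines, key):  # lines of top-level `key`, key line included
    out, inside = [], False
    for line in lines:
        m = TOP_KEY_RE.match(line)
        inside = m.group(1) == key if m else inside
        if inside:
            out.append(line)
    return out

def lint_workflow(text):  # returns finding strings; [] means clean
    lines, findings = text.splitlines(), []
    if not _section(lines, "permissions"):
        findings.append("missing-permissions: no workflow-level permissions block")
    privileged = "pull_request_target" in "\n".join(_section(lines, "on"))
    if privileged:
        findings.append("pull_request_target: PR runs get base-branch secrets/cache")
    for i, line in enumerate(lines):
        if CHECKOUT_RE.search(line):
            indent = len(line) - len(line.lstrip())
            for j in range(i + 1, len(lines)):  # walk the rest of this step only
                nxt = lines[j]
                ind = len(nxt) - len(nxt.lstrip())
                if nxt.strip() and (ind < indent or
                                    (ind == indent and nxt.lstrip().startswith("- "))):
                    break  # reached the next step or a parent key
                if privileged and PR_HEAD_RE.search(nxt):
                    findings.append(f"line {j + 1}: PR head checked out under pull_request_target")
    return findings

# Constructed sample in the shape CodeQL flagged above: no permissions block,
# a pull_request_target trigger, and a checkout of the PR's own head commit.
VULNERABLE = """\
name: Packages
on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
# Constructed sample: the shape the two autofixes above converge on.
HARDENED = VULNERABLE.replace("pull_request_target", "pull_request").replace(
    "name: Packages\n", "name: Packages\npermissions:\n  contents: read\n")
```

Job-level permissions blocks and checkouts that receive a PR ref through an intermediate variable are outside what this check sees; it is a cheap first gate, not a replacement for CodeQL.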
AlekSi and others added 3 commits August 1, 2025 17:39
Closes FerretDB/FerretDB#5379.

Co-authored-by: Chi Fujii <chi.fujii@ferretdb.io>
* Merged PR 1743705: Enabling Plain Auth with Entra tokens

### Does this PR have any customer impact?

### Type (Feature, Refactoring, Bugfix, DevOps, Testing, Perf, etc)

### Does it involve schema level changes? (Table, Column, Index, UDF, etc level changes)

### Are you introducing any new config? If yes, do you have tests with and without them being set?

### ChangeLog (Refer [Template](../oss/CHANGELOG.md))

### Description

----
#### AI description  (iteration 1)
#### PR Classification
This pull request introduces a new authentication feature for enabling plain authentication using Entra tokens.

#### PR Summary
The change adds support for Entra plain authentication by implementing a dedicated token validation flow and updating related configuration and state management. This enhancement improves authentication flexibility in the Postgres gateway.
- `Tests.Postgres.CSharp/Integration/Entra/EntraPlainAuthTests.cs`: Introduces new integration tests for various Entra token scenarios (app token, managed identity, invalid claims, expired tokens, missing user).
- `AuthSaslScramHandlerBase.cs`: Adds a new method `HandleSaslPlainEntraStartRequestAsync` and refactors token validation logic to support Entra plain auth.
- `MongoPostgresAuthStateMachine.cs`: Updates the state machine to check Entra config flags and route PLAIN auth requests through the Entra-specific handler.
- `PostgresTenantConfiguration.cs` and `pgmongo.c`: Introduce and configure the `isEntraPlainAuthEnabled` flag with its default set to false.
- `AuthenticationType.cs`: Extends the enum by adding the new `EntraPlain` type for authentication.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->

* Merged PR 1751683: [User-Experience] Enhancing error message experience for output stages

### Does this PR have any customer impact?

### Type (Feature, Refactoring, Bugfix, DevOps, Testing, Perf, etc)

### Does it involve schema level changes? (Table, Column, Index, UDF, etc level changes)

### Are you introducing any new config? If yes, do you have tests with and without them being set?

### ChangeLog (Refer [Template](../oss/CHANGELOG.md))

### Description
[User-Experience] Enhancing Merge error message experience for unsupported cases

----
#### AI description  (iteration 1)
#### PR Classification
This pull request addresses a bug fix by enhancing the user experience for unsupported $merge stage scenarios with clearer error messages.

#### PR Summary
The changes introduce more specific error reporting when the $merge aggregation stage is used with mutable functions and unsupported stages, and update related test outputs accordingly.
- `oss/pg_documentdb/src/aggregation/bson_aggregation_output_pipeline.c`: Added checks for specific function IDs (e.g., system_rows, random, and empty data table functions) and updated error messages for unsupported $merge with $sample and missing collections, as well as changing the return type of `ValidatePreOutputStages` from bool to void.
- Test files under `oss/internal/pg_documentdb_distributed` and `pgmongo/src/test/docdb_compat`: Updated expected outputs to align with the revised error messages for unsupported aggregation scenarios.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->

---------

Co-authored-by: Deepak Pemmaraju <deepakpe@microsoft.com>
Co-authored-by: Parag Jain <paragjain@microsoft.com>
@mergify mergify bot commented Aug 11, 2025

@AlekSi this pull request has merge conflicts.

@mergify mergify bot added the conflict PRs that have merge conflicts label Aug 11, 2025
AlekSi added 3 commits August 12, 2025 08:55
# Conflicts:
#	CHANGELOG.md
#	packaging/debian_files/changelog
#	packaging/rpm_files/documentdb.spec
@mergify mergify bot removed the conflict PRs that have merge conflicts label Aug 13, 2025
@mergify mergify bot commented Aug 27, 2025

@AlekSi this pull request has merge conflicts.

@mergify mergify bot added the conflict PRs that have merge conflicts label Aug 27, 2025
@mergify mergify bot removed the conflict PRs that have merge conflicts label Oct 22, 2025