Skip to content

Fix data races in built-in BundlePublisher plugins on dynamic reconfiguration#7082

Merged
sorindumitru merged 1 commit into
spiffe:mainfrom
amartinezfayo:fix-bundlepublisher-client-race
Jun 19, 2026
Merged

Fix data races in built-in BundlePublisher plugins on dynamic reconfiguration#7082
sorindumitru merged 1 commit into
spiffe:mainfrom
amartinezfayo:fix-bundlepublisher-client-race

Conversation

@amartinezfayo

@amartinezfayo amartinezfayo commented Jun 18, 2026

Copy link
Copy Markdown
Member

The built-in BundlePublisher plugins assign their storage client in Configure and read it in PublishBundle without any synchronization. Several of them also read the cached bundle in getBundle while holding configMtx, even though setBundle writes it under a separate bundleMtx, so the two never exclude each other.

These were harmless while Configure only ran once during plugin initialization, but dynamic reconfiguration now calls Configure again at runtime, so it can run concurrently with PublishBundle. That produces data races on both the client field and the cached bundle, and a concurrent reconfiguration could also leave PublishBundle using a client that no longer matches the active configuration.

This PR fixes the aws_s3, gcp_cloudstorage, and aws_rolesanywhere_trustanchor plugins by storing the configuration and its client together and updating them atomically under configMtx, with getConfig returning both so that PublishBundle always observes a matching pair. It also corrects getBundle in those plugins to read under bundleMtx, matching setBundle. The k8s_configmap plugin already stores its clients inside the configuration and reads the bundle under the correct lock, so it needs no change. The azure_blob plugin under review in #7030 has the same structure and adopts this pattern there.

Changes:

  • Store the config and storage client as a pair under configMtx in the aws_s3, gcp_cloudstorage, and aws_rolesanywhere_trustanchor plugins, returned together from getConfig.
  • Read the cached bundle under bundleMtx in getBundle to match setBundle in those plugins.
  • Guard the client read in the gcp_cloudstorage Close method.
  • Add a TestConcurrentConfigureAndPublish regression test to each fixed plugin that runs Configure and PublishBundle concurrently and fails under -race without the fix.

@amartinezfayo amartinezfayo added this to the 1.15.2 milestone Jun 18, 2026
@amartinezfayo
amartinezfayo force-pushed the fix-bundlepublisher-client-race branch from c259bb1 to 368812d Compare June 18, 2026 14:28
…guration

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
@amartinezfayo amartinezfayo changed the title Fix data races in the aws_s3 and gcp_cloudstorage BundlePublisher plugins on dynamic reconfiguration Fix data races in built-in BundlePublisher plugins on dynamic reconfiguration Jun 18, 2026
@amartinezfayo
amartinezfayo force-pushed the fix-bundlepublisher-client-race branch from 368812d to 3b7a874 Compare June 18, 2026 14:44
@amartinezfayo
amartinezfayo requested a review from Copilot June 18, 2026 15:09

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes data races in built-in BundlePublisher plugins during dynamic reconfiguration by ensuring configuration/client are updated and read atomically, and by using the correct mutex for cached bundle access.

Changes:

  • Atomically store and retrieve (config, client) under configMtx in aws_s3, gcp_cloudstorage, and aws_rolesanywhere_trustanchor.
  • Fix getBundle to read under bundleMtx (matching setBundle) in the affected plugins.
  • Add concurrent Configure vs PublishBundle regression tests intended to fail under -race without the fix.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
pkg/server/plugin/bundlepublisher/gcpcloudstorage/gcpcloudstorage.go Atomically pairs config+client under configMtx; fixes bundle locking; guards client read in Close.
pkg/server/plugin/bundlepublisher/gcpcloudstorage/gcpcloudstorage_test.go Adds concurrent Configure/Publish regression test.
pkg/server/plugin/bundlepublisher/awss3/awss3.go Atomically pairs config+client under configMtx; fixes bundle locking.
pkg/server/plugin/bundlepublisher/awss3/awss3_test.go Adds concurrent Configure/Publish regression test.
pkg/server/plugin/bundlepublisher/awsrolesanywhere/awsrolesanywhere.go Atomically pairs config+client under configMtx; fixes bundle locking; introduces setConfig.
pkg/server/plugin/bundlepublisher/awsrolesanywhere/awsrolesanywhere_test.go Adds concurrent Configure/Publish regression test.

Comment thread pkg/server/plugin/bundlepublisher/awss3/awss3_test.go
@amartinezfayo
amartinezfayo marked this pull request as ready for review June 18, 2026 18:39
@amartinezfayo amartinezfayo removed this from the 1.15.2 milestone Jun 18, 2026
@github-actions github-actions Bot assigned sorindumitru and unassigned MarcosDY Jun 18, 2026
@sorindumitru
sorindumitru enabled auto-merge June 18, 2026 20:13
@sorindumitru
sorindumitru added this pull request to the merge queue Jun 18, 2026
@github-merge-queue
github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 18, 2026
@sorindumitru sorindumitru added this to the 1.15.2 milestone Jun 19, 2026
@sorindumitru
sorindumitru added this pull request to the merge queue Jun 19, 2026
Merged via the queue into spiffe:main with commit 06cf96c Jun 19, 2026
157 of 161 checks passed
zzzz465 added a commit to pubg/spire that referenced this pull request Jul 16, 2026
* build(deps): bump github.com/open-policy-agent/opa from 1.16.2 to 1.17.0 (#6997)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.16.2 to 1.17.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.16.2...v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Apply PQC policy to bundle endpoint and prometheus server (#6995)

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* build(deps): bump the aws-sdk group with 2 updates (#6996)

Bumps the aws-sdk group with 2 updates: [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/smithy-go](https://github.com/aws/smithy-go).


Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.101.0 to 1.102.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.101.0...service/s3/v1.102.0)

Updates `github.com/aws/smithy-go` from 1.25.1 to 1.26.0
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.25.1...v1.26.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.102.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: use structured logger for rebootstrap messages and fix typos (#7000)

Signed-off-by: immanuwell <pchpr.00@list.ru>

* Fix stale proto directory layout in CONTRIBUTING.md (#7011)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.7 (#7005)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.10.6 to 1.10.7.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.10.6...v1.10.7)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump cloud.google.com/go/security (#7004)

Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/security` from 1.24.0 to 1.25.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.24.0...kms/v1.25.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
  dependency-version: 1.25.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/aws/aws-sdk-go-v2/service/autoscaling (#7003)

Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/autoscaling](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/autoscaling` from 1.66.0 to 1.67.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.66.0...service/s3/v1.67.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/autoscaling
  dependency-version: 1.67.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add Copilot repository custom instructions (#7009)

* Add Copilot repository custom instructions

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address Copilot comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Add links to the SDK repositories

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Note that field names come from pkg/common/telemetry/names.go

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Add support for two more PQC curves (#6999)

Go 1.26 added support for these so we can allow using them

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* build(deps): bump google.golang.org/api in the google-cloud-sdk group (#7014)

Bumps the google-cloud-sdk group with 1 update: [google.golang.org/api](https://github.com/googleapis/google-api-go-client).


Updates `google.golang.org/api` from 0.282.0 to 0.283.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.282.0...v0.283.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.283.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/sigstore/sigstore from 1.10.7 to 1.10.8 (#7016)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.10.7 to 1.10.8.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.10.7...v1.10.8)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* agent: add `log_selectors` config item (#6981)

* agent: log configured workload selectors on identity failures

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* agent: minor refactor to reduce num params

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* agent: log selectors as single string

Addresses review comment.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* agent: Sort selectors before logging

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

---------

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* build(deps): bump github.com/shirou/gopsutil/v4 from 4.26.4 to 4.26.5 (#7015)

Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.26.4 to 4.26.5.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.26.4...v4.26.5)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-version: 4.26.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump the aws-sdk group with 7 updates (#7013)

Bumps the aws-sdk group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.304.0` | `1.305.0` |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) | `1.53.1` | `1.54.1` |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.52.0` | `1.53.1` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.102.0` | `1.103.0` |
| [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2) | `1.41.0` | `1.42.0` |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) | `1.42.0` | `1.43.0` |
| [github.com/aws/smithy-go](https://github.com/aws/smithy-go) | `1.26.0` | `1.27.0` |


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.304.0 to 1.305.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.304.0...service/ec2/v1.305.0)

Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.53.1 to 1.54.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.53.1...service/s3/v1.54.1)

Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.52.0 to 1.53.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.52.0...service/s3/v1.53.1)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.102.0 to 1.103.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.102.0...service/s3/v1.103.0)

Updates `github.com/aws/aws-sdk-go-v2/service/secretsmanager` from 1.41.0 to 1.42.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.41.0...service/s3/v1.42.0)

Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.42.0 to 1.43.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.42.0...service/s3/v1.43.0)

Updates `github.com/aws/smithy-go` from 1.26.0 to 1.27.0
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.26.0...v1.27.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.305.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
  dependency-version: 1.54.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-version: 1.53.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.103.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-version: 1.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#7024)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 (#7026)

Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.2 to 5.10.0.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jackc/pgx/compare/v5.9.2...v5.10.0)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Retry image builds to tolerate transient base image pull failures (#7032)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* build(deps): bump github.com/aws/smithy-go from 1.27.0 to 1.27.1 in the aws-sdk group (#7033)

build(deps): bump github.com/aws/smithy-go in the aws-sdk group

Bumps the aws-sdk group with 1 update: [github.com/aws/smithy-go](https://github.com/aws/smithy-go).


Updates `github.com/aws/smithy-go` from 1.27.0 to 1.27.1
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.27.0...v1.27.1)

---
updated-dependencies:
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.27.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Datastore config doc updates (#7023)

* server sql doc: explain connection string

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* server sql doc: spelling of AWS_SECRET_ACCESS_KEY

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* server sql doc: misc cleanups

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

---------

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* Retry container image pulls in integration tests to reduce CI flakiness (#7031)

* Retry container image pulls in integration tests to reduce CI flakiness

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Hardcode retry attempts and backoff in integration tests

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Upgrade go-spiffe to 2.7.0 (#7035)

* Upgrade go-spiffe to 2.7.0

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Add dumy implementations for WIT-SVID API

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

---------

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Remove the unused kind configuration from the cert-manager integration test (#7037)

* Remove stale kindest/node pin from the cert-manager integration test

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Remove the now-unused cert-manager kind config

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Add assignee rotation with ball-in-court tracking for pull requests (#7012)

* Add round-robin reviewer auto-assignment with ball-in-court tracking

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address Copilot comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address Copilot comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Exclude bot-authored PRs from reviewer rotation

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Pick the PR assignee at random instead of by PR number

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Fix assign-reviewer not setting an assignee on open (#7043)

Scope assign-reviewer concurrency per event action

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* build(deps): bump github.com/mattn/go-sqlite3 from 1.14.44 to 1.14.45 (#7041)

Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.44 to 1.14.45.
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.44...v1.14.45)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/google/go-tpm-tools from 0.4.8 to 0.4.9 (#7040)

Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.4.8 to 0.4.9.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.4.8...v0.4.9)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-version: 0.4.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0 in the azure-sdk group (#7039)

build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore

Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.21.1 to 1.22.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.21.1...sdk/azcore/v1.22.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: azure-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* test: Add x509util certificate coverage (#7029)

Signed-off-by: Keegan Witt <keeganwitt@gmail.com>

* Add SPIRE-backed Prometheus TLS identity and SPIFFE allowlist (#6812)

* Add SPIRE-backed Prometheus TLS identity and SPIFFE allowlist

(cherry picked from commit 2ec839e145e276b6e1079f49831a8a023f92f266)
Signed-off-by: aviralgarg05 <gargaviral99@gmail.com>

* Fix markdown table formatting to pass lint

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: aviralgarg05 <gargaviral99@gmail.com>
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* test(common/idutil): Expand IDFromProto coverage (#7028)

Add table-driven coverage for invalid trust domain values.

Preserve the existing path validation cases and keep expectations aligned with actual behavior.

Signed-off-by: Keegan Witt <keeganwitt@gmail.com>

* Correct the stale actions/upload-artifact version comment to v7.0.1 (#7053)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Update the review ball-in-court on fork PRs via workflow_run (#7052)

* Update the review ball-in-court on fork PRs via workflow_run

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address Copilot comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address Copilot comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Harden review-apply against forged capture artifacts

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Mention the review-existence and bot checks in the workflow headers

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* build(deps): bump the aws-sdk group across 1 directory with 2 updates (#7059)

Bumps the aws-sdk group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/smithy-go](https://github.com/aws/smithy-go).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.305.0 to 1.306.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.305.0...service/ec2/v1.306.0)

Updates `github.com/aws/smithy-go` from 1.27.1 to 1.27.2
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.27.1...v1.27.2)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.306.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.27.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump google.golang.org/api from 0.283.0 to 0.284.0 in the google-cloud-sdk group (#7058)

build(deps): bump google.golang.org/api in the google-cloud-sdk group

Bumps the google-cloud-sdk group with 1 update: [google.golang.org/api](https://github.com/googleapis/google-api-go-client).


Updates `google.golang.org/api` from 0.283.0 to 0.284.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.283.0...v0.284.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.284.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/open-policy-agent/opa from 1.17.0 to 1.17.1 (#7050)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.17.0 to 1.17.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/v1.17.1/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.17.0...v1.17.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.17.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* agent: treat failure of all attestation plugins as overall failure & return Unavailable (#7045)

* agent: handle failure of all attestation plugins

Treat failure from all attestation plugins as an overall workload
attestation failure instead of returning no selectors. Without any
selectors, we can never match any workload registration entry.

This early error return path will result in clearer error logs. For
example, in FetchJWTSVID, we'll log "Workload attestation failed"
instead of "No identity issued" with a misleading "registered=false"
field.

Also, pass any attestation error to the telemetry counter.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* agent: return Unavailable on attestation fail

Map workload attestation failures to gRPC code Unavailable in request
handlers, instead of returning raw attestor errors (which could be gRPC
errors received from the plugins that may not make sense for the
Workload API, or non-gRPC errors that would get mapped to gRPC code
Unknown).

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

---------

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* fix: validate missing Workload API endpoint in spire upstreamauthority (#7008)

* fix: validate missing workload API endpoint in spire upstreamauthority

Signed-off-by: immanuwell <pchpr.00@list.ru>

* fix: reject invalid platform workload API settings early

Signed-off-by: immanuwell <pchpr.00@list.ru>

* fix: address review comments on spire upstreamauthority validation

Signed-off-by: immanuwell <pchpr.00@list.ru>

---------

Signed-off-by: immanuwell <pchpr.00@list.ru>

* build(deps): bump actions/github-script from 7.0.1 to 9.0.0 (#7047)

Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 9.0.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/60a0d83039c74a4aee543508d2ffcb1c3799cdea...3a2844b7e9c422d3c10d287c895573f7108da1b3)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump the golang-org-x group across 1 directory with 3 updates (#7061)

Bumps the golang-org-x group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](https://github.com/golang/crypto/compare/v0.52.0...v0.53.0)

Updates `golang.org/x/net` from 0.55.0 to 0.56.0
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)

Updates `golang.org/x/sys` from 0.45.0 to 0.46.0
- [Commits](https://github.com/golang/sys/compare/v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-org-x
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-org-x
- dependency-name: golang.org/x/sys
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-org-x
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Prefer determining pod and container ids from cgroup file (#7060)

* Prefer determining pod and container ids from cgroup file

This file is owned by the kernel and a workload is not able to influence it in any way.

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Fixup previous tests

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

---------

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* build(deps): bump github.com/sigstore/cosign/v3 from 3.0.6 to 3.1.1 (#7055)

Bumps [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) from 3.0.6 to 3.1.1.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v3.0.6...v3.1.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v3
  dependency-version: 3.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix Azure IMDS Plugin Signature Validation (#6960)

* Fix Azure IMDS Plugin Signature Validation

Signed-off-by: Changheng Gu <cgu@confluent.io>

* Update cert and documentation

Signed-off-by: Changheng Gu <cgu@confluent.io>

* Use slices.Contains for domain validation

Signed-off-by: Changheng Gu <cgu@confluent.io>

* address comment

Signed-off-by: Changheng Gu <cgu@confluent.io>

* address comments

Signed-off-by: Changheng Gu <cgu@confluent.io>

---------

Signed-off-by: Changheng Gu <cgu@confluent.io>

* Switch Dependabot to grouped weekly PRs and drop the auto-merge workflow (#7070)

* Switch Dependabot to grouped weekly PRs and drop the auto-merge workflow

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address Copilot comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.306.0 to 1.307.0 in the aws-sdk group (#7067)

build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2

Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.306.0 to 1.307.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.306.0...service/ec2/v1.307.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.307.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump regclient/actions from c70ad64367908075211b10dcd2ab9fad4bfa1816 to 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 (#7063)

build(deps): bump regclient/actions

Bumps [regclient/actions](https://github.com/regclient/actions) from c70ad64367908075211b10dcd2ab9fad4bfa1816 to 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560.
- [Release notes](https://github.com/regclient/actions/releases)
- [Changelog](https://github.com/regclient/actions/blob/main/RELEASE.md)
- [Commits](https://github.com/regclient/actions/compare/c70ad64367908075211b10dcd2ab9fad4bfa1816...14f9d37db17b5dc41fefd1ffdd1af4b9e2490560)

---
updated-dependencies:
- dependency-name: regclient/actions
  dependency-version: 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/github-script from 7.0.1 to 9.0.0 (#7062)

Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 9.0.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7.0.1...3a2844b7e9c422d3c10d287c895573f7108da1b3)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix http_challenge agent name validation regex (#7066)

The agentNamePattern regex had a typo and a structural error. The
character class [a-zA-z] (lowercase z) spans ASCII 0x41-0x7A, which also
matches the six symbols between Z and a ([ \ ] ^ _ `), so names
containing them were accepted. The shape ^[a-zA-z]+[a-zA-Z0-9-]$ required
one or more letters followed by exactly one alphanumeric or dash, which
rejected ordinary agent names such as host01, agent-01 and web-agent.

Replace it with ^[a-zA-Z][a-zA-Z0-9-]*$ (a letter followed by letters,
digits or dashes), simplify validateAgentName to use MatchString, and add
test cases for the newly-accepted and newly-rejected names.

Signed-off-by: kanywst <niwatakuma@icloud.com>

* Upgrade to Go 1.26.4 (#7069)

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* [gcp_kms] add small sleep to get public key (#6924)

* [gcp_kms] add small sleep between attempts to getPublicKey

Signed-off-by: daescha <djschlatt@gmail.com>

* [gcp_kms] fix tests

Signed-off-by: daescha <djschlatt@gmail.com>

---------

Signed-off-by: daescha <djschlatt@gmail.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Add spire-agent workload API rate limiting by pod UID with OS UID fal… (#6724)

* Add spire-agent workload API rate limiting by pod UID with OS UID fallback

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Refactor rate limiting into shared package and optimize pod UID resolution

Extract the two-generation GC per-key rate limiter into
pkg/common/ratelimit so both the agent and server share the same
implementation. Add Kubernetes auto-detection to skip procfs reads on
non-k8s nodes and cache pod UID lookups per PID to reduce overhead.

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Rate limit workload API by SPIFFE ID after attestation

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Rekey rate limiter on attested selector set, expand coverage to bundles and SDS

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Clarify rate limiting log message covers Workload API and SDS

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Move rate-limit config to experimental, SHA-256-hash keys, exempt agent from SDS, expand exemption tests, use wg.Go

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Fix CI: avoid out-of-range slice index in test helper and commit regenerated test keys

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Fix CI: align markdown tables in spire_agent.md to satisfy MD060

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>

---------

Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
Signed-off-by: Kevin <4625079+terahertz5k@users.noreply.github.com>
Co-authored-by: Kevin Lui <kevin.lui@thetradedesk.com>

* Update dario.cat/merge dependency (#7083)

This seems to be currently causing issues for dependabot, so manually updating it

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* build(deps): bump the minor-and-patch group across 1 directory with 2 updates (#7084)

Bumps the minor-and-patch group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) and [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils).


Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.84.0 to 1.85.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.84.0...service/s3/v1.85.0)

Updates `k8s.io/mount-utils` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.36.1...v0.36.2)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/eks
  dependency-version: 1.85.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: k8s.io/mount-utils
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix data races in built-in BundlePublisher plugins on dynamic reconfiguration (#7082)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Fix flaky `gcp_kms` key manager tests caused by mock clock handling and shared fixture mutation (#7081)

* Fix flaky `gcp_kms` key manager tests caused by mock clock handling and shared fixture mutation

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address review comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* events: keep previous first/lastEvent information when reloading (#6994)

* events: keep previous first/lastEvent information when reloading

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* commitReload -> swapCache

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Add concurrent access test

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

---------

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* feat: Support for optional verification of client cert IPs (x509pop) (#6911)

* x509pop: add optional client IP verification

* Switchable with verify_client_ip feature flag
* When enabled, connecting peer's IP is extracted from the gRPC context
  header, forwarded a X-Forwarded-Client-IP, and validated against the
  leaf cert IP SANs

Signed-off-by: Jason Costello <jason@jsnc.tl>

* Adds unit test coverage for verify client IP attestation

Signed-off-by: Jason Costello <jason@jsnc.tl>

* [From review] Perform IP SAN check after X509 is verified

Signed-off-by: Jason Costello <jason@jsnc.tl>

* Fix unit tests to challenge, as required with Attest adjustments

Signed-off-by: Jason Costello <jason@jsnc.tl>

* PR changes

Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>

* PR changes

Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>

* Resolve lint issue on MD

Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>

---------

Signed-off-by: Jason Costello <jason@jsnc.tl>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Co-authored-by: Marcos Yacob <marcosyacob@gmail.com>

* migrate use of github.com/docker/docker dependencies to github.com/moby/moby equivalents to resolve CVEs (#7078)

migrate use of github.com/docker/docker dependencies to github.com/moby/moby equivalents

Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>

* refactor: use standard `fs.FS` to simplify code (#7046)

Simplify filesystem interfaces using stdlib

Replace our custom FileSystem interface with the standard library's
fs.FS interface, and benefit from its associated helpers.

The only slight downside is that we must now open "proc/[pid]/cgroups"
rather than "/proc/[pid]/cgroups", due to fs.FS interface semantics,
which looks a little bit odd perhaps, but it seems like an overall win
to me.

Also delete OSFileSystem type, which was entirely unused.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* Copilot instructions: tell it about new(EXPR) form (#7086)

Tell Copilot about this new Go feature.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* Fetch updated attested nodes in bulk (#7022)

* Fetch updated attested nodes in bulk

Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>

* checks for positive pageSize in buildAttestedNodesCache

Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>

* addresses Copilot's review comments

Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>

---------

Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>

* Tolerate mountinfo lines with an empty mount source (#7044)

* Tolerate mountinfo lines with an empty mount source

The docker workload attestor (and k8s, which shares the code) parses
/proc/<pid>/mountinfo via k8s.io/mount-utils ParseMountInfo, which splits
each line with strings.Fields and requires at least 10 fields. Per proc(5)
the mount source may be empty (a tmpfs mount has no source), which renders
as an empty field between the filesystem type and the super options. The
kernel escapes any real whitespace in a path as octal (\040), so the
double space in a line like:

    119 206 0:68 / /local rw,relatime - tmpfs  rw,size=8192k

unambiguously means an empty source. strings.Fields collapses that empty
field, so the line counts as 9 fields and ParseMountInfo rejects the whole
file with "wrong number of fields". The attestor then extracts no
container ID and no SVID is issued.

Replace the upstream call with a small SPIRE-side mountinfo parser that is
position-aware around the "-" separator, so the trailing fstype/source/
super-options triple is read by position and an empty source is tolerated.
Only the root and filesystem type are consumed by the extractor. This also
drops the k8s.io/mount-utils dependency (and its transitive moby/sys/
mountinfo) since it was the only user.

Adds a regression fixture with the empty-source tmpfs line plus unit tests
for the parser.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

* Use strings.Split to preserve empty mount-source fields

Switch parseMountInfoLine from the Index+Fields approach to
strings.Split(line, " "), which preserves empty fields between
consecutive spaces. This makes the empty-source handling more
direct: the separator and all fields are located by index in
a single slice.

Also switch parseMountInfo to stream lines with bufio.Scanner
instead of reading the whole file into memory first.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

* Use slices.Index for the mountinfo separator

Addresses review: replace the manual separator loop with slices.Index,
and drop the now-unused k8s.io/mount-utils dependency via go mod tidy.

Signed-off-by: arpitjain099 <arpitjain099@gmail.com>

---------

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Signed-off-by: arpitjain099 <arpitjain099@gmail.com>

* build(deps): bump the minor-and-patch group with 10 updates (#7091)

Bumps the minor-and-patch group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) | `1.13.1` | `1.14.0` |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) | `1.85.0` | `1.86.0` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.103.0` | `1.104.0` |
| [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) | `2.7.0` | `2.8.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.284.0` | `0.285.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto) | `0.0.0-20260526163538-3dc84a4a5aaa` | `0.0.0-20260610212136-7ab31c22f7ad` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.36.1` | `0.36.2` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.36.1` | `0.36.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.36.1` | `0.36.2` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.36.1` | `0.36.2` |


Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.13.1 to 1.14.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azidentity/v1.13.1...sdk/azcore/v1.14.0)

Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.85.0 to 1.86.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.85.0...service/s3/v1.86.0)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.103.0 to 1.104.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.103.0...service/s3/v1.104.0)

Updates `github.com/spiffe/go-spiffe/v2` from 2.7.0 to 2.8.0
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.7.0...v2.8.0)

Updates `google.golang.org/api` from 0.284.0 to 0.285.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.284.0...v0.285.0)

Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20260526163538-3dc84a4a5aaa to 0.0.0-20260610212136-7ab31c22f7ad
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `k8s.io/api` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/api/compare/v0.36.1...v0.36.2)

Updates `k8s.io/apimachinery` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.36.1...v0.36.2)

Updates `k8s.io/client-go` from 0.36.1 to 0.36.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.36.1...v0.36.2)

Updates `k8s.io/kube-aggregator` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.36.1...v0.36.2)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/service/eks
  dependency-version: 1.86.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.104.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: google.golang.org/api
  dependency-version: 0.285.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: google.golang.org/genproto/googleapis/rpc
  dependency-version: 0.0.0-20260610212136-7ab31c22f7ad
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: k8s.io/api
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: k8s.io/kube-aggregator
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump regclient/actions from 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 to 4b4db1dcc7dad75ad67a788a380f75a20cc8a040 (#7090)

build(deps): bump regclient/actions

Bumps [regclient/actions](https://github.com/regclient/actions) from 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 to 4b4db1dcc7dad75ad67a788a380f75a20cc8a040.
- [Release notes](https://github.com/regclient/actions/releases)
- [Changelog](https://github.com/regclient/actions/blob/main/RELEASE.md)
- [Commits](https://github.com/regclient/actions/compare/14f9d37db17b5dc41fefd1ffdd1af4b9e2490560...4b4db1dcc7dad75ad67a788a380f75a20cc8a040)

---
updated-dependencies:
- dependency-name: regclient/actions
  dependency-version: 4b4db1dcc7dad75ad67a788a380f75a20cc8a040
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#7089)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump msys2/setup-msys2 from 2.31.1 to 2.32.0 in the minor-and-patch group (#7088)

build(deps): bump msys2/setup-msys2 in the minor-and-patch group

Bumps the minor-and-patch group with 1 update: [msys2/setup-msys2](https://github.com/msys2/setup-msys2).


Updates `msys2/setup-msys2` from 2.31.1 to 2.32.0
- [Release notes](https://github.com/msys2/setup-msys2/releases)
- [Changelog](https://github.com/msys2/setup-msys2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/msys2/setup-msys2/compare/e9898307ac31d1a803454791be09ab9973336e1c...66cd2cce69caa17b53920067426061ca1de3a884)

---
updated-dependencies:
- dependency-name: msys2/setup-msys2
  dependency-version: 2.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: correct TTL logging in delegated identity X.509 SVID subscriber (#7071)

fix: correct TTL logging in delegated identity subscriber when admin/downstream identities are present

Signed-off-by: immanuwell <pchpr.00@list.ru>

* Document the ball-in-court review process in the pull request template (#7095)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* spire-agent: implement logger service (#7017)

* spire-agent: implement logger service

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Copilot review comments

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* review comments

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* review comments

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Remove auditing

there's no auditing support in the agent

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Use agent rpccontext

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Move status helpers to common/api

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Use status helpers from common/api

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Make sure logger metrics are emitted

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* fix linter errors

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Review comments

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Add RPC metric name test

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

---------

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* fix: cascade-delete registered_entries on attested node deletion (#6946)

* fix: cascade-delete registered_entries on attested node deletion

Previously, deleteAttestedNodeAndSelectors deleted AttestedNode and
NodeSelector rows but left registered_entries with parent_id matching
the deleted node's SPIFFE ID untouched. In particular, the alias row
that SPIRE auto-creates in createJoinTokenRegistrationEntry (when
CreateJoinToken is called with AgentId) would survive the node it was
minted for, accumulating as dead rows that still flow through the
server's entry cache and the events-based cache.

This extends deleteAttestedNodeAndSelectors to cascade: find entries
whose parent_id equals the deleted node's SPIFFE ID, delete each via
the existing deleteRegistrationEntrySupport helper, emit a
RegistrationEntryEvent per deletion so event-cache consumers see
them, and log each cascaded delete at Info with the usual
SPIFFEID/ParentID/RegistrationID telemetry fields (matching the
pruneRegistrationEntries pattern). The cascade fires for both
DeleteAttestedNode (admin delete) and PruneAttestedExpiredNodes
(periodic prune) since both paths reach this helper. Callers pass
their existing logger (ds.log for DeleteAttestedNode, the prune
logger for PruneAttestedExpiredNodes).

Mirrors the shape of #3873 which added the node_resolver_map_entries
cascade at the same function.

Fixes #6944

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

* doc: update spire_server.md

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

* doc: cleanup spire_server.md

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

* fix(sqlstore): narrow cascade to join-token-attested nodes

Per review feedback on #6946: cascading every entry parented on a
deleted attested node would also wipe legitimately user-registered
workload entries that happen to be parented directly on a non-join-
token agent SVID (e.g. spiffe://td/spire/agent/aws_iid/...). That
is a supported registration pattern, not an orphan.

Restrict the cascade in deleteAttestedNodeAndSelectors to nodes
whose attested DataType is "join_token". The auto-alias that
createJoinTokenRegistrationEntry writes is the only entry SPIRE
itself creates with parent_id = node SVID, so this still cleans up
the unbounded-growth case reported in #6944 without changing
behavior for any other attestor. A broader explicit cascade can be
added later behind a CLI flag, as suggested in the issue.

Add TestDeleteAttestedNodeNonJoinTokenDoesNotCascade asserting an
aws_iid-attested node's child entry survives node deletion and no
RegistrationEntryEvent is emitted. Existing cascade tests already
use join_token nodes and continue to pass.

Update doc/spire_server.md to reflect the narrowed scope.

Refs #6944

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

* fix(sqlstore): match alias selector shape on cascade

Per Copilot review feedback on #6946 (B): even within join-token-attested
nodes, child entries can be user-managed (e.g. an operator-created entry
parented on the agent SVID for a workload that happens to share that
parent). Cascading on parent_id alone would still over-delete those.

Tighten deleteAttestedNodeAndSelectors to match the exact shape that
createJoinTokenRegistrationEntry writes:
  - exactly one selector
  - selector.Type == "spiffe_id"
  - selector.Value == entry.ParentID

Anything else stays put.

Tests:
  - Add TestDeleteAttestedNodeJoinTokenPreservesNonAliasChildEntries
    (replaces the federation multi-test): asserts an alias-shaped child
    cascades while a unix-selector workload child parented on the same
    join_token-attested node survives, and exactly one entry event is
    emitted.
  - Sharpen TestDeleteAttestedNodeNonJoinTokenDoesNotCascade: switch
    the child entry to alias-shaped selectors so the test isolates the
    DataType filter from the selector-shape filter.
  - Extract lastRegistrationEntryEventID() helper used by all four
    cascade tests (Copilot review comment 4).

Refs #6944

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

* doc(spire_server): re-align config table to widest row

The cascade note added in 61a42b9ad widened the prune_attested_nodes_expired_for
description to 581 chars while every other row in the table sat at 480, tripping
markdownlint MD060/table-column-style. Pad the description column on every other
row in the table to match, keeping pipe positions identical at columns 1, 38,
516, 581 across the entire config table.

Pure padding change; no rendered content moved. Separator row padded with
dashes (preserving continuous alignment marker), content rows with spaces.

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

* test(agent): cover join-token alias cascade end-to-end, cross-ref shape

Incorporates review feedback on #6946.

- Cross-reference the auto-alias entry shape between its writer
  (createJoinTokenRegistrationEntry) and the cascade matcher
  (deleteAttestedNodeAndSelectors) so the two can't drift silently.
- Add TestCascadeDeleteJoinTokenAliasEntry exercising the real
  CreateJoinToken -> DeleteAgent path; fakedatastore is backed by the
  sqlstore, so a shape change that misses the matcher fails the test.
- Document that manual `agent evict`/`agent purge` also cascade and that
  the cleanup is forward-only (pre-existing orphans are not swept).
- Revert the unrelated config-table realignment to keep the doc diff minimal.

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

---------

Signed-off-by: angabini <494150+angabini@users.noreply.github.com>

* Add tag-based key discovery support in the `aws_kms` KeyManager plugin (#7006)

* Add tag-based key discovery support in the `aws_kms` KeyManager plugin

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address Copilot comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address review comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Fix data race in spiretest log assertion helper (#7096)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* spire-agent: try to enable SE_DEBUG_PRIVILEGE at startup on windows (#7073)

* spire-agent: try to enable SE_DEBUG_PRIVILEGE at startup on windows

The [OpenProcessToken](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken) API mentions that
SE_DEBUG_NAME/SeDebugPrivilege (why two different names, windows???) privilege is required for opening the process token for a process running as a more
privileged account (it does work from admin to admin users without this).

Attempt to enable this and log an warning if that fails.

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Workaround broken AdjustTokenPrivileges

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Move function to global variable

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

---------

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Fix azure_imds node attestation for standalone VMs (#6807)

Signed-off-by: Ravishen Jain <ravisshen@gmail.com>

* Fix flaky fetch-jwt-svids integration test by waiting for the restarted server (#7108)

* Fix flaky fetch-jwt-svids integration test by waiting for the restarted server

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address review comments

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Add azure_imds network interface unmarshal regression test (#7106)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Add force-push guidance to the PR template and reference it from CONTRIBUTING.md (#7105)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* build(deps): bump the minor-and-patch group with 10 updates (#7109)

Bumps the minor-and-patch group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.307.0` | `1.308.0` |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) | `1.86.0` | `1.87.0` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.6` | `0.21.7` |
| [github.com/hashicorp/go-metrics](https://github.com/hashicorp/go-metrics) | `0.5.4` | `0.6.0` |
| [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) | `1.14.45` | `1.14.47` |
| [github.com/moby/moby/api](https://github.com/moby/moby) | `1.54.2` | `1.55.0` |
| [github.com/moby/moby/client](https://github.com/moby/moby) | `0.4.1` | `0.5.0` |
| [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) | `4.26.5` | `4.26.6` |
| [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) | `2.8.0` | `2.8.1` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.285.0` | `0.286.0` |


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.307.0 to 1.308.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.307.0...service/ec2/v1.308.0)

Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.86.0 to 1.87.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.86.0...service/s3/v1.87.0)

Updates `github.com/google/go-containerregistry` from 0.21.6 to 0.21.7
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.21.6...v0.21.7)

Updates `github.com/hashicorp/go-metrics` from 0.5.4 to 0.6.0
- [Release notes](https://github.com/hashicorp/go-metrics/releases)
- [Commits](https://github.com/hashicorp/go-metrics/compare/v0.5.4...v0.6.0)

Updates `github.com/mattn/go-sqlite3` from 1.14.45 to 1.14.47
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.45...v1.14.47)

Updates `github.com/moby/moby/api` from 1.54.2 to 1.55.0
- [Release notes](https://github.com/moby/moby/releases)
- [Commits](https://github.com/moby/moby/compare/api/v1.54.2...api/v1.55.0)

Updates `github.com/moby/moby/client` from 0.4.1 to 0.5.0
- [Release notes](https://github.com/moby/moby/releases)
- [Changelog](https://github.com/moby/moby/blob/v0.5.0/CHANGELOG.md)
- [Commits](https://github.com/moby/moby/compare/v0.4.1...v0.5.0)

Updates `github.com/shirou/gopsutil/v4` from 4.26.5 to 4.26.6
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.26.5...v4.26.6)

Updates `github.com/spiffe/go-spiffe/v2` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.8.0...v2.8.1)

Updates `google.golang.org/api` from 0.285.0 to 0.286.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.285.0...v0.286.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.308.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/service/eks
  dependency-version: 1.87.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: github.com/hashicorp/go-metrics
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: github.com/moby/moby/api
  dependency-version: 1.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/moby/moby/client
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-version: 4.26.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-version: 2.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: google.golang.org/api
  dependency-version: 0.286.0
  dependency-type: direct:production
  update-type: versio…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants