Renames test to Test_preChecks_sensitive_data_detected_decline. Uses a temporary .env file with an AWS token to reliably trigger the DefangLabs secret detector, and confirms that preChecks correctly aborts early on user decline.
Signed-off-by: Ishwar <ishwarcm@iitbhilai.ac.in>
Before this, assertion libraries were mixed, sometimes
even in the same file.
git grep -l '"gotest.tools/v3/' | wc -l
75
git grep -l '"github.com/stretchr/testify' | wc -l
24
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
For Docker daemons older than API 1.44, the extra networks omitted from
ContainerCreate must be connected individually after creation via
NetworkConnect. If any NetworkConnect call fails, remove the freshly
created container to prevent orphans.
Add two tests:
- TestCreateMobyContainerLegacyAPI: happy path verifying NetworkConnect
is called for the secondary network on API 1.43
- TestCreateMobyContainerLegacyAPI_NetworkConnectFailure: verifies
ContainerRemove is called with Force when NetworkConnect fails
Signed-off-by: jarek <jkrochmalski@gmail.com>
Before API 1.44 (Docker Engine 25.0), ContainerCreate only accepted a
single EndpointsConfig entry. Passing multiple entries silently drops
all but one network, leaving containers under-connected on older daemons
such as Docker 20.10 or Synology DSM 7.1/7.2.
Add apiVersion144 constant and wrap the secondary-networks loop in
defaultNetworkSettings so that only the primary network is included in
the ContainerCreate call when the negotiated API version is below 1.44.
Signed-off-by: jarek <jkrochmalski@gmail.com>
After API negotiation, Compose should only rely on the negotiated version
and never use the daemon's raw max version for request shaping. Merge both
functions into a single RuntimeAPIVersion that negotiates via Ping and
returns ClientVersion, erroring if the client reports an empty version
instead of silently falling back to ServerVersion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Replace sync.Once with sync.Mutex so that only successful version
lookups are cached. Errors (context cancellation, network blips) are
returned without caching, allowing subsequent calls to retry.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Moving runtimeVersionCache from a package-level var to instance fields on
composeService caused copylocks violations in methods using value receivers,
since sync.Once contains sync.noCopy. Switch the 4 affected methods to
pointer receivers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Move runtimeVersionCache from a package-level var to per-instance fields
on composeService and add CurrentAPIVersion() that negotiates via Ping
before returning the client version.
Switch getCreateConfigs and buildContainerVolumes to use
CurrentAPIVersion so that version-gated request shaping matches what
the daemon actually validates against (the negotiated API version from
the request path, not the server's max capability).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Dependabot PRs don't have access to the secrets required by the
cagent-action reusable workflow (CAGENT_ORG_MEMBERSHIP_TOKEN), causing
the org membership check to fail with "github-token not supplied".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
filepath.Join cleans its arguments, collapsing the double slash in
ssh:// URLs to a single slash (ssh:/), corrupting the scheme before
it reaches buildx. Return the dockerfile as-is for any URL-schemed
context, matching the existing behaviour for git:// and https:// URLs.
Fixes the issue #13668
Signed-off-by: Samaresh Kumar Singh <ssam3003@gmail.com>
Fixes CVE-2026-24051 (PATH hijacking in otel SDK).
Bumps all otel packages to v1.42.0 for consistency.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
- Pin all action references to full commit SHA instead of mutable
version tags. Tag retained as inline comment for readability.
- Remove pr-review.yml workflow.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
# Conflicts:
# .github/workflows/pr-review.yml
Introduce a GitHub Actions workflow that triggers an AI-powered code
review on pull requests using docker/cagent-action's reusable workflow.
- Restrict comment-triggered runs to OWNER/MEMBER/COLLABORATOR
- Gate on github.repository to prevent execution on forks
- Filter out draft PRs and bot actors
- Only trigger on PR comments, not plain issue comments
- Serialize reviews per PR via concurrency group
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Fixes template validation error in CI by updating to latest stable version
of docker/github-builder workflow. This resolves the JToken parsing error
in bake.yml@v1 that was causing bin-image-test to fail.
Signed-off-by: maks2134 <maks210306@yandex.by>
- Replace context.Background() with t.Context() in TestDoneDeadlockFix
- Ensures .idea files are not included in commit
Signed-off-by: maks2134 <maks210306@yandex.by>
- Replace context.Background() with context.WithCancel() in test
- Fix formatting issues (remove extra empty line)
Signed-off-by: maks2134 <maks210306@yandex.by>
Resolves race condition between main thread calling Done() and UI thread
calling printWithDimensions(). The issue was that Done() held the mutex
while sending to the done channel, but the UI thread needed the same
mutex to process the done signal.
Fixed by sending the done signal before acquiring the mutex, allowing
the UI thread to receive the signal and release any held locks.
Fixes#13639
Signed-off-by: maks2134 <maks210306@yandex.by>
go1.25.8 (released 2026-03-05) includes security fixes to the html/template,
net/url, and os packages, as well as bug fixes to the go command, the compiler,
and the os package. See the Go 1.25.8 milestone on our issue tracker for details.
- 1.25.8 https://github.com/golang/go/issues?q=milestone%3AGo1.25.8+label%3ACherryPickApproved
- diff: https://github.com/golang/go/compare/go1.25.7...go1.25.8
- 1.26.1 https://github.com/golang/go/issues?q=milestone%3AGo1.26.1+label%3ACherryPickApproved
- diff: https://github.com/golang/go/compare/go1.26.0...go1.26.1
---
We have just released Go versions 1.26.1 and 1.25.8, minor point releases.
These releases include 5 security fixes following the security policy:
crypto/x509: incorrect enforcement of email constraints
- When verifying a certificate chain which contains a certificate containing
multiple email address constraints (composed of the full email address) which
share common local portions (the portion of the address before the '@'
character) but different domain portions (the portion of the address after the
'@' character), these constraints will not be properly applied, and only the
last constraint will be considered.
This can allow certificates in the chain containing email addresses which are
either not permitted or excluded by the relevant constraints to be returned by
calls to Certificate.Verify. Since the name constraint checks happen after chain
building is complete, this only applies to certificate chains which chain to
trusted roots (root certificates either in VerifyOptions.Roots or in the system
root certificate pool), requiring a trusted CA to issue certificates containing
either not permitted or excluded email addresses.
This issue only affects Go 1.26.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2026-27137 and Go issue https://go.dev/issue/77952.
- crypto/x509: panic in name constraint checking for malformed certificates
Certificate verification can panic when a certificate in the chain has an empty
DNS name and another certificate in the chain has excluded name constraints.
This can crash programs that are either directly verifying X.509 certificate
chains, or those that use TLS.
Since the name constraint checks happen after chain building is complete, this
only applies to certificate chains which chain to trusted roots (root
certificates either in VerifyOptions.Roots or in the system root certificate
pool), requiring a trusted CA to issue certificates containing malformed DNS
names.
This issue only affects Go 1.26.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2026-27138 and Go issue https://go.dev/issue/77953.
- html/template: URLs in meta content attribute actions are not escaped
Actions which insert URLs into the content attribute of HTML meta tags are not
escaped. This can allow XSS if the meta tag also has an http-equiv attribute
with the value "refresh".
A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be
used to disable escaping URLs in actions in the meta content attribute which
follow "url=" by setting htmlmetacontenturlescape=0.
This is CVE-2026-27142 and Go issue https://go.dev/issue/77954.
- net/url: reject IPv6 literal not at start of host
The Go standard library function net/url.Parse insufficiently
validated the host/authority component and accepted some invalid URLs
by effectively treating garbage before an IP-literal as ignorable.
The function should have rejected this as invalid.
To prevent this behavior, net/url.Parse now rejects IPv6 literals
that do not appear at the start of the host subcomponent of a URL.
Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.
This is CVE-2026-25679 and Go issue https://go.dev/issue/77578.
- os: FileInfo can escape from a Root
On Unix platforms, when listing the contents of a directory using
File.ReadDir or File.Readdir the returned FileInfo could reference
a file outside of the Root in which the File was opened.
The contents of the FileInfo were populated using the lstat system
call, which takes the path to the file as a parameter. If a component
of the full path of the file described by the FileInfo is replaced with
a symbolic link, the target of the lstat can be directed to another
location on the filesystem.
The impact of this escape is limited to reading metadata provided by
lstat from arbitrary locations on the filesystem. This could be used
to probe for the presence or absence of files as well as gleaning
metadata like file sizes, but does not permit reading or writing files
outside the root.
The FileInfo is now populated using fstatat.
Thank you to Miloslav Trmač of Red Hat for reporting this issue.
This is CVE-2026-27139 and Go issue https://go.dev/issue/77827.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The moby/moby client (v0.2.2) validates that ConsoleSize is zero when
TTY is disabled, returning "console size is only supported when TTY is
enabled" otherwise. Previously, ConsoleSize was populated unconditionally
from GetTtySize(), which returns real terminal dimensions when Compose is
run interactively — causing post_start hooks to fail for services without
`tty: true`.
Fix by only reading and passing the console size when service.Tty is true.
Signed-off-by: Michael Irwin <michael.irwin@docker.com>
Resolves#13615
RunOneOffContainer was not executing post_start lifecycle hooks after
starting a container. This adds hook execution by listening for the
container's start event via the Docker Events API and running hooks
once the container is running, matching the behavior already present
in startService (used by docker compose up) and restart.
Signed-off-by: Varun Chawla <varun_6april@hotmail.com>
Results of running the modernize command, with some minor changes
afterwards (removing the `contains` and `hasStatus` helper functions);
go install golang.org/x/tools/go/analysis/passes/modernize/cmd/modernize@latest
modernize -fix ./...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These consts were added in b760afaf9f,
but are only user internal in the package. Given that the list of
consts may change over time, it's probably best to keep them internal
and not part of the module's API.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
