Copilot instructions: tell it about new(EXPR) form#7086
Merged
Conversation
Tell Copilot about this new Go feature. Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
c4rlo
requested review from
MarcosDY,
amartinezfayo,
evan2645,
rturner3 and
sorindumitru
as code owners
June 21, 2026 10:13
There was a problem hiding this comment.
Pull request overview
Updates the repository’s Copilot guidance to reflect the project’s current Go toolchain capabilities, preventing incorrect “does not compile” feedback for valid modern Go syntax.
Changes:
- Document that
new(x)is valid whenxis an expression (not just a type), aligning Copilot guidance with the Go version used by this repo.
sorindumitru
approved these changes
Jun 22, 2026
zzzz465
added a commit
to pubg/spire
that referenced
this pull request
Jul 16, 2026
* build(deps): bump github.com/open-policy-agent/opa from 1.16.2 to 1.17.0 (#6997)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.16.2 to 1.17.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.16.2...v1.17.0)
---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
dependency-version: 1.17.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Apply PQC policy to bundle endpoint and prometheus server (#6995)
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* build(deps): bump the aws-sdk group with 2 updates (#6996)
Bumps the aws-sdk group with 2 updates: [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/smithy-go](https://github.com/aws/smithy-go).
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.101.0 to 1.102.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.101.0...service/s3/v1.102.0)
Updates `github.com/aws/smithy-go` from 1.25.1 to 1.26.0
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.25.1...v1.26.0)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.102.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/smithy-go
dependency-version: 1.26.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: use structured logger for rebootstrap messages and fix typos (#7000)
Signed-off-by: immanuwell <pchpr.00@list.ru>
* Fix stale proto directory layout in CONTRIBUTING.md (#7011)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* build(deps): bump github.com/sigstore/sigstore from 1.10.6 to 1.10.7 (#7005)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.10.6 to 1.10.7.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.10.6...v1.10.7)
---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
dependency-version: 1.10.7
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump cloud.google.com/go/security (#7004)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go).
Updates `cloud.google.com/go/security` from 1.24.0 to 1.25.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.24.0...kms/v1.25.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
dependency-version: 1.25.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: google-cloud-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/autoscaling (#7003)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/autoscaling](https://github.com/aws/aws-sdk-go-v2).
Updates `github.com/aws/aws-sdk-go-v2/service/autoscaling` from 1.66.0 to 1.67.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.66.0...service/s3/v1.67.0)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/autoscaling
dependency-version: 1.67.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add Copilot repository custom instructions (#7009)
* Add Copilot repository custom instructions
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address Copilot comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Add links to the SDK repositories
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Note that field names come from pkg/common/telemetry/names.go
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Add support for two more PQC curves (#6999)
Go 1.26 added support for these so we can allow using them
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* build(deps): bump google.golang.org/api in the google-cloud-sdk group (#7014)
Bumps the google-cloud-sdk group with 1 update: [google.golang.org/api](https://github.com/googleapis/google-api-go-client).
Updates `google.golang.org/api` from 0.282.0 to 0.283.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.282.0...v0.283.0)
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-version: 0.283.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: google-cloud-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github.com/sigstore/sigstore from 1.10.7 to 1.10.8 (#7016)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.10.7 to 1.10.8.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.10.7...v1.10.8)
---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
dependency-version: 1.10.8
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* agent: add `log_selectors` config item (#6981)
* agent: log configured workload selectors on identity failures
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* agent: minor refactor to reduce num params
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* agent: log selectors as single string
Addresses review comment.
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* agent: Sort selectors before logging
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
---------
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* build(deps): bump github.com/shirou/gopsutil/v4 from 4.26.4 to 4.26.5 (#7015)
Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.26.4 to 4.26.5.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.26.4...v4.26.5)
---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
dependency-version: 4.26.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump the aws-sdk group with 7 updates (#7013)
Bumps the aws-sdk group with 7 updates:
| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.304.0` | `1.305.0` |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) | `1.53.1` | `1.54.1` |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.52.0` | `1.53.1` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.102.0` | `1.103.0` |
| [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2) | `1.41.0` | `1.42.0` |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) | `1.42.0` | `1.43.0` |
| [github.com/aws/smithy-go](https://github.com/aws/smithy-go) | `1.26.0` | `1.27.0` |
Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.304.0 to 1.305.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.304.0...service/ec2/v1.305.0)
Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.53.1 to 1.54.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.53.1...service/s3/v1.54.1)
Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.52.0 to 1.53.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.52.0...service/s3/v1.53.1)
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.102.0 to 1.103.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.102.0...service/s3/v1.103.0)
Updates `github.com/aws/aws-sdk-go-v2/service/secretsmanager` from 1.41.0 to 1.42.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.41.0...service/s3/v1.42.0)
Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.42.0 to 1.43.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.42.0...service/s3/v1.43.0)
Updates `github.com/aws/smithy-go` from 1.26.0 to 1.27.0
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.26.0...v1.27.0)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
dependency-version: 1.305.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
dependency-version: 1.54.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
dependency-version: 1.53.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.103.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager
dependency-version: 1.42.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
dependency-version: 1.43.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/smithy-go
dependency-version: 1.27.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#7024)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github.com/jackc/pgx/v5 from 5.9.2 to 5.10.0 (#7026)
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.2 to 5.10.0.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jackc/pgx/compare/v5.9.2...v5.10.0)
---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
dependency-version: 5.10.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Retry image builds to tolerate transient base image pull failures (#7032)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* build(deps): bump github.com/aws/smithy-go from 1.27.0 to 1.27.1 in the aws-sdk group (#7033)
build(deps): bump github.com/aws/smithy-go in the aws-sdk group
Bumps the aws-sdk group with 1 update: [github.com/aws/smithy-go](https://github.com/aws/smithy-go).
Updates `github.com/aws/smithy-go` from 1.27.0 to 1.27.1
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.27.0...v1.27.1)
---
updated-dependencies:
- dependency-name: github.com/aws/smithy-go
dependency-version: 1.27.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: aws-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Datastore config doc updates (#7023)
* server sql doc: explain connection string
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* server sql doc: spelling of AWS_SECRET_ACCESS_KEY
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* server sql doc: misc cleanups
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
---------
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* Retry container image pulls in integration tests to reduce CI flakiness (#7031)
* Retry container image pulls in integration tests to reduce CI flakiness
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Hardcode retry attempts and backoff in integration tests
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Upgrade go-spiffe to 2.7.0 (#7035)
* Upgrade go-spiffe to 2.7.0
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Add dumy implementations for WIT-SVID API
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
---------
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Remove the unused kind configuration from the cert-manager integration test (#7037)
* Remove stale kindest/node pin from the cert-manager integration test
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Remove the now-unused cert-manager kind config
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Add assignee rotation with ball-in-court tracking for pull requests (#7012)
* Add round-robin reviewer auto-assignment with ball-in-court tracking
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address Copilot comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address Copilot comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Exclude bot-authored PRs from reviewer rotation
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Pick the PR assignee at random instead of by PR number
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Fix assign-reviewer not setting an assignee on open (#7043)
Scope assign-reviewer concurrency per event action
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* build(deps): bump github.com/mattn/go-sqlite3 from 1.14.44 to 1.14.45 (#7041)
Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.44 to 1.14.45.
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.44...v1.14.45)
---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
dependency-version: 1.14.45
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github.com/google/go-tpm-tools from 0.4.8 to 0.4.9 (#7040)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.4.8 to 0.4.9.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.4.8...v0.4.9)
---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
dependency-version: 0.4.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.21.1 to 1.22.0 in the azure-sdk group (#7039)
build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore
Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go).
Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.21.1 to 1.22.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.21.1...sdk/azcore/v1.22.0)
---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: azure-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* test: Add x509util certificate coverage (#7029)
Signed-off-by: Keegan Witt <keeganwitt@gmail.com>
* Add SPIRE-backed Prometheus TLS identity and SPIFFE allowlist (#6812)
* Add SPIRE-backed Prometheus TLS identity and SPIFFE allowlist
(cherry picked from commit 2ec839e145e276b6e1079f49831a8a023f92f266)
Signed-off-by: aviralgarg05 <gargaviral99@gmail.com>
* Fix markdown table formatting to pass lint
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: aviralgarg05 <gargaviral99@gmail.com>
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* test(common/idutil): Expand IDFromProto coverage (#7028)
Add table-driven coverage for invalid trust domain values.
Preserve the existing path validation cases and keep expectations aligned with actual behavior.
Signed-off-by: Keegan Witt <keeganwitt@gmail.com>
* Correct the stale actions/upload-artifact version comment to v7.0.1 (#7053)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Update the review ball-in-court on fork PRs via workflow_run (#7052)
* Update the review ball-in-court on fork PRs via workflow_run
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address Copilot comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address Copilot comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Harden review-apply against forged capture artifacts
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Mention the review-existence and bot checks in the workflow headers
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* build(deps): bump the aws-sdk group across 1 directory with 2 updates (#7059)
Bumps the aws-sdk group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/smithy-go](https://github.com/aws/smithy-go).
Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.305.0 to 1.306.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.305.0...service/ec2/v1.306.0)
Updates `github.com/aws/smithy-go` from 1.27.1 to 1.27.2
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.27.1...v1.27.2)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
dependency-version: 1.306.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
- dependency-name: github.com/aws/smithy-go
dependency-version: 1.27.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: aws-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump google.golang.org/api from 0.283.0 to 0.284.0 in the google-cloud-sdk group (#7058)
build(deps): bump google.golang.org/api in the google-cloud-sdk group
Bumps the google-cloud-sdk group with 1 update: [google.golang.org/api](https://github.com/googleapis/google-api-go-client).
Updates `google.golang.org/api` from 0.283.0 to 0.284.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.283.0...v0.284.0)
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-version: 0.284.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: google-cloud-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github.com/open-policy-agent/opa from 1.17.0 to 1.17.1 (#7050)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.17.0 to 1.17.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/v1.17.1/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.17.0...v1.17.1)
---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
dependency-version: 1.17.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* agent: treat failure of all attestation plugins as overall failure & return Unavailable (#7045)
* agent: handle failure of all attestation plugins
Treat failure from all attestation plugins as an overall workload
attestation failure instead of returning no selectors. Without any
selectors, we can never match any workload registration entry.
This early error return path will result in clearer error logs. For
example, in FetchJWTSVID, we'll log "Workload attestation failed"
instead of "No identity issued" with a misleading "registered=false"
field.
Also, pass any attestation error to the telemetry counter.
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* agent: return Unavailable on attestation fail
Map workload attestation failures to gRPC code Unavailable in request
handlers, instead of returning raw attestor errors (which could be gRPC
errors received from the plugins that may not make sense for the
Workload API, or non-gRPC errors that would get mapped to gRPC code
Unknown).
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
---------
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* fix: validate missing Workload API endpoint in spire upstreamauthority (#7008)
* fix: validate missing workload API endpoint in spire upstreamauthority
Signed-off-by: immanuwell <pchpr.00@list.ru>
* fix: reject invalid platform workload API settings early
Signed-off-by: immanuwell <pchpr.00@list.ru>
* fix: address review comments on spire upstreamauthority validation
Signed-off-by: immanuwell <pchpr.00@list.ru>
---------
Signed-off-by: immanuwell <pchpr.00@list.ru>
* build(deps): bump actions/github-script from 7.0.1 to 9.0.0 (#7047)
Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 9.0.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/60a0d83039c74a4aee543508d2ffcb1c3799cdea...3a2844b7e9c422d3c10d287c895573f7108da1b3)
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: 9.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump the golang-org-x group across 1 directory with 3 updates (#7061)
Bumps the golang-org-x group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/net](https://github.com/golang/net).
Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](https://github.com/golang/crypto/compare/v0.52.0...v0.53.0)
Updates `golang.org/x/net` from 0.55.0 to 0.56.0
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)
Updates `golang.org/x/sys` from 0.45.0 to 0.46.0
- [Commits](https://github.com/golang/sys/compare/v0.45.0...v0.46.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-version: 0.53.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-org-x
- dependency-name: golang.org/x/net
dependency-version: 0.56.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-org-x
- dependency-name: golang.org/x/sys
dependency-version: 0.46.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-org-x
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Prefer determining pod and container ids from cgroup file (#7060)
* Prefer determining pod and container ids from cgroup file
This file is owned by the kernel and a workload is not able to influence it in any way.
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Fixup previous tests
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
---------
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* build(deps): bump github.com/sigstore/cosign/v3 from 3.0.6 to 3.1.1 (#7055)
Bumps [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) from 3.0.6 to 3.1.1.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v3.0.6...v3.1.1)
---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v3
dependency-version: 3.1.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix Azure IMDS Plugin Signature Validation (#6960)
* Fix Azure IMDS Plugin Signature Validation
Signed-off-by: Changheng Gu <cgu@confluent.io>
* Update cert and documentation
Signed-off-by: Changheng Gu <cgu@confluent.io>
* Use slices.Contains for domain validation
Signed-off-by: Changheng Gu <cgu@confluent.io>
* address comment
Signed-off-by: Changheng Gu <cgu@confluent.io>
* address comments
Signed-off-by: Changheng Gu <cgu@confluent.io>
---------
Signed-off-by: Changheng Gu <cgu@confluent.io>
* Switch Dependabot to grouped weekly PRs and drop the auto-merge workflow (#7070)
* Switch Dependabot to grouped weekly PRs and drop the auto-merge workflow
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address Copilot comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.306.0 to 1.307.0 in the aws-sdk group (#7067)
build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).
Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.306.0 to 1.307.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.306.0...service/ec2/v1.307.0)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
dependency-version: 1.307.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: aws-sdk
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump regclient/actions from c70ad64367908075211b10dcd2ab9fad4bfa1816 to 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 (#7063)
build(deps): bump regclient/actions
Bumps [regclient/actions](https://github.com/regclient/actions) from c70ad64367908075211b10dcd2ab9fad4bfa1816 to 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560.
- [Release notes](https://github.com/regclient/actions/releases)
- [Changelog](https://github.com/regclient/actions/blob/main/RELEASE.md)
- [Commits](https://github.com/regclient/actions/compare/c70ad64367908075211b10dcd2ab9fad4bfa1816...14f9d37db17b5dc41fefd1ffdd1af4b9e2490560)
---
updated-dependencies:
- dependency-name: regclient/actions
dependency-version: 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump actions/github-script from 7.0.1 to 9.0.0 (#7062)
Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 9.0.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7.0.1...3a2844b7e9c422d3c10d287c895573f7108da1b3)
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: 9.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix http_challenge agent name validation regex (#7066)
The agentNamePattern regex had a typo and a structural error. The
character class [a-zA-z] (lowercase z) spans ASCII 0x41-0x7A, which also
matches the six symbols between Z and a ([ \ ] ^ _ `), so names
containing them were accepted. The shape ^[a-zA-z]+[a-zA-Z0-9-]$ required
one or more letters followed by exactly one alphanumeric or dash, which
rejected ordinary agent names such as host01, agent-01 and web-agent.
Replace it with ^[a-zA-Z][a-zA-Z0-9-]*$ (a letter followed by letters,
digits or dashes), simplify validateAgentName to use MatchString, and add
test cases for the newly-accepted and newly-rejected names.
Signed-off-by: kanywst <niwatakuma@icloud.com>
* Upgrade to Go 1.26.4 (#7069)
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* [gcp_kms] add small sleep to get public key (#6924)
* [gcp_kms] add small sleep between attempts to getPublicKey
Signed-off-by: daescha <djschlatt@gmail.com>
* [gcp_kms] fix tests
Signed-off-by: daescha <djschlatt@gmail.com>
---------
Signed-off-by: daescha <djschlatt@gmail.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Add spire-agent workload API rate limiting by pod UID with OS UID fal… (#6724)
* Add spire-agent workload API rate limiting by pod UID with OS UID fallback
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Refactor rate limiting into shared package and optimize pod UID resolution
Extract the two-generation GC per-key rate limiter into
pkg/common/ratelimit so both the agent and server share the same
implementation. Add Kubernetes auto-detection to skip procfs reads on
non-k8s nodes and cache pod UID lookups per PID to reduce overhead.
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Rate limit workload API by SPIFFE ID after attestation
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Rekey rate limiter on attested selector set, expand coverage to bundles and SDS
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Clarify rate limiting log message covers Workload API and SDS
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Move rate-limit config to experimental, SHA-256-hash keys, exempt agent from SDS, expand exemption tests, use wg.Go
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Fix CI: avoid out-of-range slice index in test helper and commit regenerated test keys
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Fix CI: align markdown tables in spire_agent.md to satisfy MD060
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
---------
Signed-off-by: Kevin Lui <kevin.lui@thetradedesk.com>
Signed-off-by: Kevin <4625079+terahertz5k@users.noreply.github.com>
Co-authored-by: Kevin Lui <kevin.lui@thetradedesk.com>
* Update dario.cat/merge dependency (#7083)
This seems to be currently causing issues for dependabot, so manually updating it
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* build(deps): bump the minor-and-patch group across 1 directory with 2 updates (#7084)
Bumps the minor-and-patch group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) and [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils).
Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.84.0 to 1.85.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.84.0...service/s3/v1.85.0)
Updates `k8s.io/mount-utils` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.36.1...v0.36.2)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/eks
dependency-version: 1.85.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: k8s.io/mount-utils
dependency-version: 0.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix data races in built-in BundlePublisher plugins on dynamic reconfiguration (#7082)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Fix flaky `gcp_kms` key manager tests caused by mock clock handling and shared fixture mutation (#7081)
* Fix flaky `gcp_kms` key manager tests caused by mock clock handling and shared fixture mutation
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address review comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* events: keep previous first/lastEvent information when reloading (#6994)
* events: keep previous first/lastEvent information when reloading
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* commitReload -> swapCache
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Add concurrent access test
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
---------
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* feat: Support for optional verification of client cert IPs (x509pop) (#6911)
* x509pop: add optional client IP verification
* Switchable with verify_client_ip feature flag
* When enabled, connecting peer's IP is extracted from the gRPC context
header, forwarded a X-Forwarded-Client-IP, and validated against the
leaf cert IP SANs
Signed-off-by: Jason Costello <jason@jsnc.tl>
* Adds unit test coverage for verify client IP attestation
Signed-off-by: Jason Costello <jason@jsnc.tl>
* [From review] Perform IP SAN check after X509 is verified
Signed-off-by: Jason Costello <jason@jsnc.tl>
* Fix unit tests to challenge, as required with Attest adjustments
Signed-off-by: Jason Costello <jason@jsnc.tl>
* PR changes
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* PR changes
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* Resolve lint issue on MD
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
---------
Signed-off-by: Jason Costello <jason@jsnc.tl>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Co-authored-by: Marcos Yacob <marcosyacob@gmail.com>
* migrate use of github.com/docker/docker dependencies to github.com/moby/moby equivalents to resolve CVEs (#7078)
migrate use of github.com/docker/docker dependencies to github.com/moby/moby equivalents
Signed-off-by: Daniel Schlatter <djschlatt@gmail.com>
* refactor: use standard `fs.FS` to simplify code (#7046)
Simplify filesystem interfaces using stdlib
Replace our custom FileSystem interface with the standard library's
fs.FS interface, and benefit from its associated helpers.
The only slight downside is that we must now open "proc/[pid]/cgroups"
rather than "/proc/[pid]/cgroups", due to fs.FS interface semantics,
which looks a little bit odd perhaps, but it seems like an overall win
to me.
Also delete OSFileSystem type, which was entirely unused.
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* Copilot instructions: tell it about new(EXPR) form (#7086)
Tell Copilot about this new Go feature.
Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
* Fetch updated attested nodes in bulk (#7022)
* Fetch updated attested nodes in bulk
Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>
* checks for positive pageSize in buildAttestedNodesCache
Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>
* addresses Copilot's review comments
Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>
---------
Signed-off-by: nweisenauer-sap <137267159+nweisenauer-sap@users.noreply.github.com>
* Tolerate mountinfo lines with an empty mount source (#7044)
* Tolerate mountinfo lines with an empty mount source
The docker workload attestor (and k8s, which shares the code) parses
/proc/<pid>/mountinfo via k8s.io/mount-utils ParseMountInfo, which splits
each line with strings.Fields and requires at least 10 fields. Per proc(5)
the mount source may be empty (a tmpfs mount has no source), which renders
as an empty field between the filesystem type and the super options. The
kernel escapes any real whitespace in a path as octal (\040), so the
double space in a line like:
119 206 0:68 / /local rw,relatime - tmpfs rw,size=8192k
unambiguously means an empty source. strings.Fields collapses that empty
field, so the line counts as 9 fields and ParseMountInfo rejects the whole
file with "wrong number of fields". The attestor then extracts no
container ID and no SVID is issued.
Replace the upstream call with a small SPIRE-side mountinfo parser that is
position-aware around the "-" separator, so the trailing fstype/source/
super-options triple is read by position and an empty source is tolerated.
Only the root and filesystem type are consumed by the extractor. This also
drops the k8s.io/mount-utils dependency (and its transitive moby/sys/
mountinfo) since it was the only user.
Adds a regression fixture with the empty-source tmpfs line plus unit tests
for the parser.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
* Use strings.Split to preserve empty mount-source fields
Switch parseMountInfoLine from the Index+Fields approach to
strings.Split(line, " "), which preserves empty fields between
consecutive spaces. This makes the empty-source handling more
direct: the separator and all fields are located by index in
a single slice.
Also switch parseMountInfo to stream lines with bufio.Scanner
instead of reading the whole file into memory first.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
* Use slices.Index for the mountinfo separator
Addresses review: replace the manual separator loop with slices.Index,
and drop the now-unused k8s.io/mount-utils dependency via go mod tidy.
Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
---------
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
* build(deps): bump the minor-and-patch group with 10 updates (#7091)
Bumps the minor-and-patch group with 10 updates:
| Package | From | To |
| --- | --- | --- |
| [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) | `1.13.1` | `1.14.0` |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) | `1.85.0` | `1.86.0` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.103.0` | `1.104.0` |
| [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) | `2.7.0` | `2.8.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.284.0` | `0.285.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto) | `0.0.0-20260526163538-3dc84a4a5aaa` | `0.0.0-20260610212136-7ab31c22f7ad` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.36.1` | `0.36.2` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.36.1` | `0.36.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.36.1` | `0.36.2` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.36.1` | `0.36.2` |
Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.13.1 to 1.14.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azidentity/v1.13.1...sdk/azcore/v1.14.0)
Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.85.0 to 1.86.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.85.0...service/s3/v1.86.0)
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.103.0 to 1.104.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.103.0...service/s3/v1.104.0)
Updates `github.com/spiffe/go-spiffe/v2` from 2.7.0 to 2.8.0
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.7.0...v2.8.0)
Updates `google.golang.org/api` from 0.284.0 to 0.285.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.284.0...v0.285.0)
Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20260526163538-3dc84a4a5aaa to 0.0.0-20260610212136-7ab31c22f7ad
- [Commits](https://github.com/googleapis/go-genproto/commits)
Updates `k8s.io/api` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/api/compare/v0.36.1...v0.36.2)
Updates `k8s.io/apimachinery` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.36.1...v0.36.2)
Updates `k8s.io/client-go` from 0.36.1 to 0.36.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.36.1...v0.36.2)
Updates `k8s.io/kube-aggregator` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.36.1...v0.36.2)
---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
dependency-version: 1.14.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/service/eks
dependency-version: 1.86.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.104.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/spiffe/go-spiffe/v2
dependency-version: 2.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: google.golang.org/api
dependency-version: 0.285.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: google.golang.org/genproto/googleapis/rpc
dependency-version: 0.0.0-20260610212136-7ab31c22f7ad
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: k8s.io/api
dependency-version: 0.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: k8s.io/apimachinery
dependency-version: 0.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: k8s.io/client-go
dependency-version: 0.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: k8s.io/kube-aggregator
dependency-version: 0.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump regclient/actions from 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 to 4b4db1dcc7dad75ad67a788a380f75a20cc8a040 (#7090)
build(deps): bump regclient/actions
Bumps [regclient/actions](https://github.com/regclient/actions) from 14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 to 4b4db1dcc7dad75ad67a788a380f75a20cc8a040.
- [Release notes](https://github.com/regclient/actions/releases)
- [Changelog](https://github.com/regclient/actions/blob/main/RELEASE.md)
- [Commits](https://github.com/regclient/actions/compare/14f9d37db17b5dc41fefd1ffdd1af4b9e2490560...4b4db1dcc7dad75ad67a788a380f75a20cc8a040)
---
updated-dependencies:
- dependency-name: regclient/actions
dependency-version: 4b4db1dcc7dad75ad67a788a380f75a20cc8a040
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#7089)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump msys2/setup-msys2 from 2.31.1 to 2.32.0 in the minor-and-patch group (#7088)
build(deps): bump msys2/setup-msys2 in the minor-and-patch group
Bumps the minor-and-patch group with 1 update: [msys2/setup-msys2](https://github.com/msys2/setup-msys2).
Updates `msys2/setup-msys2` from 2.31.1 to 2.32.0
- [Release notes](https://github.com/msys2/setup-msys2/releases)
- [Changelog](https://github.com/msys2/setup-msys2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/msys2/setup-msys2/compare/e9898307ac31d1a803454791be09ab9973336e1c...66cd2cce69caa17b53920067426061ca1de3a884)
---
updated-dependencies:
- dependency-name: msys2/setup-msys2
dependency-version: 2.32.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: correct TTL logging in delegated identity X.509 SVID subscriber (#7071)
fix: correct TTL logging in delegated identity subscriber when admin/downstream identities are present
Signed-off-by: immanuwell <pchpr.00@list.ru>
* Document the ball-in-court review process in the pull request template (#7095)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* spire-agent: implement logger service (#7017)
* spire-agent: implement logger service
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Copilot review comments
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* review comments
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* review comments
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Remove auditing
there's no auditing support in the agent
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Use agent rpccontext
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Move status helpers to common/api
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Use status helpers from common/api
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Make sure logger metrics are emitted
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* fix linter errors
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Review comments
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Add RPC metric name test
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
---------
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* fix: cascade-delete registered_entries on attested node deletion (#6946)
* fix: cascade-delete registered_entries on attested node deletion
Previously, deleteAttestedNodeAndSelectors deleted AttestedNode and
NodeSelector rows but left registered_entries with parent_id matching
the deleted node's SPIFFE ID untouched. In particular, the alias row
that SPIRE auto-creates in createJoinTokenRegistrationEntry (when
CreateJoinToken is called with AgentId) would survive the node it was
minted for, accumulating as dead rows that still flow through the
server's entry cache and the events-based cache.
This extends deleteAttestedNodeAndSelectors to cascade: find entries
whose parent_id equals the deleted node's SPIFFE ID, delete each via
the existing deleteRegistrationEntrySupport helper, emit a
RegistrationEntryEvent per deletion so event-cache consumers see
them, and log each cascaded delete at Info with the usual
SPIFFEID/ParentID/RegistrationID telemetry fields (matching the
pruneRegistrationEntries pattern). The cascade fires for both
DeleteAttestedNode (admin delete) and PruneAttestedExpiredNodes
(periodic prune) since both paths reach this helper. Callers pass
their existing logger (ds.log for DeleteAttestedNode, the prune
logger for PruneAttestedExpiredNodes).
Mirrors the shape of #3873 which added the node_resolver_map_entries
cascade at the same function.
Fixes #6944
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
* doc: update spire_server.md
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
* doc: cleanup spire_server.md
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
* fix(sqlstore): narrow cascade to join-token-attested nodes
Per review feedback on #6946: cascading every entry parented on a
deleted attested node would also wipe legitimately user-registered
workload entries that happen to be parented directly on a non-join-
token agent SVID (e.g. spiffe://td/spire/agent/aws_iid/...). That
is a supported registration pattern, not an orphan.
Restrict the cascade in deleteAttestedNodeAndSelectors to nodes
whose attested DataType is "join_token". The auto-alias that
createJoinTokenRegistrationEntry writes is the only entry SPIRE
itself creates with parent_id = node SVID, so this still cleans up
the unbounded-growth case reported in #6944 without changing
behavior for any other attestor. A broader explicit cascade can be
added later behind a CLI flag, as suggested in the issue.
Add TestDeleteAttestedNodeNonJoinTokenDoesNotCascade asserting an
aws_iid-attested node's child entry survives node deletion and no
RegistrationEntryEvent is emitted. Existing cascade tests already
use join_token nodes and continue to pass.
Update doc/spire_server.md to reflect the narrowed scope.
Refs #6944
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
* fix(sqlstore): match alias selector shape on cascade
Per Copilot review feedback on #6946 (B): even within join-token-attested
nodes, child entries can be user-managed (e.g. an operator-created entry
parented on the agent SVID for a workload that happens to share that
parent). Cascading on parent_id alone would still over-delete those.
Tighten deleteAttestedNodeAndSelectors to match the exact shape that
createJoinTokenRegistrationEntry writes:
- exactly one selector
- selector.Type == "spiffe_id"
- selector.Value == entry.ParentID
Anything else stays put.
Tests:
- Add TestDeleteAttestedNodeJoinTokenPreservesNonAliasChildEntries
(replaces the federation multi-test): asserts an alias-shaped child
cascades while a unix-selector workload child parented on the same
join_token-attested node survives, and exactly one entry event is
emitted.
- Sharpen TestDeleteAttestedNodeNonJoinTokenDoesNotCascade: switch
the child entry to alias-shaped selectors so the test isolates the
DataType filter from the selector-shape filter.
- Extract lastRegistrationEntryEventID() helper used by all four
cascade tests (Copilot review comment 4).
Refs #6944
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
* doc(spire_server): re-align config table to widest row
The cascade note added in 61a42b9ad widened the prune_attested_nodes_expired_for
description to 581 chars while every other row in the table sat at 480, tripping
markdownlint MD060/table-column-style. Pad the description column on every other
row in the table to match, keeping pipe positions identical at columns 1, 38,
516, 581 across the entire config table.
Pure padding change; no rendered content moved. Separator row padded with
dashes (preserving continuous alignment marker), content rows with spaces.
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
* test(agent): cover join-token alias cascade end-to-end, cross-ref shape
Incorporates review feedback on #6946.
- Cross-reference the auto-alias entry shape between its writer
(createJoinTokenRegistrationEntry) and the cascade matcher
(deleteAttestedNodeAndSelectors) so the two can't drift silently.
- Add TestCascadeDeleteJoinTokenAliasEntry exercising the real
CreateJoinToken -> DeleteAgent path; fakedatastore is backed by the
sqlstore, so a shape change that misses the matcher fails the test.
- Document that manual `agent evict`/`agent purge` also cascade and that
the cleanup is forward-only (pre-existing orphans are not swept).
- Revert the unrelated config-table realignment to keep the doc diff minimal.
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
---------
Signed-off-by: angabini <494150+angabini@users.noreply.github.com>
* Add tag-based key discovery support in the `aws_kms` KeyManager plugin (#7006)
* Add tag-based key discovery support in the `aws_kms` KeyManager plugin
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address Copilot comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address review comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Fix data race in spiretest log assertion helper (#7096)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* spire-agent: try to enable SE_DEBUG_PRIVILEGE at startup on windows (#7073)
* spire-agent: try to enable SE_DEBUG_PRIVILEGE at startup on windows
The [OpenProcessToken](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken) API mentions that
SE_DEBUG_NAME/SeDebugPrivilege (why two different names, windows???) privilege is required for opening the process token for a process running as a more
privileged account (it does work from admin to admin users without this).
Attempt to enable this and log an warning if that fails.
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Workaround broken AdjustTokenPrivileges
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Move function to global variable
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
---------
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
* Fix azure_imds node attestation for standalone VMs (#6807)
Signed-off-by: Ravishen Jain <ravisshen@gmail.com>
* Fix flaky fetch-jwt-svids integration test by waiting for the restarted server (#7108)
* Fix flaky fetch-jwt-svids integration test by waiting for the restarted server
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Address review comments
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
---------
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Add azure_imds network interface unmarshal regression test (#7106)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* Add force-push guidance to the PR template and reference it from CONTRIBUTING.md (#7105)
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
* build(deps): bump the minor-and-patch group with 10 updates (#7109)
Bumps the minor-and-patch group with 10 updates:
| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.307.0` | `1.308.0` |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) | `1.86.0` | `1.87.0` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.6` | `0.21.7` |
| [github.com/hashicorp/go-metrics](https://github.com/hashicorp/go-metrics) | `0.5.4` | `0.6.0` |
| [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) | `1.14.45` | `1.14.47` |
| [github.com/moby/moby/api](https://github.com/moby/moby) | `1.54.2` | `1.55.0` |
| [github.com/moby/moby/client](https://github.com/moby/moby) | `0.4.1` | `0.5.0` |
| [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) | `4.26.5` | `4.26.6` |
| [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) | `2.8.0` | `2.8.1` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.285.0` | `0.286.0` |
Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.307.0 to 1.308.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.307.0...service/ec2/v1.308.0)
Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.86.0 to 1.87.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.86.0...service/s3/v1.87.0)
Updates `github.com/google/go-containerregistry` from 0.21.6 to 0.21.7
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.21.6...v0.21.7)
Updates `github.com/hashicorp/go-metrics` from 0.5.4 to 0.6.0
- [Release notes](https://github.com/hashicorp/go-metrics/releases)
- [Commits](https://github.com/hashicorp/go-metrics/compare/v0.5.4...v0.6.0)
Updates `github.com/mattn/go-sqlite3` from 1.14.45 to 1.14.47
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.45...v1.14.47)
Updates `github.com/moby/moby/api` from 1.54.2 to 1.55.0
- [Release notes](https://github.com/moby/moby/releases)
- [Commits](https://github.com/moby/moby/compare/api/v1.54.2...api/v1.55.0)
Updates `github.com/moby/moby/client` from 0.4.1 to 0.5.0
- [Release notes](https://github.com/moby/moby/releases)
- [Changelog](https://github.com/moby/moby/blob/v0.5.0/CHANGELOG.md)
- [Commits](https://github.com/moby/moby/compare/v0.4.1...v0.5.0)
Updates `github.com/shirou/gopsutil/v4` from 4.26.5 to 4.26.6
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.26.5...v4.26.6)
Updates `github.com/spiffe/go-spiffe/v2` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.8.0...v2.8.1)
Updates `google.golang.org/api` from 0.285.0 to 0.286.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.285.0...v0.286.0)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
dependency-version: 1.308.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/service/eks
dependency-version: 1.87.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/google/go-containerregistry
dependency-version: 0.21.7
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: github.com/hashicorp/go-metrics
dependency-version: 0.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/mattn/go-sqlite3
dependency-version: 1.14.47
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: github.com/moby/moby/api
dependency-version: 1.55.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/moby/moby/client
dependency-version: 0.5.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-and-patch
- dependency-name: github.com/shirou/gopsutil/v4
dependency-version: 4.26.6
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: github.com/spiffe/go-spiffe/v2
dependency-version: 2.8.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-and-patch
- dependency-name: google.golang.org/api
dependency-version: 0.286.0
dependency-type: direct:production
update-type: versio…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tell Copilot about this new Go feature. Came up in #7085 (comment).