Security and Testing infrastructure Remediation #666
Open
Wikid82 wants to merge 545 commits into development from
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Wikid82 pushed a commit that referenced this pull request on Feb 8, 2026.
✅ Supply Chain Verification Results: PASSED (📦 SBOM Summary, 🔍 Vulnerability Scan, 📎 Artifacts). Generated by the Supply Chain Verification workflow.
Wikid82 pushed a commit that referenced this pull request on Feb 8, 2026:
The golangci-lint-action v9.2.0 requires version strings in "vX.Y.Z" format. Previous attempt to remove the "v" prefix caused validation error: "invalid version string '1.64.5', expected format v1.2 or v1.2.3" Updated both ci-pipeline.yml and quality-checks.yml to use "v1.64.5" instead of "1.64.5" to match the action's expected format. Fixes: #666 (PR CI validation failure)
Wikid82 pushed a commit that referenced this pull request on Feb 8, 2026:
The golangci-lint-action v9.2.0 dropped support for golangci-lint v1.x and requires v2.x versions. The error "golangci-lint v1 is not supported by golangci-lint-action >= v7" indicates we need to upgrade, not downgrade. Updated both ci-pipeline.yml and quality-checks.yml from v1.64.5 to v2.8.0 to align with the current golangci-lint major version. Fixes: #666 (golangci-lint version compatibility error)
Wikid82 pushed a commit that referenced this pull request on Feb 8, 2026:

The golangci-lint v2.x series requires a different configuration schema:

1. `linters-settings` must be nested under `linters.settings`
2. `issues.exclude-generated-strict` is not supported
3. `issues.exclude-rules` complex syntax replaced with simpler `exclude` patterns

Changes to both backend/.golangci-fast.yml and backend/.golangci.yml:

- Restructured linter settings under `linters.settings`
- Converted exclude-rules to simple exclude patterns
- Added proper v2.x directives (exclude-use-default, max-issues-per-linter)
- Maintained all security checks and error handling exclusions

This resolves the "invalid configuration keys" error when running golangci-lint v2.8.0 with golangci-lint-action v9.2.0.

Fixes: #666 (golangci-lint configuration schema validation)
Wikid82 pushed a commit that referenced this pull request on Feb 8, 2026:

The golangci-lint v2.8.0 schema validation rejected all properties in the issues section:

- exclude-use-default
- exclude-dirs
- exclude-files
- exclude
- max-issues-per-linter
- max-same-issues

Solution: Removed the entire issues section from both config files. Linter behavior is now controlled exclusively through linters.settings, which is properly configured for govet, errcheck, gosec, gocritic, etc.

Changes to backend/.golangci-fast.yml and backend/.golangci.yml:

- Removed issues section entirely (v2.x schema incompatible)
- Retained all linter-specific settings under linters.settings
- Linters will run with their configured settings and default behaviors

This resolves the jsonschema validation error: "additional properties ... not allowed"

Fixes: #666 (golangci-lint v2.x schema validation)
… for Phase 3 - Implement CrowdSec integration tests to validate DDoS/bot protection mechanisms. - Create rate limiting tests to ensure request throttling and proper handling of rate limit headers. - Develop security enforcement tests to check JWT validation, CSRF protection, request timeouts, and middleware execution order.
… logging functionality
…nimum coverage validation
…frontend test script
…n in frontend test script
…service error handling
…nts and thresholds
…ekly-non-major-updates fix(deps): update dependency i18next to ^25.8.9 (feature/beta-release)
- Updated test scripts in package.json to set NODE_OPTIONS for increased memory limit.
- Added safety checks for remote servers and domains in ProxyHostForm component to prevent errors.
- Refactored Notifications tests to remove unnecessary use of fake timers and improve clarity.
- Updated ProxyHosts extra tests to specify button names for better accessibility.
- Enhanced Security functional tests by centralizing translation strings and improving mock implementations.
- Adjusted test setup to suppress specific console errors related to act() warnings.
- Modified vitest configuration to limit worker usage and prevent memory issues during testing.
…ekly-non-major-updates fix(deps): update weekly-non-major-updates (feature/beta-release)
Pull request overview
This PR focuses on strengthening security posture and keeping test/CI infrastructure stable while upgrading core dependencies and workflows.
Changes:
- Upgraded Go/tooling dependencies and adjusted docs to reflect the new baseline.
- Hardened/expanded backend handler behavior and tests (admin context, logs WS tests, emergency reset behavior).
- Reworked CI/workflows and local “skills” scripts to improve reliability and reduce redundant runs.
Reviewed changes
Copilot reviewed 146 out of 523 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| backend/internal/api/handlers/notification_template_handler_test.go | Sets admin context in handler tests to match new auth expectations |
| backend/internal/api/handlers/notification_template_handler.go | Adds admin enforcement + permission-error handling hooks in CRUD |
| backend/internal/api/handlers/notification_provider_handler_test.go | Adds SSRF-style Discord URL validation tests |
| backend/internal/api/handlers/manual_challenge_handler.go | Renames bind error var for clarity/shadow avoidance |
| backend/internal/api/handlers/logs_ws_test.go | Adds WebSocket log streaming tests with filters/tracker |
| backend/internal/api/handlers/logs_handler_test.go | Makes log listing assertions less brittle + checks key logs exist |
| backend/internal/api/handlers/logs_handler.go | Avoids err shadowing in deferred cleanup |
| backend/internal/api/handlers/import_handler_sanitize_test.go | Adds admin context to import upload sanitization test |
| backend/internal/api/handlers/import_handler_coverage_test.go | Adds admin context to import multi-upload coverage tests |
| backend/internal/api/handlers/encryption_handler.go | Removes duplicate local isAdmin helper (centralize auth logic) |
| backend/internal/api/handlers/emergency_handler_test.go | Expands emergency reset assertions (whitelist, decisions) |
| backend/internal/api/handlers/emergency_handler.go | Clears admin whitelist + block decisions; adds SQLite retry upsert |
| backend/internal/api/handlers/dns_provider_handler.go | Standardizes bind error handling variable naming |
| backend/internal/api/handlers/crowdsec_handler_comprehensive_test.go | Makes getLAPIKey behavior deterministic via env setup |
| backend/internal/api/handlers/crowdsec_bouncer_test.go | Avoids err shadowing in test |
| backend/internal/api/handlers/credential_handler_test.go | Adds timing workaround for SQLite locks in tests |
| backend/internal/api/handlers/credential_handler.go | Standardizes bind error handling variable naming |
| backend/internal/api/handlers/coverage_quick_test.go | Adds admin context to quick coverage handler test |
| backend/internal/api/handlers/certificate_handler.go | Avoids err shadowing in deferred closes |
| backend/internal/api/handlers/backup_handler_test.go | Adds transient error tests + restore response assertions + admin context |
| backend/internal/api/handlers/backup_handler_sanitize_test.go | Adds admin context to direct handler test |
| backend/internal/api/handlers/access_list_handler.go | Returns persisted/updated records and tightens error handling |
| backend/go.mod | Bumps Go version and upgrades dependencies |
| backend/cmd/seed/main_test.go | Cleans up malformed/duplicated package/import blocks |
| backend/cmd/api/main_parse_plugin_signatures_test.go | Adds unit tests for plugin signature parsing |
| backend/.golangci.yml | Refactors golangci-lint config structure |
| backend/.golangci-fast.yml | Refactors golangci-lint fast config structure |
| SECURITY.md | Updates Go version reference for upstream CVE note |
| README.md | Updates Go version docs and adds GHCR pulls badge |
| Makefile | Updates install-go target to new Go version script |
| CONTRIBUTING.md | Updates Go version + adds Go upgrade workflow guidance |
| CHANGELOG.md | Adds CI/security changelog entries |
| ARCHITECTURE.md | Updates Go version + documents new env vars |
| .version | Bumps project version |
| .trivyignore | Ignores cache/auth paths during Trivy scans |
| .pre-commit-config.yaml | Adds shellcheck + actionlint hooks |
| .github/workflows/update-geolite2.yml | Quotes outputs safely in shell |
| .github/workflows/repo-health.yml | Adjusts concurrency + triggers |
| .github/workflows/renovate_prune.yml | Quotes $GITHUB_ENV writes; adjusts triggers |
| .github/workflows/renovate.yml | Renovate action version bump |
| .github/workflows/release-goreleaser.yml | Updates GO_VERSION + quotes env file writes |
| .github/workflows/pr-checklist.yml | Switches to workflow_dispatch + explicit PR number input |
| .github/workflows/history-rewrite-tests.yml | Switches to workflow_run gating on Docker workflow success |
| .github/workflows/gh_cache_cleanup.yml | Adds manual cache cleanup workflow for PR refs |
| .github/workflows/dry-run-history-rewrite.yml | Gates on Docker workflow success; updates concurrency/checkout ref |
| .github/workflows/docker-lint.yml | Moves to workflow_dispatch; relaxes hadolint threshold |
| .github/workflows/codecov-upload.yml | Enables PR coverage uploads + inputs to control which jobs run |
| .github/workflows/benchmark.yml | Gates on Docker workflow success; updates GO_VERSION |
| .github/workflows/badge-ghcr-downloads.yml | Adds scheduled workflow to update GHCR pulls badge JSON |
| .github/workflows/auto-versioning.yml | Gates versioning on Docker workflow success for main |
| .github/workflows/auto-changelog.yml | Gates on Docker workflow success; keeps release trigger |
| .github/workflows/auto-add-to-project.yml | Adjusts triggers + token fallback behavior |
| .github/skills/utility-update-go-version-scripts/run.sh | Rebuilds key Go tools after Go upgrade |
| .github/skills/test-e2e-playwright.SKILL.md | Updates guidance/default browser + rebuild guidance |
| .github/skills/test-e2e-playwright-scripts/run.sh | Changes default browser/base URL + coverage/security env defaults |
| .github/skills/test-e2e-playwright-debug.SKILL.md | Clarifies rebuild guidance |
| .github/skills/test-e2e-playwright-debug-scripts/run.sh | Changes default browser/base URL + coverage/security env defaults |
| .github/skills/test-e2e-playwright-coverage.SKILL.md | Updates default browser + rebuild guidance |
| .github/skills/test-e2e-playwright-coverage-scripts/run.sh | Changes default browser + coverage/security env defaults |
| .github/skills/integration-test-waf.SKILL.md | Adds skill definition doc for WAF integration wrapper |
| .github/skills/integration-test-waf-scripts/run.sh | Adds wrapper script for existing WAF integration script |
| .github/skills/integration-test-rate-limit-scripts/run.sh | Adds wrapper script for existing rate limit integration script |
| .github/skills/integration-test-cerberus-scripts/run.sh | Adds wrapper script for existing Cerberus integration script |
| .github/skills/integration-test-all-scripts/run.sh | Points wrapper at canonical integration-test-all entrypoint |
| .github/renovate.json | Adds regex manager to track GO_VERSION in workflows |
| .github/instructions/testing.instructions.md | Updates test protocols (rebuild conditions, default browser, patch coverage stance) |
| .github/instructions/markdown.instructions.md | Adjusts required front matter guidance |
| .github/instructions/github-actions-ci-cd-best-practices.instructions.md | Notes gh CLI fallback when MCP fetch lacks auth |
| .github/instructions/copilot-instructions.md | Updates default E2E command + patch coverage guidance |
| .github/instructions/ARCHITECTURE.instructions.md | Updates Go version + E2E command snippet |
| .github/badges/ghcr-downloads.json | Adds badge endpoint JSON (generated/updated by workflow) |
| .github/agents/Supervisor.agent.md | Updates agent tool configuration/instructions |
| .github/agents/QA_Security.agent.md | Updates agent tool configuration + rebuild guidance text |
| .github/agents/Frontend_Dev.agent.md | Updates agent tool configuration |
| .github/agents/DevOps.agent.md | Updates agent tool configuration + guidance |
| .github/agents/Backend_Dev.agent.md | Updates agent tool configuration + guidance |
| .docker/compose/docker-compose.playwright-ci.yml | Clarifies CI image tag comment |
| .docker/README.md | Documents new env vars for runtime paths/mode |
| .codecov.yml | Configures PR comment behavior/layout |
…in golangci-lint files
…dle boolean inputs correctly
… with gotestsum and go test
…jor-10-eslint-monorepo chore(deps): update dependency eslint to v10 (feature/beta-release)
…ekly-non-major-updates chore(deps): update github/codeql-action digest to ad5a6c0 (feature/beta-release)
… improved readability
- Added tests for transient SQLite errors in emergency_handler_test.go.
- Introduced validation tests for provider errors in notification_provider_handler_validation_test.go.
- Implemented helper tests for settings handling in settings_handler_helpers_test.go.
- Expanded backup_handler_test.go to include SQLite database setup and validation.
- Improved system_permissions_handler_test.go with additional path repair tests.
- Updated backup_service_test.go to ensure proper database handling and error checks during backup operations.
- Refined import_handler_test.go with additional session validation tests.
placeholder....
Chores of this PR:
Migrate base image to Alpine to fix known Debian CVEs.
Make sure testing infrastructure has no regression and passes all green. Includes local and CI E2E, Integrations, Frontend and Backend Coverage.
DoD Checklist:
Closes Issues: #40, #587, #589, #592, #610, #618, #638, #664, #665, #631