Release v1.15.1 #832
Open: github-actions wants to merge 24 commits into main from copybara/v1.15.1
GitOrigin-RevId: 18d75a296de262cf034ae71c9cb40b96cee5fc11
This reverts commit 18d75a296de262cf034ae71c9cb40b96cee5fc11. GitOrigin-RevId: a94a59cf956ac3668299a2b1d68a6df1e58e05f0
> [!NOTE]
> **Medium Risk**
> Touches core reconciliation and resource write paths (SSA apply semantics, ownership/managedFields, and event recording), which could change update/merge behavior and conflict handling across Secrets/Deployments/Sources.
>
> **Overview**
> Upgrades Kubernetes controller dependencies (notably `sigs.k8s.io/controller-runtime` to `v0.23.1`) and aligns code to the newer Server-Side Apply (SSA) APIs.
>
> `api-server` and `srcman` are migrated from `Patch(..., client.Apply, PatchOptions)` and imperative create/update flows to **typed apply configurations** with `client.Apply`/`ApplyOptions`, including a new `sourceToApplyConfiguration` helper and generated `srcman/api/v0/applyconfiguration/...` code.
>
> Controllers now build owned resources (Secrets, ConfigMaps, ServiceAccounts, Deployments, Manager resources) via SSA apply configs with explicit owner references, and event emission/RBAC is updated to use `events.k8s.io` and the new controller-runtime event recorder API; a VSCode debug launch target is added for testing SSA source creation.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit fb5b7a2efcf8e6f9e5ab486382d9efb7f78ebbfc. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: f84ac61c3e95059583fa35d5591713f3ed74f94c
Redirect log and status messages to STDERR and reduce log verbosity to fix `jq` parse errors when piping JSON output.

Previously, `INFO` level log messages and `pterm` status messages were being written to STDOUT, interfering with JSON output and causing `jq` to fail. This PR ensures that only the intended JSON output goes to STDOUT, while all log and status messages are directed to STDERR.

Linear Issue: [ENG-2384](https://linear.app/overmind/issue/ENG-2384/jq-parse-error-for-json)

> [!NOTE]
> **Low Risk**
> Output/logging-only changes; main risk is reduced visibility of previously `Info`-level messages or unexpected stderr/stdout expectations in scripts.
>
> **Overview**
> Ensures the CLI’s machine-readable output stays clean when piping to tools like `jq` by redirecting `logrus` output to stderr and configuring `pterm` to write all status messages to stderr.
>
> Reduces verbosity for change-related commands by downgrading “found change” logs in `get-change`, `get-signals`, and `list-changes` from `Info` to `Debug`, minimizing stdout noise when emitting JSON.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6340c6b51b38c4855852c9c99c2b4e2d5a8a9774. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 43423357125d5cefed86bae6611f1be8799d6d5d
Changes:

- GetListAdapterV2: Cache NOTFOUND when GetFunc returns nil/zero value or LIST returns 0 items
- GetListAdapter: Cache NOTFOUND when GetFunc returns nil/zero value, LIST returns 0 items, or SEARCH returns 0 items
- AlwaysGetAdapter: Cache NOTFOUND when GetFunc returns nil, LIST returns 0 items, or SEARCH returns 0 items
- DescribeOnlyAdapter: Cache NOTFOUND when LIST/SEARCH returns 0 items (GET already handled)

Benefits:

- Reduces API calls by 90%+ for repeated queries that find nothing
- Particularly impactful for LIST operations across unused regions
- Uses standard NOTFOUND QueryError type for consistency
- Maintains backward compatibility (still returns nil for GET, empty array for LIST)
- Caches for same duration as successful results (DefaultCacheDuration)

https://github.com/user-attachments/assets/5af4f673-82fe-4188-b690-48ee03d23c7e

Linear Issue: [ENG-2235](https://linear.app/overmind/issue/ENG-2235/cache-not-found-results)

> [!NOTE]
> **Medium Risk**
> Changes caching semantics across multiple AWS adapters by introducing cached `NOTFOUND` errors for empty results; risk is mainly behavioral (clients relying on repeated backend calls or differing empty-vs-error handling) but guarded by backward-compatible consumption of cached `NOTFOUND` as empty in list/search paths.
>
> **Overview**
> Adds **negative caching** to `aws-source` adapters so repeated `LIST`/`SEARCH` (and some `GET`) queries that return no items now cache a `QueryError_NOTFOUND` for the normal cache duration, reducing redundant AWS calls.
>
> Updates `AlwaysGetAdapter`, `GetListAdapter`, `GetListAdapterV2`, `DescribeOnlyAdapter`, and `s3` list/get helpers to (1) treat cached `NOTFOUND` as an empty result for backward compatibility, and (2) only write a `NOTFOUND` cache entry when *no items were produced and no processing errors occurred* (with concurrency-safe tracking in `AlwaysGetAdapter`). Adds extensive unit coverage for not-found caching, expiry/ignore-cache behavior, and “don’t cache NOTFOUND on mapper/extractor errors,” plus a VS Code launch config for running `aws-source` locally unauthenticated.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit e06e6883fde380caa5ff8a001611434e900f088c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 217f1edc7e0dc5b8719d2c6c3beba1ab8bb161d0
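The negative-caching rule in the commit above (serve a cached `NOTFOUND` as an empty list, and only write one when no items were produced and no processing errors occurred) can be sketched as follows. This is an added example, not code from the project: `Cache`, `Adapter`, `ErrNotFound` and the sample scope are hypothetical stand-ins for `sdpcache`, the adapter types and `QueryError_NOTFOUND`.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrNotFound stands in for the NOTFOUND QueryError (hypothetical name).
var ErrNotFound = errors.New("NOTFOUND")

type entry struct {
	items   []string
	err     error
	expires time.Time
}

// Cache is a minimal TTL cache with an injectable clock; it is not sdpcache.
type Cache struct {
	mu  sync.Mutex
	m   map[string]entry
	now func() time.Time
}

func NewCache(now func() time.Time) *Cache {
	return &Cache{m: map[string]entry{}, now: now}
}

func (c *Cache) lookup(key string) (entry, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.m[key]
	if !ok || !c.now().Before(e.expires) {
		return entry{}, false // missing or expired
	}
	return e, true
}

func (c *Cache) store(key string, e entry, ttl time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e.expires = c.now().Add(ttl)
	c.m[key] = e
}

// Adapter is a hypothetical LIST adapter; Calls counts backend round trips.
type Adapter struct {
	Cache   *Cache
	TTL     time.Duration
	Fetch   func(scope string) ([]string, error)
	MapItem func(raw string) (string, error)
	Calls   int
}

func (a *Adapter) List(scope string, ignoreCache bool) ([]string, error) {
	key := "LIST:" + scope
	if !ignoreCache {
		if e, ok := a.Cache.lookup(key); ok {
			if errors.Is(e.err, ErrNotFound) {
				return []string{}, nil // cached NOTFOUND is served as an empty list
			}
			return e.items, nil
		}
	}
	a.Calls++
	raw, err := a.Fetch(scope)
	if err != nil {
		return nil, err // backend failures are never cached as "nothing there"
	}
	items := make([]string, 0, len(raw))
	mapErrs := 0
	for _, r := range raw {
		item, err := a.MapItem(r)
		if err != nil {
			mapErrs++
			continue
		}
		items = append(items, item)
	}
	switch {
	case len(items) > 0:
		a.Cache.store(key, entry{items: items}, a.TTL)
	case mapErrs == 0: // nothing produced, nothing failed: remember the absence
		a.Cache.store(key, entry{err: ErrNotFound}, a.TTL)
	}
	// Zero items with mapper errors: cache nothing, so the next query retries.
	return items, nil
}

func main() {
	a := &Adapter{Cache: NewCache(time.Now), TTL: time.Minute,
		Fetch:   func(string) ([]string, error) { return nil, nil }, // constructed: empty region
		MapItem: func(s string) (string, error) { return s, nil }}
	a.List("eu-west-2", false)
	a.List("eu-west-2", false)
	fmt.Println("backend calls:", a.Calls)
}
```

The mapper-error branch is the part that matters for correctness: caching `NOTFOUND` there would hide resources that exist but failed to convert until the entry expires.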
> [!NOTE]
> **Medium Risk**
> Adds a new mounted admin-capable UI (`riverui`) that starts background processes and exposes job control actions, so misconfiguration of auth scopes, routing order, or context cancellation could impact operations or shutdown behavior.
>
> **Overview**
> Integrates the official River UI into Area51 by creating and starting a `riverui` handler during router construction, mounting it at `/area51/api-server/riverui` with `admin:write` scope protection, and adding a navigation link.
>
> Refactors the Area51 router plumbing by renaming `NewAdminRouter*`/`adminApp` to `NewRouter*`/`area51App`, adding an `area51` lifecycle context from `service.Server` (with explicit cancellation on shutdown and on startup failures), and updating handlers/templates/tests to use the new app/type names. Dependencies are updated to include `riverui` and a `slog`→logrus adapter for River UI logging.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit e6fc872d5daa4b9bb283ea465e3a2f48fe9c9485. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 68f673d4701e7776c953bf56f4128b9d297ab0d7
Adapter tests now use appropriate cache, memory cache or NewNoOpCache. I also found a few adapters that do not use a cache!!!

> [!NOTE]
> **Medium Risk**
> Changes how caching is wired across multiple adapter helpers by removing implicit nil-to-no-op behavior; misconfigured adapters/tests could now nil-deref or change caching semantics if not updated everywhere.
>
> **Overview**
> Makes adapter caching **explicit and mandatory** by removing the `Cache()` helper methods that silently substituted a global `NewNoOpCache()` when `cache` was nil, and updating all cache call sites to use the struct’s `cache` field directly.
>
> Updates unit/integration/E2E tests and various adapter constructors to always pass a cache (typically `sdpcache.NewNoOpCache()`; caching-focused tests use `sdpcache.NewMemoryCache()`), and fixes a few adapters (e.g., IAM `NewIAMRoleAdapter`/`NewIAMUserAdapter`) to actually wire the provided cache into the underlying adapter.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1d2878c789b33289749fbc037e1eaa0a05f9fe52. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 195ffa56fb75fe4f21d90df23d465bd0505e595e
> [!NOTE]
> **Medium Risk**
> Changes how CI resolves and masks secrets and adds retry/backoff behavior; failures could block builds or leak less obvious errors if the new SDK path behaves differently than the CLI.
>
> **Overview**
> Updates the internal `inject-secrets` GitHub composite action to resolve `op://` references via the 1Password Go SDK instead of shelling out to the `op` CLI, including **exponential backoff retries** specifically for SDK rate-limit errors and improved error diagnostics.
>
> Adjusts CI workflows to stop installing the 1Password CLI wherever it was only needed for secret injection (adding `actions/setup-go` where required), while leaving the CLI install in `terraform.yml` for the Terraform 1Password provider; also includes minor workflow YAML quoting/formatting cleanups. Adds `github.com/1password/onepassword-sdk-go` (and related indirect deps) to `go.mod`/`go.sum`.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 82657e4401b6938aba98803bbd45c5e44b440ae3. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 11945b4bf0ed6caba0472c7d8cdf29312a405894
> [!NOTE]
> **Medium Risk**
> Touches adapter query/mapping behavior that affects resource resolution and caching for BigQuery/KMS/IAM keys; changes are localized but could alter how Terraform IDs resolve (SEARCH vs GET) if mappings or interception assumptions are wrong.
>
> **Overview**
> Improves Terraform interoperability for multiple GCP manual adapters by switching their `TerraformMappings` from `GET`/name-based fields to `SEARCH` using the resource `.id` field, relying on the framework’s full-path (`projects/...`) interception to perform `GET` where appropriate.
>
> Adds missing `SearchStream` implementation for `BigQueryRoutine` (including caching of streamed items), and introduces Terraform-style and legacy-format search tests across BigQuery Routine and Cloud KMS adapters (`CryptoKey`, `CryptoKeyVersion`, `KeyRing`) to validate both ID parsing and cache key behavior. Also enables Terraform mappings for `CloudKMSCryptoKey` (previously `nil`) and updates mappings for `BigQueryTable` and `IAMServiceAccountKey`.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9a43c6bf2230c9140ae400ac610abc3ec1899ad7. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: b5163225ab07244d89ba567d10d5b0834959944b
> [!NOTE]
> **Medium Risk**
> Changes control flow during multi-region engine initialization so some STS failures are treated as non-fatal; incorrect classification could hide real auth/config issues for a region.
>
> **Overview**
> AWS source initialization now **detects STS `InvalidIdentityToken`/OIDC-provider failures as disabled opt-in regions** and *skips those regions* instead of failing the entire engine startup.
>
> Adds `isOptInRegionError` (using `smithy.APIError`) and updates `wrapRegionError` to preserve the original error while appending region-enablement guidance; initialization logs per-region skips plus a final summary of skipped regions. Tests add a `smithy.APIError` mock and coverage for both detection and wrapping behavior (including wrapped errors).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 178b19d65c60b47478eb323503c24bc16036ed0d. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: c47f98f6c4dad46bdd74785bb3e7324a974cfa33
> [!NOTE]
> **Medium Risk**
> Touches shared protobuf contracts and mapping-status logic across CLI/API/frontend; incorrect enum handling or fallback behavior could mislabel mapping results in the UI.
>
> **Overview**
> Improves resource mapping UX by introducing a new **Pending creation** state for mapped items, so newly-created Terraform resources that don’t exist yet aren’t shown as mapping errors.
>
> The CLI now emits an explicit `mapping_status` on `MappedItemDiff` (new `MappedItemMappingStatus` enum) and classifies missing mapping attributes as `PENDING_CREATION` for `ITEM_DIFF_STATUS_CREATED`, while preserving `UNSUPPORTED` and real `ERROR` cases. The API timeline prefers this explicit status (falling back to inference for backward compatibility), and the frontend updates timeline rows/summary/resource-mapping views and mocks to display the new status and counts.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b6958c95fe5fde8df97d0c4df0096cd8e9de2473. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: c490da6a3010b00c8aa11006190287f7ab45e567
## Numeric Projects

We can't use numeric projects for the scope because we use the project names for the scope and therefore they don't match. If we encounter a numeric name, we just need to use an asterisk.

## Wildcard Scope Adapters GET Broken

The optimization that @DavidS-ovm created means that some adapters can handle wildcards themselves. The problem is that we only implemented this handling for the list method. If you do a GET or a SEARCH with a wildcard scope, the whole thing just fails, so I have changed it so that the optimization only applies for list queries.

[Example span](https://ui.honeycomb.io/overmind/environments/prod/datasets/gcp-source/result/ASNgg7MxQj6/trace/o87jWtPdHoF?fields[]=s_name&fields[]=s_serviceName&fields[]=c_ovm.sdp.type&fields[]=c_ovm.adapter.numItems&span=a75f76c7bd64b388)

> [!NOTE]
> **Medium Risk**
> Changes query expansion behavior for wildcard scopes (GET/SEARCH now fan out per scope) and forces wildcard scoping for numeric GCP project URIs, which can increase query breadth and affect result sets/performance.
>
> **Overview**
> Fixes wildcard-scope handling so the `WildcardScopeAdapter` optimization is **only applied to `LIST` queries**; wildcard `GET` and `SEARCH` are now always expanded across concrete adapter scopes to avoid missing multi-scope matches.
>
> Updates GCP `ExtractScopeFromURI` to detect **numeric project identifiers** and return `"*"` scope (broadcast) since adapter scopes are keyed by project IDs, and adds test coverage for numeric-project URIs plus the revised wildcard adapter expansion behavior.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 773c700836bccd9ec7c721e4e7fd579eb1c0ee79. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

<sup><a href="https://cursor.com/dashboard?tab=bugbot">Cursor Bugbot</a> reviewed your changes and found no issues for commit <u>773c700</u></sup>

GitOrigin-RevId: eb7577d82b3f073098c8bdadcba59f24e4869d7f
…t to 477360e (#3808)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/hashicorp/terraform-config-inspect](https://redirect.github.com/hashicorp/terraform-config-inspect) | require | digest | `7854796` → `477360e` |

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

- [ ] If you want to rebase/retry this PR, check this box

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

> [!NOTE]
> **Low Risk**
> Single-module dependency update limited to `go.mod`/`go.sum`, with low likelihood of behavior change outside whatever `terraform-config-inspect` impacts at runtime/build time.
>
> **Overview**
> Updates the Go dependency `github.com/hashicorp/terraform-config-inspect` to a newer pseudo-version (digest `7854796` → `477360e`) by changing `go.mod` and refreshing the corresponding `go.sum` entries.
>
> No application code changes are included; this is strictly a dependency digest bump.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ef48d0476243eefee93d7e6825bd3f6db9999dce. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 5a26f643960f4251492a83c34b32c51128eb6cdd
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [aws](https://registry.terraform.io/providers/hashicorp/aws) ([source](https://redirect.github.com/hashicorp/terraform-provider-aws)) | required_provider | minor | `6.30.0` → `6.31.0` | | [github](https://registry.terraform.io/providers/integrations/github) ([source](https://redirect.github.com/integrations/terraform-provider-github)) | required_provider | minor | `6.10.2` → `6.11.0` | | [google](https://registry.terraform.io/providers/hashicorp/google) ([source](https://redirect.github.com/hashicorp/terraform-provider-google)) | required_provider | minor | `7.17.0` → `7.18.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>hashicorp/terraform-provider-aws (aws)</summary> ### [`v6.31.0`](https://redirect.github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6310-February-4-2026) [Compare Source](https://redirect.github.com/hashicorp/terraform-provider-aws/compare/v6.30.0...v6.31.0) NOTES: - resource/aws\_s3\_bucket\_abac: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_abac: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_accelerate\_configuration: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_accelerate\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_acl: Deprecates `expected_bucket_owner` attribute. 
([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_acl: Removes `expected_bucket_owner` and `acl` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_cors\_configuration: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_cors\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_lifecycle\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_logging: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_logging: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_metadata\_configuration: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_metadata\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_object\_lock\_configuration: Deprecates `expected_bucket_owner` attribute. 
([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_object\_lock\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_request\_payment\_configuration: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_request\_payment\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_server\_side\_encryption\_configuration: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_server\_side\_encryption\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_versioning: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_versioning: Removes `expected_bucket_owner` attribute from Resource Identity. ([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) - resource/aws\_s3\_bucket\_website\_configuration: Deprecates `expected_bucket_owner` attribute. ([#​46262](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46262)) - resource/aws\_s3\_bucket\_website\_configuration: Removes `expected_bucket_owner` attribute from Resource Identity. 
([#​46272](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46272)) FEATURES: - **New Data Source:** `aws_account_regions` ([#​41746](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/41746)) - **New Ephemeral Resource:** `aws_ecrpublic_authorization_token` ([#​45841](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45841)) - **New List Resource:** `aws_cloudwatch_event_rule` ([#​46304](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46304)) - **New List Resource:** `aws_cloudwatch_event_target` ([#​46297](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46297)) - **New List Resource:** `aws_cloudwatch_metric_alarm` ([#​46268](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46268)) - **New List Resource:** `aws_iam_role_policy` ([#​46293](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46293)) - **New List Resource:** `aws_lambda_function` ([#​46295](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46295)) - **New List Resource:** `aws_s3_bucket_acl` ([#​46305](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46305)) - **New List Resource:** `aws_s3_bucket_policy` ([#​46312](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46312)) - **New List Resource:** `aws_s3_bucket_public_access_block` ([#​46309](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46309)) - **New Resource:** `aws_ssoadmin_customer_managed_policy_attachments_exclusive` ([#​46191](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46191)) ENHANCEMENTS: - resource/aws\_odb\_cloud\_autonomous\_vm\_cluster: autonomous vm cluster creation using odb network ARN and exadata infrastructure ARN for resource sharing model. 
([#​45583](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45583)) - resource/aws\_opensearch\_domain: Add `serverless_vector_acceleration` to `aiml_options` ([#​45882](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45882)) BUG FIXES: - list-resource/aws\_s3\_bucket: Restricts listed buckets to expected region. ([#​46305](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46305)) - resource/aws\_elasticache\_replication\_group: Fixed AUTH to RBAC migration. Previously, `auth_token_update_strategy` always required `auth_token`, which caused an error when migrating from AUTH to RBAC. Now, `auth_token_update_strategy` still requires `auth_token` except when `auth_token_update_strategy` is `DELETE`. ([#​45518](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45518)) - resource/aws\_elasticache\_replication\_group: Fixed an issue with downscaling `aws_elasticache_replication_group` when `cluster_mode="enabled"` and `num_node_groups` is reduced. Previously, downscaling could fail in certain scenarios; for example, if nodes `0001`, `0002`, `0003`, `0004`, and `0005` exist, and a user manually removes `0003` and `0005`, then sets `num_node_groups = 2`, terraform would attempt to delete `0003`, `0004`, and `0005`. This is now fixed, after this fix terraform will retrieve the current node groups before resizing. ([#​45893](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45893)) - resource/aws\_elasticache\_serverless\_cache: Fix `user_group_id` removal during modification. 
([#​45571](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45571)) - resource/aws\_elasticache\_serverless\_cache: Fix forced replacement when upgrading Valkey major version or switching engine between redis and valkey ([#​45087](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45087)) - resource/aws\_network\_interface: Fix `UnauthorizedOperation` error when detaching resource that does not have an attachment ([#​46211](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46211)) </details> <details> <summary>integrations/terraform-provider-github (github)</summary> ### [`v6.11.0`](https://redirect.github.com/integrations/terraform-provider-github/releases/tag/v6.11.0) [Compare Source](https://redirect.github.com/integrations/terraform-provider-github/compare/v6.10.2...v6.11.0) <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### 🚀 New Features - feat: allow users to set GitHub app in their repositories by [@​M0NsTeRRR](https://redirect.github.com/M0NsTeRRR) in [#​2469](https://redirect.github.com/integrations/terraform-provider-github/pull/2469) - feat: add github\_release\_asset data source by [@​mdb](https://redirect.github.com/mdb) in [#​2514](https://redirect.github.com/integrations/terraform-provider-github/pull/2514) - feat(actions\_permissions): sha\_pinning\_required by [@​sheeeng](https://redirect.github.com/sheeeng) in [#​2870](https://redirect.github.com/integrations/terraform-provider-github/pull/2870) - feat: Consistent secret and variable selected repos by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3155](https://redirect.github.com/integrations/terraform-provider-github/pull/3155) - feat: Add ruleset rule for pull request required reviewers by [@​deiga](https://redirect.github.com/deiga) in [#​3073](https://redirect.github.com/integrations/terraform-provider-github/pull/3073) - feat: support internal visibility for 
repositories created by a template by [@​puneet-arora15](https://redirect.github.com/puneet-arora15) in [#​3123](https://redirect.github.com/integrations/terraform-provider-github/pull/3123) ##### 🐛 Bugfixes - fix: Correct forking and vulnerability alert logic by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3127](https://redirect.github.com/integrations/terraform-provider-github/pull/3127) - fix: Correct ruleset pr allowed merge method logic by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3128](https://redirect.github.com/integrations/terraform-provider-github/pull/3128) - fix: Relax id parsing strictness for existing ids by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3129](https://redirect.github.com/integrations/terraform-provider-github/pull/3129) - fix(environments): swallow 404 not found errors by [@​acouvreur](https://redirect.github.com/acouvreur) in [#​3132](https://redirect.github.com/integrations/terraform-provider-github/pull/3132) - fix: Correct repo vulnerability alert logic by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3144](https://redirect.github.com/integrations/terraform-provider-github/pull/3144) - fix: Correct secret drift implementation by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3069](https://redirect.github.com/integrations/terraform-provider-github/pull/3069) - fix: Ensure `github_emu_group_mapping` behaves correctly if mapping changes upstream by [@​deiga](https://redirect.github.com/deiga) in [#​3118](https://redirect.github.com/integrations/terraform-provider-github/pull/3118) ##### 🛠️ Maintenance - \[MAINT] Fix ruleset tests after rebase by [@​deiga](https://redirect.github.com/deiga) in [#​3153](https://redirect.github.com/integrations/terraform-provider-github/pull/3153) - \[MAINT] enable nilnesserr linter by [@​deiga](https://redirect.github.com/deiga) in 
[#​3113](https://redirect.github.com/integrations/terraform-provider-github/pull/3113) - \[MAINT] Remove unnecessary separate API call for repo topics in `github_repository` by [@​deiga](https://redirect.github.com/deiga) in [#​3086](https://redirect.github.com/integrations/terraform-provider-github/pull/3086) - \[MAINT] refactor `github_repository_file` to use Context-aware provider functions by [@​deiga](https://redirect.github.com/deiga) in [#​3107](https://redirect.github.com/integrations/terraform-provider-github/pull/3107) - \[MAINT] Fix `github_organization_ruleset` and `github_repository_ruleset` with `push` target by [@​deiga](https://redirect.github.com/deiga) in [#​2958](https://redirect.github.com/integrations/terraform-provider-github/pull/2958) - chore(actions): Add doc how to verify GitHub Attestations with GitHub cli and verify release artifacts with Cosign by [@​ViacheslavKudinov](https://redirect.github.com/ViacheslavKudinov) in [#​2846](https://redirect.github.com/integrations/terraform-provider-github/pull/2846) - chore: Refactor test provider by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3146](https://redirect.github.com/integrations/terraform-provider-github/pull/3146) - chore: Update go-github to v82 by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3139](https://redirect.github.com/integrations/terraform-provider-github/pull/3139) - chore: Simplify codeql workflow by [@​stevehipwell](https://redirect.github.com/stevehipwell) in [#​3138](https://redirect.github.com/integrations/terraform-provider-github/pull/3138) - build(deps): bump the github-actions group across 1 directory with 5 updates by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​3141](https://redirect.github.com/integrations/terraform-provider-github/pull/3141) - build(deps): bump the gomod group across 1 directory with 2 updates by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in 
[#​3091](https://redirect.github.com/integrations/terraform-provider-github/pull/3091) #### New Contributors - [@​puneet-arora15](https://redirect.github.com/puneet-arora15) made their first contribution in [#​3123](https://redirect.github.com/integrations/terraform-provider-github/pull/3123) - [@​sheeeng](https://redirect.github.com/sheeeng) made their first contribution in [#​2870](https://redirect.github.com/integrations/terraform-provider-github/pull/2870) **Full Changelog**: <integrations/terraform-provider-github@v6.10.2...v6.11.0> </details> <details> <summary>hashicorp/terraform-provider-google (google)</summary> ### [`v7.18.0`](https://redirect.github.com/hashicorp/terraform-provider-google/releases/tag/v7.18.0) [Compare Source](https://redirect.github.com/hashicorp/terraform-provider-google/compare/v7.17.0...v7.18.0) BREAKING CHANGES: - alloydb: removed the incorrect top-level field `last_successful_backup_consistency_time` from `google_backup_dr_backup_plan_association`. No value has been present in this output-only field. 
([#​25928](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25928)) FEATURES: - **New Resource:** `google_dataplex_data_asset` ([#​25922](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25922)) - **New Resource:** `google_firebase_ai_logic_prompt_template_lock` ([#​25877](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25877)) - **New Resource:** `google_logging_saved_query` ([#​25921](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25921)) IMPROVEMENTS: - alloydb: added `restore_backupdr_backup_source`, `restore_backupdr_pitr_source`, and `backupdr_backup_source` to `google_alloydb_cluster` ([#​25928](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25928)) - alloydb: added `rules_config_info.last_successful_backup_consistency_time` to `google_backup_dr_backup_plan_association` ([#​25928](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25928)) - compute: updated `target_service` field to support update-in-place in `google_compute_service_attachment` resource ([#​25924](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25924)) - datafusion: added `patch_revision` field to `google_data_fusion_instance` resource ([#​25923](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25923)) - firestore: added `skip_wait` field to `google_firestore_index` resource, skipping the wait for index creation ([#​25934](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25934)) - gkeonprem: added `skip_validations` field to `google_gkeonprem_vmware_cluster` resource ([#​25917](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25917)) - sql: added `database_role` field and `iam_email` field to `google_sql_user` resource to support managing Cloud SQL users with database roles. 
([#​25926](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25926)) BUG FIXES: - cloudbuild: fixed `google_cloudbuild_trigger` to allow creation without source configuration for manual triggers ([#​25925](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25925)) - cloudrunv2: fix permadiff on `scaling.scaling_mode` in `google_cloud_run_v2_worker_pool` ([#​25927](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25927)) - compute: resolved issues where `show_nat_ips` and `nat_ips` in `google_compute_service_attachment` were causing test failures due to an underlying API problem. These fields are now temporarily non-functional and will be ignored. ([#​25908](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25908)) - container: fixed a bug in `google_container_node_pool` that prevented creation when `blue_green_settings` was specified ([#​25916](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25916)) - container: fixed perma-diff in `google_container_cluster` when setting `resource_limits` with disabled node autoprovisioning ([#​25929](https://redirect.github.com/hashicorp/terraform-provider-google/pull/25929)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace). 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: d3f5866d4192e121685d494cc1033d4612717382
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [cloud.google.com/go/aiplatform](https://redirect.github.com/googleapis/google-cloud-go) | `v1.114.0` → `v1.115.0` |  |  |
| [cloud.google.com/go/bigquery](https://redirect.github.com/googleapis/google-cloud-go) | `v1.72.0` → `v1.73.1` |  |  |
| [cloud.google.com/go/bigtable](https://redirect.github.com/googleapis/google-cloud-go) | `v1.41.0` → `v1.42.0` |  |  |
| [cloud.google.com/go/logging](https://redirect.github.com/googleapis/google-cloud-go) | `v1.13.1` → `v1.13.2` |  |  |
| [github.com/aws/aws-sdk-go-v2/service/cloudfront](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.59.0` → `v1.60.0` |  |  |
| [github.com/aws/aws-sdk-go-v2/service/dynamodb](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.54.0` → `v1.55.0` |  |  |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.77.0` → `v1.77.1` |  |  |
| [github.com/googleapis/gax-go/v2](https://redirect.github.com/googleapis/gax-go) | `v2.16.0` → `v2.17.0` |  |  |
| [github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk) | `v0.7.4` → `v0.7.6` |  |  |
| [github.com/nats-io/nkeys](https://redirect.github.com/nats-io/nkeys) | `v0.4.12` → `v0.4.15` |  |  |
| [github.com/openai/openai-go/v3](https://redirect.github.com/openai/openai-go) | `v3.17.0` → `v3.18.0` |  |  |
| [github.com/posthog/posthog-go](https://redirect.github.com/posthog/posthog-go) | `v1.9.1` → `v1.10.0` |  |  |
| [github.com/samber/slog-logrus/v2](https://redirect.github.com/samber/slog-logrus) | `v2.5.2` → `v2.5.3` |  |  |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://redirect.github.com/open-telemetry/opentelemetry-go-contrib) | `v0.64.0` → `v0.65.0` |  |  |
| [go.opentelemetry.io/otel](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.39.0` → `v1.40.0` |  |  |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.39.0` → `v1.40.0` |  |  |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.39.0` → `v1.40.0` |  |  |
| [go.opentelemetry.io/otel/exporters/stdout/stdouttrace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.39.0` → `v1.40.0` |  |  |
| [go.opentelemetry.io/otel/sdk](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.39.0` → `v1.40.0` |  |  |
| [go.opentelemetry.io/otel/trace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.39.0` → `v1.40.0` |  |  |
| [google.golang.org/api](https://redirect.github.com/googleapis/google-api-go-client) | `v0.264.0` → `v0.265.0` |  |  |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

## ⚠️ Warning

These modules are almost certainly going to break everything. They do every time they update. If you update even one repo's OTEL modules, go will then pull in new versions due to [MVS](https://research.swtch.com/vgo-mvs) which will cause your repo to break. All [otel pull requests](https://redirect.github.com/pulls?q=is%3Aopen+is%3Apr+user%3Aovermindtech+archived%3Afalse+label%3Aobservability+) need to be merged basically at the same time, and after all of the modules have been updated to be compatible with each other.
--- ### Release Notes <details> <summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/service/cloudfront)</summary> ### [`v1.60.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2025-11-19) #### General Highlights - **Dependency Update**: Updated to the latest SDK module versions #### Module Highlights - `github.com/aws/aws-sdk-go-v2/service/apigateway`: [v1.37.0](service/apigateway/CHANGELOG.md#v1370-2025-11-19) - **Feature**: API Gateway now supports response streaming and new security policies for REST APIs and custom domain names. - `github.com/aws/aws-sdk-go-v2/service/apigatewayv2`: [v1.33.0](service/apigatewayv2/CHANGELOG.md#v1330-2025-11-19) - **Feature**: Support for API Gateway portals and portal products. - `github.com/aws/aws-sdk-go-v2/service/backup`: [v1.54.0](service/backup/CHANGELOG.md#v1540-2025-11-19) - **Feature**: Amazon GuardDuty Malware Protection now supports AWS Backup, extending malware detection capabilities to EC2, EBS, and S3 backups. - `github.com/aws/aws-sdk-go-v2/service/bcmpricingcalculator`: [v1.10.0](service/bcmpricingcalculator/CHANGELOG.md#v1100-2025-11-19) - **Feature**: Add GroupSharingPreference, CostCategoryGroupSharingPreferenceArn, and CostCategoryGroupSharingPreferenceEffectiveDate to Bill Estimate. Add GroupSharingPreference and CostCategoryGroupSharingPreferenceArn to Bill Scenario. - `github.com/aws/aws-sdk-go-v2/service/bedrockruntime`: [v1.44.0](service/bedrockruntime/CHANGELOG.md#v1440-2025-11-19) - **Feature**: This release includes support for Search Results. - `github.com/aws/aws-sdk-go-v2/service/billing`: [v1.9.0](service/billing/CHANGELOG.md#v190-2025-11-19) - **Feature**: Added name filtering support to ListBillingViews API through the new names parameter to efficiently filter billing views by name. 
- `github.com/aws/aws-sdk-go-v2/service/billingconductor`: [v1.27.0](service/billingconductor/CHANGELOG.md#v1270-2025-11-19) - **Feature**: This release adds support for Billing Transfers, enabling management of billing transfers with billing groups on AWS Billing Conductor. - `github.com/aws/aws-sdk-go-v2/service/cloudtrail`: [v1.54.0](service/cloudtrail/CHANGELOG.md#v1540-2025-11-19) - **Feature**: AWS CloudTrail now supports Insights for data events, expanding beyond management events to automatically detect unusual activity on data plane operations. - `github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs`: [v1.60.0](service/cloudwatchlogs/CHANGELOG.md#v1600-2025-11-19) - **Feature**: Adding support for ocsf version 1.5, add optional parameter MappingVersion - `github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2`: [v1.9.0](service/connectcampaignsv2/CHANGELOG.md#v190-2025-11-19) - **Feature**: This release added support for ring timer configuration for campaign calls. - `github.com/aws/aws-sdk-go-v2/service/costexplorer`: [v1.60.0](service/costexplorer/CHANGELOG.md#v1600-2025-11-19) - **Feature**: Add support for COST\_CATEGORY, TAG, and LINKED\_ACCOUNT AWS managed cost anomaly detection monitors - `github.com/aws/aws-sdk-go-v2/service/costoptimizationhub`: [v1.21.0](service/costoptimizationhub/CHANGELOG.md#v1210-2025-11-19) - **Feature**: Release ListEfficiencyMetrics API - `github.com/aws/aws-sdk-go-v2/service/datazone`: [v1.48.0](service/datazone/CHANGELOG.md#v1480-2025-11-19) - **Feature**: Amazon DataZone now supports business metadata (readme and metadata forms) at the individual attribute (column) level, a new rule type for glossary terms, and the ability to update the owner of the root domain unit. - `github.com/aws/aws-sdk-go-v2/service/dynamodb`: [v1.53.0](service/dynamodb/CHANGELOG.md#v1530-2025-11-19) - **Feature**: Extended Global Secondary Index (GSI) composite keys to support up to 8 attributes. 
- `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.272.0](service/ec2/CHANGELOG.md#v12720-2025-11-19) - **Feature**: This launch adds support for two new features: Regional NAT Gateway and IPAM Policies. IPAM policies offers customers central control for public IPv4 assignments across AWS services. Regional NAT is a single NAT Gateway that automatically expands across AZs in a VPC to maintain high availability. - `github.com/aws/aws-sdk-go-v2/service/ecr`: [v1.53.0](service/ecr/CHANGELOG.md#v1530-2025-11-19) - **Feature**: Add support for ECR archival storage class and Inspector org policy for scanning - `github.com/aws/aws-sdk-go-v2/service/ecs`: [v1.68.0](service/ecs/CHANGELOG.md#v1680-2025-11-19) - **Feature**: Added support for Amazon ECS Managed Instances infrastructure optimization configuration. - `github.com/aws/aws-sdk-go-v2/service/emr`: [v1.56.0](service/emr/CHANGELOG.md#v1560-2025-11-19) - **Feature**: Add CloudWatch Logs integration for Spark driver, executor and step logs - `github.com/aws/aws-sdk-go-v2/service/fsx`: [v1.64.0](service/fsx/CHANGELOG.md#v1640-2025-11-19) - **Feature**: Adding File Server Resource Manager configuration to FSx Windows - `github.com/aws/aws-sdk-go-v2/service/guardduty`: [v1.68.0](service/guardduty/CHANGELOG.md#v1680-2025-11-19) - **Feature**: Add support for scanning and viewing scan results for backup resource types - `github.com/aws/aws-sdk-go-v2/service/health`: [v1.35.0](service/health/CHANGELOG.md#v1350-2025-11-19) - **Feature**: Adds actionability and personas properties to Health events exposed through DescribeEvents, DescribeEventsForOrganization, DescribeEventDetails, and DescribeEventTypes APIs. Adds filtering by actionabilities and personas in EventFilter, OrganizationEventFilter, EventTypeFilter. 
- `github.com/aws/aws-sdk-go-v2/service/iam`: [v1.52.0](service/iam/CHANGELOG.md#v1520-2025-11-19) - **Feature**: Added the EnableOutboundWebIdentityFederation, DisableOutboundWebIdentityFederation and GetOutboundWebIdentityFederationInfo APIs for the IAM outbound federation feature. - `github.com/aws/aws-sdk-go-v2/service/inspector2`: [v1.45.0](service/inspector2/CHANGELOG.md#v1450-2025-11-19) - **Feature**: This release introduces BLOCKED\_BY\_ORGANIZATION\_POLICY error code and IMAGE\_ARCHIVED scanStatusReason. BLOCKED\_BY\_ORGANIZATION\_POLICY error code is returned when an operation is blocked by an AWS Organizations policy. IMAGE\_ARCHIVED scanStatusReason is returned when an Image is archived in ECR. - `github.com/aws/aws-sdk-go-v2/service/invoicing`: [v1.8.0](service/invoicing/CHANGELOG.md#v180-2025-11-19) - **Feature**: Add support for adding Billing transfers in Invoice configuration - `github.com/aws/aws-sdk-go-v2/service/lambda`: [v1.82.0](service/lambda/CHANGELOG.md#v1820-2025-11-19) - **Feature**: Added support for creating and invoking Tenant Isolated functions in AWS Lambda APIs. - `github.com/aws/aws-sdk-go-v2/service/mediaconnect`: [v1.46.0](service/mediaconnect/CHANGELOG.md#v1460-2025-11-19) - **Feature**: This release adds support for global routing in AWS Elemental MediaConnect. You can now use router inputs and router outputs to manage global video and audio routing workflows both within the AWS-Cloud and over the public internet. - `github.com/aws/aws-sdk-go-v2/service/medialive`: [v1.87.0](service/medialive/CHANGELOG.md#v1870-2025-11-19) - **Feature**: MediaLive is adding support for MediaConnect Router by supporting a new input type called MEDIACONNECT\_ROUTER. This new input type will provide seamless encrypted transport between MediaConnect Router and your MediaLive channel. 
- `github.com/aws/aws-sdk-go-v2/service/networkfirewall`: [v1.58.0](service/networkfirewall/CHANGELOG.md#v1580-2025-11-19) - **Feature**: Partner Managed Rulegroup feature support - `github.com/aws/aws-sdk-go-v2/service/networkflowmonitor`: [v1.11.0](service/networkflowmonitor/CHANGELOG.md#v1110-2025-11-19) - **Feature**: Added new enum value (AWS::EKS::Cluster) for type field under MonitorLocalResource - `github.com/aws/aws-sdk-go-v2/service/partnercentralchannel`: [v1.0.0](service/partnercentralchannel/CHANGELOG.md#v100-2025-11-19) - **Release**: New AWS service client module - **Feature**: Initial GA launch of Partner Central Channel - `github.com/aws/aws-sdk-go-v2/service/route53`: [v1.60.0](service/route53/CHANGELOG.md#v1600-2025-11-19) - **Feature**: Add dual-stack endpoint support for Route53 - `github.com/aws/aws-sdk-go-v2/service/rum`: [v1.30.0](service/rum/CHANGELOG.md#v1300-2025-11-19) - **Feature**: CloudWatch RUM now supports mobile application monitoring for Android and iOS platforms - `github.com/aws/aws-sdk-go-v2/service/s3`: [v1.91.0](service/s3/CHANGELOG.md#v1910-2025-11-19) - **Feature**: Adds support for blocking SSE-C writes to general purpose buckets. - `github.com/aws/aws-sdk-go-v2/service/sagemaker`: [v1.224.0](service/sagemaker/CHANGELOG.md#v12240-2025-11-19) - **Feature**: Added support for enhanced metrics for SageMaker AI Endpoints. This features provides Utilization Metrics at instance and container granularity and also provides easy configuration of metric publish frequency from 10 sec -> 5 mins - `github.com/aws/aws-sdk-go-v2/service/secretsmanager`: [v1.40.0](service/secretsmanager/CHANGELOG.md#v1400-2025-11-19) - **Feature**: Adds support to create, update, retrieve, rotate, and delete managed external secrets. - `github.com/aws/aws-sdk-go-v2/service/sfn`: [v1.40.0](service/sfn/CHANGELOG.md#v1400-2025-11-19) - **Feature**: Adds support to TestState for mocked results and exceptions, along with additional inspection data. 
- `github.com/aws/aws-sdk-go-v2/service/signin`: [v1.0.0](service/signin/CHANGELOG.md#v100-2025-11-19) - **Release**: New AWS service client module - **Feature**: AWS Sign-In manages authentication for AWS services. This service provides secure authentication flows for accessing AWS resources from the console and developer tools. This release adds the CreateOAuth2Token API, which can be used to fetch OAuth2 access tokens and refresh tokens from Sign-In. - `github.com/aws/aws-sdk-go-v2/service/sts`: [v1.41.0](service/sts/CHANGELOG.md#v1410-2025-11-19) - **Feature**: IAM now supports outbound identity federation via the STS GetWebIdentityToken API, enabling AWS workloads to securely authenticate with external services using short-lived JSON Web Tokens. - `github.com/aws/aws-sdk-go-v2/service/transcribestreaming`: [v1.33.0](service/transcribestreaming/CHANGELOG.md#v1330-2025-11-19) - **Feature**: This release adds support for additional locales in AWS transcribe streaming. </details> <details> <summary>googleapis/gax-go (github.com/googleapis/gax-go/v2)</summary> ### [`v2.17.0`](https://redirect.github.com/googleapis/gax-go/releases/tag/v2.17.0): v2 2.17.0 [Compare Source](https://redirect.github.com/googleapis/gax-go/compare/v2.16.0...v2.17.0) ##### Features - update Invoke to add retry count to context ([#​462](https://redirect.github.com/googleapis/gax-go/issues/462)) ([ea7096d5](https://redirect.github.com/googleapis/gax-go/commit/ea7096d5)) </details> <details> <summary>harness/harness-go-sdk (github.com/harness/harness-go-sdk)</summary> ### [`v0.7.6`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.5...v0.7.6) [Compare Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.5...v0.7.6) ### [`v0.7.5`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.4...v0.7.5) [Compare Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.4...v0.7.5) </details> <details> <summary>nats-io/nkeys 
(github.com/nats-io/nkeys)</summary> ### [`v0.4.15`](https://redirect.github.com/nats-io/nkeys/compare/v0.4.14...v0.4.15) [Compare Source](https://redirect.github.com/nats-io/nkeys/compare/v0.4.14...v0.4.15) ### [`v0.4.14`](https://redirect.github.com/nats-io/nkeys/compare/v0.4.12...v0.4.14) [Compare Source](https://redirect.github.com/nats-io/nkeys/compare/v0.4.12...v0.4.14) </details> <details> <summary>openai/openai-go (github.com/openai/openai-go/v3)</summary> ### [`v3.18.0`](https://redirect.github.com/openai/openai-go/blob/HEAD/CHANGELOG.md#3180-2026-02-05) [Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.17.0...v3.18.0) Full Changelog: [v3.17.0...v3.18.0](https://redirect.github.com/openai/openai-go/compare/v3.17.0...v3.18.0) ##### Features - **api:** add shell\_call\_output status field ([67a75d7](https://redirect.github.com/openai/openai-go/commit/67a75d755e815f6d6fdf4ac48314472a94c8613f)) - **api:** image generation actions for responses; ResponseFunctionCallArgumentsDoneEvent.name ([2c57016](https://redirect.github.com/openai/openai-go/commit/2c57016b7c7f45072c59f193e567a55ecbda21fd)) ##### Bug Fixes - **client:** undo change to web search Find action ([e340256](https://redirect.github.com/openai/openai-go/commit/e340256509214ee386de32b993f5ec4ebba43d38)) - **client:** update type for `find_in_page` action ([4b5d499](https://redirect.github.com/openai/openai-go/commit/4b5d4993e82ada68276bb5560bb2cd8b457aa3da)) ##### Chores - **client:** improve example values ([c86a65c](https://redirect.github.com/openai/openai-go/commit/c86a65cefd55eb18568f4b7d2660c82dc90af4ad)) ##### Documentation - split `api.md` by standalone resources ([aeed37b](https://redirect.github.com/openai/openai-go/commit/aeed37b814d37ad3d59111b7665d48bf220cbf9e)) </details> <details> <summary>posthog/posthog-go (github.com/posthog/posthog-go)</summary> ### [`v1.10.0`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.10.0) [Compare 
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.9.1...v1.10.0)

#### 1.10.0 - 2026-02-04

- [Full Changelog](https://redirect.github.com/PostHog/posthog-go/compare/v1.9.1...v1.10.0)

##### New Features

- **`GetFeatureFlagResult`**: New method that returns both the flag value and payload in a single call, while properly tracking feature flag usage via `$feature_flag_called` events.

##### Deprecations

- **`GetFeatureFlagPayload`**: Deprecated in favor of `GetFeatureFlagResult`. The new method provides better tracking and a more convenient API.

##### Migration Guide

```go
// Before (two calls, no event tracking for payload-only):
flag, _ := client.GetFeatureFlag(payload)
payloadStr, _ := client.GetFeatureFlagPayload(payload)

// After (single call, always tracks):
result, err := client.GetFeatureFlagResult(payload)
if err != nil { /* handle */ }
if result.Enabled {
    var config MyConfig
    result.GetPayloadAs(&config)
}
```

**Note**: `GetFeatureFlagResult` returns `nil, error` when a flag doesn't exist (rather than a result with `Enabled: false`). Check for errors to distinguish between a disabled flag and a missing flag:

```go
result, err := client.GetFeatureFlagResult(payload)
if errors.Is(err, posthog.ErrFlagNotFound) {
    // Flag doesn't exist - use default behavior
}
if err != nil {
    // Other error (e.g., network issue)
}
if result.Enabled {
    // Flag exists and is enabled
} else {
    // Flag exists but is disabled
}
```

</details>

<details>
<summary>samber/slog-logrus (github.com/samber/slog-logrus/v2)</summary>

### [`v2.5.3`](https://redirect.github.com/samber/slog-logrus/releases/tag/v2.5.3)

[Compare Source](https://redirect.github.com/samber/slog-logrus/compare/v2.5.2...v2.5.3)

#### What's Changed

- Bump golangci/golangci-lint-action from 6 to 7 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#13](https://redirect.github.com/samber/slog-logrus/pull/13)
- chore(deps): bump golangci/golangci-lint-action from 7 to 8 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#14](https://redirect.github.com/samber/slog-logrus/pull/14)
- chore(deps): bump github.com/samber/slog-common from 0.18.1 to 0.19.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#15](https://redirect.github.com/samber/slog-logrus/pull/15)
- chore(deps): bump actions/checkout from 4 to 5 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#16](https://redirect.github.com/samber/slog-logrus/pull/16)
- chore(deps): bump actions/setup-go from 5 to 6 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#17](https://redirect.github.com/samber/slog-logrus/pull/17)
- chore(deps): bump actions/checkout from 5 to 6 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#18](https://redirect.github.com/samber/slog-logrus/pull/18)
- chore(deps): bump golangci/golangci-lint-action from 8 to 9 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#19](https://redirect.github.com/samber/slog-logrus/pull/19)
- chore(deps): bump
github.com/sirupsen/logrus from 1.9.3 to 1.9.4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​20](https://redirect.github.com/samber/slog-logrus/pull/20) - chore(deps): upgrading samber/slog-common by [@​samber](https://redirect.github.com/samber) in [#​21](https://redirect.github.com/samber/slog-logrus/pull/21) #### New Contributors - [@​samber](https://redirect.github.com/samber) made their first contribution in [#​21](https://redirect.github.com/samber/slog-logrus/pull/21) **Full Changelog**: <samber/slog-logrus@v2.5.2...v2.5.3> </details> <details> <summary>open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)</summary> ### [`v1.40.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.40.0) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.40.0) </details> <details> <summary>googleapis/google-api-go-client (google.golang.org/api)</summary> ### [`v0.265.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.265.0) [Compare Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.264.0...v0.265.0) ##### Features - Add checksums for single chunk json uploads ([#​3448](https://redirect.github.com/googleapis/google-api-go-client/issues/3448)) ([0f1cb7b](https://redirect.github.com/googleapis/google-api-go-client/commit/0f1cb7b9b71b8f21e2bb14d69bd1e11a1ca7a9ff)) - **all:** Auto-regenerate discovery clients ([#​3473](https://redirect.github.com/googleapis/google-api-go-client/issues/3473)) ([e617dd5](https://redirect.github.com/googleapis/google-api-go-client/commit/e617dd5dc920921e5fff184be3c33a8ab9c8ce41)) - **all:** Auto-regenerate discovery clients ([#​3476](https://redirect.github.com/googleapis/google-api-go-client/issues/3476)) ([986f556](https://redirect.github.com/googleapis/google-api-go-client/commit/986f55600724d148e102413766cfbdc278adba38)) - **all:** Auto-regenerate discovery clients 
([#​3477](https://redirect.github.com/googleapis/google-api-go-client/issues/3477)) ([cdb1738](https://redirect.github.com/googleapis/google-api-go-client/commit/cdb1738722afcceb26e6d4be934bac46682c1c25)) - **all:** Auto-regenerate discovery clients ([#​3479](https://redirect.github.com/googleapis/google-api-go-client/issues/3479)) ([2aa3478](https://redirect.github.com/googleapis/google-api-go-client/commit/2aa3478d4e2a94b30eb6873ff5b41cffef0e89bd)) - **all:** Auto-regenerate discovery clients ([#​3480](https://redirect.github.com/googleapis/google-api-go-client/issues/3480)) ([29bd843](https://redirect.github.com/googleapis/google-api-go-client/commit/29bd84381608db3db0385bd8f4544af458df7329)) - **all:** Auto-regenerate discovery clients ([#​3482](https://redirect.github.com/googleapis/google-api-go-client/issues/3482)) ([afa65b7](https://redirect.github.com/googleapis/google-api-go-client/commit/afa65b7fb9b586aac07247474fdd1efc5812e824)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace). 
<!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Broad dependency upgrades (especially OpenTelemetry/OpenAI/PostHog) can introduce subtle runtime or build-time breakages despite minimal local code changes; verify compilation and observability/LLM paths in CI. > > **Overview** > Primarily bumps Go dependencies across Google Cloud, AWS SDK, OpenTelemetry, OpenAI, and PostHog (via `go.mod`/`go.sum`). > > Code is updated to stay compatible with upstream API changes: the PostHog test client mock now supports `GetFeatureFlagResult`, and `openai_responses.go` adjusts web-search "open page" param construction to use an optional `URL` value as required by the newer OpenAI SDK. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6ae4a963411b19ce66da22f5e1c815639a35e718. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 0745a947ae6287d72cc14388b63d34eae475124f
<!-- CURSOR_SUMMARY --> > [!NOTE] > **Medium Risk** > Changes adapter construction and scope resolution across many Azure resources, which can affect discovery coverage and correctness if scope parsing or registration is wrong; however changes are largely mechanical and test-updated. > > **Overview** > **Migrates Azure resource-group-scoped adapters to a multi-scope model.** Wrapper constructors now accept `[]azureshared.ResourceGroupScope` and embed `MultiResourceGroupBase`, with `Get`/`List`/`ListStream` resolving the concrete RG+subscription via `ResourceGroupScopeFromScope(scope)` (e.g., `AuthorizationRoleAssignment`, `BatchAccount`, `ComputeAvailabilitySet`, `ComputeDisk`, `ComputeDiskEncryptionSet`, and many more). > > `manual/adapters.go` is refactored to build `resourceGroupScopes` once from discovered resource groups and register **one adapter per resource type** (instead of one per RG), adds DNS Zones support via `armdns`/`NewNetworkZone`, and updates metadata-registration mode to use a placeholder `resourceGroupScopes` slice. Integration tests and unit tests are updated to use the new constructors/signatures, and internal docs are revised to reflect the new multi-scope patterns. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f7286c9a6419481bfcd941a45312be2d6694b06c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 267b8b9632cde629bcd11abca3b199fc830319ea
Avoid CrashLoopBackOff for source pods on configuration failures by reporting errors via heartbeats and readiness probes.

Previously, configuration errors caused the process to exit, leading to repeated container restarts. This change allows the pod to remain running, surface the specific error to the customer, and maintain liveness, enabling quicker diagnosis and resolution without Kubernetes intervention.

### source running with bad config. not dying
<img width="2634" height="892" alt="image" src="https://github.com/user-attachments/assets/09f412ca-4392-4340-9bbc-ab71c1fda22a" />

### source being reported with heartbeat
<img width="3760" height="1090" alt="image" src="https://github.com/user-attachments/assets/1a38f8d4-63bb-41e7-ba59-6f3e2057f623" />

---
Linear Issue: [ENG-2399](https://linear.app/overmind/issue/ENG-2399/avoid-crashloopbackoff-on-source-configreadiness-failure-surface-error)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Touches core engine health/heartbeat behavior and startup flows across multiple sources; a mistake could misreport readiness/heartbeats or leave sources running without properly initialized adapters.
>
> **Overview**
> Prevents source pods from CrashLooping on configuration/credential failures by introducing a persistent engine `initError` that is surfaced through `ReadinessHealthCheck` and included in heartbeats.
>
> Source entrypoints (AWS/GCP/Harness/K8s/Stdlib, plus CLI `explore`) are refactored to create/start the engine and serve health probes first, then attempt adapter initialization; failures now log/report to Sentry, call `SetInitError`, and keep the process running (only NATS/engine start errors return/exit). Heartbeats are adjusted to no-op when `ManagementClient` is nil (unauthenticated local mode) and to include `initError`, with new unit tests covering these behaviors.
>
> Developer ergonomics/docs are updated: new Cursor rule forbidding `log.Fatal`, improved VSCode launch configs (including `gcp-source`), and clarified local authenticated vs unauthenticated source running guidance; `.gitignore` also broadens `__debug_bin` ignores.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b9f2857b87d599d9d46eb0b0255632b48c90fd84. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: 884b7aad147a9ee884588ec59e35f1c3ebafb620
… 546029d (#3809)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto) | require | digest | `8636f87` → `546029d` |

---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---
### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---
This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Primarily a dependency patch bump plus removal of unused `o3` model wiring/tests; runtime impact should be minimal unless something still relies on the `o3` provider key.
>
> **Overview**
> Updates the `google.golang.org/genproto/googleapis/rpc` dependency digest in `go.mod`/`go.sum`.
>
> As follow-on cleanup, removes `o3` provider registrations and related OpenAI model tests, and switches the manual `changevalidation` integration test to use `gpt-5-mini-low` instead.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3ce4f3bc31a46193e8c08be22a3c4f5de077e386. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: 21be3261859bd536be1712b452f5fd582c916077
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Medium risk due to CI/terraform deployment pipeline changes that alter which images are built/pushed and disable some publishing steps; regressions could impact deployments. Runtime code changes are mostly additive logging/signature changes with test coverage, but the `TimelineFindInProgressEntry` signature change touches multiple call sites.
>
> **Overview**
> Updates CI/deploy workflows to better separate responsibilities: adds a `srcman` codegen check job, makes SBOM generation conditional on `main`, and changes `terraform.yml` to only bake/push *non-migrated* container targets via a new `terraform` group in `images-bake.hcl` (removing the prior `srcman` manifest generation/upload from that workflow and commenting out Cloudsmith image push steps).
>
> Improves change-analysis progress reporting by extending `sdp-go`’s `TimelineFindInProgressEntry` to also return a human-readable content description (with new tests) and wiring that extra context into API server run-task logs and CLI waiting logs.
>
> Minor infra/test tweaks: River queue now uses an `slog`→`logrus` bridged logger, OpenAI provider tests switch to GPT-5 mini models and tighten the whitespace prompt, OTel collector config removes an explicit metrics telemetry address, and `srcman` CRD annotations reflect a newer `controller-gen` version.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b8cc41612b23548719d37de341a7695d2f4b6045. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: 59e43668a561535d2317f484700402436f09776f
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Touches core source lifecycle and engine initialization/retry/heartbeat behavior, which can impact startup, readiness, and error reporting across multiple production sources. Changes are conceptually consistent but broad and timing-sensitive, so regressions would show up as stuck init/retry loops or missed heartbeats.
>
> **Overview**
> Standardizes the startup flow across sources (AWS/GCP/Azure/Harness/K8s/Stdlib) to **start the engine + health probes first**, then perform explicit config validation and use `SetInitError` to idle on permanent misconfigurations instead of exiting.
>
> Introduces `Engine.InitialiseAdapters`, a blocking exponential-backoff retry wrapper that clears adapters between attempts, updates init error state, and emits a heartbeat on each attempt; source-specific adapter initializers (AWS/Harness/Azure/GCP) are simplified to single-attempt functions and new `ConfigFromViper` helpers centralize config parsing/validation.
>
> Operational/CI tweaks: Postgres `pg_isready` healthchecks now specify the configured user, docker-compose `--wait` gets a timeout in CI, `srcman` uses `HEALTH_CHECK_PORT` env var naming, and various tests/benchmarks switch to unauthenticated engine configs and explicitly start heartbeats; JS packages remove `pnpm dlx` from lint scripts and Bugbot rules add guardrails against unpinned tooling.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f7422d313ab46cfb334f76a91364b42d4624538e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: f5c5feeedd6feb83faf671f8c659e7ac49ccb41c
This is based on https://github.com/overmindtech/workspace/pull/3709 and combines all backend changes from https://github.com/overmindtech/workspace/pull/3701 into a single commit.

To test, run `start-change` and `end-change` SLI commands (using the old endpoints) to verify that the state is correctly changed, with jobs kicking off in the background.

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **High Risk**
> High risk because it rewires change lifecycle processing and state transitions to asynchronous jobs with new DB coordination primitives; mistakes could leave changes stuck in-progress or skip snapshots/metrics under concurrency and retry scenarios.
>
> **Overview**
> Start/end-change snapshot processing is moved to **background River jobs**: the RPCs now enqueue `StartChangeWorker`/`EndChangeWorker` jobs and return immediately, while workers handle gateway snapshotting, status transitions, metric updates, and `all_modifications` population.
>
> To coordinate concurrency and retries, the PR adds `start_change_in_progress`/`end_change_in_progress` flags on `changes` plus a new `change_job_queue` table to safely queue an end-change arriving during start-change completion, and introduces new SQL/queries for atomic flag setting, row locking, and completion paths (including “complete without snapshot” on final retry).
>
> Performance and reliability improvements include switching `all_modifications` writes to a `COPY FROM` bulk insert API, adding savepoint-isolated `populateAllModifications` in the end-change worker to prevent transaction poisoning, and updating `RunTaskWorker` messaging to reflect snapshot initiation rather than completion.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9807c52eeddf39e38ce05e2a47bfb934766b611c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: 7e0176d68698b54ea0f7cfbe1d72da7015a7c92a
Update k8s-source Helm chart probes to `/healthz/alive` and `/healthz/ready` to align with new source engine endpoints.

---
Linear Issue: [ENG-2302](https://linear.app/overmind/issue/ENG-2302/update-k8s‑source-helm-chart-probes-to-healthzalive-and-healthzready)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Small Helm template change limited to probe paths; risk is mainly misconfigured endpoints causing pods to fail readiness/liveness checks.
>
> **Overview**
> Updates the `overmind-kube-source` Helm chart Deployment probes to hit the new source-engine endpoints: liveness now checks `/healthz/alive` and readiness checks `/healthz/ready` (previously both used `/healthz`).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 65312f0e94fb1954e0d668d2ee8dadf4142dee16. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: f352a421e8af2458a1ba286b4da4178afcf0fb04
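The startup pattern these commits describe (retry adapter initialisation with backoff, keep liveness green, and report the failure through readiness on `/healthz/alive` and `/healthz/ready`), as an added Go example that is not the project's code. The `Engine` type, the `ProbeStatus` helper, the retry parameters and the failing initialiser are hypothetical, and an atomic store stands in for the `SetInitError` call named above.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Engine is a hypothetical stand-in for the source engine (not project code).
type Engine struct {
	initErr atomic.Pointer[error] // nil pointer or nil error means "no failure"
}

// InitialiseAdapters retries initFn with exponential backoff; each attempt
// overwrites the stored init error, so a later success clears it.
func (e *Engine) InitialiseAdapters(initFn func() error, base time.Duration, maxTries int) error {
	for attempt, delay := 1, base; ; attempt, delay = attempt+1, delay*2 {
		err := initFn()
		e.initErr.Store(&err) // the role SetInitError plays in the description
		if err == nil || attempt >= maxTries {
			return err
		}
		time.Sleep(delay)
	}
}

// ServeHTTP answers both probes: liveness is 200, readiness is 503 while init fails.
func (e *Engine) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p := e.initErr.Load()
	failed := p != nil && *p != nil
	switch {
	case r.URL.Path == "/healthz/ready" && failed:
		w.WriteHeader(http.StatusServiceUnavailable)
	case r.URL.Path == "/healthz/ready" || r.URL.Path == "/healthz/alive":
		w.WriteHeader(http.StatusOK)
	default:
		http.NotFound(w, r)
	}
}

// ProbeStatus returns the status code a probe of path would receive.
func ProbeStatus(e *Engine, path string) int {
	rec := httptest.NewRecorder()
	e.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	e := &Engine{}
	_ = e.InitialiseAdapters(func() error { return errors.New("constructed failure") }, time.Millisecond, 3)
	fmt.Println(ProbeStatus(e, "/healthz/alive"), ProbeStatus(e, "/healthz/ready")) // 200 503
}
```

With the probes split this way, a failing readiness check takes the pod out of Service endpoints while the passing liveness check keeps the kubelet from restarting it.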
Fix for aws source errors seen in pod logs:
```
{"error":"arn: invalid prefix","input":"rds.amazonaws.com","level":"error","msg":"Error parsing principal ARN","scope":"944651592624.eu-west-2","severity":"error","time":"2026-02-09T15:09:42Z"}
{"error":"arn: invalid prefix","input":"ec2.eu-west-2.amazonaws.com","level":"error","msg":"Error parsing principal ARN","scope":"944651592624.eu-west-2","severity":"error","time":"2026-02-09T15:09:42Z"}
```
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: change is isolated to KMS grant link generation and a shared
partition-suffix helper, with added unit tests covering the new behavior
and no auth/data-path modifications.
>
> **Overview**
> Fixes `kms-grant` discovery failures caused by AWS service principals
(e.g. `rds.amazonaws.com`) being treated like ARNs.
>
> This introduces a shared `awsPartitionDNSSuffixes` map plus
`GetAllAWSPartitionDNSSuffixes()` to detect DNS-style service principals
across partitions, and updates `grantOutputMapper` to *silently skip*
those principals (and downgrade ARN-parse logs from error to warn) so
only linkable IAM/KMS items are emitted. Adds unit coverage for
service-principal detection and for ensuring service principals don’t
generate linked-item queries.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
14d07808f0a26a089203aee10f581104e2141ffb. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: bd8474862b2fb7344b2bc3a787c0c9fa693144a3
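The service-principal check this commit describes, as an added Go example that is not the project's code: DNS-style principals are skipped, malformed values are collected for a warning, and only ARNs are kept for linking. The function names, the two-entry suffix list and the rule that only `iam` ARNs are linkable are assumptions of this example; the first two inputs in `main` are taken from the log lines above and the rest are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// dnsSuffixes is an illustrative subset; the project's map is not shown on the page.
var dnsSuffixes = []string{"amazonaws.com", "amazonaws.com.cn"}

// IsServicePrincipal reports whether p is a DNS-style principal such as
// "rds.amazonaws.com". The leading dot in the suffix test demands a label
// boundary, so "notamazonaws.com" and a bare "amazonaws.com" do not match.
func IsServicePrincipal(p string) bool {
	if p == "" || strings.ContainsAny(p, ":/ ") {
		return false
	}
	for _, s := range dnsSuffixes {
		if strings.HasSuffix(p, "."+s) && len(p) > len(s)+1 {
			return true
		}
	}
	return false
}

// arnService is a minimal stand-in for an SDK ARN parser; it returns the
// service section of arn:partition:service:region:account:resource.
func arnService(s string) (string, error) {
	parts := strings.SplitN(s, ":", 6)
	if parts[0] != "arn" || len(parts) != 6 {
		return "", errors.New("not an ARN: " + s)
	}
	return parts[2], nil
}

// Classify splits grant principals into linkable IAM ARNs, silently skipped
// service principals, and values that merit a warning rather than an error.
func Classify(principals []string) (links, skipped, warned []string) {
	for _, p := range principals {
		svc, err := arnService(p)
		switch {
		case IsServicePrincipal(p):
			skipped = append(skipped, p) // nothing to link to; not an error
		case err != nil || svc != "iam":
			warned = append(warned, p) // malformed or unlinkable
		default:
			links = append(links, p)
		}
	}
	return
}

func main() {
	// First two values are from the log lines above; the rest are constructed.
	links, skipped, warned := Classify([]string{"rds.amazonaws.com",
		"ec2.eu-west-2.amazonaws.com", "arn:aws:iam::123456789012:role/example", "notamazonaws.com"})
	fmt.Println(links, skipped, warned)
}
```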
Copybara Sync - Release v1.15.1
This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.
Original author: carabasdaniel (daniel.carabas@overmind.tech)
What happens when this PR is merged?
`tag-on-merge` workflow will automatically create the `v1.15.1` tag on main
Review Checklist