
Release v1.17.3 #840

Merged
tphoney merged 15 commits into main from copybara/v1.17.3
Mar 30, 2026

Conversation


@github-actions github-actions bot commented Mar 30, 2026

Copybara Sync - Release v1.17.3

This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.

Original author: David Schmitt (david.schmitt@overmind.tech)

What happens when this PR is merged?

  1. The tag-on-merge workflow will automatically create the v1.17.3 tag on main
  2. This tag will trigger the release workflow, which will:
    • Run tests
    • Build and publish release binaries via GoReleaser
    • Upload packages to Cloudsmith

Review Checklist

  • Changes look correct and match the expected monorepo sync
  • Tests pass (see CI checks below)

DavidS-ovm and others added 15 commits March 30, 2026 12:06
…resource conflicts (#4389)

> [!NOTE]
> **Medium Risk**
> Changes Azure integration test setup logic to delete/retry on "ghost" 409 Conflict states instead of skipping, which can make previously non-fatal flakes fail loudly and may increase cleanup/destructive actions in shared subscriptions. Adds optional per-run resource-group isolation to reduce cross-test interference.
>
> **Overview**
> Improves Azure integration test robustness by handling *ghost* control-plane conflicts (create returns `409` but subsequent `Get` is `404`) with **automatic remediation**: attempt a best-effort delete, wait, retry creation once, and **fail** if the resource remains unrecoverable (replacing prior `t.Skip` behavior for VM/VMSS/role-assignment cases).
>
> Adds optional parallel-run isolation by deriving `integrationTestResourceGroup` from `AZURE_INTEGRATION_TEST_RUN_ID` (sanitized/length-capped) and updates integration-test docs and the adapter-creation skill to reflect the new resource-group behavior and the “auto-remediate then fail” policy.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 013173ce82183b498ce1d32f5d795d4a090a637c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 19315221a8b7e93d5db24a6141edb0401b10f7f8
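As an added illustration (not the project's own test helpers) of the "auto-remediate then fail" policy and the run-ID-derived resource-group name described in the note above, the Go below implements both against a minimal client interface and a constructed fake control plane. `ResourceClient`, `createWithGhostRemediation`, `resourceGroupForRun`, `ghostClient`, the sanitisation rule and the length cap are all assumptions of this example, not names from the repository.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// ResourceClient is a minimal stand-in for an ARM resource client (an
// assumption of this example): Create may fail with a 409, Get with a 404.
type ResourceClient interface {
	Create(ctx context.Context, name string) error
	Get(ctx context.Context, name string) error
	Delete(ctx context.Context, name string) error
}

var (
	ErrConflict = errors.New("409 Conflict")
	ErrNotFound = errors.New("404 Not Found")
)

// createWithGhostRemediation applies the "auto-remediate then fail" policy:
// a 409 on Create followed by a 404 on Get is a ghost conflict, so issue a
// best-effort Delete, wait, retry Create once, and return an error (instead
// of skipping) if the resource still cannot be created.
func createWithGhostRemediation(ctx context.Context, c ResourceClient, name string, wait time.Duration) error {
	err := c.Create(ctx, name)
	if err == nil {
		return nil
	}
	if !errors.Is(err, ErrConflict) {
		return fmt.Errorf("create %q: %w", name, err)
	}
	switch getErr := c.Get(ctx, name); {
	case getErr == nil:
		// A genuine conflict: the resource really exists, so leave it alone.
		return fmt.Errorf("create %q: %w (resource already exists)", name, err)
	case !errors.Is(getErr, ErrNotFound):
		return fmt.Errorf("create %q: %w; get: %v", name, err, getErr)
	}
	// Ghost state: best-effort delete, then wait for the control plane to settle.
	_ = c.Delete(ctx, name)
	select {
	case <-time.After(wait):
	case <-ctx.Done():
		return ctx.Err()
	}
	if err := c.Create(ctx, name); err != nil {
		return fmt.Errorf("create %q: ghost conflict not recoverable after delete+retry: %w", name, err)
	}
	return nil
}

// unsafeRunIDChars matches anything outside the conservative character set
// this example allows in a derived resource-group name (an assumption).
var unsafeRunIDChars = regexp.MustCompile(`[^A-Za-z0-9-]`)

// resourceGroupForRun derives a per-run resource group name from a run ID
// such as AZURE_INTEGRATION_TEST_RUN_ID. An empty run ID keeps the shared
// base group; maxLen caps the result so it stays a valid group name.
func resourceGroupForRun(base, runID string, maxLen int) string {
	clean := strings.Trim(unsafeRunIDChars.ReplaceAllString(runID, "-"), "-")
	if clean == "" {
		return base
	}
	name := base + "-" + clean
	if len(name) > maxLen {
		name = strings.TrimRight(name[:maxLen], "-")
	}
	return name
}

// ghostClient is a constructed fake: Create reports 409 while ghost is set,
// Get reports 404 until a Create succeeds, and Delete clears the ghost only
// when deleteClears is true (false models an unrecoverable resource).
type ghostClient struct {
	ghost, deleteClears, exists bool
	createCalls                 int
}

func (g *ghostClient) Create(context.Context, string) error {
	g.createCalls++
	if g.ghost {
		return ErrConflict
	}
	g.exists = true
	return nil
}

func (g *ghostClient) Get(context.Context, string) error {
	if g.exists {
		return nil
	}
	return ErrNotFound
}

func (g *ghostClient) Delete(context.Context, string) error {
	if g.deleteClears {
		g.ghost = false
	}
	return nil
}

func main() {
	ctx := context.Background()
	fmt.Println("recoverable:", createWithGhostRemediation(ctx, &ghostClient{ghost: true, deleteClears: true}, "vm-1", 10*time.Millisecond))
	fmt.Println("stuck:", createWithGhostRemediation(ctx, &ghostClient{ghost: true}, "vm-2", 10*time.Millisecond))
	fmt.Println(resourceGroupForRun("ovm-it", "run/42 abc", 90))
}
```

The Get-after-409 check is what separates a ghost from a real collision: a resource that actually exists must never be deleted by a test harness, so only the 409-then-404 case is remediated, and the second create failing surfaces as a test failure rather than a skip.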
## Summary

Add a new Azure adapter for Load Balancer Backend Address Pools
(ENG-3327).

## Changes

- **Client interface**: Created `load-balancer-backend-address-pools-client.go` with `Get` and `NewListPager` methods
- **Mock**: Generated mock client for unit testing
- **Adapter implementation**: `network-load-balancer-backend-address-pool.go` implementing `SearchableWrapper` with:
  - `Get` method requiring `loadBalancerName` and `backendAddressPoolName` query parts
  - `Search` and `SearchStream` methods requiring `loadBalancerName` query part
  - Health status mapping from provisioning state
  - Input validation for empty query parts
- **Linked item queries**:
  - Parent: NetworkLoadBalancer
  - VirtualNetwork (pool and address level)
  - Subnet (from backend addresses)
  - NetworkInterface (from backend IP configurations)
  - InboundNatRule, LoadBalancingRule, OutboundRule references
  - FrontendIPConfiguration (from regional LB references)
  - stdlib NetworkIP (from backend address IP addresses)
- **Registration**: Added to `adapters.go` in both active and placeholder blocks
- **Unit tests**: Comprehensive tests including StaticTests for linked queries
- **Integration test**: Setup/Run/Teardown structure with Get, Search, VerifyLinkedItems, and VerifyItemAttributes tests

## Self-Review Checklist

- [x] **IAMPermissions**: Present, references
`Microsoft.Network/loadBalancers/backendAddressPools/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 10 link types verified (parent LB, VNets,
subnets, NICs, NAT rules, LB rules, outbound rules, frontend IPs, IP
addresses). IP links included.
- [x] **PotentialLinks**: 9 types listed, matches LinkedItemQueries
- [x] **Unit tests**: All passing (Get, Search, SearchStream,
StaticTests, ErrorHandling, empty validation)
- [x] **Integration test**: Present, follows Setup/Run/Teardown
structure

All checklist items passed. Ready for review.

Linear Issue:
[ENG-3327](https://linear.app/overmind/issue/ENG-3327/create-azure-adapter-networkloadbalancerbackendaddresspool)


Passing integration test: [screenshot]
GitOrigin-RevId: 4c6f3ae3a9e4029379959b970b67009d945c98cf
## Summary

Adds a new Azure adapter for Load Balancer Probes
(`NetworkLoadBalancerProbe`). Probes are child resources of Load
Balancers that define health check configurations for backend pool
members.

## Changes

- **Client interface** (`sources/azure/clients/load-balancer-probes-client.go`): New `LoadBalancerProbesClient` interface wrapping `armnetwork.LoadBalancerProbesClient` with `Get` and `NewListPager` methods
- **Mock** (`sources/azure/shared/mocks/mock_load_balancer_probes_client.go`): Generated mock for unit testing
- **Adapter** (`sources/azure/manual/network-load-balancer-probe.go`): `SearchableWrapper` implementation with:
  - `Get(scope, loadBalancerName, probeName)` - retrieves a specific probe
  - `Search(scope, loadBalancerName)` - lists all probes under a load balancer
  - `SearchStream` - streaming variant of Search
  - Health status mapping from provisioning state
  - Linked items: parent LoadBalancer (GET), LoadBalancingRules (GET)
- **Registration** (`sources/azure/manual/adapters.go`): Registered in both init and placeholder blocks
- **Unit tests** (`sources/azure/manual/network-load-balancer-probe_test.go`): Comprehensive tests including Get, Search, StaticTests, error handling, empty name validation, nil name handling
- **Integration test** (`sources/azure/integration-tests/network-load-balancer-probe_test.go`): Full Setup/Run/Teardown test against live Azure APIs

## Bidirectional Links

The parent `NetworkLoadBalancer` adapter already links to probes via GET
(iterating `Properties.Probes`) and includes `NetworkLoadBalancerProbe`
in `PotentialLinks()`. The child probe adapter links back to the parent
via GET. Both directions are tested.

## Self-Review Checklist

- [x] **IAMPermissions**: Present, references
`Microsoft.Network/loadBalancers/probes/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 2 link types verified (parent LoadBalancer
GET, LoadBalancingRules GET). No IP/DNS fields in Probe struct.
- [x] **PotentialLinks**: 2 types listed (`NetworkLoadBalancer`,
`NetworkLoadBalancerLoadBalancingRule`), matches LinkedItemQueries
- [x] **Unit tests**: All passing (Get, Get_WithInsufficientQueryParts,
Get_WithEmptyLoadBalancerName, Get_WithEmptyProbeName, Search,
Search_WithNilName, Search_InvalidQueryParts,
Search_WithEmptyLoadBalancerName, ErrorHandling_Get,
ErrorHandling_Search, Get_NoProperties, StaticTests)
- [x] **Integration test**: All sub-tests passing (Setup, Run/GetProbe,
Run/SearchProbes, Run/VerifyLinkedItems, Run/VerifyItemAttributes,
Teardown) against live Azure APIs

All checklist items passed. Ready for review.


---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
GitOrigin-RevId: c44110ae2ba31335086570b41a867ca262fdde88
…n (#4413)

## Summary

This PR adds an Azure adapter for PostgreSQL Flexible Server
Configurations using the `azure-adapter-creation` skill. The adapter
discovers server configuration settings (like `shared_buffers`,
`work_mem`, etc.) that can be queried as child resources of a PostgreSQL
Flexible Server.

## Changes

- **Client interface**:
`sources/azure/clients/dbforpostgresql-configurations-client.go`
- **Adapter implementation**:
`sources/azure/manual/dbforpostgresql-flexible-server-configuration.go`
- **Unit tests**:
`sources/azure/manual/dbforpostgresql-flexible-server-configuration_test.go`
- **Integration test**:
`sources/azure/integration-tests/dbforpostgresql-flexible-server-configuration_test.go`
- **Generated mock**:
`sources/azure/shared/mocks/mock_dbforpostgresql_configurations_client.go`
- **Registration**: Added to `sources/azure/manual/adapters.go`

## Adapter Details

| Property | Value |
| --- | --- |
| Wrapper Type | `SearchableWrapper` (child of Flexible Server) |
| Item Type | `DBforPostgreSQLFlexibleServerConfiguration` |
| SDK Package | `armpostgresqlflexibleservers/v5` (already in go.mod) |
| Get | `client.Get(ctx, resourceGroupName, serverName, configurationName)` |
| Search | Lists all configurations for a given server |
| Unique Attribute | Composite key: `serverName\|configurationName` |
| IAM Permissions | `Microsoft.DBforPostgreSQL/flexibleServers/configurations/read` |
| Predefined Role | `Reader` |

## Self-Review Checklist

- [x] **IAMPermissions**: Present, references
`Microsoft.DBforPostgreSQL/flexibleServers/configurations/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 1 link verified (GET to parent
DBforPostgreSQLFlexibleServer). No IP/DNS fields in Configuration
properties.
- [x] **PotentialLinks**: 1 type listed
(`DBforPostgreSQLFlexibleServer`), matches LinkedItemQueries
- [x] **Bidirectional links**: Parent adapter
(`dbforpostgresql-flexible-server.go`) already has SEARCH link to this
child type and includes it in PotentialLinks
- [x] **Unit tests**: All passing (Get, Search, SearchStream, GetWithInsufficientQueryParts, GetWithEmptyServerName, GetWithEmptyConfigurationName, SearchWithEmptyServerName, SearchWithNoQueryParts, Search_ConfigurationWithNilName, ErrorHandling_Get, ErrorHandling_Search)
- [x] **Integration test**: All sub-tests passing (Setup, Run, Teardown) against live Azure APIs
  - GetPostgreSQLFlexibleServerConfiguration: Retrieved configuration successfully
  - SearchPostgreSQLFlexibleServerConfigurations: Found 530 configurations
  - VerifyLinkedItems: Verified 1 linked query to parent server
  - VerifyItemAttributes: Validated type, scope, and unique attribute

All checklist items passed. Ready for review.

## Related

Closes ENG-3370

Linear Issue:
[ENG-3370](https://linear.app/overmind/issue/ENG-3370/create-azure-adapter-dbforpostgresqlflexibleserverconfiguration)


Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
GitOrigin-RevId: 0c189d2da9845e789cb27ef0c9b3ffb62a3dfa60
## Summary

Create Azure adapter for SQL Database Schemas (child resource of SQL
Server → SQL Database).

## Changes

- **Client interface**
(`sources/azure/clients/sql-database-schemas-client.go`): Wraps Azure
SDK `DatabaseSchemasClient` with `Get` and `ListByDatabase` methods
- **Adapter implementation**
(`sources/azure/manual/sql-database-schema.go`): SearchableWrapper with
3-level composite key (serverName, databaseName, schemaName)
- **Registration** (`sources/azure/manual/adapters.go`): Register
adapter in both active and placeholder blocks
- **Unit tests** (`sources/azure/manual/sql-database-schema_test.go`):
Comprehensive test coverage including edge cases
- **Integration test**
(`sources/azure/integration-tests/sql-database-schema_test.go`): Tests
against live Azure APIs

## Architecture

- **Parent chain**: SQL Server → SQL Database → Database Schema
- **Wrapper type**: SearchableWrapper (deeply nested, 3 path params
after resourceGroup)
- **`Get`** requires: serverName, databaseName, schemaName
- **`Search`** requires: serverName, databaseName (lists all schemas
under that database)
- **Links back** to parent SQLDatabase resource via composite key

The parent adapter `sql-database.go` already has a SEARCH link to
SQLDatabaseSchema (added in a prior PR).

## Self-Review Checklist

- [x] **IAMPermissions**: Present, references
`Microsoft.Sql/servers/databases/schemas/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 1 link verified (parent SQLDatabase via
GET)
- [x] **PotentialLinks**: 1 type listed (SQLDatabase), matches
LinkedItemQueries
- [x] **Unit tests**: All passing (Get, Search, SearchStream,
StaticTests, ErrorHandling, edge cases)
- [x] **Integration test**: All sub-tests passing (Setup, Run, Teardown)
against live Azure APIs

All checklist items passed. Ready for review.

Closes: ENG-3372

Linear Issue:
[ENG-3372](https://linear.app/overmind/issue/ENG-3372/create-azure-adapter-sqldatabaseschema)


Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
GitOrigin-RevId: a2944706e235d4e386a3c9ba5412ed938d0fce25
## Summary

This PR adds a new Azure adapter for PostgreSQL Flexible Server
Replicas. The adapter discovers read replicas of PostgreSQL Flexible
Servers and links them to related infrastructure resources.

## Changes

- **Client interface** (`sources/azure/clients/dbforpostgresql-flexible-server-replica-client.go`): Wrapper combining `ReplicasClient` (for listing replicas via `NewListByServerPager`) and `ServersClient` (for `Get` since replicas are servers themselves)
- **Adapter implementation** (`sources/azure/manual/dbforpostgresql-flexible-server-replica.go`):
  - `SearchableWrapper` implementation with `Get`, `Search`, `SearchStream` methods
  - Composite unique attribute: `serverName + replicaName`
  - Health mapping from server state (Ready, Starting, Stopping, etc.)
  - Links to: parent server, FQDN (DNS), subnet, VNet, private DNS zone, managed identities, private endpoints, Key Vault resources
- **Registration** (`sources/azure/manual/adapters.go`): Register adapter with SDK clients
- **Unit tests** (`sources/azure/manual/dbforpostgresql-flexible-server-replica_test.go`): Comprehensive tests for Get, Search, SearchStream, validation errors, health mapping
- **Integration test** (`sources/azure/integration-tests/dbforpostgresql-flexible-server-replica_test.go`): End-to-end test against live Azure APIs

## Technical Details

- **Item type**: `DBforPostgreSQLFlexibleServerReplica` (already defined
in `item-types.go`)
- **Parent adapter**: `dbforpostgresql-flexible-server.go` already has
SEARCH link to this child type
- **Wrapper type**: `SearchableWrapper` — `Get` requires `serverName` +
`replicaName`, `Search` lists replicas under a parent server

## Self-Review Checklist

- [x] **IAMPermissions**: Present, references
`Microsoft.DBforPostgreSQL/flexibleServers/read` and
`Microsoft.DBforPostgreSQL/flexibleServers/replicas/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 9 link types verified
(DBforPostgreSQLFlexibleServer, NetworkSubnet, NetworkVirtualNetwork,
NetworkPrivateDNSZone, NetworkPrivateEndpoint,
ManagedIdentityUserAssignedIdentity, KeyVaultVault, KeyVaultKey,
NetworkDNS)
- [x] **PotentialLinks**: 9 types listed, matches LinkedItemQueries
- [x] **Unit tests**: All passing (Get, Search, SearchStream,
StaticTests, ErrorHandling, HealthMapping, validation edge cases)
- [x] **Integration test**: All sub-tests passing (Setup, Run, Teardown)
against live Azure APIs

All checklist items passed. Ready for review.

## Related Issues

Closes ENG-3371

Linear Issue:
[ENG-3371](https://linear.app/overmind/issue/ENG-3371/create-azure-adapter-dbforpostgresqlflexibleserverreplica)


Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
GitOrigin-RevId: f9af49b051c4edd8a75861cf4f554e99fb88fb5d
## Summary

- Add end-to-end GitHub Check Run lifecycle to the GitHub App: create an
in-progress check run in `StartChangeAnalysis` for immediate UX,
conclude it in the River worker with pass/fail based on configured
`CheckRunMode` (or `neutral` on failure/timeout)
- Extend `SignalConfig` proto with `CheckRunMode` enum (REPORT_ONLY
default, FAIL_HIGH_SEVERITY, FAIL_ANY_RISK) and add
`github_check_run_id` column to `changes` table
- Graceful degradation: silently skipped when `checks:write` not
granted; default mode always concludes as success

## Linear Ticket

- **Ticket**:
[ENG-3353](https://linear.app/overmind/issue/ENG-3353/implement-github-app-check-runs-phase-1)
— Implement GitHub App Check Runs (Phase 1)
- **Purpose**: Enable teams to gate PR merges on Overmind risk analysis
results via GitHub branch protection
- **Project**: GitHub App v2

## Changes

### Proto & Config
- `CheckRunMode` enum added to `sdp/config.proto` with three modes;
`check_run_mode` field 4 on `SignalConfig`
- Generated Go and TypeScript protobuf code updated

### GitHub App Library (`githubapp.go`)
- `CheckRunName` constant (`"Overmind / Risk Analysis"`) — stable
identifier for branch protection
- `GetPRHeadSHA` — fetches PR head SHA via GitHub API (per ADR 0021)
- `CheckInstallationCanCreateChecks` — verifies `checks:write`
permission
- `CreateCheckRun` / `ConcludeCheckRun` — create in-progress and
conclude completed check runs
- Unit tests covering all new functions including 403 handling

### Check Run Output & Conclusion (`checkrun_summary.go`)
- `buildCheckRunSummary` — risk count by severity, blast radius, link
with UTM tracking
- `evaluateCheckRunConclusion` — mode-based pass/fail logic
- `concludeCheckRunForWorker` — bridge function injected into River
worker

### RPC Handler Wiring (`changesservice.go`)
- `checkGithubAppCanCreateChecks` — permission check method
- Check run creation in `StartChangeAnalysis` after existing PR comment
setup
- Check run ID persisted to DB and passed to River job args

### River Worker Wiring (`change_analysis.go`)
- `concludeAnalysisCheckRun` on success path (before PR comment)
- `concludeAnalysisCheckRunNeutral` on failure path (`FailRiskJob`)
- `ConcludeCheckRunFunc` injected from `main.go` to avoid circular
imports

### Database
- `github_check_run_id bigint` column on `changes` table (nullable, with
comment)
- `SetGithubCheckRunID` SQLC query
- Atlas migration generated

### Documentation
- ADR 0021: Head SHA resolution decision documented
- PRD updated with engineering decisions appended below open questions

## Approved Plan

- **Plan approver**: Daniel Carabas
- **Linear ticket**:
[ENG-3353](https://linear.app/overmind/issue/ENG-3353/implement-github-app-check-runs-phase-1)

> Deviation analysis and reviewer assignment are handled automatically by the pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

## Pre-PR Review

<details>
<summary>Review findings: 0 Blocking, 4 Warnings, 4 Advisories</summary>

**Groups run:** Security, Architecture, Database
**Groups skipped:** Frontend (only generated protobuf code in sdp-js/),
DevOps (no matching paths)
**Groups failed:** none
**Result:** 0 Blocking, 4 Warnings, 4 Advisories

### Warning (should address)

- [Security] `buildCheckRunSummary` interpolates `r.Title` into markdown
without escaping (checkrun_summary.go ~line 63). Malformed titles could
break check run formatting.
- [Security] `concludeAnalysisCheckRun` loads risks with
`GetChangeRisks` filtering only by `change_external_id`, not
`account_name`. Isolation maintained via FK but tenant-scoped convention
suggests adding `account_name`.
- [Security] No tests for the check-run creation path in
`StartChangeAnalysis` or worker-side conclusion/neutral behaviour.
- [Security] `ticket_link` parsed to `owner/repo` could target another
repo within org-wide installation scope. Low risk.

### Advisory (consider)

- [Architecture] Cross-cutting scope: 6 top-level directories.
- [Architecture] Check runs user-visible without PostHog feature flag —
account-level CheckRunMode + installation permission used as rollout
levers.
- [Architecture] Adding checks:write triggers GitHub permission-update
notification to existing installs. Plan customer notification.
- [Architecture] User-facing docs at docs.overmind.tech don't yet cover
Check Runs.

### Clean Areas

- Auth chain, SQL parameterization, SSRF, secrets, dependencies all
verified clean
- Database: SQLC-generated code correct, migration additive,
account_name in query, nullable column documented

</details>

## Deviations from Approved Plan

> Implementation matches the approved plan — no material deviations.

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **Medium Risk**
> Adds new GitHub API interactions (creating/concluding Check Runs) and threads new state through RPC/job execution plus a DB migration; failures are intended to be non-blocking but could affect PR UX if misconfigured permissions/URLs occur.
>
> **Overview**
> Adds an end-to-end **GitHub Check Run** flow for PR risk analysis: `StartChangeAnalysis` now (when permitted) resolves the PR head SHA from GitHub, creates an `in_progress` check, persists its ID, and passes it into the River job.
>
> On completion the worker builds a condensed check output (`checkrun_summary.go`) and concludes the check as `success`/`failure` based on a new per-account `SignalConfig.check_run_mode` (default *report-only*), and concludes as `neutral` on non-retryable failures/timeouts.
>
> Includes the new `github_check_run_id` column + SQLC setter, new GitHub App helpers for checks permissions/SHA lookup/create/conclude (with tests), regenerated proto/TS/Go bindings, and ADR/PRD documentation for the head-SHA resolution decision.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 73360d60c4beccecea47e179b29ed0331498a764. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 4337950d45fde23f323b414c3f3e0a09f744838a
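Added example, not the project's `checkrun_summary.go`: the mode-to-conclusion policy this commit message describes (report-only always passes, FAIL_HIGH_SEVERITY fails on any high risk, FAIL_ANY_RISK fails on any risk, failure/timeout concludes neutral), together with a summary builder that escapes risk titles before interpolating them into markdown, which is the change the Security warning above asks for. The `CheckRunMode`/`Severity` constants, the `Risk` shape, `evaluateConclusion`, `escapeMarkdown` and `buildSummary` are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// CheckRunMode mirrors the three modes named in the commit message.
type CheckRunMode int

const (
	ReportOnly CheckRunMode = iota // default: always concludes success
	FailHighSeverity
	FailAnyRisk
)

type Severity int

const (
	SeverityLow Severity = iota
	SeverityMedium
	SeverityHigh
)

func (s Severity) String() string {
	switch s {
	case SeverityHigh:
		return "high"
	case SeverityMedium:
		return "medium"
	default:
		return "low"
	}
}

// Risk is a reduced model of an analysis finding (assumed shape).
type Risk struct {
	Title    string
	Severity Severity
}

// evaluateConclusion maps a mode and the risk list to a GitHub check-run
// conclusion. analysisFailed models the failure/timeout path, which is
// concluded neutral regardless of mode so it never blocks a merge by accident.
func evaluateConclusion(mode CheckRunMode, risks []Risk, analysisFailed bool) string {
	if analysisFailed {
		return "neutral"
	}
	switch mode {
	case FailAnyRisk:
		if len(risks) > 0 {
			return "failure"
		}
	case FailHighSeverity:
		for _, r := range risks {
			if r.Severity == SeverityHigh {
				return "failure"
			}
		}
	}
	return "success"
}

// escapeMarkdown neutralises characters that carry meaning in GitHub-flavoured
// markdown so a risk title cannot break the summary's structure or smuggle in
// links or HTML. Newlines are collapsed so each risk stays on one list line.
func escapeMarkdown(s string) string {
	return strings.NewReplacer(
		`\`, `\\`, "`", "\\`", "*", `\*`, "_", `\_`, "[", `\[`, "]", `\]`,
		"#", `\#`, "|", `\|`, "<", "&lt;", ">", "&gt;", "\r", " ", "\n", " ",
	).Replace(s)
}

// buildSummary renders the per-severity count and one escaped line per risk.
func buildSummary(risks []Risk) string {
	counts := map[Severity]int{}
	for _, r := range risks {
		counts[r.Severity]++
	}
	var b strings.Builder
	fmt.Fprintf(&b, "**Risks:** %d high, %d medium, %d low\n\n",
		counts[SeverityHigh], counts[SeverityMedium], counts[SeverityLow])
	for _, r := range risks {
		fmt.Fprintf(&b, "- %s: %s\n", r.Severity, escapeMarkdown(r.Title))
	}
	return b.String()
}

func main() {
	// Constructed sample risks; the second title carries markdown syntax.
	risks := []Risk{
		{Title: "Deletes the prod subnet", Severity: SeverityHigh},
		{Title: "Renames tag `env` [see docs](https://example.invalid)", Severity: SeverityLow},
	}
	fmt.Println(evaluateConclusion(FailHighSeverity, risks, false))
	fmt.Print(buildSummary(risks))
}
```

Escaping at the rendering boundary rather than at ingestion keeps the stored title intact for the UI while guaranteeing the check-run body stays a flat list, whatever the title contains.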
# GitHub Webhook Lifecycle Events

This PR implements handling for GitHub App installation lifecycle
webhook events (`deleted`, `suspend`, and `unsuspend`).

## Changes

### Database Schema
- Added `github_suspended_at` column to `accounts` table to track
suspension state locally
- Created migration `20260326000000_add_github_suspended_at.sql`

### SQLC Queries
- **`HandleGithubInstallationDeleted`**: Atomically clears
`installation_id`, `suspended_at`, and removes
`GithubOrganisationProfile` from `signal_config`
- **`HandleGithubInstallationSuspended`**: Sets `suspended_at` to NOW()
and removes `GithubOrganisationProfile`
- **`HandleGithubInstallationUnsuspended`**: Clears `suspended_at`
- **`UnsetGithubInstallation`**: Atomic cleanup query for manual removal
- **`GetAccountGithubSuspendedAt`**: Retrieves suspension timestamp

All queries use PostgreSQL's `jsonb - 'key'` operator for atomic profile
removal, eliminating read-modify-write races.

### Webhook Handlers
Added three new handlers in `githubservice.go`:
- `handleGithubInstallationDeleted`: Processes `installation.deleted`
events
- `handleGithubInstallationSuspended`: Processes `installation.suspend`
events
- `handleGithubInstallationUnsuspended`: Processes
`installation.unsuspend` events

Each handler:
- Validates the webhook payload
- Calls the corresponding atomic SQLC query
- Logs the result with appropriate context
- Returns 200 OK even if no matching account is found (idempotent)

### Backend API Changes
- **`GetGithubAppInformation`**: Now checks `github_suspended_at` and
returns early with `suspended=true` when the installation is suspended,
avoiding GitHub API calls that would fail
- **`UnsetGithubInstallationID`**: Refactored to use the new atomic
`UnsetGithubInstallation` query instead of separate update +
read-modify-write operations

### Protocol Buffers
- Added `optional bool suspended = 13` field to `GithubAppInformation`
message in `sdp/config.proto`
- Regenerated Go and TypeScript protobuf code

## Design Decisions

1. **Suspension state is stored locally** - The `github_suspended_at`
column avoids relying on GitHub API calls which fail for suspended
installations
2. **Installation ID is retained on suspend** - Only cleared on delete,
enabling automatic restoration on unsuspend
3. **GithubOrganisationProfile is removed on both suspend and delete** -
The cached profile becomes stale when installation tokens are
non-functional
4. **All operations are atomic** - Single UPDATE queries with jsonb
operators prevent race conditions
5. **No source lifecycle changes** - GitHub installations are
independent from srcman-managed sources

## Testing

The changes should be tested by:
- Verifying webhook handlers respond correctly to
`installation.deleted`, `installation.suspend`, and
`installation.unsuspend` events
- Confirming `GetGithubAppInformation` returns `suspended=true` when
`github_suspended_at` is set
- Testing that unsuspend automatically restores the integration without
user action
- Validating that delete permanently removes the installation ID

Linear Issue:
[ENG-3330](https://linear.app/overmind/issue/ENG-3330/github-webhook-lifecycle-events-deleted-suspend-unsuspend)

GitOrigin-RevId: e736709f5a25eb7d66c6d71110b66970051ab5e7
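Added example (not the project's `githubservice.go`) of the three lifecycle handlers described above and their idempotent 200 behaviour, with an in-memory store standing in for the SQLC queries: each lifecycle method applies its whole change under one lock, and the map `delete` plays the role of `jsonb - 'key'`. `installationEvent`, `memoryStore`, `newStore`, the method names and the 1 MiB body cap are assumptions; GitHub webhook signature verification is assumed to happen in upstream middleware and is not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"sync"
	"time"
)

// installationEvent is the subset of GitHub's installation webhook payload read here.
type installationEvent struct {
	Action       string `json:"action"`
	Installation struct {
		ID int64 `json:"id"`
	} `json:"installation"`
}

// account models the columns named in the commit message.
type account struct {
	InstallationID *int64
	SuspendedAt    *time.Time
	SignalConfig   map[string]any
}

// memoryStore stands in for the SQLC queries; every lifecycle method applies
// its whole change under one lock, like the single UPDATE the commit describes.
type memoryStore struct {
	mu       sync.Mutex
	accounts []*account
	now      func() time.Time
}

// newStore seeds one constructed account bound to installationID.
func newStore(installationID int64, now func() time.Time) *memoryStore {
	return &memoryStore{now: now, accounts: []*account{{
		InstallationID: &installationID,
		SignalConfig:   map[string]any{"GithubOrganisationProfile": map[string]any{"login": "example-org"}},
	}}}
}

// apply runs fn against the account bound to id; false means no match.
func (s *memoryStore) apply(id int64, fn func(*account)) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, a := range s.accounts {
		if a.InstallationID != nil && *a.InstallationID == id {
			fn(a)
			return true
		}
	}
	return false
}

func (s *memoryStore) installationDeleted(id int64) bool {
	return s.apply(id, func(a *account) {
		a.InstallationID, a.SuspendedAt = nil, nil
		delete(a.SignalConfig, "GithubOrganisationProfile")
	})
}

func (s *memoryStore) installationSuspended(id int64) bool {
	return s.apply(id, func(a *account) {
		t := s.now()
		a.SuspendedAt = &t // installation_id is retained so unsuspend can restore
		delete(a.SignalConfig, "GithubOrganisationProfile")
	})
}

func (s *memoryStore) installationUnsuspended(id int64) bool {
	return s.apply(id, func(a *account) { a.SuspendedAt = nil })
}

var lifecycle = map[string]func(*memoryStore, int64) bool{
	"deleted":   (*memoryStore).installationDeleted,
	"suspend":   (*memoryStore).installationSuspended,
	"unsuspend": (*memoryStore).installationUnsuspended,
}

// ServeHTTP is the webhook endpoint: validate the payload, run the matching
// atomic update, log, and answer 200 whether or not an account matched.
func (s *memoryStore) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var ev installationEvent
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&ev); err != nil || ev.Installation.ID == 0 {
		http.Error(w, "malformed installation payload", http.StatusBadRequest)
		return
	}
	if handle, ok := lifecycle[ev.Action]; ok {
		matched := handle(s, ev.Installation.ID)
		log.Printf("installation.%s id=%d matched_account=%t", ev.Action, ev.Installation.ID, matched)
	}
	w.WriteHeader(http.StatusOK) // idempotent; other installation actions are a no-op here
}

func main() {
	s := newStore(42, time.Now)
	fmt.Println("suspend matched:", s.installationSuspended(42), "suspended:", s.accounts[0].SuspendedAt != nil)
}
```

Returning 200 for an unknown installation is deliberate: GitHub retries non-2xx deliveries, and a `deleted` event for an installation that was already cleaned up has nothing left to do.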
…439)

## Summary

Pre-Phase 1 housekeeping for the **Organizational Rules** project
([ENG-3404](https://linear.app/overmind/issue/ENG-3404/move-oql-prototype-into-tools)).
Moves the OQL prototype into `tools/oql-prototype/`, integrates it with
the monorepo's single `go.mod`, and cleans up all references — so Phase
1 implementation plans can import prototype packages directly.

- **Move & merge modules**: `git mv oql-prototype tools/oql-prototype`,
delete both standalone `go.mod`/`go.sum` files, rewrite all 11 Go import
paths to `github.com/overmindtech/workspace/tools/oql-prototype/...`
- **Dependency hygiene**: Migrate archived `gopkg.in/yaml.v3` to active
fork `go.yaml.in/yaml/v3`
- **CI coverage**: Add path filters and dedicated test jobs for both
`tools/oql-prototype` and `tools/area51-cli`
- **Documentation**: Update all 8 external docs referencing the old
path, both prototype READMEs, add Tools section to `ARCHITECTURE.md` and
`INDEX.md`
- **Lint cleanup**: Fix all 64 pre-existing `golangci-lint` issues
(errcheck, staticcheck QF1012/S1008/SA4010, canonicalheader, gosec,
intrange, predeclared, usestdlibvars, errchkjson)

## Plan

[ENG-3404 — Move oql-prototype into
tools/](https://linear.app/overmind/issue/ENG-3404/move-oql-prototype-into-tools)

## Test plan

- [x] `go build ./tools/oql-prototype/...` — zero errors
- [x] `go test ./tools/oql-prototype/...` — `testbank/loader_test.go`
passes
- [x] `golangci-lint run ./tools/oql-prototype/...` — 0 issues
- [x] Stale reference sweep — no orphan references to old root-level
path
- [x] `go mod tidy` — clean

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Moderate risk because it changes a widely-used YAML dependency/import
path across multiple packages and adjusts CI gating; runtime behavior
should be equivalent but could affect YAML encoding/decoding edge cases
and test coverage triggers.
>
> **Overview**
> Moves the OQL prototype into `tools/oql-prototype/` and integrates it
into the monorepo by deleting its standalone `go.mod` files and
rewriting imports to
`github.com/overmindtech/workspace/tools/oql-prototype/...`.
>
> Updates Go codebase YAML usage to the maintained fork
`go.yaml.in/yaml/v3` (and adjusts `go.mod`), plus assorted lint-driven
cleanups in the prototype (stricter error handling, safer file
permissions, minor stdlib modernizations).
>
> Extends `.github/workflows/ci.yml` with new path filters and dedicated
`go test` jobs for `tools/oql-prototype` and `tools/area51-cli`, and
updates docs to reference the new `tools/` locations and list these
tools in repo architecture/index docs.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
576e0dd5a46194a6af96e574591f797aa431d209. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: c045678a91918e88df35860dc60c54294dbb1887
…age (#4438)

Consolidate the duplicated CLI authentication code (OAuth device flow,
API key exchange, token file caching, scope checking) into a shared
go/cliauth package with a Logger interface for output flexibility.

This eliminates three copies of the same auth functions across the
public CLI, gateway assistant, and (upcoming) area51-cli. The shared
package also brings security improvements: 0600/0700 file permissions on
token files, nil guards for corrupt token entries, and safe slice
handling to prevent caller mutation.

Consumers are refactored to use go/cliauth:
- cli/cmd/ uses a ptermLogger adapter
- services/gateway/cmd/assistant.go uses a logrusLogger adapter
- Copybara config updated to export go/cliauth to the public CLI repo

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Refactors CLI authentication/token caching into a new shared package
and changes how both the main CLI and gateway assistant obtain tokens,
which could affect login flows and local token file handling. Risk is
mitigated by added tests and stricter token file permissions/validation.
>
> **Overview**
> Consolidates duplicated CLI authentication into a new shared
`go/cliauth` package, covering OAuth device flow, API key exchange,
scope checking, and local token caching behind a small `Logger`
interface.
>
> Updates the public `cli` and `services/gateway` assistant to use
`cliauth` via `pterm`/`logrus` adapters, removing their embedded auth
helpers and shifting tests to validate the shared implementation.
>
> Tweaks CI/path filters and utility Go tests so changes to `go/cliauth`
(and other shared Go packages) correctly trigger dependent jobs, and
collapses multiple utility `go test` steps into a single parallel run;
Copybara config now exports `go/cliauth` to the public CLI repo as well.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
75a3bce4f9ff41f0d56f08630ba5cc53b05bb2dd. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: David Schmitt <david.schmitt@overmind.tech>
GitOrigin-RevId: 96e4ff0fc5d6433646b3471f5d4824481e50fa5b
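The token-cache hardening that commit message lists (0600/0700 permissions on the token file and its directory, nil guards for corrupt entries, slice handling that stops callers from mutating cached state) is easy to get subtly wrong, so here is an added example of the pattern in Go. It is editor-written illustration, not the go/cliauth package itself: the `Token` and `Cache` types, the `tokens.json` file name and the endpoint names are assumptions, the sample input is constructed, and it assumes a POSIX filesystem where mode bits mean something.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Token is one cached credential and Cache keeps one per API endpoint. The field set
// is assumed for this example; it is not the real go/cliauth file layout.
type Token struct {
	AccessToken string   `json:"access_token"`
	Scopes      []string `json:"scopes"`
}
type Cache struct {
	dir    string
	tokens map[string]*Token
}

const dirMode, fileMode, fileName = 0o700, 0o600, "tokens.json" // owner-only dir and file
func NewCache(dir string) *Cache { return &Cache{dir: dir, tokens: map[string]*Token{}} }

// Set stores a copy of the scope slice so later edits to the caller's slice cannot rewrite the cache.
func (c *Cache) Set(endpoint string, tok Token) {
	tok.Scopes = append([]string(nil), tok.Scopes...)
	c.tokens[endpoint] = &tok
}

// Scopes hands out a copy; mutating the result leaves the cached token untouched.
func (c *Cache) Scopes(endpoint string) []string {
	if tok, ok := c.tokens[endpoint]; ok {
		return append([]string(nil), tok.Scopes...)
	}
	return nil
}

// Load reads the token file, dropping entries that are nil (a JSON null) or carry no
// access token instead of handing back pointers that panic on first use.
func (c *Cache) Load() (skipped int, err error) {
	data, err := os.ReadFile(filepath.Join(c.dir, fileName))
	if err != nil {
		return 0, err
	}
	var raw map[string]*Token
	if err := json.Unmarshal(data, &raw); err != nil {
		return 0, fmt.Errorf("corrupt token file: %w", err)
	}
	c.tokens = map[string]*Token{}
	for endpoint, tok := range raw {
		if tok == nil || tok.AccessToken == "" {
			skipped++
			continue
		}
		c.tokens[endpoint] = tok
	}
	return skipped, nil
}

// Save writes the token file with owner-only permissions.
func (c *Cache) Save() error {
	if err := os.MkdirAll(c.dir, dirMode); err != nil {
		return err
	}
	data, err := json.MarshalIndent(c.tokens, "", "  ")
	if err != nil {
		return err
	}
	f, err := os.OpenFile(filepath.Join(c.dir, fileName), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fileMode)
	if err != nil {
		return err
	}
	// O_CREATE applies fileMode only when it creates the file; a pre-existing 0644 file
	// keeps its bits unless chmodded explicitly (MkdirAll behaves the same for the dir).
	if err = f.Chmod(fileMode); err == nil {
		_, err = f.Write(data)
	}
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	return err
}

// PermissionsOK reports whether path has no group or world permission bits set.
func PermissionsOK(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 == 0, nil
}

func main() {
	c := NewCache(filepath.Join(os.TempDir(), "cliauth-example"))
	c.Set("api.example.invalid", Token{AccessToken: "constructed-token", Scopes: []string{"account:read"}})
	err := c.Save()
	ok, _ := PermissionsOK(filepath.Join(c.dir, fileName))
	fmt.Println("save error:", err, "owner-only:", ok, "scopes:", c.Scopes("api.example.invalid"))
}
```

The detail worth keeping from `Save` is the explicit `Chmod`: `os.OpenFile` with `O_CREATE` and `os.MkdirAll` apply the requested mode only to a file or directory they create, so a cache file that an earlier, less careful CLI version left at 0644 stays world-readable until something tightens it. `PermissionsOK` is the check to run on an existing file before trusting it, and `Load` returns the number of entries it dropped so the caller can warn the user rather than silently lose a login.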
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [cloud.google.com/go/aiplatform](https://redirect.github.com/googleapis/google-cloud-go) | `v1.120.0` → `v1.121.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2faiplatform/v1.121.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2faiplatform/v1.120.0/v1.121.0?slim=true) |
| [cloud.google.com/go/auth](https://redirect.github.com/googleapis/google-cloud-go) | `v0.18.2` → `v0.19.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fauth/v0.19.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fauth/v0.18.2/v0.19.0?slim=true) |
| [cloud.google.com/go/dataplex](https://redirect.github.com/googleapis/google-cloud-go) | `v1.28.0` → `v1.29.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fdataplex/v1.29.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fdataplex/v1.28.0/v1.29.0?slim=true) |
| [cloud.google.com/go/iam](https://redirect.github.com/googleapis/google-cloud-go) | `v1.5.3` → `v1.6.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fiam/v1.6.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fiam/v1.5.3/v1.6.0?slim=true) |
| [cloud.google.com/go/run](https://redirect.github.com/googleapis/google-cloud-go) | `v1.15.0` → `v1.16.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2frun/v1.16.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2frun/v1.15.0/v1.16.0?slim=true) |
| [cloud.google.com/go/spanner](https://redirect.github.com/googleapis/google-cloud-go) | `v1.88.0` → `v1.89.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fspanner/v1.89.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fspanner/v1.88.0/v1.89.0?slim=true) |
| [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/v2](https://redirect.github.com/Azure/azure-sdk-for-go) | `v2.0.1` → `v2.0.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fkeyvault%2farmkeyvault%2fv2/v2.0.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fkeyvault%2farmkeyvault%2fv2/v2.0.1/v2.0.2?slim=true) |
| [github.com/aws/aws-sdk-go-v2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.4` → `v1.41.5` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2/v1.41.5?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2/v1.41.4/v1.41.5?slim=true) |
| [github.com/aws/aws-sdk-go-v2/config](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.32.12` → `v1.32.13` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fconfig/v1.32.13?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fconfig/v1.32.12/v1.32.13?slim=true) |
| [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.12` → `v1.19.13` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fcredentials/v1.19.13?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fcredentials/v1.19.12/v1.19.13?slim=true) |
| [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.18.20` → `v1.18.21` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2ffeature%2fec2%2fimds/v1.18.21?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2ffeature%2fec2%2fimds/v1.18.20/v1.18.21?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/apigateway](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.39.0` → `v1.39.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.39.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.39.0/v1.39.1?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/autoscaling](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.64.3` → `v1.64.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fautoscaling/v1.64.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fautoscaling/v1.64.3/v1.64.4?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/cloudfront](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.60.3` → `v1.60.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudfront/v1.60.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudfront/v1.60.3/v1.60.4?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/cloudwatch](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.55.2` → `v1.55.3` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudwatch/v1.55.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudwatch/v1.55.2/v1.55.3?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/directconnect](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.38.14` → `v1.38.15` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdirectconnect/v1.38.15?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdirectconnect/v1.38.14/v1.38.15?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/dynamodb](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.56.2` → `v1.57.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdynamodb/v1.57.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdynamodb/v1.56.2/v1.57.1?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.296.0` → `v1.296.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.296.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.296.0/v1.296.1?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/ecs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.74.0` → `v1.74.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fecs/v1.74.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fecs/v1.74.0/v1.74.1?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/efs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.13` → `v1.41.14` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fefs/v1.41.14?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fefs/v1.41.13/v1.41.14?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.81.1` → `v1.81.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2feks/v1.81.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2feks/v1.81.1/v1.81.2?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.33.22` → `v1.33.23` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancing/v1.33.23?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancing/v1.33.22/v1.33.23?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.54.9` → `v1.54.10` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancingv2/v1.54.10?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancingv2/v1.54.9/v1.54.10?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.53.6` → `v1.53.7` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fiam/v1.53.7?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fiam/v1.53.6/v1.53.7?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.50.3` → `v1.50.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fkms/v1.50.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fkms/v1.50.3/v1.50.4?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/lambda](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.88.3` → `v1.88.5` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2flambda/v1.88.5?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2flambda/v1.88.3/v1.88.5?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/networkfirewall](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.59.6` → `v1.59.7` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkfirewall/v1.59.7?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkfirewall/v1.59.6/v1.59.7?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/networkmanager](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.7` → `v1.41.8` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkmanager/v1.41.8?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkmanager/v1.41.7/v1.41.8?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/rds](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.116.3` → `v1.117.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2frds/v1.117.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2frds/v1.116.3/v1.117.1?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/route53](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.62.4` → `v1.62.5` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2froute53/v1.62.5?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2froute53/v1.62.4/v1.62.5?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.97.1` → `v1.97.3` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fs3/v1.97.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fs3/v1.97.1/v1.97.3?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/sesv2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.60.1` → `v1.60.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsesv2/v1.60.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsesv2/v1.60.1/v1.60.2?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/sns](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.39.14` → `v1.39.15` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsns/v1.39.15?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsns/v1.39.14/v1.39.15?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/sqs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.42.24` → `v1.42.25` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsqs/v1.42.25?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsqs/v1.42.24/v1.42.25?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/ssm](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.68.3` → `v1.68.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fssm/v1.68.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fssm/v1.68.3/v1.68.4?slim=true) |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.9` → `v1.41.10` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsts/v1.41.10?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsts/v1.41.9/v1.41.10?slim=true) |
| [github.com/getsentry/sentry-go](https://redirect.github.com/getsentry/sentry-go) | `v0.43.0` → `v0.44.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgetsentry%2fsentry-go/v0.44.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgetsentry%2fsentry-go/v0.43.0/v0.44.1?slim=true) |
| [github.com/googleapis/gax-go/v2](https://redirect.github.com/googleapis/gax-go) | `v2.19.0` → `v2.20.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgoogleapis%2fgax-go%2fv2/v2.20.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgoogleapis%2fgax-go%2fv2/v2.19.0/v2.20.0?slim=true) |
| [github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk) | `v0.7.16` → `v0.7.17` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fharness%2fharness-go-sdk/v0.7.17?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fharness%2fharness-go-sdk/v0.7.16/v0.7.17?slim=true) |
| [github.com/jackc/pgx/v5](https://redirect.github.com/jackc/pgx) | `v5.8.0` → `v5.9.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fjackc%2fpgx%2fv5/v5.9.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fjackc%2fpgx%2fv5/v5.8.0/v5.9.1?slim=true) |
| [github.com/nats-io/nats-server/v2](https://redirect.github.com/nats-io/nats-server) | `v2.12.5` → `v2.12.6` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fnats-io%2fnats-server%2fv2/v2.12.6?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fnats-io%2fnats-server%2fv2/v2.12.5/v2.12.6?slim=true) |
| [github.com/nats-io/nats.go](https://redirect.github.com/nats-io/nats.go) | `v1.49.0` → `v1.50.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fnats-io%2fnats.go/v1.50.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fnats-io%2fnats.go/v1.49.0/v1.50.0?slim=true) |
| [github.com/openai/openai-go/v3](https://redirect.github.com/openai/openai-go) | `v3.29.0` → `v3.30.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fopenai%2fopenai-go%2fv3/v3.30.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fopenai%2fopenai-go%2fv3/v3.29.0/v3.30.0?slim=true) |
| [github.com/posthog/posthog-go](https://redirect.github.com/posthog/posthog-go) | `v1.11.1` → `v1.11.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fposthog%2fposthog-go/v1.11.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fposthog%2fposthog-go/v1.11.1/v1.11.2?slim=true) |
| [github.com/riverqueue/river](https://redirect.github.com/riverqueue/river) | `v0.31.0` → `v0.32.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2friverqueue%2friver/v0.32.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2friverqueue%2friver/v0.31.0/v0.32.0?slim=true) |
| [github.com/riverqueue/river/riverdriver/riverpgxv5](https://redirect.github.com/riverqueue/river) | `v0.31.0` → `v0.32.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2friverqueue%2friver%2friverdriver%2friverpgxv5/v0.32.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2friverqueue%2friver%2friverdriver%2friverpgxv5/v0.31.0/v0.32.0?slim=true) |
| [github.com/riverqueue/river/rivertype](https://redirect.github.com/riverqueue/river) | `v0.31.0` → `v0.32.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2friverqueue%2friver%2frivertype/v0.32.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2friverqueue%2friver%2frivertype/v0.31.0/v0.32.0?slim=true) |
| [github.com/samber/slog-logrus/v2](https://redirect.github.com/samber/slog-logrus) | `v2.5.3` → `v2.5.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsamber%2fslog-logrus%2fv2/v2.5.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsamber%2fslog-logrus%2fv2/v2.5.3/v2.5.4?slim=true) |
| [google.golang.org/api](https://redirect.github.com/googleapis/google-api-go-client) | `v0.272.0` → `v0.273.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fapi/v0.273.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fapi/v0.272.0/v0.273.0?slim=true) |
| [sigs.k8s.io/controller-runtime/tools/setup-envtest](https://redirect.github.com/kubernetes-sigs/controller-runtime) | `v0.0.0-20260318145839-6c9615a2a166` → `v0.0.0-20260324065417-8c5081a9b6ba` | ![age](https://developer.mend.io/api/mc/badges/age/go/sigs.k8s.io%2fcontroller-runtime%2ftools%2fsetup-envtest/v0.0.0-20260324065417-8c5081a9b6ba?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/sigs.k8s.io%2fcontroller-runtime%2ftools%2fsetup-envtest/v0.0.0-20260318145839-6c9615a2a166/v0.0.0-20260324065417-8c5081a9b6ba?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

## ⚠️ Warning

These modules are almost certainly going to break everything. They do
every time they update. If you update even one repo's OTEL modules, go
will then pull in new versions due to
[MVS](https://research.swtch.com/vgo-mvs) which will cause your repo to
break. All [otel pull
requests](https://redirect.github.com/pulls?q=is%3Aopen+is%3Apr+user%3Aovermindtech+archived%3Afalse+label%3Aobservability+)
need to be merged basically at the same time, and after all of the
modules have been updated to be compatible with each other.

## ⚠️ Warning

These modules contain database migrations that need to be added manually
to our atlas migrations. Check the contents of
https://github.com/riverqueue/river/tree/master/rivermigrate/migration
before merging this update.

---

### Release Notes

<details>
<summary>googleapis/google-cloud-go (cloud.google.com/go/auth)</summary>

### [`v0.19.0`](https://redirect.github.com/googleapis/google-cloud-go/blob/HEAD/CHANGES.md#v0190)

- bigquery:
  - Support customer-managed encryption keys.

- bigtable:
  - Improved emulator support.
  - Support GetCluster.

- datastore:
  - Add general mutations.
  - Support pointer struct fields.
  - Support transaction options.

- firestore:
  - Add Transaction.GetAll.
  - Support document cursors.

- logging:
  - Support concurrent RPCs to the service.
  - Support per-entry resources.

- profiler:
  - Add config options to disable heap and thread profiling.
  - Read the project ID from $GOOGLE\_CLOUD\_PROJECT when it's set.

- pubsub:
  - BEHAVIOR CHANGE: Release flow control after ack/nack (instead of after the callback returns).
  - Add SubscriptionInProject.
  - Add OpenCensus instrumentation for streaming pull.

- storage:
  - Support CORS.

</details>

<details>
<summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)</summary>

### [`v1.41.5`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2024-03-26)

[Compare
Source](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.41.4...v1.41.5)

#### Module Highlights

- `github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime`: [v1.5.0](service/bedrockagentruntime/CHANGELOG.md#v150-2024-03-26)
  - **Feature**: This release adds support to customize prompts sent through the RetrieveAndGenerate API in Agents for Amazon Bedrock.
- `github.com/aws/aws-sdk-go-v2/service/costexplorer`: [v1.37.0](service/costexplorer/CHANGELOG.md#v1370-2024-03-26)
  - **Feature**: Adds support for backfill of cost allocation tags, with new StartCostAllocationTagBackfill and ListCostAllocationTagBackfillHistory API.
- `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.154.0](service/ec2/CHANGELOG.md#v11540-2024-03-26)
  - **Feature**: Documentation updates for Elastic Compute Cloud (EC2).
- `github.com/aws/aws-sdk-go-v2/service/ecs`: [v1.41.5](service/ecs/CHANGELOG.md#v1415-2024-03-26)
  - **Documentation**: This is a documentation update for Amazon ECS.
- `github.com/aws/aws-sdk-go-v2/service/finspace`: [v1.24.0](service/finspace/CHANGELOG.md#v1240-2024-03-26)
  - **Feature**: Add new operation delete-kx-cluster-node and add status parameter to list-kx-cluster-node operation.

</details>

<details>
<summary>getsentry/sentry-go (github.com/getsentry/sentry-go)</summary>

### [`v0.44.1`](https://redirect.github.com/getsentry/sentry-go/releases/tag/v0.44.1): 0.44.1

[Compare
Source](https://redirect.github.com/getsentry/sentry-go/compare/v0.44.0...v0.44.1)

> [!NOTE]
> v0.44.0 had to be released as v0.44.1 due to a technical issue.

##### New Features ✨

- Add RemoveAttribute api on the scope. by [@&#8203;giortzisg](https://redirect.github.com/giortzisg) in [#&#8203;1224](https://redirect.github.com/getsentry/sentry-go/pull/1224)
- Deprecate `Scope.SetExtra`, `Scope.SetExtras`, and `Scope.RemoveExtra` in favor of `Scope.SetAttributes` and `Scope.RemoveAttribute` by [@&#8203;giortzisg](https://redirect.github.com/giortzisg) in [#&#8203;1224](https://redirect.github.com/getsentry/sentry-go/pull/1224)
  - The recommended migration path is to use `SetAttributes` to attach values to logs and metrics. Note that attributes do not appear on error events; if you only capture errors, use `SetTag` or `SetContext` instead.
  - Before:
  ```go
  scope.SetExtra("key.string", "str")
  scope.SetExtra("key.int", 42)
  ```
  - After (for error events) — use tags and contexts:
  ```go
  scope.SetTag("key.string", "str")
  scope.SetContext("my_data", sentry.Context{"key.int": 42})
  ```
  - After (for logs and metrics) — use attributes:
  ```go
  scope.SetAttributes(
      attribute.String("key.string", "str"),
      attribute.Int("key.int", 42),
  )
  ```
- Add support for homogenous arrays by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1203](https://redirect.github.com/getsentry/sentry-go/pull/1203)
- Add support for client reports by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1192](https://redirect.github.com/getsentry/sentry-go/pull/1192)
- Add org id propagation in sentry\_baggage by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1210](https://redirect.github.com/getsentry/sentry-go/pull/1210)
- Add OrgID and StrictTraceContinuation client options. by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1210](https://redirect.github.com/getsentry/sentry-go/pull/1210)
- Add the option to set attributes on the scope by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1208](https://redirect.github.com/getsentry/sentry-go/pull/1208)

##### Bug Fixes 🐛

- (serialization) Pre-serialize mutable event fields to prevent race
panics by [@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1214](https://redirect.github.com/getsentry/sentry-go/pull/1214)
- Use HEROKU\_BUILD\_COMMIT with HEROKU\_SLUG\_COMMIT as fallback by
[@&#8203;ericapisani](https://redirect.github.com/ericapisani) in
[#&#8203;1220](https://redirect.github.com/getsentry/sentry-go/pull/1220)

##### Internal Changes 🔧

##### Ai

- Add AGENTS.md and testing guidelines by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1216](https://redirect.github.com/getsentry/sentry-go/pull/1216)
- Add dotagents configuration by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1211](https://redirect.github.com/getsentry/sentry-go/pull/1211)

##### Deps

- Bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 in /zerolog by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[#&#8203;1231](https://redirect.github.com/getsentry/sentry-go/pull/1231)
- Bump github.com/gofiber/fiber/v2 from 2.52.11 to 2.52.12 in /fiber by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[#&#8203;1209](https://redirect.github.com/getsentry/sentry-go/pull/1209)

##### Other

- Pin GitHub Actions to full-length commit SHAs by
[@&#8203;joshuarli](https://redirect.github.com/joshuarli) in
[#&#8203;1230](https://redirect.github.com/getsentry/sentry-go/pull/1230)
- Bump getsentry/craft to 2.24.1 by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1225](https://redirect.github.com/getsentry/sentry-go/pull/1225)
- Handle independent go module versions for integrations by
[@&#8203;giortzisg](https://redirect.github.com/giortzisg) in
[#&#8203;1217](https://redirect.github.com/getsentry/sentry-go/pull/1217)

### [`v0.44.0`](https://redirect.github.com/getsentry/sentry-go/releases/tag/v0.44.0): 0.44.0

[Compare
Source](https://redirect.github.com/getsentry/sentry-go/compare/v0.43.0...v0.44.0)

</details>

<details>
<summary>googleapis/gax-go (github.com/googleapis/gax-go/v2)</summary>

### [`v2.20.0`](https://redirect.github.com/googleapis/gax-go/releases/tag/v2.20.0): v2: v2.20.0

[Compare
Source](https://redirect.github.com/googleapis/gax-go/compare/v2.19.0...v2.20.0)

##### Features

- hook metric recording into gax.Invoke
([#&#8203;494](https://redirect.github.com/googleapis/gax-go/issues/494))
([1f3e9aef](https://redirect.github.com/googleapis/gax-go/commit/1f3e9aef))

- add TelemetryErrorInfo and ExtractTelemetryErrorInfo
([#&#8203;487](https://redirect.github.com/googleapis/gax-go/issues/487))
([defdded3](https://redirect.github.com/googleapis/gax-go/commit/defdded3))

</details>

<details>
<summary>harness/harness-go-sdk
(github.com/harness/harness-go-sdk)</summary>

### [`v0.7.17`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.16...v0.7.17)

[Compare
Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.16...v0.7.17)

</details>

<details>
<summary>jackc/pgx (github.com/jackc/pgx/v5)</summary>

### [`v5.9.1`](https://redirect.github.com/jackc/pgx/compare/v5.9.0...v5.9.1)

[Compare
Source](https://redirect.github.com/jackc/pgx/compare/v5.9.0...v5.9.1)

### [`v5.9.0`](https://redirect.github.com/jackc/pgx/compare/v5.8.0...v5.9.0)

[Compare
Source](https://redirect.github.com/jackc/pgx/compare/v5.8.0...v5.9.0)

</details>

<details>
<summary>nats-io/nats-server
(github.com/nats-io/nats-server/v2)</summary>

### [`v2.12.6`](https://redirect.github.com/nats-io/nats-server/releases/tag/v2.12.6)

[Compare
Source](https://redirect.github.com/nats-io/nats-server/compare/v2.12.5...v2.12.6)

#### Changelog

Refer to the [2.12 Upgrade
Guide](https://docs.nats.io/release-notes/whats_new/whats_new_212) for
backwards compatibility notes with 2.11.x.

##### Go Version

- 1.25.8

##### Dependencies

- golang.org/x/crypto v0.49.0
([#&#8203;7953](https://redirect.github.com/nats-io/nats-server/issues/7953))
- github.com/nats-io/jwt/v2 v2.8.1
([#&#8203;7960](https://redirect.github.com/nats-io/nats-server/issues/7960))
- golang.org/x/sys v0.42.0
([#&#8203;7923](https://redirect.github.com/nats-io/nats-server/issues/7923))
- golang.org/x/time v0.15.0
([#&#8203;7923](https://redirect.github.com/nats-io/nats-server/issues/7923))

##### CVEs

- Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting
systems using MQTT)
- Fixes CVE-2026-33246 (affects systems using leafnodes and service
imports)
- Fixes CVE-2026-33218 (affects systems using leafnodes)
- Fixes CVE-2026-33219 (affects systems using WebSockets)
- Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)
- Fixes CVE-2026-33248 (affects systems using mutual TLS)
- Fixes CVE-2026-33247 (affects systems providing credentials on the
command line)
- Fixes CVE-2026-33249 (affects systems where client publish permissions
should be restricted)

##### Improved

General

- Non-WebSocket leafnode connections can now be proxied using HTTP
CONNECT
([#&#8203;7781](https://redirect.github.com/nats-io/nats-server/issues/7781))
- The `$SYS.REQ.USER.INFO` response now includes the friendly nametag of
the account and/or user if known
([#&#8203;7973](https://redirect.github.com/nats-io/nats-server/issues/7973))

JetStream

- The stream peer-remove command now accepts a peer ID as well as a
server name
([#&#8203;7952](https://redirect.github.com/nats-io/nats-server/issues/7952))

MQTT

- Protocol compliance has been improved, including more error handling
on invalid or malformed MQTT packets
([#&#8203;7933](https://redirect.github.com/nats-io/nats-server/issues/7933))

##### Fixed

General

- Client connections are no longer registered after an auth callout
timeout
([#&#8203;7932](https://redirect.github.com/nats-io/nats-server/issues/7932))
- Improved handling of duplicate headers
- A correctness bug when validating relative distinguished names has
been fixed
- Secrets are now redacted correctly in trace logging
([#&#8203;7942](https://redirect.github.com/nats-io/nats-server/issues/7942))
- The expvar endpoint on the monitoring port now correctly redacts
secrets from the command line arguments
- Trace headers are no longer incorrectly parsed when hitting max
payload
([#&#8203;7954](https://redirect.github.com/nats-io/nats-server/issues/7954))
- When running as a Windows service, switching to lame duck mode should
now correctly exit the process
([#&#8203;7958](https://redirect.github.com/nats-io/nats-server/issues/7958))
- The configuration digest no longer removes from the used variable
tracking, which could cause configuration fields to disappear from the
returned config
([#&#8203;7959](https://redirect.github.com/nats-io/nats-server/issues/7959))
- A bug which could result in the service import cycle detection failing
to detect a genuine cycle has been fixed
([#&#8203;7961](https://redirect.github.com/nats-io/nats-server/issues/7961))
- The PROXY protocol v1 header parser no longer incorrectly discards
some early protocol bytes from the client
([#&#8203;7962](https://redirect.github.com/nats-io/nats-server/issues/7962))
- The `Nats-Trace-Dest` message header for message tracing now requires
that the client have publish permissions to the specified subject; an
error is returned otherwise
- The route pool is now correctly populated if receiving a pong before
handling the new route setup
([#&#8203;7971](https://redirect.github.com/nats-io/nats-server/issues/7971))

Leafnodes

- A panic when receiving a loop detection error before a connect message
has been fixed
- Messages from leafnodes to non-shared service imports now correctly
rebuild the request info header
- Leafnodes will now back off on receiving a minimum version required
error, no longer requiring blocking the readloop
([#&#8203;7970](https://redirect.github.com/nats-io/nats-server/issues/7970))

JetStream

- Stream updates on clustered setups with async snapshots enabled should
no longer result in the loss of consumer assignments, fixing the
regression introduced in 2.12.5
([#&#8203;7939](https://redirect.github.com/nats-io/nats-server/issues/7939))
- Fixed idempotent stream create with sources
([#&#8203;7928](https://redirect.github.com/nats-io/nats-server/issues/7928))
- Fixed a bug where mirror goroutines could get stuck stalling the
mirror indefinitely
([#&#8203;7929](https://redirect.github.com/nats-io/nats-server/issues/7929))
- A panic that could occur when attempting to scale down a stream with
an in-flight stream create and consumer create has been fixed
([#&#8203;7940](https://redirect.github.com/nats-io/nats-server/issues/7940))
- A panic when paginating on various JetStream API endpoints has been
fixed
- An interior path traversal bug that could occur when purging JetStream
accounts has been fixed
- Meta snapshot apply errors are now surfaced correctly so that the
cluster monitor does not advance the applied index
([#&#8203;7944](https://redirect.github.com/nats-io/nats-server/issues/7944))
- Fixed an issue where extremely large JetStream reservations could
overflow and violate tier limits
- Stream restores now ensure that the stream name in the restore subject
matches that of the restored snapshot archive
- Stream ingest now correctly strips a NATS status header if present,
avoiding incorrect classification of sourced or mirrored messages as
control traffic
- The Raft layer now resets the vote correctly when switching to
candidate state
([#&#8203;7956](https://redirect.github.com/nats-io/nats-server/issues/7956))
- The orphan consumer check no longer unexpectedly deletes direct
consumers, which could affect sourcing and mirroring
([#&#8203;7957](https://redirect.github.com/nats-io/nats-server/issues/7957))
- The Raft layer no longer commits entries from previous terms by only
allowing entries from our current term up to the commit
([#&#8203;7955](https://redirect.github.com/nats-io/nats-server/issues/7955))
- Stream restores are now processed directly from the wire without
intermediate staging on the filesystem, improving the enforcement of
limits and reservations on disk
- Stream sourcing now works correctly when sourcing into a stream with
the Discard New Per Subject discard policy
([#&#8203;7896](https://redirect.github.com/nats-io/nats-server/issues/7896))

MQTT

- A panic that could occur when processing invalid fixed32 or fixed64
fields has been fixed
([#&#8203;7941](https://redirect.github.com/nats-io/nats-server/issues/7941))
- Persisted MQTT sessions can no longer be restored by a non-matching
client ID
- Restrict the implicit permissions for MQTT clients to `$MQTT.sub.` and
`$MQTT.deliver.pubrel.` prefixes
- MQTT passwords are no longer exposed in the JWT field of monitoring
endpoints or advisory messages
- NATS special characters (`.`, `>`, `*`, spaces, tabs) are no longer
permitted in MQTT client IDs
- MQTT session flapping detection now uses monotonic time, fixing cases
where it could be sensitive to NTP adjustments or clock drifts

WebSockets

- WebSocket protocol parsing no longer relies on potentially unbounded
in-memory allocations from compressed or uncompressed frames

##### Complete Changes

</details>

<details>
<summary>nats-io/nats.go (github.com/nats-io/nats.go)</summary>

### [`v1.50.0`](https://redirect.github.com/nats-io/nats.go/releases/tag/v1.50.0)

[Compare
Source](https://redirect.github.com/nats-io/nats.go/compare/v1.49.0...v1.50.0)

#### Changelog

##### FIXED

- Core NATS:
- Fix WebSocket close frame discarding buffered data frames
([#&#8203;2032](https://redirect.github.com/nats-io/nats.go/issues/2032))
- JetStream:
- Remove status listener in Consume()/Messages() cleanup. Thanks
[@&#8203;txuna](https://redirect.github.com/txuna) for the contribution
([#&#8203;1993](https://redirect.github.com/nats-io/nats.go/issues/1993))
- Fix race condition in `orderedSubscription.Drain()`
([#&#8203;2030](https://redirect.github.com/nats-io/nats.go/issues/2030))
- Fixed `OrderedConsumer.Consume()` race in handler
([#&#8203;2043](https://redirect.github.com/nats-io/nats.go/issues/2043))

##### IMPROVED

- Core NATS:
- De-flake TestAlwaysReconnectOnAccountMaxConnectionsExceededErr
([#&#8203;2042](https://redirect.github.com/nats-io/nats.go/issues/2042))
- Wrap EOF/connection reset errors with TLS context after handshake
([#&#8203;2031](https://redirect.github.com/nats-io/nats.go/issues/2031))
- JetStream:
- Reject control characters in stream and consumer names
([#&#8203;2038](https://redirect.github.com/nats-io/nats.go/issues/2038))
- Add missing `AccountLimits` fields in `jetstream` package
([#&#8203;2041](https://redirect.github.com/nats-io/nats.go/issues/2041))
- Fix flaky TestConsumerPrioritized/messages test
([#&#8203;2033](https://redirect.github.com/nats-io/nats.go/issues/2033))
- KeyValue:
- Deduplicate keys in KeyValue.Keys() and document ListKeys behavior
([#&#8203;2029](https://redirect.github.com/nats-io/nats.go/issues/2029))
- Fix flaky TestKeyValueWithSources
([#&#8203;2036](https://redirect.github.com/nats-io/nats.go/issues/2036))

##### CHANGED

- Bump go version to 1.25 and update dependencies
([#&#8203;2044](https://redirect.github.com/nats-io/nats.go/issues/2044),
[#&#8203;2039](https://redirect.github.com/nats-io/nats.go/issues/2039))

##### Complete Changes

</details>

<details>
<summary>openai/openai-go (github.com/openai/openai-go/v3)</summary>

### [`v3.30.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.30.0)

[Compare
Source](https://redirect.github.com/openai/openai-go/compare/v3.29.0...v3.30.0)

#### 3.30.0 (2026-03-25)

Full Changelog:
[v3.29.0...v3.30.0](https://redirect.github.com/openai/openai-go/compare/v3.29.0...v3.30.0)

##### Features

- **api:** add keys field to computer action types
([7abb3c4](https://redirect.github.com/openai/openai-go/commit/7abb3c4b4d1fb3d2757dd70c5a201de4190f298a))

##### Bug Fixes

- **api:** align SDK response types with expanded item schemas
([324c584](https://redirect.github.com/openai/openai-go/commit/324c584ec31315ec18c169918e524741e74d395a))
- **types:** generate shared enum types that are not referenced by other
schemas
([e2f2920](https://redirect.github.com/openai/openai-go/commit/e2f2920f510348ea8b7e26e6b2460f802d34998c))
- **types:** make Type required, correct enum in
ResponseInputMessageItem
([8c2c7a5](https://redirect.github.com/openai/openai-go/commit/8c2c7a59329e95da117ffdde7b36f43e1fbdbacb))

##### Chores

- **ci:** skip lint on metadata-only changes
([40cf884](https://redirect.github.com/openai/openai-go/commit/40cf884295e1631dc637f6e3e1316e8665e5e694))
- **client:** fix multipart serialisation of Default() fields
([06c04ae](https://redirect.github.com/openai/openai-go/commit/06c04aeca47e7348de94573eefbfaf2e110c4573))
- **internal:** support default value struct tag
([f1afb2a](https://redirect.github.com/openai/openai-go/commit/f1afb2ab20307c50da7ec421ac5cd3e5a9c33fe3))
- **internal:** update gitignore
([bde0a0d](https://redirect.github.com/openai/openai-go/commit/bde0a0d3e4a8b63e2ce28fae207f9546abac0722))
- **tests:** bump steady to v0.19.4
([a0561c3](https://redirect.github.com/openai/openai-go/commit/a0561c3014b5d5fbeee9d7de58dad3f9be9e2d9f))
- **tests:** bump steady to v0.19.5
([56c5c36](https://redirect.github.com/openai/openai-go/commit/56c5c3631cb1dec68b8cb68c1e03d62e69fe3a70))
- **tests:** bump steady to v0.19.6
([44ebe37](https://redirect.github.com/openai/openai-go/commit/44ebe3744e70460f2cacd94ccf21957e30d697a1))
- **tests:** bump steady to v0.19.7
([1b04072](https://redirect.github.com/openai/openai-go/commit/1b04072ef94542b2a0007e4088ef09d4f5387dcf))

##### Refactors

- **tests:** switch from prism to steady
([2185358](https://redirect.github.com/openai/openai-go/commit/21853589203e202637f9ebc7f7be5d4c73f2a471))

</details>

<details>
<summary>posthog/posthog-go (github.com/posthog/posthog-go)</summary>

### [`v1.11.2`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.11.2)

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.11.1...v1.11.2)

#### 1.11.2 - 2026-03-26

- [Full
Changelog](https://redirect.github.com/PostHog/posthog-go/compare/v1.11.1...v1.11.2)

</details>

<details>
<summary>riverqueue/river (github.com/riverqueue/river)</summary>

### [`v0.32.0`](https://redirect.github.com/riverqueue/river/releases/tag/v0.32.0)

[Compare
Source](https://redirect.github.com/riverqueue/river/compare/v0.31.0...v0.32.0)

##### Added

- `riverlog.Middleware` now supports `MiddlewareConfig.MaxTotalBytes`
(default 8 MB) to cap total persisted `river:log` history per job. When
the cap is exceeded, oldest log entries are dropped first while
retaining the newest entry. Values over 64 MB are clamped to 64 MB. [PR
#&#8203;1157](https://redirect.github.com/riverqueue/river/pull/1157).

##### Changed

- Improved `riverlog` performance and reduced memory amplification when
appending to large persisted `river:log` histories. [PR
#&#8203;1157](https://redirect.github.com/riverqueue/river/pull/1157).
- Reduced snooze-path memory amplification by setting `snoozes` in
metadata updates before marshaling, avoiding an extra full-payload JSON
rewrite. [PR
#&#8203;1159](https://redirect.github.com/riverqueue/river/pull/1159).
- Schema names are now quoted in SQL operations, enabling the use of
spaces and other odd characters. [PR
#&#8203;1175](https://redirect.github.com/riverqueue/river/pull/1175).

##### Fixed

- `riverpgxv5` now adapts JSON parameters for `simple protocol` / `exec`
query modes so `[]byte` JSON payloads are not encoded as `bytea` in pgx
text-mode execution paths. This fixes invalid JSON syntax errors when
running through protocol-constrained setups like PgBouncer transaction
pooling while preserving normal behavior for explicit `bytea`
parameters. Fixes
[#&#8203;1153](https://redirect.github.com/riverqueue/river/issues/1153).
[PR
#&#8203;1155](https://redirect.github.com/riverqueue/river/pull/1155).

</details>

<details>
<summary>samber/slog-logrus (github.com/samber/slog-logrus/v2)</summary>

### [`v2.5.4`](https://redirect.github.com/samber/slog-logrus/releases/tag/v2.5.4)

[Compare
Source](https://redirect.github.com/samber/slog-logrus/compare/v2.5.3...v2.5.4)

Update dependencies

**Full Changelog**:
<samber/slog-logrus@v2.5.3...v2.5.4>

</details>

<details>
<summary>googleapis/google-api-go-client
(google.golang.org/api)</summary>

### [`v0.273.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.273.0)

[Compare
Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.272.0...v0.273.0)

##### Features

- **all:** Auto-regenerate discovery clients
([#&#8203;3542](https://redirect.github.com/googleapis/google-api-go-client/issues/3542))
([a4b4711](https://redirect.github.com/googleapis/google-api-go-client/commit/a4b47110f2ba5bf8bdb32174f26f609615e0e8dc))
- **all:** Auto-regenerate discovery clients
([#&#8203;3546](https://redirect.github.com/googleapis/google-api-go-client/issues/3546))
([0cacfa8](https://redirect.github.com/googleapis/google-api-go-client/commit/0cacfa8557f0f7d21166c4dfef84f60c6d9f1a49))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone
Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 00f09d44c3be5a5b85df63cd59a98985cc2ae721
…440)

Depends on https://github.com/overmindtech/workspace/pull/4438

## Summary

Adds an `area51 export-archive` command to download production/dogfood
`ChangeArchive` data (protojson format), and hardens both CLIs against
credential exfiltration via untrusted `--app`/`--change` URLs.

### New command: `area51 export-archive`

- Downloads a full change archive by URL (`--change`) or UUID (`--uuid`)
- Supports OAuth device flow and API key authentication (`--api-key` /
`OVM_API_KEY`)
- Writes output with `0600` permissions to prevent other users from
reading production data
- Blocks cross-origin redirects to prevent bearer token leakage
- Caps error response body reads to 64 KiB to prevent memory exhaustion
from malicious servers

### Security: trusted host validation (shared libraries)

Addresses the SSRF-style credential exfiltration vector where a crafted
`--change` or `--app` URL could send API keys/OAuth tokens to
attacker-controlled hosts.

**`go/sdp-go`:**
- New `IsTrustedHost(host)` — validates against `*.overmind.tech`,
`*.overmind-demo.com`, and localhost (case-insensitive, port-aware)
- New `ValidateAppURL(url)` — enforces HTTPS for all non-localhost hosts
- `NewOvermindInstance` now calls `ValidateAppURL`, rejecting `http://`
for remote targets

**`go/cliauth`:**
- New `ConfirmUntrustedHost(appURL, hasAPIKey, stdin, writer)` — shared
interactive `[y/N]` prompt that warns users before sending credentials
to non-Overmind domains, with explicit mention of API key exposure when
relevant

**Both CLIs (`cli/cmd/root.go` +
`tools/area51-cli/cmd/export_archive.go`):**
- Call `cliauth.ConfirmUntrustedHost` before instance discovery,
blocking the flow where a crafted URL exfiltrates credentials

### Files changed

| Area | Files | What |
| --- | --- | --- |
| Shared: sdp-go | `host_trust.go`, `host_trust_test.go`, `instance_detect.go` | Trusted host validation, HTTPS enforcement |
| Shared: cliauth | `cliauth.go`, `cliauth_test.go` | Untrusted host confirmation prompt |
| Public CLI | `cli/cmd/root.go` | Trust check in `login()` gateway |
| Area51 CLI | `cmd/export_archive.go`, `cmd/export_archive_test.go`, `cmd/auth.go`, `cmd/root.go` | New export-archive command with trust check |
| Docs | `tools/area51-cli/README.md`, `.gitignore` | Usage docs and ignore built binary |

## Test plan

- [x] `go test ./go/sdp-go/` — 37 cases for `IsTrustedHost`,
`IsLocalHost`, `ValidateAppURL` (including suffix-bypass attempts)
- [x] `go test ./go/cliauth/` — 11 cases for `ConfirmUntrustedHost`
(trusted skip, y/yes/YES/n/empty/other, API key warning)
- [x] `go test ./tools/area51-cli/cmd/` — parseChangeURL, download
permissions, cross-origin redirect blocking
- [x] `go build ./cli/...` and `go build ./tools/area51-cli/...` — both
compile cleanly

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches authentication/credential-handling paths and adds a new
production-data export command; mistakes could leak credentials or allow
unintended network targets despite the added safeguards.
>
> **Overview**
> Adds a new `area51 export-archive` CLI command to download protojson
`ChangeArchive` data by change URL or UUID, supporting OAuth device flow
or API key auth and writing outputs with `0600` permissions.
>
> Hardens both the public `overmind` CLI and `area51` CLI against
credential exfiltration by introducing trusted-host checks
(`sdp.IsTrustedHost`), enforcing HTTPS for non-local targets
(`sdp.ValidateAppURL` used by `NewOvermindInstance`), prompting on
untrusted hosts (`cliauth.ConfirmUntrustedHost`), and blocking
cross-origin redirects on authenticated HTTP clients.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
0bf77bdd51136e58cf2e401aca95a2dfe04ecf51. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: David Schmitt <david.schmitt@overmind.tech>
GitOrigin-RevId: 34b1ef18d86892017d9d5e667d784fb4a7e4fdde
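The trusted-host, HTTPS-enforcement and cross-origin-redirect checks this commit message describes, written out as an added Go illustration. This is not the project's `sdp-go` or `cliauth` code: the function names `IsTrustedHost`, `IsLocalHost` and `ValidateAppURL` are taken from the message, while `hostOnly`, `SameOriginRedirectPolicy` and the `trustedSuffixes` allow-list (modelled on the `*.overmind.tech` / `*.overmind-demo.com` domains named above, with the apex domains also accepted as this example's own choice) are assumptions. The point it makes concrete is why the suffix match has to be anchored at a label boundary and why the port and letter case are normalised before comparing, so that look-alike hosts such as `evil-overmind.tech` or `overmind.tech.attacker.example` never pass.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// trustedSuffixes is a constructed allow-list modelled on the domains the
// commit message names (assumption: not the project's own list). Each entry
// carries a leading dot so the match is anchored at a label boundary.
var trustedSuffixes = []string{".overmind.tech", ".overmind-demo.com"}

// hostOnly drops any port and IPv6 brackets and lower-cases the result, so
// "API.Overmind.Tech:443" and "api.overmind.tech" compare equal.
func hostOnly(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.Trim(host, "[]")
	return strings.ToLower(strings.TrimSuffix(host, "."))
}

// IsLocalHost reports whether host (port optional) is "localhost" or a
// loopback IP literal; these are the only hosts allowed to use plain http.
func IsLocalHost(host string) bool {
	h := hostOnly(host)
	if h == "localhost" {
		return true
	}
	ip := net.ParseIP(h)
	return ip != nil && ip.IsLoopback()
}

// IsTrustedHost reports whether credentials may be sent to host. The check is
// case-insensitive, ignores the port, and accepts the apex domain as well as
// any subdomain. Because each suffix starts with ".", a host that merely ends
// in "overmind.tech" (e.g. "evil-overmind.tech") does not match.
func IsTrustedHost(host string) bool {
	h := hostOnly(host)
	if h == "" {
		return false
	}
	if IsLocalHost(h) {
		return true
	}
	for _, suffix := range trustedSuffixes {
		if h == suffix[1:] || strings.HasSuffix(h, suffix) {
			return true
		}
	}
	return false
}

// ValidateAppURL parses rawURL and rejects non-https schemes for every host
// that is not local, so a token never travels in cleartext to a remote host.
func ValidateAppURL(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Hostname() == "" {
		return nil, fmt.Errorf("app URL %q has no host", rawURL)
	}
	if u.Scheme != "https" && !IsLocalHost(u.Hostname()) {
		return nil, fmt.Errorf("app URL %q must use https for remote host %q", rawURL, u.Hostname())
	}
	return u, nil
}

// SameOriginRedirectPolicy is an http.Client.CheckRedirect function that
// refuses any redirect whose scheme or host:port differs from the original
// request, so an Authorization header is never replayed to another origin.
func SameOriginRedirectPolicy(req *http.Request, via []*http.Request) error {
	if len(via) == 0 {
		return nil
	}
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	first := via[0].URL
	if req.URL.Scheme != first.Scheme || !strings.EqualFold(req.URL.Host, first.Host) {
		return fmt.Errorf("refusing cross-origin redirect from %s://%s to %s://%s",
			first.Scheme, first.Host, req.URL.Scheme, req.URL.Host)
	}
	return nil
}

func main() {
	// Any authenticated download should go through a client with this policy.
	client := &http.Client{CheckRedirect: SameOriginRedirectPolicy}
	_ = client
	for _, h := range []string{"api.overmind.tech", "API.Overmind.Tech:443", "localhost:8080",
		"evil-overmind.tech", "overmind.tech.attacker.example"} {
		fmt.Printf("%-32s trusted=%v\n", h, IsTrustedHost(h))
	}
	for _, u := range []string{"https://app.overmind.tech", "http://app.overmind.tech", "http://localhost:3000"} {
		_, err := ValidateAppURL(u)
		fmt.Printf("%-28s err=%v\n", u, err)
	}
}
```

Go's `net/http` already drops `Authorization` and `Cookie` when a redirect leaves the initial domain, but it still forwards them to subdomains of that domain; the same-origin policy above is stricter, refusing any change of scheme, host or port, which is the behaviour the message describes for the authenticated clients.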
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [aws](https://registry.terraform.io/providers/hashicorp/aws) ([source](https://redirect.github.com/hashicorp/terraform-provider-aws)) | required_provider | minor | `6.37.0` → `6.38.0` |
| [google](https://registry.terraform.io/providers/hashicorp/google) ([source](https://redirect.github.com/hashicorp/terraform-provider-google)) | required_provider | minor | `7.24.0` → `7.25.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>hashicorp/terraform-provider-aws (aws)</summary>

### [`v6.38.0`](https://redirect.github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6380-March-25-2026)

[Compare
Source](https://redirect.github.com/hashicorp/terraform-provider-aws/compare/v6.37.0...v6.38.0)

FEATURES:

- **New Action:** `aws_dms_start_replication_task_assessment_run`
([#&#8203;47058](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47058))
- **New Data Source:** `aws_dynamodb_backups`
([#&#8203;47036](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47036))
- **New Data Source:** `aws_msk_topic`
([#&#8203;46490](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46490))
- **New Data Source:** `aws_savingsplans_offerings`
([#&#8203;47081](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47081))
- **New List Resource:** `aws_msk_cluster`
([#&#8203;46490](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46490))
- **New List Resource:** `aws_msk_serverless_cluster`
([#&#8203;46490](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46490))
- **New List Resource:** `aws_msk_topic`
([#&#8203;46490](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46490))
- **New List Resource:** `aws_route53_resolver_rule`
([#&#8203;47063](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47063))
- **New List Resource:** `aws_sagemaker_algorithm`
([#&#8203;47051](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47051))
- **New List Resource:** `aws_ssm_document`
([#&#8203;46974](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46974))
- **New List Resource:** `aws_ssoadmin_account_assignment`
([#&#8203;47067](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47067))
- **New List Resource:** `aws_vpc_endpoint`
([#&#8203;46977](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46977))
- **New List Resource:** `aws_workmail_domain`
([#&#8203;46931](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46931))
- **New Resource:** `aws_msk_topic`
([#&#8203;46490](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46490))
- **New Resource:** `aws_observabilityadmin_telemetry_enrichment`
([#&#8203;47089](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47089))
- **New Resource:** `aws_sagemaker_algorithm`
([#&#8203;47051](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47051))
- **New Resource:** `aws_workmail_default_domain`
([#&#8203;46931](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46931))
- **New Resource:** `aws_workmail_domain`
([#&#8203;46931](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46931))

ENHANCEMENTS:

- data-source/aws\_networkfirewall\_firewall\_policy: Add
`firewall_policy.enable_tls_session_holding` attribute
([#&#8203;47065](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47065))
- resource/aws\_bedrockagentcore\_agent\_runtime: Add
`authorizer_configuration.custom_jwt_authorizer.custom_claim`
configuration block
([#&#8203;47049](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47049))
- resource/aws\_bedrockagentcore\_gateway: Add
`authorizer_configuration.custom_jwt_authorizer.custom_claim`
configuration block
([#&#8203;47049](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47049))
- resource/aws\_bedrockagentcore\_gateway\_target: Add
`target_configuration.mcp.api_gateway` configuration block
([#&#8203;46916](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46916))
- resource/aws\_dynamodb\_table: Add `restore_backup_arn` argument
([#&#8203;47068](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47068))
- resource/aws\_fis\_experiment\_template: Support `KinesisStreams` as a
value for `action.target.key`
([#&#8203;47010](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47010))
- resource/aws\_fis\_experiment\_template: Support `VPCEndpoints` as a
value for `action.target.key`
([#&#8203;47045](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47045))
- resource/aws\_mq\_broker: Change `user` block to Optional
([#&#8203;46883](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46883))
- resource/aws\_msk\_cluster: Add resource identity support
([#&#8203;46490](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46490))
- resource/aws\_msk\_serverless\_cluster: Add resource identity support
([#&#8203;46490](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46490))
- resource/aws\_networkfirewall\_firewall\_policy: Add
`firewall_policy.enable_tls_session_holding` argument
([#&#8203;47065](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47065))
- resource/aws\_securityhub\_insight: Add `filters.aws_account_name`
configuration block
([#&#8203;47027](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47027))
- resource/aws\_securityhub\_insight: Add
`filters.compliance_associated_standards_id` configuration block
([#&#8203;47027](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47027))
- resource/aws\_securityhub\_insight: Add
`filters.compliance_security_control_id` configuration block
([#&#8203;47027](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47027))
- resource/aws\_securityhub\_insight: Add
`filters.compliance_security_control_parameters_name` configuration
block
([#&#8203;47027](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47027))
- resource/aws\_securityhub\_insight: Add
`filters.compliance_security_control_parameters_value` configuration
block
([#&#8203;47027](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47027))
- resource/aws\_ssoadmin\_account\_assignment: Add Resource Identity
support
([#&#8203;47067](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47067))

BUG FIXES:

- resource/aws\_api\_gateway\_method: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_apigatewayv2\_integration: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_apigatewayv2\_route: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_apigatewayv2\_stage: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_appmesh\_gateway\_route: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_appmesh\_route: Fix import to honor `@region` suffix
when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_appmesh\_virtual\_gateway: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_appmesh\_virtual\_node: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_appmesh\_virtual\_router: Fix import to honor `@region`
suffix when using resource-level `region` attribute
([#&#8203;47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_appmesh\_virtual\_service: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_cloudfront\_distribution\_tenant: Fix panic when managed certificate is not found during creation ([#46982](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46982))
- resource/aws\_controltower\_control: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_default\_route\_table: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_gateway\_association: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_hosted\_private\_virtual\_interface: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_hosted\_private\_virtual\_interface\_accepter: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_hosted\_public\_virtual\_interface: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_hosted\_public\_virtual\_interface\_accepter: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_hosted\_transit\_virtual\_interface: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_hosted\_transit\_virtual\_interface\_accepter: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_private\_virtual\_interface: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_public\_virtual\_interface: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_dx\_transit\_virtual\_interface: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_ecs\_express\_gateway\_service: Fix `Provider produced inconsistent result after apply` error when `environment` variables are defined in non-alphabetical order ([#46771](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46771))
- resource/aws\_elasticache\_reserved\_cache\_node: Fix `Provider returned invalid result object after apply` errors where computed attributes remained unknown after create ([#47012](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47012))
- resource/aws\_kinesis\_stream: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_mq\_broker: Fix non-idempotent behavior for RabbitMQ brokers with `user` block ([#46883](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46883))
- resource/aws\_network\_acl: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_network\_interface\_sg\_attachment: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_opensearch\_domain: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_route53recoverycontrolconfig\_routing\_control: Fix panic on concurrent creates when API returns ConflictException ([#47038](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47038))
- resource/aws\_route\_table\_association: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_serverlessapplicationrepository\_cloudformation\_stack: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_servicecatalog\_product: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_ses\_active\_receipt\_rule\_set: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_ssm\_default\_patch\_baseline: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_vpc\_dhcp\_options\_association: Fix import to honor `@region` suffix when using resource-level `region` attribute ([#47043](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47043))
- resource/aws\_wafv2\_web\_acl\_rule: Fix `Unable to unmarshal DynamicValue` error when `statement.managed_rule_group_statement.rule_action_override` block is specified ([#46998](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46998))
- resource/aws\_wafv2\_web\_acl\_rule\_group\_association: Fix `WAFOptimisticLockException` errors when multiple associations target the same Web ACL ([#47037](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47037))

</details>

<details>
<summary>hashicorp/terraform-provider-google (google)</summary>

### [`v7.25.0`](https://redirect.github.com/hashicorp/terraform-provider-google/blob/HEAD/CHANGELOG.md#7250-Unreleased)

[Compare Source](https://redirect.github.com/hashicorp/terraform-provider-google/compare/v7.24.0...v7.25.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone
Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 490523fcf2a01ced2265937b6b3ca41a169568b2
## Summary

- Bumps `github.com/buger/jsonparser` from v1.1.1 to v1.1.2 to fix CVE-2026-32285 (GO-2026-4514) — uncaught exception in `Delete()` on malformed JSON input
- The `google.golang.org/grpc` vulnerability (CVE-2026-33186) was already resolved; go.mod has v1.79.3 which is the fix version

## Linear Ticket

- **Ticket**: [ENG-3461](https://linear.app/overmind/issue/ENG-3461/snyk-vulnerabilities-for-march-30th) — Snyk vulnerabilities for March 30th
- **Purpose**: Resolve High/Critical Snyk findings for the weekly vulnerability check
- **Priority**: Urgent

## Changes

- `go.mod`: `github.com/buger/jsonparser` v1.1.1 → v1.1.2 (indirect dependency)
- `go.sum`: Updated checksums for jsonparser v1.1.2

## Vulnerability Details

| CVE | Package | Severity | Fix |
| --- | --- | --- | --- |
| CVE-2026-33186 | `google.golang.org/grpc` | Critical (9.3) | Already at v1.79.3 |
| CVE-2026-32285 | `github.com/buger/jsonparser` | High (8.7) | Bumped to v1.1.2 |

## Deviations from Approved Plan

> No approved plan is associated with this PR.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk dependency bump with no application code changes; main risk
is minor behavioral differences in JSON parsing under malformed inputs.
>
> **Overview**
> Updates the indirect dependency `github.com/buger/jsonparser` from
`v1.1.1` to `v1.1.2` in `go.mod`, with corresponding `go.sum` checksum
updates.
>
> This is a dependency-only change intended to pick up the upstream
security fix for malformed JSON handling (CVE-2026-32285).
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f5bf71f97b5e748b4bc2d271755e788d18413e20. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 03de4a0e9f9426a31d892195dfe2799690a79e5f
@tphoney tphoney merged commit e58d4b5 into main Mar 30, 2026
@tphoney tphoney deleted the copybara/v1.17.3 branch March 30, 2026 12:14