backport of commit 47f0bb8

Author: ddebko

.github/dependabot.yml

@@ -11,6 +11,3 @@ updates:
     schedule:
       # Check for updates to GitHub Actions every weekday
       interval: "daily"
-    allow:
-      # Allow updates for internal actions
-      - dependency-name: "hashicorp/*"

.github/workflows/backport.yml

@@ -14,26 +14,8 @@ jobs:
   backport:
     if: github.event.pull_request.merged
     runs-on: ${{ fromJSON(vars.RUNNER) }}
-    container: hashicorpdev/backport-assistant:0.5.1
+    container: hashicorpdev/backport-assistant:0.2.3
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0 # Fetch all branches and tags
-      - name: Check if any migrations have changed
-        run: |
-          if git diff --exit-code --name-only "origin/${{ github.event.pull_request.base.ref }}"...HEAD -- internal/db/schema/migrations; then
-            echo "No migrations have changed, continuing with backport"
-          else
-            # Post comment on PR.
-            echo "Posting new backport-failure GitHub comment under PR #${{ github.event.pull_request.number }}"
-            curl -sX POST \
-              -H "Accept: application/vnd.github+json" \
-              -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-              -d '{"body": "Backport Assistant: you attempted to automatically backport changes in this PR, but because it contained changes to migration files, this was rejected. Please carefully manually backport the changes."}' \
-              "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/issues/${{ github.event.pull_request.number }}/comments"
-            echo "Migrations have changed, refusing to backport. Please carefully manually backport the changes."
-            exit 1
-          fi
       - name: Backport changes to stable-website
         run: |
           backport-assistant backport -automerge

.github/workflows/build.yml

@@ -380,7 +380,6 @@ jobs:
           arch: ${{ matrix.arch }}
           tags: |
             docker.io/hashicorp/${{ env.repo }}:${{ env.version }}
-            docker.io/hashicorp/${{ env.repo }}:${{ env.version }}_${{ github.sha }}
             public.ecr.aws/hashicorp/${{ env.repo }}:${{ env.version }}
           # Per-commit dev images follow the naming convention MAJOR.MINOR-dev
           # And MAJOR.MINOR-dev-$COMMITSHA

.github/workflows/enos-run.yml

@@ -76,11 +76,10 @@ jobs:
       fail-fast: false # don't fail as that can skip required cleanup steps for jobs
       matrix:
         include:
-          - filter: 'e2e_aws builder:crt ip_version:4'
+          - filter: 'e2e_aws builder:crt'
           - filter: 'e2e_database'
           - filter: 'e2e_docker_base builder:crt'
           - filter: 'e2e_docker_base_plus builder:crt'
-          - filter: 'e2e_docker_base_with_gcp builder:crt'
           - filter: 'e2e_docker_base_with_vault builder:crt'
           - filter: 'e2e_docker_base_with_worker builder:crt'
           - filter: 'e2e_docker_worker_registration_controller_led builder:crt'
@@ -102,10 +101,6 @@ jobs:
       ENOS_VAR_boundary_docker_image_name: ${{ inputs.docker-image-name }}
       ENOS_VAR_boundary_docker_image_file: ./support/boundary_docker_image.tar
       ENOS_VAR_go_version: ${{ inputs.go-version }}
-      ENOS_VAR_gcp_project_id: ${{ secrets.GCP_PROJECT_ID_CI }}
-      ENOS_VAR_gcp_client_email: ${{ secrets.GCP_CLIENT_EMAIL_CI }}
-      ENOS_VAR_gcp_private_key_id: ${{ secrets.GCP_PRIVATE_KEY_ID_CI }}
-      ENOS_VAR_gcp_private_key: ${{ secrets.GCP_PRIVATE_KEY_CI }}
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -124,7 +119,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36    # TSCCR: loading action configs: failed to query HEAD reference: failed to get advertised references: authorization failed
         with:
@@ -144,25 +139,14 @@ jobs:
           echo "trusted-key ${{ secrets.ENOS_GPG_UID }}" >> ~/.gnupg/gpg.conf
           cat ~/.gnupg/gpg.conf
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
           aws-region: us-east-1
           role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
           role-skip-session-tagging: true
           role-duration-seconds: 3600
-      - name: Configure GCP credentials
-        if: contains(matrix.filter, 'gcp')
-        id: gcp_auth
-        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
-        with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
-          access_token_lifetime: '3600s'
-          project_id: ${{ secrets.GCP_PROJECT_ID_CI }}
-      - name: 'Set up GCP Cloud SDK'
-        if: contains(matrix.filter, 'gcp')
-        uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
       - name: Set up Enos
         uses: hashicorp/action-setup-enos@v1    # TSCCR: loading action configs: failed to query HEAD reference: failed to get advertised references: authorization failed
         with:
@@ -279,7 +263,7 @@ jobs:
       - name: Split matrix filter name
         id: split
         run: |
-          SCENARIO=$(echo "${{ matrix.filter }}" | cut -d' ' -f1,3 | sed 's/:/_/g')
+          SCENARIO=$(echo "${{ matrix.filter }}" | cut -d' ' -f1)
           echo fragment="${SCENARIO}" >> "$GITHUB_OUTPUT"
       - name: Upload e2e tests output
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
@@ -349,18 +333,21 @@ jobs:
         # failure() does not capture errors in `Run Enos scenario` due to continue-on-error
         if: ${{ failure() || (steps.run.outcome == 'failure' && steps.run_retry.outcome == 'failure') }}
         with:
-          method: chat.postMessage
-          token: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_TOKEN }}
+          channel-id: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }}
           payload: |
-            channel: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }}
-            text: ":x: e2e tests failed (${{ matrix.filter }}): ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Branch:* ${{ github.event.ref }}\n*SHA:* <${{ github.event.head_commit.url }}|${{ github.event.after }}>"
+            {
+              "text": ":x: e2e tests failed (${{ matrix.filter }}): ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Branch:* ${{ github.event.ref }}\n*SHA:* <${{ github.event.head_commit.url }}|${{ github.event.after }}>"
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_TOKEN }}
       - name: Send Slack message if Run but Retry passes
         uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
         if: ${{ steps.run.outcome == 'failure' && steps.run_retry.outcome != 'failure' }}
         with:
-          method: chat.postMessage
-          token: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_TOKEN }}
+          channel-id: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }}
           payload: |
-            channel: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }}
-            text: ":warning: e2e tests passed, but needed retry (${{ matrix.filter }}): ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Branch:* ${{ github.event.ref }}\n*SHA:* <${{ github.event.head_commit.url }}|${{ github.event.after }}>"
-
+            {
+              "text": ":warning: e2e tests passed, but needed retry (${{ matrix.filter }}): ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Branch:* ${{ github.event.ref }}\n*SHA:* <${{ github.event.head_commit.url }}|${{ github.event.after }}>"
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_TOKEN }}

.github/workflows/jira.yml

@@ -22,7 +22,7 @@ jobs:
       id: boundary-team-role
       run: |
         TEAM=boundary
-        ROLE="$(gh api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')"
+        ROLE="$(hub api orgs/hashicorp/teams/${TEAM}/memberships/${{ github.actor }} | jq -r '.role | select(.!=null)')"
         if [[ -n ${ROLE} ]]; then
           echo "Actor ${{ github.actor }} is a ${TEAM} team member, skipping ticket creation"
         else

.github/workflows/security-scan.yml

@@ -34,15 +34,15 @@ jobs:
         cache: false
 
     - name: Set up Python
-      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
         python-version: 3.x
 
     - name: Clone Security Scanner repo
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: hashicorp/security-scanner
-        token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
+        token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
         path: security-scanner
         ref: main
 
@@ -64,7 +64,7 @@ jobs:
         python3 -m pip install semgrep==1.45.0
 
         # CodeQL
-        LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | grep codeql-bundle- | sort --version-sort | tail -n1)
+        LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1)
         gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
         tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"
 
@@ -79,7 +79,7 @@ jobs:
         repository: "$PWD"
 
     - name: Upload SARIF file
-      uses: github/codeql-action/upload-sarif@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # codeql-bundle-v2.20.3
+      uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40 # codeql-bundle-v2.20.4
       with:
         sarif_file: results.sarif
 

.github/workflows/test-ci-bootstrap-oss.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36    # TSCCR: loading action configs: failed to query HEAD reference: failed to get advertised references: authorization failed
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}

.github/workflows/test-ci-cleanup-oss.yml

@@ -15,7 +15,7 @@ jobs:
       regions: ${{steps.regions.outputs.regions}}
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
@@ -44,7 +44,7 @@ jobs:
     steps:
       - name: Configure AWS credentials
         id: aws-configure
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
@@ -80,7 +80,7 @@ jobs:
         region: ${{ fromJSON(needs.setup.outputs.regions) }}
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}

.github/workflows/test-cli-ui_oss.yml

@@ -114,8 +114,10 @@ jobs:
         if: ${{ failure() }}
         uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
         with:
-          method: chat.postMessage
-          token: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_TOKEN }}
+          channel-id: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }}
           payload: |
-            channel: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }}
-            text: ":x: bats tests failed: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Branch:* ${{ github.event.ref }}\n*SHA:* <${{ github.event.head_commit.url }}|${{ github.event.after }}>"
+            {
+              "text": ":x: bats tests failed: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Branch:* ${{ github.event.ref }}\n*SHA:* <${{ github.event.head_commit.url }}|${{ github.event.after }}>"
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_TOKEN }}

.github/workflows/test-race.yml

@@ -109,7 +109,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Test ${{ matrix.module }} Module
         run: |
           make test-${{ matrix.module }}
@@ -132,7 +132,6 @@ jobs:
           go-version: "${{ needs.setup.outputs.go-version }}"
           cache: false
       - name: Set up Go modules cache
-        id: go-cache
         uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
@@ -142,16 +141,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
-      - name: Install tools if tparse doesn't exist
-        run: |
-          if command -v tparse &> /dev/null; then
-            echo "tparse exists"
-          else
-            echo "tparse doesn't exist"
-            go mod download
-            make tools
-          fi
+          fail-on-cache-miss: true
       - name: Set up plugin cache
         id: plugin-cache
         uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0

.github/workflows/test.yml

@@ -109,7 +109,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Test ${{ matrix.module }} Module
         run: |
           make test-${{ matrix.module }}
@@ -132,7 +132,6 @@ jobs:
           go-version: "${{ needs.setup.outputs.go-version }}"
           cache: false
       - name: Set up Go modules cache
-        id: go-cache
         uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
@@ -142,16 +141,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
-      - name: Install tools if tparse doesn't exist
-        run: |
-          if command -v tparse &> /dev/null; then
-            echo "tparse exists"
-          else
-            echo "tparse doesn't exist"
-            go mod download
-            make tools
-          fi
+          fail-on-cache-miss: true
       - name: Set up plugin cache
         id: plugin-cache
         uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0

.go-version

@@ -1 +1 @@
-1.24.0
+1.22.5

.golangci.yml

@@ -69,9 +69,3 @@ issues:
     - linters:
         - staticcheck
       text: "SA1019: j.GetId is deprecated:"
-    - linters:
-        - staticcheck
-      text: "SA1019: pbs.StatusRequest is deprecated:"
-    - linters:
-        - staticcheck
-      text: "SA1019: pbs.StatusResponse is deprecated:"

.release/boundary-artifacts.hcl

@@ -13,7 +13,7 @@
 #   description = "A default worker created demonstration"
 
 #   # Workers must be able to reach controllers on :9201
-#   initial_upstreams = [
+#   controllers = [
 #     "10.0.0.1",
 #     "10.0.0.2",
 #     "10.0.0.3",

.release/linux/package/etc/boundary.d/worker.hcl

@@ -5,6 +5,13 @@ container {
 	dependencies = true
 	alpine_secdb = true
 	secrets      = false
+
+	triage {
+    	    suppress {
+    	        // Suppress wget vulnerability
+    	        vulnerabilities = ["CVE-2024-10524"]
+    	    }
+    	}
 }
 
 binary {