π§ chore(release): v1.5.0-rc.36 β #321 tag-pin + maintenance-window fixes + CodeQL-clean docs deploy#435
Merged
Merged
Conversation
β¦rtwing - env flag DD_EXPERIMENTAL_LOOKOUT β DD_EXPERIMENTAL_PORTWING (default off, zero footprint when unset) - WS endpoint /api/v1/lookout/ws β /api/v1/portwing/ws; subprotocol lookout/1.0 β portwing/1.0 - key registry /api/v1/lookout/keys β /api/v1/portwing/keys - rename app/api/lookout*.ts β portwing*.ts, openapi path module, and api docs page - update EdgeAgentAdapter, agent-keys store, configuration, OpenAPI index, CHANGELOG [Unreleased], README, docs meta
sync-docs.mjs copied CHANGELOG.md verbatim into the fumadocs MDX source. The <!-- ... --> maintainer note in the [Unreleased] section is valid in the GitHub-rendered CHANGELOG but MDX v3 rejects HTML comments, failing the Turbopack build (drydock-website production + preview deploys erroring since 2026-06-13). Strip HTML comments during generation (they are not published-docs content) and collapse the resulting blank-line gap. CHANGELOG.md stays GitHub-valid and unchanged.
Resolves #321 (Fix 1): containers tagged with a fully-specified semver (β₯3 segments, tagPrecision='specific') were silently climbing to newer versions. Gate getTagCandidates to return an empty tag list (digest-only path) for 'specific' tags unless the user opts in via dd.tag.include or dd.tag.family=loose.
Resolves #321 (Fix 2): auto-triggered container updates were applied outside the configured maintenance window. - Gate maybeFastResyncAfterUpdate with the same window check used in watchFromCron β debug-log and return early when the window is closed - Add maintenance-window-closed UpdateBlocker (soft, auto-updates only) with maintenanceWindowOpen context field in computeUpdateEligibility; manual UI/API updates remain ungated - Update HARD_BLOCKER_STATUS in request-update.ts to keep exhaustive map - Mirror UpdateBlockerReason + BLOCKER_SEVERITY in UI types and utils
Add tests for all previously-uncovered branches and functions: - specific-tag pin gate without a debug function - excludeTags regex compile failure (null safeRegExp) - over-length regex pattern (>1024 chars) - no-prefix candidate warning when tag starts with a digit - undefined/null tagFamily falling back to strict - invalid tagFamily value warning + fallback - logSemverCandidateFilterStats no-debug-function early return - filterSemverOnly callback (non-semver tag + includeTags with semver candidates) - isSemverFamilyMatch with null referenceShape - afterSemver > 0 + afterFamily == 0 family warning path Fixes: #321
- specific-tag pin: containers with 3-segment semver now digest-only by default - maintenance-window gate: now applies at update execution, not just detection
β¦ncomplete-sanitization Replace the single-pass /<!--[\s\S]*?-->/g regex in the changelog MDX generator with a complete indexOf-based scan. CodeQL flags the regex as js/incomplete-multi-character-sanitization (high) because a single replace can leave a residual "<!--" when comment spans abut; the ruleset's code_scanning rule blocks merge on high+ alerts, so the regex would block the rc.36 -> main PR exactly as it did on #434. The index scan removes every complete <!-- ... --> span and leaves any unterminated trailing "<!--" untouched. Output is byte-identical for the well-formed maintainer note in CHANGELOG.md (verified: 0 residual comments in the generated MDX). Build-time docs generation only; input is the repo's own trusted CHANGELOG, no untrusted-input/XSS surface.
β¦nce-window JSDoc Address adversarial-verifier findings on the rc.36 #321 fixes: - Add getTagCandidates gate tests for the most common real-world pinned patterns β suffixed 3-segment (1.13.3-bookworm) and 4-segment (1.2.3.4) β asserting digest-only (tags === []), no semver climb. - Rewrite the maintenanceWindowOpen JSDoc to be accurate: no auto-trigger dispatch path sets it; window enforcement is done at scan time in the Docker watcher. Prevents a future-maintainer trap. - Tighten a tautological assertion to an exact-array check.
β¦lidator Convert the accumulated [Unreleased] section into the dated ## [1.5.0-rc.36] release section so scripts/extract-changelog-entry.mjs (invoked by release-cut.yml) finds the entry for tag v1.5.0-rc.36. This RC ships: - #321 Fix 1: fully-pinned specific-precision tags are digest-only by default (no surprise semver climb); opt in via dd.tag.include or dd.tag.family=loose. - #321 Fix 2: maintenance window gates the post-update fast resync so auto-updates are not applied outside the window. - Experimental Portwing edge-agent mode (PR #429/#430). - Self-update overlay flicker fix (#425). - CodeQL-clean changelog MDX generation (unblocks the website deploy).
scttbnsn
requested review from
ALARGECOMPANY and
biggest-littlest
as code owners
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
biggest-littlest
previously approved these changes
Jun 15, 2026
biggest-littlest
left a comment
biggest-littlest
left a comment
Member
There was a problem hiding this comment.
Approved. #321 rc.35 regressions fixed (specific-tag digest-only default + maintenance-window resync gate), portwing rename clean, CodeQL-clean changelog generator. Verified by 9-agent adversarial pass (GO) + 100% coverage.
ALARGECOMPANY
previously approved these changes
Jun 15, 2026
ALARGECOMPANY
left a comment
ALARGECOMPANY
left a comment
Member
There was a problem hiding this comment.
Second code-owner approval. Full pre-push gate green (coverage + build + e2e); release heading validated against extract-changelog-entry.mjs.
β¦gate The #321 fix gates bare specific (3-segment) tags to digest-only updates by default. The Playwright 'actions tab' test opens Nginx (Hooked) and asserts an Update Now / Force Update control renders, which requires an available update. Without an include the container is correctly 'no-update-available' (hard blocker β disabled Blocked button), so the test counted zero controls. Add dd.tag.include=^1\.\d+\.\d+-alpine$ β the explicit family opt-in that survives the gate (identical to the edge-nginx fixture) β restoring the 'has an update' precondition main relied on via the buggy climb, now via a legitimate mechanism. Net update-state for all other specs is unchanged. Refs: #321
scttbnsn
dismissed stale reviews from ALARGECOMPANY and biggest-littlest
via
7d28eeb
Codecov Reportβ All modified and coverable lines are covered by tests. π’ Thoughts on this report? Let us know! |
β¦ab test The actions-tab Playwright test opens openAnyContainerDetail(), which is supposed to open Nginx (Hooked) but cannot: its matcher /\bNginx \(Hooked\)\b/ can never match a name ending in ')' (no word boundary after the paren), so the helper falls through to the next known container β Redis Cache (redis:7.2.0-alpine). Redis Cache had no include, so the #321 fix correctly gates it to digest-only β no-update-available hard blocker β disabled Blocked button, and the test counted zero Update Now/Force Update controls. Add dd.tag.include=^7\.\d+\.\d+-alpine$ so it climbs within its family and shows an update β exactly the state main relied on via the buggy climb, now via a legitimate mechanism. Verified the opened container and regex behavior against the failed run's error-context snapshot. Refs: #321
biggest-littlest
approved these changes
Jun 15, 2026
ALARGECOMPANY
approved these changes
Jun 15, 2026
ALARGECOMPANY
left a comment
ALARGECOMPANY
left a comment
Member
There was a problem hiding this comment.
Re-approving after fixture commits (445c256). Test-fixture-only change; verified against the failed run's snapshot.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v1.5.0-rc.36
Consolidated RC carrying the Discussion #321 fixes, the experimental edge-agent rename, and the website-deploy hotfix. All changes verified by a 9-agent adversarial verification pass (GO, 0 blockers/0 majors) and the full coverage gate (100% app + ui).
#321 β Fix 1: pinned specific-precision tags are digest-only by default
A fully-specified semver tag (β₯3 numeric segments, e.g.
image:v1.13.3) no longer silently climbs to a newer version (the reportedv1.13.3 β v1.46.1).getTagCandidatesreturns an empty candidate list (digest-only) forspecific-precision tags. Opt back into semver climbing withdd.tag.includeordd.tag.family=loose. Floating tags (latest,16-alpine) and 1β2-segment partials are unaffected.#321 β Fix 2: maintenance window gates auto-update execution
The post-update fast resync (
maybeFastResyncAfterUpdate) now honors the maintenance window the same waywatchFromCrondoes β closing the path where a triggered resync applied an update at 21:52 outside a0-10 4 * * *window. Manual UI/API updates remain immediate by design. (Window enforcement is at scan time in the Docker watcher; themaintenanceWindowOpeneligibility field is documented as UI-display scaffolding, not an auto-dispatch gate.)Experimental Portwing edge-agent mode (rename from "lookout")
Renames the experimental edge-agent feature
lookout β portwingacross code, API (/api/v1/portwing/*,portwing/1.0subprotocol), env (DD_EXPERIMENTAL_PORTWING), and docs. Zero stalelookoutreferences remain in tracked source.Website deploy hotfix (CodeQL-clean)
The changelog MDX generator stripped HTML comments with a single-pass regex that CodeQL flags as
js/incomplete-multi-character-sanitization(high) β which thecode_scanningruleset blocks merge on. Replaced with a completeindexOfscan (byte-identical output, linear-time). This unblocks the stalled getdrydock.com production deploy (broken since the maintainer upgrade-note comment landed in #426).Verification
Cut
After merge,
release-cut.ymlis dispatched withrelease_tag=v1.5.0-rc.36(package versions stay1.5.0; RC suffix is tag-only).Closes the rc.35 regressions reported in Discussion #321. Supersedes hotfix PR #434 (same docs fix, CodeQL-clean here).