From 2c7a8f021fbabc5e502b4281747f7564149987ec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 8 Mar 2026 21:28:33 +0000 Subject: [PATCH 1/5] build(deps): bump docker/setup-qemu-action from 3 to 4 Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 77a37c2..6955c72 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,7 +25,7 @@ jobs: go-version: ${{ env.GO_VERSION }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 From e87c1a1a6c91fae20e0b0310ea59e0bce204798f Mon Sep 17 00:00:00 2001 From: Giovanni Ferri Date: Wed, 11 Mar 2026 21:45:11 +0000 Subject: [PATCH 2/5] fix(ci): skip dependabot-incompatible PR checks --- .github/workflows/ci.yml | 1 + .github/workflows/dependency-review.yml | 1 + .github/workflows/lint.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9075a8a..58e83ea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -49,6 +49,7 @@ jobs: python-version: "3.x" - name: Commit message convention check + if: github.actor != 'dependabot[bot]' run: | python -m pip install --upgrade pip commitizen if [ "${{ github.event_name }}" = "pull_request" ]; then 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 61beb66..eb5f7f6 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -6,6 +6,7 @@ on: jobs: dependency-review: + if: github.actor != 'dependabot[bot]' runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index cc3928c..a99957c 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -23,6 +23,7 @@ jobs: python-version: "3.x" - name: Commit message convention check + if: github.actor != 'dependabot[bot]' run: | python -m pip install --upgrade pip commitizen if [ "${{ github.event_name }}" = "pull_request" ]; then From 72b3a01af6e99587c51dd2f6fe9cb37b1b112af0 Mon Sep 17 00:00:00 2001 From: Giovanni Ferri Date: Wed, 11 Mar 2026 21:51:58 +0000 Subject: [PATCH 3/5] fix(ci): detect dependabot PRs by head branch --- .github/workflows/ci.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/lint.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58e83ea..261398c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -49,7 +49,7 @@ jobs: python-version: "3.x" - name: Commit message convention check - if: github.actor != 'dependabot[bot]' + if: ${{ !(github.event_name == 'pull_request' && startsWith(github.head_ref, 'dependabot/')) }} run: | python -m pip install --upgrade pip commitizen if [ "${{ github.event_name }}" = "pull_request" ]; then diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index eb5f7f6..5f00665 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -6,7 +6,7 @@ on: jobs: dependency-review: - if: github.actor != 'dependabot[bot]' + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a99957c..d55e3cc 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -23,7 +23,7 @@ jobs: python-version: "3.x" - name: Commit message convention check - if: github.actor != 'dependabot[bot]' + if: ${{ !(github.event_name == 'pull_request' && startsWith(github.head_ref, 'dependabot/')) }} run: | python -m pip install --upgrade pip commitizen if [ "${{ github.event_name }}" = "pull_request" ]; then From fe5c2f9e539d6aa60e0cac99776ba30841e32158 Mon Sep 17 00:00:00 2001 From: Giovanni Ferri Date: Wed, 11 Mar 2026 21:58:46 +0000 Subject: [PATCH 4/5] fix(ci): skip branch lint commit checks for dependabot refs --- .github/workflows/ci.yml | 2 +- .github/workflows/lint.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 261398c..5848d59 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -49,7 +49,7 @@ jobs: python-version: "3.x" - name: Commit message convention check - if: ${{ !(github.event_name == 'pull_request' && startsWith(github.head_ref, 'dependabot/')) }} + if: ${{ !(startsWith(github.head_ref, 'dependabot/') || startsWith(github.ref_name, 'dependabot/')) }} run: | python -m pip install --upgrade pip commitizen if [ "${{ github.event_name }}" = "pull_request" ]; then diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index d55e3cc..dd434f6 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
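Review bot: The new `if: ${{ !startsWith(github.head_ref, 'dependabot/') }}` on the `dependency-review` job switches a security gate off for any pull request whose head branch starts with `dependabot/`, and since `github.head_ref` is the branch name in the contributor's fork, that bypass is open to anyone who can open a PR, not only to Dependabot. If the intent is to skip Dependabot's own PRs (the actor test was presumably dropped because re-runs and `@dependabot` commands change `github.actor`), bind the skip to the PR author instead: `if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}`. The ci.yml and lint.yml hunks of patch 4 use the same branch-name-only test for the commit message convention check; it is less consequential there but can take the same author condition alongside the existing `github.ref_name` clause that covers push builds. It is also worth confirming that dependency review needs skipping at all, since Dependabot's manifest changes are exactly what the action inspects; if it only failed for token or permission reasons on Dependabot-triggered runs, that would be the thing to fix.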
@@ -23,7 +23,7 @@ jobs: python-version: "3.x" - name: Commit message convention check - if: ${{ !(github.event_name == 'pull_request' && startsWith(github.head_ref, 'dependabot/')) }} + if: ${{ !(startsWith(github.head_ref, 'dependabot/') || startsWith(github.ref_name, 'dependabot/')) }} run: | python -m pip install --upgrade pip commitizen if [ "${{ github.event_name }}" = "pull_request" ]; then From a0ea9814945d04981fc4284e7ad3991586dcedb2 Mon Sep 17 00:00:00 2001 From: Giovanni Ferri Date: Wed, 11 Mar 2026 22:22:38 +0000 Subject: [PATCH 5/5] fix(lint): align agent sources with main --- cmd/agent/main.go | 3 ++- internal/agent/api/exec.go | 6 +++--- internal/agent/api/serial.go | 8 +++++++- internal/agent/firecracker_driver.go | 4 ++-- internal/agent/reconciler.go | 3 +-- 5 files changed, 15 insertions(+), 9 deletions(-) diff --git a/cmd/agent/main.go b/cmd/agent/main.go index dcbe89f..7a93c94 100644 --- a/cmd/agent/main.go +++ b/cmd/agent/main.go @@ -17,10 +17,11 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" - impdevv1alpha1 "github.com/syscode-labs/imp/api/v1alpha1" "go.opentelemetry.io/otel" "go.opentelemetry.io/otel/propagation" + impdevv1alpha1 "github.com/syscode-labs/imp/api/v1alpha1" + "github.com/syscode-labs/imp/internal/agent" "github.com/syscode-labs/imp/internal/agent/api" "github.com/syscode-labs/imp/internal/agent/network" diff --git a/internal/agent/api/exec.go b/internal/agent/api/exec.go index 6301037..135bd44 100644 --- a/internal/agent/api/exec.go +++ b/internal/agent/api/exec.go 
@@ -19,9 +19,9 @@ type execRequest struct { // execLine is one line of the streaming NDJSON response. type execLine struct { - Stream string `json:"stream"` // "stdout", "stderr", or "exit" - Line string `json:"line,omitempty"` // present for stdout/stderr - Code *int32 `json:"code,omitempty"` // present for exit + Stream string `json:"stream"` // "stdout", "stderr", or "exit" + Line string `json:"line,omitempty"` // present for stdout/stderr + Code *int32 `json:"code,omitempty"` // present for exit } func (s *APIServer) handleExec(w http.ResponseWriter, r *http.Request) { diff --git a/internal/agent/api/serial.go b/internal/agent/api/serial.go index 1a42e6a..b45f2d1 100644 --- a/internal/agent/api/serial.go +++ b/internal/agent/api/serial.go @@ -10,15 +10,21 @@ import ( "os" "path/filepath" "time" + + "k8s.io/apimachinery/pkg/util/validation" ) func (s *APIServer) handleSerial(w http.ResponseWriter, r *http.Request) { namespace := r.PathValue("namespace") vmName := r.PathValue("vm") + if len(validation.IsDNS1123Label(namespace)) != 0 || len(validation.IsDNS1123Subdomain(vmName)) != 0 { + http.Error(w, "invalid namespace or vm name", http.StatusBadRequest) + return + } logPath := filepath.Join(s.SocketDir, namespace+"-"+vmName+".serial.log") - f, err := os.Open(logPath) + f, err := os.Open(logPath) //nolint:gosec // G304: path segments validated as Kubernetes DNS-1123 names if err != nil { if errors.Is(err, os.ErrNotExist) { http.Error(w, fmt.Sprintf("serial log for %s/%s not found", namespace, vmName), http.StatusNotFound) diff --git a/internal/agent/firecracker_driver.go b/internal/agent/firecracker_driver.go index 37ecfbd..e442236 100644 --- a/internal/agent/firecracker_driver.go +++ b/internal/agent/firecracker_driver.go 
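Review bot: The DNS-1123 guard inserted after `vmName := r.PathValue("vm")` is what keeps the URL path segments from reaching `filepath.Join` as `..` or slash-bearing components, but the only hint of that is the `//nolint:gosec` justification on the `os.Open` line, so a later edit that moves or relaxes the check could reopen the traversal without any comment flagging it. I would put the reason above the `if`: `// namespace and vm come straight from the URL; restrict them to Kubernetes DNS-1123 names so they cannot carry path separators or ".." into logPath.` A small table test sending `..`, `a/b` and an empty segment and expecting 400 would pin that behaviour. handleSerial continues past the end of the hunk.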
@@ -50,7 +50,7 @@ type fcProc struct { machine *firecracker.Machine pid int64 socket string - vsockPath string // path to the VSOCK Unix socket proxy; empty when guest agent is disabled + vsockPath string // path to the VSOCK Unix socket proxy; empty when guest agent is disabled netInfo *network.NetworkInfo // nil when NetworkRef is absent probeCancel context.CancelFunc // non-nil when probe goroutine is running } @@ -215,7 +215,7 @@ func (d *FirecrackerDriver) Start(ctx context.Context, vm *impdevv1alpha1.ImpVM) // Redirect the Firecracker process stdout to a serial log file so that // the guest ttyS0 console (console=ttyS0 kernel arg) is persisted on disk. serialLogPath := filepath.Join(d.SocketDir, vm.Namespace+"-"+vm.Name+".serial.log") - serialLogFile, err := os.OpenFile(serialLogPath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o640) + serialLogFile, err := os.OpenFile(serialLogPath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o640) //nolint:gosec // G304: path is derived from Kubernetes metadata names if err != nil { return 0, fmt.Errorf("open serial log %s: %w", serialLogPath, err) } diff --git a/internal/agent/reconciler.go b/internal/agent/reconciler.go index 7ef5a74..6daf4ec 100644 --- a/internal/agent/reconciler.go +++ b/internal/agent/reconciler.go @@ -63,6 +63,7 @@ func (r *ImpVMReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resu if vm.Spec.NodeName != r.NodeName { return ctrl.Result{}, nil } + ctx = logf.IntoContext(ctx, log.WithValues("vm", req.NamespacedName, "phase", vm.Status.Phase)) ctx, span := otel.Tracer("imp.agent").Start(ctx, "agent.impvm.reconcile", trace.WithAttributes( @@ -77,8 +78,6 @@ func (r *ImpVMReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resu span.End() }() - log = log.WithValues("vm", req.NamespacedName, "phase", vm.Status.Phase) - switch vm.Status.Phase { case impdevv1alpha1.VMPhaseTerminating: return r.handleTerminating(ctx, vm)
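Review bot: The `//nolint:gosec` justification on the `os.OpenFile` line rests on an invariant enforced elsewhere — that `vm.Namespace` and `vm.Name` were validated as Kubernetes names by the API server before the object reached this driver — and the same path expression `filepath.Join(dir, namespace+"-"+name+".serial.log")` is rebuilt independently by `handleSerial` in `internal/agent/api/serial.go`, so the two must stay in sync or the serial endpoint answers 404. I would state the invariant as a comment rather than only inside the directive, e.g. `// vm.Namespace and vm.Name are API-server-validated DNS-1123 names, so the joined path cannot escape d.SocketDir.`, and consider one helper for the serial log path shared by both call sites. Start continues outside the hunk.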
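Review bot: After this change the local `log` is never enriched: the removed `log = log.WithValues("vm", req.NamespacedName, "phase", vm.Status.Phase)` in the second reconciler hunk updated the variable itself, while the added `ctx = logf.IntoContext(ctx, log.WithValues(...))` in the first only stores an enriched copy in the context, so any later `log.Info`/`log.Error` in Reconcile that uses the local rather than `logf.FromContext(ctx)` will lose the vm and phase fields (the rest of Reconcile is outside both hunks, so I cannot confirm whether such calls exist). If they do, keep both in step with `log = log.WithValues("vm", req.NamespacedName, "phase", vm.Status.Phase)` followed by `ctx = logf.IntoContext(ctx, log)`. Moving the enrichment ahead of the span start is otherwise an improvement, since the phase handlers that receive ctx now see the fields.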