build(deps): bump actions/upload-artifact from 4 to 7

.github/workflows/ci.yml

@@ -49,6 +49,7 @@ jobs:
           python-version: "3.x"
 
       - name: Commit message convention check
+        if: ${{ !(startsWith(github.head_ref, 'dependabot/') || startsWith(github.ref_name, 'dependabot/')) }}
         run: |
           python -m pip install --upgrade pip commitizen
           if [ "${{ github.event_name }}" = "pull_request" ]; then

.github/workflows/dependency-review.yml

@@ -6,6 +6,7 @@ on:
 
 jobs:
   dependency-review:
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/lint.yml

@@ -23,6 +23,7 @@ jobs:
           python-version: "3.x"
 
       - name: Commit message convention check
+        if: ${{ !(startsWith(github.head_ref, 'dependabot/') || startsWith(github.ref_name, 'dependabot/')) }}
         run: |
           python -m pip install --upgrade pip commitizen
           if [ "${{ github.event_name }}" = "pull_request" ]; then

.github/workflows/nightly-e2e-cilium-heavy.yml

@@ -75,7 +75,7 @@ jobs:
 
       - name: Upload diagnostics
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: nightly-e2e-kind-cilium-heavy-diagnostics
           path: artifacts/

.github/workflows/nightly-e2e.yml

@@ -54,7 +54,7 @@ jobs:
           kubectl -n imp-system logs ds/imp-agent --all-containers > artifacts/imp-agent-logs.txt || true
       - name: Upload diagnostics
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: nightly-e2e-kind-smoke-diagnostics
           path: artifacts/

cmd/agent/main.go

@@ -17,10 +17,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	impdevv1alpha1 "github.com/syscode-labs/imp/api/v1alpha1"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/propagation"
 
+	impdevv1alpha1 "github.com/syscode-labs/imp/api/v1alpha1"
+
 	"github.com/syscode-labs/imp/internal/agent"
 	"github.com/syscode-labs/imp/internal/agent/api"
 	"github.com/syscode-labs/imp/internal/agent/network"

internal/agent/api/exec.go

@@ -19,9 +19,9 @@ type execRequest struct {
 
 // execLine is one line of the streaming NDJSON response.
 type execLine struct {
-	Stream string `json:"stream"`           // "stdout", "stderr", or "exit"
-	Line   string `json:"line,omitempty"`   // present for stdout/stderr
-	Code   *int32 `json:"code,omitempty"`   // present for exit
+	Stream string `json:"stream"`         // "stdout", "stderr", or "exit"
+	Line   string `json:"line,omitempty"` // present for stdout/stderr
+	Code   *int32 `json:"code,omitempty"` // present for exit
 }
 
 func (s *APIServer) handleExec(w http.ResponseWriter, r *http.Request) {

internal/agent/api/serial.go

@@ -10,15 +10,21 @@ import (
 	"os"
 	"path/filepath"
 	"time"
+
+	"k8s.io/apimachinery/pkg/util/validation"
 )
 
 func (s *APIServer) handleSerial(w http.ResponseWriter, r *http.Request) {
 	namespace := r.PathValue("namespace")
 	vmName := r.PathValue("vm")
+	if len(validation.IsDNS1123Label(namespace)) != 0 || len(validation.IsDNS1123Subdomain(vmName)) != 0 {
+		http.Error(w, "invalid namespace or vm name", http.StatusBadRequest)
+		return
+	}
 
 	logPath := filepath.Join(s.SocketDir, namespace+"-"+vmName+".serial.log")
 
-	f, err := os.Open(logPath)
+	f, err := os.Open(logPath) //nolint:gosec // G304: path segments validated as Kubernetes DNS-1123 names
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			http.Error(w, fmt.Sprintf("serial log for %s/%s not found", namespace, vmName), http.StatusNotFound)

internal/agent/firecracker_driver.go

@@ -50,7 +50,7 @@ type fcProc struct {
 	machine     *firecracker.Machine
 	pid         int64
 	socket      string
-	vsockPath   string             // path to the VSOCK Unix socket proxy; empty when guest agent is disabled
+	vsockPath   string               // path to the VSOCK Unix socket proxy; empty when guest agent is disabled
 	netInfo     *network.NetworkInfo // nil when NetworkRef is absent
 	probeCancel context.CancelFunc   // non-nil when probe goroutine is running
 }
@@ -215,7 +215,7 @@ func (d *FirecrackerDriver) Start(ctx context.Context, vm *impdevv1alpha1.ImpVM)
 	// Redirect the Firecracker process stdout to a serial log file so that
 	// the guest ttyS0 console (console=ttyS0 kernel arg) is persisted on disk.
 	serialLogPath := filepath.Join(d.SocketDir, vm.Namespace+"-"+vm.Name+".serial.log")
-	serialLogFile, err := os.OpenFile(serialLogPath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o640)
+	serialLogFile, err := os.OpenFile(serialLogPath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o640) //nolint:gosec // G304: path is derived from Kubernetes metadata names
 	if err != nil {
 		return 0, fmt.Errorf("open serial log %s: %w", serialLogPath, err)
 	}

internal/agent/reconciler.go

@@ -63,6 +63,7 @@ func (r *ImpVMReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resu
 	if vm.Spec.NodeName != r.NodeName {
 		return ctrl.Result{}, nil
 	}
+	ctx = logf.IntoContext(ctx, log.WithValues("vm", req.NamespacedName, "phase", vm.Status.Phase))
 
 	ctx, span := otel.Tracer("imp.agent").Start(ctx, "agent.impvm.reconcile",
 		trace.WithAttributes(
@@ -77,8 +78,6 @@ func (r *ImpVMReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resu
 		span.End()
 	}()
 
-	log = log.WithValues("vm", req.NamespacedName, "phase", vm.Status.Phase)
-
 	switch vm.Status.Phase {
 	case impdevv1alpha1.VMPhaseTerminating:
 		return r.handleTerminating(ctx, vm)