ci: bump actions/setup-go from 5 to 6#1

Merged: o1x3 merged 1 commit into main from dependabot/github_actions/actions/setup-go-6 on Jun 25, 2026

dependabot Bot commented on behalf of github Jun 23, 2026

Bumps actions/setup-go from 5 to 6.

Release notes

Sourced from actions/setup-go's releases.

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-go@v5...v6.0.0

v5.6.0

What's Changed

Full Changelog: actions/setup-go@v5...v5.6.0

v5.5.0

What's Changed

Bug fixes:

Dependency updates:

New Contributors

Full Changelog: actions/setup-go@v5...v5.5.0

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 23, 2026

Labels

The following labels could not be found: ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

o1x3 added a commit that referenced this pull request Jun 25, 2026
compose:
- run now forwards --tty/--interactive (defaults: keep stdin open, allocate
  a TTY unless -T or no terminal); previously it read neither so
  'compose run web bash' got no PTY. (composeRunPtyFlags)
- OneOffArgs: overriding --entrypoint on a multi-token service entrypoint
  no longer leaks the old entrypoint's trailing args onto the new one.
- one-off run containers are labeled oneoff=True and excluded by the
  service-replica resolvers, so 'compose exec/ps' no longer confuses a
  surviving 'run --rm=false' container with replica #1.
- up --scale SERVICE=0 now runs zero replicas (explicit 0 was treated as
  unset and clamped to 1). (effectiveReplicas)
- long-form port host_ip without published emits host_ip::target, not the
  malformed host_ip:target (which parsed as host_port:container).
- bare environment/build-arg keys (- FOO / FOO:) inherit the host value
  (compose passthrough) instead of being forced to FOO="". (EnvMap)
- correct the inaccurate Levels() cycle doc comment.

cli:
- port expands a published range (PublishPort.Count>1) to one line per
  port and resolves per-port filters into it. (portMappingLines)

dockerfmt:
- table header derivation handles function/pipeline-prefixed actions
  ({{upper .Name}}) instead of leaking the raw template into the header.

pool:
- Claim treats a state-write failure as a miss instead of returning ok on
  an unpersisted pop, preventing the same warm VM being handed out twice.

All covered by reproducing tests.
@o1x3 o1x3 merged commit dec07cf into main Jun 25, 2026
2 checks passed
@o1x3 o1x3 deleted the dependabot/github_actions/actions/setup-go-6 branch June 25, 2026 18:04
o1x3 added a commit that referenced this pull request Jun 25, 2026
* fix(machine): close label-spoof resolution + force-by-default footguns

1. resolveMachine matched a container when the user-controllable
   dcon.machine.name label equalled the requested name. Because
   `dcon run` forwards arbitrary --label to the backend, an ordinary
   container created with --label dcon.machine=1 --label
   dcon.machine.name=web (and any non-prefixed name) would be resolved as
   machine `web`, turning `machine rm/stop/shell web` into a confused
   deputy against an arbitrary container and defeating the dcon-machine-
   prefix namespace. Resolve strictly by the prefixed backend id plus the
   verified dcon.machine label via a new pure matchMachine helper; a
   genuine machine always has id == dcon-machine-<name>, so no real
   capability is lost.

2. `machine rm` had --force default to true, so a bare `rm` always
   force-deleted a running machine (irreversible FS loss) and -f was a
   no-op. Default to false to mirror `docker rm`: a bare rm of a running
   machine fails and tells the user to pass -f.

Both bugs are covered by reproducing unit tests.

* fix(compose): parse long-form ports/volumes and drop empty env keys

ports: and volumes: were plain []string, so the Compose long (mapping)
form — e.g. 'ports: [{target: 80, published: "8080"}]' or
'volumes: [{type: bind, source: ./d, target: /d}]' — failed to unmarshal
and hard-errored the entire compose file (every up/down/ps/config).
This is valid, common syntax (what 'docker compose config' emits).

Add PortList/VolumeList named types that accept both the short string and
long mapping forms, flattening the long form to the same
[host_ip:][published:]target[/proto] and [source:]target[:ro] strings the
translator already emits. yaml scalar .Value is read directly so numeric
ports (- 9000, target: 80) don't trip an int->string decode.

Also drop blank/keyless environment & labels list entries ('' or
'=value') in MapList, which previously injected a malformed empty-key
'--env =' argument.

Both covered by reproducing tests.

* fix(pool): reap stale warm VMs atomically to avoid destroying a claimed one

ReapStale enumerated members with List(), then for each stale one called
forget() and DestroyAsync() as separate steps. A concurrent Claim could
pop a member in that window; the reaper would then DestroyAsync the very
VM the live run was about to exec into. (It self-healed via the cold-path
fallback, but wasted the warm slot.)

Pop stale members inside the state lock via a pure partitionStale helper,
then destroy them after releasing it. A concurrent Claim and a reap can
now never both own the same member.

* fix: stop --mount panic, --filter comma-corruption, ps -n 0, images ref filters

- run: a valueless '--mount type=tmpfs,...,tmpfs-size' (no =value) sliced
  past the string end and panicked the process; pass such fields through.
- ps/images/volume/network: --filter was StringSlice, which comma-splits a
  single value, so 'label=team=a,b' became two bogus filters and matched
  the wrong set. Use StringArray (the project's comma-bearing-flag rule).
- ps: 'ps -n 0' listed every running container instead of none; trimLast
  now distinguishes the unset sentinel (-1) from an explicit 0.
- images: a registry-port ref (registry:5000/img) was misread as tag
  ':latest' and hid all other tags; a digest ref (img@sha256:..) compared
  the digest against the tag column and always returned empty. Parse via
  imageRefFilter and match digests against the digest column.
- images: a malformed reference= glob silently hid every image; validate
  the pattern up front and error like docker.

All covered by reproducing tests.

* fix: compose exec/run/create + top, cp, history, system prune correctness

compose:
- exec gated --interactive on stdin being a TTY, so 'compose exec -T db
  psql < dump.sql' dropped the redirected stdin. Forward --interactive on
  the flag value alone (TTY handled separately) via a pure composeExecArgs.
- run --rm=false used a global token strip that removed EVERY '--rm',
  including one passed to the in-container command. Pass rm into OneOffArgs
  so the run-level flag is controlled at the source; delete dropFlag.
- up/create's '--detach' strip had the same hazard for a service command
  containing a literal --detach; add a positional CreateArgs builder.
- warn (don't silently drop) when multiple -f/--file files are given,
  since dcon does not merge them like docker.

cli:
- top: pass dashed ps options through (SetInterspersed false) so
  'top web -ef' no longer dies on an unknown-flag parse error.
- cp: a local path with a colon (./my:file.txt) was misread as a
  CONTAINER:PATH ref; classify like docker's splitCpArg.
- history: truncate CREATED BY by runes, not bytes, so multibyte UTF-8
  isn't split into an invalid sequence.
- system df --verbose / prune --filter now warn instead of silently
  ignoring; system prune propagates backend errors instead of always
  exiting 0.

All covered by reproducing tests.

* fix: build --output name=, restart --signal, mixed inspect ids

- build: '--output type=docker|image,name=X' with no -t silently dropped
  the name, yielding an untagged image. A dest-less type=docker/image is
  buildx's local-store load (the long form of --load) — the backend
  default — so omit --output and carry name= through as --tag. With dest
  it stays a file export (type=oci). translateOutput now returns (output,
  tag, err).
- restart: the --signal flag was defined but never used; forward it to the
  stop phase (the backend stop accepts --signal), matching docker.
- inspect: a mixed 'inspect <container> <image>' failed because each
  namespace was tried as one batch. Fall back to per-id resolution and
  merge the JSON arrays so both print, like docker.

All covered by reproducing tests.

* fix(compose): tag built image with image: so --build output is actually used

A service with both build: and image: built an image tagged with the
derived project name (project-service:latest) via BuildArgs, but the
container was run as svc.Image (imageRef). So 'compose up --build' (and
'compose build') produced an image the run never referenced — the run used
a stale/pulled svc.Image instead of the freshly built one.

Tag the built image with imageRef (svc.Image when set, else the derived
name), matching what RunArgs/OneOffArgs run. This also makes
'down --rmi local' consistent: a service with a custom image: keeps its
tag (removed only by --rmi all), while build-only services still tag and
remove the derived name.

Covered by a reproducing test.

* fix(compose/pool/cli): 10 issues from second adversarial red-team pass

compose:
- run now forwards --tty/--interactive (defaults: keep stdin open, allocate
  a TTY unless -T or no terminal); previously it read neither so
  'compose run web bash' got no PTY. (composeRunPtyFlags)
- OneOffArgs: overriding --entrypoint on a multi-token service entrypoint
  no longer leaks the old entrypoint's trailing args onto the new one.
- one-off run containers are labeled oneoff=True and excluded by the
  service-replica resolvers, so 'compose exec/ps' no longer confuses a
  surviving 'run --rm=false' container with replica #1.
- up --scale SERVICE=0 now runs zero replicas (explicit 0 was treated as
  unset and clamped to 1). (effectiveReplicas)
- long-form port host_ip without published emits host_ip::target, not the
  malformed host_ip:target (which parsed as host_port:container).
- bare environment/build-arg keys (- FOO / FOO:) inherit the host value
  (compose passthrough) instead of being forced to FOO="". (EnvMap)
- correct the inaccurate Levels() cycle doc comment.

cli:
- port expands a published range (PublishPort.Count>1) to one line per
  port and resolves per-port filters into it. (portMappingLines)

dockerfmt:
- table header derivation handles function/pipeline-prefixed actions
  ({{upper .Name}}) instead of leaking the raw template into the header.

pool:
- Claim treats a state-write failure as a miss instead of returning ok on
  an unpersisted pop, preventing the same warm VM being handed out twice.

All covered by reproducing tests.

* fix: 5 issues from third red-team pass (incl. 2 self-introduced regressions)

- compose long-form volume read_only: parse as a boolean (ParseBool), so
  'read_only: True'/'TRUE'/'1' produce a :ro mount instead of silently
  mounting read-write. (regression in the pass-1 long-form volume support)
- OneOffArgs: a command override no longer drops the service entrypoint's
  extra tokens when --entrypoint is NOT overridden, so 'compose run web
  shell' on entrypoint [python,-m,flask] runs 'python -m flask shell', not
  'python shell'. Post-image tokens are now split into entrypoint-extras
  (kept unless the entrypoint is replaced) and command (replaced by the
  override). (regression in the pass-2 entrypoint fix)
- compose ls -q now prints only project names (the flag was ignored).
- volume create --name is honored instead of silently creating a
  random-named volume; supplying both --name and a positional errors.
- dockerfmt table header derivation strips string literals before scanning
  for the field, so a dotted token inside a printf format
  ({{.Name | printf "%s.txt"}}) no longer becomes the header column.

Reproducing tests for all except 'compose ls -q' (backend-coupled glue).

* style: gofmt alignment/trailing-newline in compose files

* fix(compose/stats): 5 issues from fourth red-team pass

- compose: $$ is compose's escape for a literal $; Load() was deleting it
  (echo $$HOME -> echo HOME). Collapse $$ to a single $ so literal-dollar
  values (shell vars, cron, hashes) survive interpolation.
- compose images now honors the [SERVICE...] positional filter instead of
  always listing every service's image.
- compose ls defaults to projects with a running container; -a/--all now
  actually includes fully-stopped projects (the flag was dead).
- compose config -q/--quiet now validates silently (prints nothing)
  instead of dumping the full rendered YAML.
- stats: the live-table clear-screen escape is gated on a real terminal,
  so 'dcon stats | cat' no longer injects raw ANSI into piped output.

$$-escape and config -q covered by reproducing tests; the others are
backend-coupled paths (per the repo's manual-validation convention).

* fix(compose): full var-interpolation, named-volume scoping, kill/stop flags

- interpolation: Load() only honored ${VAR:-default}; every other operator
  (:?, :+, -, +, :=) silently produced empty — even for SET variables, so
  'image: app:${TAG:?required}' with TAG=v2 rendered 'app:'. Implement the
  bash/compose parameter-expansion family in a new expandVar (-/:- default,
  +/:+ alternate, ?/:? required-with-error, =/:= default); a required-but-
  unset ${VAR:?} now aborts Load with a clear error.
- named volumes: a service mount of a declared top-level volume used the bare
  key (e.g. 'data:/var/lib') while ensureVolumes created '<project>_data', so
  the container got a different (auto-created) volume than declared and
  'down -v' removed the wrong one. resolveVolume now rewrites a declared named
  volume to its VolumeName (project-scoped / explicit name:), mirroring the
  network resolution.
- compose kill --signal and stop/restart --timeout were registered but
  dropped; lifecycleOnProject now forwards them (the backend kill/stop accept
  --signal/--time), via composeKillArgs/composeStopArgs.

All covered by reproducing tests (expandVar table, required-var Load error,
resolveVolume named volume, kill/stop arg builders).

* fix(compose): rewrite -f/-p shorthand even when a root flag precedes `compose`

rewriteComposeGlobalShorthands early-returned unless args[0]=="compose", so
a root persistent flag before the subcommand (`dcon -D compose -f x.yml up`,
`dcon --host x compose -p proj down`) skipped the rewrite and cobra then
hard-failed with 'unknown shorthand flag: f', diverging from docker which
accepts global flags before `compose`.

Add composeIndex to locate the `compose` token past any root flags (skipping
the value of separated value-flags like --host/--context/--tls*), and rewrite
from there. Covered by new test cases.

* fix: reject non-finite --cpus, unescape --format \t/\n, build progress, doctor builder

- parseCPUs accepted inf/NaN (ParseFloat parses them), emitting --cpus
  9223372036854775807 (Inf) or --cpus 0 (NaN) to the backend; reject
  non-finite values like docker does. Shared by run/create/machine create.
- --format 'table {{.A}}\t{{.B}}' (and the plain template branch) rendered
  a literal backslash-t and never aligned columns; unescape \t/\n to real
  bytes like the docker CLI (this is the documented recipe in SECONDARY.md).
- build --progress quiet was forwarded verbatim and rejected by the backend
  (accepts auto|plain|tty); remap quiet->plain (alongside rawjson).
- doctor's image-builder check used substring "running", which also matches
  "not running"; exclude the negative form via builderRunning.

All covered by reproducing tests.

* fix: honor ignored compose-up flags, fix info/ps/images matching (pass 8)

Recurring-class sweep (ignored flags, substring matches):
- compose up now honors --no-log-prefix (foreground), --timeout (stop grace),
  and --pull always (force-refresh each service image before start). These were
  registered with real-behavior help but never read. (formatLogLine extracted
  for the prefix; followAndWait threads noPrefix + timeout.)
- docker info reported the backend as 'running' when stopped: it used a
  substring match ("running" is inside "not running"). Use parseSystemStatus
  exact-match, like doctor.
- ps --filter status=exited/created/dead returned nothing without -a (default
  fetch was running-only); a status= filter now forces the all-states fetch.
- ps --filter ancestor=alpine matched superstrings like 'myalpine' (substring);
  match repo / repo:tag / full ref via ancestorMatches.
- images REPO filter was built from the un-normalized ref, so
  'images docker.io/library/alpine' returned empty; normalize via ShortImage.
- compose port --protocol UDP was compared case-sensitively to the backend's
  lowercase proto.

Pure helpers (hasStatusFilter/ancestorMatches/imageRefFilter/formatLogLine)
covered by reproducing tests.

* fix: address CodeRabbit review (pass 9)

Resolve the actionable CodeRabbit findings on the red-team sweep:

- compose up: short-circuit the foreground path when zero containers start
  (`up --scale svc=0` no longer hangs on the signal channel)
- run/create: reject the reserved `dcon-machine-` name prefix and
  `dcon.machine*` labels so `dcon run` can't forge a container that
  `dcon machine stop` would resolve (confused-deputy fix)
- ps --filter ancestor: normalize the filter value too, so a fully
  qualified ancestor matches a shortened stored ref (and vice-versa)
- volume create: an explicit empty --name now errors instead of silently
  creating an anonymous volume
- compose: route long-form `type: tmpfs` volumes to --tmpfs instead of a
  disk-backed anonymous --volume
- compose: external named volumes reference their exact name, never the
  project-prefixed one
- pool: destroy reaped VMs only after the state removal is persisted; a
  failed save() no longer tears down still-claimable members

Tests: machine-namespace rejection, ancestor normalization, empty --name,
tmpfs routing, external volumes, MapList label empty-key drop, plus
deterministic unset-var fixtures and a root-proof pool save-failure case.

* docs: document ui/machine packages, refresh binary size

Add the internal/ui and internal/machine architecture notes to CLAUDE.md
and update the make build size estimate (~5.3 MB -> ~6.2 MB).
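
The label-spoof resolution fix and the pass-9 reserved-namespace rejection described in the commit message above, as an added Go sketch that is not code from the dcon repository. It contrasts label-only matching with strict matching on the prefixed id plus the marker label, and adds the create-time rejection. The `container` type, `matchMachineByLabel` and `validateRunRequest` are hypothetical names; `matchMachine`, the `dcon-machine-` prefix and the `dcon.machine` labels are taken from the commit message, but the bodies here are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	machinePrefix = "dcon-machine-"     // reserved backend id prefix (from the commit message)
	machineLabel  = "dcon.machine"      // marker label (from the commit message)
	nameLabel     = "dcon.machine.name" // user-settable name label (from the commit message)
)

// container is a hypothetical minimal view of a backend container.
type container struct {
	ID     string
	Labels map[string]string
}

// matchMachineByLabel models the pre-fix behaviour: it trusts labels that
// any caller of `run --label` can set, so an ordinary container can pose
// as a machine.
func matchMachineByLabel(c container, name string) bool {
	return c.Labels[machineLabel] == "1" && c.Labels[nameLabel] == name
}

// matchMachine models the strict rule: the backend id must be exactly
// dcon-machine-<name> and the marker label must be present. The name
// label is ignored for resolution.
func matchMachine(c container, name string) bool {
	return name != "" && c.ID == machinePrefix+name && c.Labels[machineLabel] == "1"
}

// validateRunRequest models the create-time guard: ordinary run/create may
// not use the reserved name prefix or any dcon.machine* label.
func validateRunRequest(name string, labels map[string]string) error {
	if strings.HasPrefix(name, machinePrefix) {
		return fmt.Errorf("name %q uses reserved prefix %q", name, machinePrefix)
	}
	for k := range labels {
		if strings.HasPrefix(k, machineLabel) {
			return fmt.Errorf("label %q is reserved for machines", k)
		}
	}
	return nil
}

func main() {
	// Constructed sample: an ordinary container carrying spoofed machine labels.
	spoofed := container{ID: "web", Labels: map[string]string{machineLabel: "1", nameLabel: "web"}}
	genuine := container{ID: machinePrefix + "web", Labels: map[string]string{machineLabel: "1"}}

	fmt.Println("label-only, spoofed:", matchMachineByLabel(spoofed, "web"))
	fmt.Println("strict, spoofed:    ", matchMachine(spoofed, "web"))
	fmt.Println("strict, genuine:    ", matchMachine(genuine, "web"))
	fmt.Println("run guard:          ", validateRunRequest("web", spoofed.Labels))
}
```

The two checks are complementary: strict resolution protects `machine rm/stop/shell` against containers that already exist with forged labels, while the create-time guard stops new ones from entering the reserved namespace.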