backport of commit 727c73c

.github/ISSUE_TEMPLATE/config.yml

@@ -1,6 +1,3 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
 contact_links:
   - name: Ask a question
     url: https://discuss.hashicorp.com/c/vault

.github/enos-run-matrices/ent.json

@@ -0,0 +1,24 @@
+{
+  "include": [
+    {
+      "scenario": "smoke backend:consul consul_version:1.12.3 distro:ubuntu seal:awskms arch:amd64 builder:crt edition:ent",
+      "aws_region": "us-west-1"
+    },
+    {
+      "scenario": "smoke backend:raft consul_version:1.12.3 distro:ubuntu seal:shamir arch:amd64 builder:crt edition:ent",
+      "aws_region": "us-west-2"
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.11.7 distro:rhel seal:shamir arch:amd64 builder:crt edition:ent",
+      "aws_region": "us-west-1"
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.11.7 distro:rhel seal:awskms arch:amd64 builder:crt edition:ent",
+      "aws_region": "us-west-2"
+    },
+    {
+      "scenario": "autopilot distro:ubuntu seal:shamir arch:amd64 builder:crt edition:ent",
+      "aws_region": "us-west-1"
+    }
+  ]
+}

.github/enos-run-matrices/oss.json

@@ -0,0 +1,20 @@
+{
+  "include": [
+    {
+      "scenario": "smoke backend:consul consul_version:1.12.3 distro:ubuntu seal:awskms arch:amd64 builder:crt edition:oss",
+      "aws_region": "us-west-1"
+    },
+    {
+      "scenario": "smoke backend:raft consul_version:1.12.3 distro:ubuntu seal:shamir arch:amd64 builder:crt edition:oss",
+      "aws_region": "us-west-2"
+    },
+    {
+      "scenario": "upgrade backend:raft consul_version:1.11.7 distro:rhel seal:shamir arch:amd64 builder:crt edition:oss",
+      "aws_region": "us-west-1"
+    },
+    {
+      "scenario": "upgrade backend:consul consul_version:1.11.7 distro:rhel seal:awskms arch:amd64 builder:crt edition:oss",
+      "aws_region": "us-west-2"
+    }
+  ]
+}

.github/scripts/gh_comment.sh

@@ -16,8 +16,7 @@ function update_or_create_comment {
                  -H "Accept: application/vnd.github+json" \
                  -H "X-GitHub-Api-Version: 2022-11-28" \
                  --paginate \
-                 /repos/hashicorp/"$REPO"/issues/"$PR_NUMBER"/comments |
-                 jq -r --arg SEARCH_KEY "$SEARCH_KEY" '.[] | select (.body | startswith($SEARCH_KEY)) | .id')
+                 /repos/hashicorp/"$REPO"/issues/"$PR_NUMBER"/comments | jq -r --arg SEARCH_KEY "$SEARCH_KEY" '.[] | select (.body | contains($SEARCH_KEY)) | .id')
 
   if [[ "$comment_id" != "" ]]; then
     # update the comment with the new body

.github/workflows/backport.yml

@@ -11,11 +11,11 @@ jobs:
   backport-targeted-release-branch:
     if: github.event.pull_request.merged
     runs-on: ubuntu-latest
-    container: hashicorpdev/backport-assistant:0.3.3
+    container: hashicorpdev/backport-assistant:0.2.5
     steps:
       - name: Backport changes to targeted release branch
         run: |
-          backport-assistant backport -merge-method=squash -gh-automerge 
+          backport-assistant backport
         env:
           BACKPORT_LABEL_REGEXP: "backport/(?P<target>\\d+\\.\\d+\\.[+\\w]+)"
           BACKPORT_TARGET_TEMPLATE: "release/{{.target}}"

.github/workflows/build-vault-oss.yml

@@ -59,6 +59,8 @@ jobs:
           GOARCH: ${{ inputs.goarch }}
           GOOS: ${{ inputs.goos }}
           GO_TAGS: ${{ inputs.go-tags }}
+          # We started stripping symbol tables in 1.13.x
+          KEEP_SYMBOLS: true
         run: make ci-build
       - name: Determine artifact basename
         env:

.github/workflows/build.yml

@@ -4,11 +4,6 @@ name: build
 on:
   workflow_dispatch:
   pull_request:
-    # The default types for pull_request are [ opened, synchronize, reopened ].
-    # This is insufficient for our needs, since we're skipping stuff on PRs in
-    # draft mode.  By adding the ready_for_review type, when a draft pr is marked
-    # ready, we run everything, including the stuff we'd have skipped up until now.
-    types: [opened, synchronize, reopened, ready_for_review]
   push:
     branches:
       - main
@@ -98,7 +93,7 @@ jobs:
         name: Set up node and yarn
         uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         with:
-          node-version-file: ui/package.json
+          node-version: 14
           cache: yarn
           cache-dependency-path: ui/yarn.lock
       - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
@@ -216,15 +211,6 @@ jobs:
 
   test:
     name: Test ${{ matrix.build-artifact-name }}
-    # Only run the Enos workflow against branches that are created from the
-    # hashicorp/vault repository. This has the effect of limiting execution of
-    # Enos scenarios to branches that originate from authors that have write
-    # access to hashicorp/vault repository. This is required as Github Actions
-    # will not populate the required secrets for branches created by outside
-    # contributors in order to protect the secrets integrity.
-    # This condition can be removed in future if enos workflow is updated to
-    # workflow_run event
-    if: "! github.event.pull_request.head.repo.fork"
     needs:
       - product-metadata
       - build-linux
@@ -248,16 +234,6 @@ jobs:
 
   test-docker-k8s:
     name: Test Docker K8s
-    # Only run the Enos workflow against branches that are created from the
-    # hashicorp/vault repository. This has the effect of limiting execution of
-    # Enos scenarios to branches that originate from authors that have write
-    # access to hashicorp/vault repository. This is required as Github Actions
-    # will not populate the required secrets for branches created by outside
-    # contributors in order to protect the secrets integrity.
-    # GHA secrets are only ready on workflow_run for public repo
-    # This condition can be removed in future if enos workflow is updated to
-    # workflow_run event
-    if: "! github.event.pull_request.head.repo.fork"
     needs:
       - product-metadata
       - build-docker
@@ -314,7 +290,7 @@ jobs:
     steps:
       - run: |
           tr -d '\n' <<< '${{ toJSON(needs.*.result) }}' | grep -q -v -E '(failure|cancelled)'
-
+          
   notify-completed-successfully-failures-oss:
     if: ${{ always() && github.repository == 'hashicorp/vault' && needs.completed-successfully.result == 'failure' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }}
     runs-on: ubuntu-latest

.github/workflows/ci.yml

@@ -39,7 +39,7 @@ jobs:
             # shellcheck disable=SC2129
             echo 'compute-small=["self-hosted","ondemand","linux","type=c6a.large"]' >> "$GITHUB_OUTPUT"     #  2x vCPUs,  4 GiB RAM,
             echo 'compute-medium=["self-hosted","ondemand","linux","type=c6a.xlarge"]' >> "$GITHUB_OUTPUT"   #  4x vCPUs,  8 GiB RAM,
-            echo 'compute-large=["self-hosted","ondemand","linux","type=c6a.2xlarge"]' >> "$GITHUB_OUTPUT"   #  8x vCPUs, 16 GiB RAM,
+            echo 'compute-large=["self-hosted","ondemand","linux","type=c6a.2xlarge","disk_gb=64"]' >> "$GITHUB_OUTPUT"   #  8x vCPUs, 16 GiB RAM,
             echo 'compute-largem=["self-hosted","ondemand","linux","type=m6a.2xlarge"]' >> "$GITHUB_OUTPUT"  #  8x vCPUs, 32 GiB RAM,
             echo 'compute-xlarge=["self-hosted","ondemand","linux","type=c6a.4xlarge"]' >> "$GITHUB_OUTPUT"  # 16x vCPUs, 32 GiB RAM,
             echo 'enterprise=1' >> "$GITHUB_OUTPUT"
@@ -196,14 +196,14 @@ jobs:
       # Setup node.js without caching to allow running npm install -g yarn (next step)
       - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         with:
-          node-version-file: './ui/package.json'
+          node-version: 14
       - id: install-yarn
         run: |
           npm install -g yarn
       # Setup node.js with caching using the yarn.lock file
       - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
         with:
-          node-version-file: './ui/package.json'
+          node-version: 14
           cache: yarn
           cache-dependency-path: ui/yarn.lock
       - id: install-browser
@@ -261,7 +261,7 @@ jobs:
           name: test-results-ui
           path: ui/test-results
         if: success() || failure()
-      - uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
+      - uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f  # TSCCR: no entry for repository "test-summary/action"
         with:
           paths: "ui/test-results/qunit/results.xml"
           show: "fail"
@@ -279,15 +279,23 @@ jobs:
           tr -d '\n' <<< '${{ toJSON(needs.*.result) }}' | grep -q -v -E '(failure|cancelled)'
 
   notify-tests-completed-failures-oss:
-    if: ${{ always() && github.repository == 'hashicorp/vault' && needs.tests-completed.result == 'failure' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }}
+    if:  |
+      always() &&
+      github.repository == 'hashicorp/vault' &&
+      (needs.test-go.result == 'failure' ||
+      needs.test-go-fips.result == 'failure' ||
+      needs.test-go-race.result == 'failure') &&
+      (github.ref_name == 'main' || startsWith(github.ref_name, 'release/'))
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
     strategy:
       fail-fast: false
     needs:
-      - tests-completed
+      - test-go
+      - test-go-fips
+      - test-go-race
     steps:
       - name: send-notification
         uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
@@ -301,15 +309,23 @@ jobs:
             {"text":"OSS test failures on ${{ github.ref_name }}","blocks":[{"type":"header","text":{"type":"plain_text","text":":rotating_light: OSS test failures :rotating_light:","emoji":true}},{"type":"divider"},{"type":"section","text":{"type":"mrkdwn","text":"test(s) failed on ${{ github.ref_name }}"},"accessory":{"type":"button","text":{"type":"plain_text","text":"View Failing Workflow","emoji":true},"url":"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}}]}
 
   notify-tests-completed-failures-ent:
-    if: ${{ always() && github.repository == 'hashicorp/vault-enterprise' && needs.tests-completed.result == 'failure' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }}
+    if: |
+      always() &&
+      github.repository == 'hashicorp/vault-enterprise' &&
+      (needs.test-go.result == 'failure' ||
+      needs.test-go-fips.result == 'failure' ||
+      needs.test-go-race.result == 'failure') &&
+      (github.ref_name == 'main' || startsWith(github.ref_name, 'release/'))
     runs-on: ['self-hosted', 'linux', 'small']
     permissions:
       id-token: write
       contents: read
     strategy:
       fail-fast: false
     needs:
-      - tests-completed
+      - test-go
+      - test-go-fips
+      - test-go-race
     steps:
       - id: vault-auth
         name: Vault Authenticate

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,50 @@
+name: "Code scanning - scheduled (weekly) or on-demand"
+
+on:
+  schedule:
+    - cron: '0 15 * * 0'
+  workflow_dispatch:
+
+jobs:
+  CodeQL-Build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # codeql-bundle-v2.13.4
+      # Override language selection by uncommenting this and choosing your languages
+      with:
+        languages: go, javascript
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # codeql-bundle-v2.13.4
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # codeql-bundle-v2.13.4

.github/workflows/enos-release-testing-oss.yml

@@ -64,7 +64,6 @@ jobs:
 
   save-metadata:
     runs-on: linux
-    if: always()
     needs: test
     steps:
       - name: Persist metadata

.github/workflows/oss.yml

@@ -68,7 +68,7 @@ jobs:
       - if: github.event.pull_request != null && steps.changes.outputs.ui == 'true'
         run: echo "PROJECT=171" >> "$GITHUB_ENV"
 
-      - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0
+      - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0 # TSCCR: no entry for repository "actions/add-to-project"
         with:
           project-url: https://github.com/orgs/hashicorp/projects/${{ env.PROJECT }}
           github-token: ${{ secrets.TRIAGE_GITHUB_TOKEN }}