Bump actions/checkout from 4 to 6#82
Closed
dependabot[bot] wants to merge 302 commits intomainfrom
Closed
Conversation
pilotctl daemon start was not reading email from config.json and not forwarding --email to the daemon subprocess, making v1.4.0 unusable for the mandatory email flow. Changes: - Fix pilotctl to read email from config.json and forward --email flag - Rename DaemonInfo.Owner to Email, IPC key owner→email - Add --email to install.sh (LaunchAgent, systemd, config, prompts) - Rename -owner to -email across all docs, examples, blog posts - Update tests for Email field rename
The website copy was missing the email prompt, config.json email field, systemd -email flag, and macOS LaunchAgent -email entries.
Security fixes: - Add trust gate to handleDatagramPacket (private nodes drop untrusted datagrams, matching SYN gate behavior) - Move trust check before rate limiting so untrusted sources cannot waste rate-limit tokens - Silent drop on untrusted SYN instead of RST to prevent leaking node existence - Normalize hostname resolve errors (denied returns same message as not-found to prevent enumeration) Tests: - Unskip 5 network tests (persistence, replication, broadcast exclusion, network create/join/leave via client) - Add 4 new trust gate tests (public node accepts untrusted SYN, datagram rejected from untrusted, datagram allowed from same network, datagram rejection webhook)
- Add -admin-token flag to cmd/rendezvous (was missing, network creation silently disabled on deployed rendezvous) - Add DeleteNetwork to registry protocol (admin-gated, cannot delete backbone, cleans member node network lists, persists state) - Add admin token bypass for backbone node listing - Update ListNodes client to accept optional admin token - Guard internal tooling build in Makefile
Test suite was at 55s on the last passing run — adding new tests pushed it past the 60s limit on both Ubuntu and macOS runners.
Remove cfg.IdentityPath = t.TempDir() overrides from test files. Go's LIFO cleanup order removes TempDir before env.Close() stops daemons, causing "directory not empty" errors on macOS. AddDaemon already sets identity path in the env's managed tmpDir.
… fleet enrollment, network CLI - Webhook reliability: monotonic event IDs, 3-retry exponential backoff, dropped counter, drain timeout - Registry audit events: structured audit() calls in 18 mutation handlers (slog JSON, filterable via jq) - Invite-requires-acceptance: pending invite inbox, poll/respond flow, persistence in snapshots - Daemon auto-join: config-driven fleet enrollment via --admin-token and --networks flags - pilotctl network commands: list, join, leave, members, invite, accept, reject via IPC - Dashboard: remove network names from Polo API and HTML - README: fix misleading claims (zero dependencies, no servers), clarify rendezvous architecture - Website: correct marketing copy across homepage, docs, and 10+ blog posts - Console/admin binaries added to gitignore - 845 tests passing (13 new test files, 44+ new tests)
…, observability - Secure channel authentication: Ed25519 identity verification inside ECDH tunnel - Registry hardening: per-operation rate limits, connection limits, 64KB message cap, snapshot checksums - Peer resilience: endpoint caching with TTL, automatic reconnection on tunnel failure - Observability: /healthz endpoint on beacon, pilotctl health command, daemon uptime/stats - RBAC: owner/admin/member roles per network, role-gated mutations, legacy snapshot backfill - Protocol versioning: version field in handshake, compatibility negotiation - Network policies: max_members, allowed_ports, description with merge-on-update semantics - Key lifecycle: CreatedAt/RotatedAt/RotateCount/ExpiresAt metadata, set_key_expiry command - Invite consent fix: PollInvites non-destructive, RespondInvite verifies + consumes invite - Policy merge fix: partial updates preserve unset fields - Key age guard: zero-time check prevents bogus age for legacy nodes - 8 new test files, 43 new tests passing
Release workflow (triggered by v* tags): - Builds binaries for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64 - Smoke tests: verifies binaries execute, registry starts/stops, pilotctl responds - Integration harness: spins up registry + beacon + 2 daemons, verifies info/health - Creates GitHub release with tar.gz archives and SHA-256 checksums - Pre-release detection for -rc/-beta tags Skip 5 tests in CI that fail due to GitHub Actions runner constraints: - TestIPv6EndToEnd: IPv6 UDP routing unavailable - TestGracefulShutdown: deregister timing race - TestWebhook_NodeDeregistered: webhook delivery timing - TestTunnelEncryptionBackwardCompat: encryption fallback timing - TestRegistryReplication: standby persistence timing All 5 pass locally — skipped only when CI env var is set.
PILOT_RC=1 curl -fsSL https://pilotprotocol.network/install.sh | sh When set, the installer fetches the newest release (including pre-releases) instead of only the latest stable release. Default behavior unchanged.
- Replace static sitemap.xml with build-time generated sitemap.xml.ts that auto-includes all blog posts and doc pages - Add publish-worker (Cloudflare Worker) with HMAC-SHA256 auth, payload validation, GitHub Git Data API atomic commits, and auto-generated OG banner images via Gemini + Browser Rendering - Add deploy-website.yml GitHub Action to build and deploy the website to Cloudflare Pages on pushes to web/** - 63 tests across auth, template, banner, and handler modules
- /for/mcp: Landing page targeting MCP users — "Give your MCP servers a network" - /for/p2p: Landing page targeting P2P builders — "Direct peer-to-peer for AI agents" - Blog: Connecting MCP Servers to Agents Across Any Network - Blog: Peer-to-Peer Agent Communication: No Server Required - Both landing pages emphasize one-command install and zero config
… enrichment, security hardening - Registry: add admin_token fallback for set_hostname, set_visibility, set_tags, set_task_exec, set_key_expiry (console can manage nodes without node signatures) - Registry: add in-memory audit ring buffer (1000 entries) with get_audit_log handler - Registry: enrich list_nodes with public/tags fields for enterprise members - Registry: add requireAdminTokenLocked to avoid deadlock when handlers hold s.mu.Lock - Registry client: add SetHostnameAdmin, SetVisibilityAdmin, SetTagsAdmin, SetTaskExecAdmin, SetKeyExpiryAdmin, GetAuditLog methods - Security: phase 1 audit fixes (H3 registry auth, H4 replication auth, H12 per-port accept, M12 P2P handshake signing) - Tests: update enterprise test suite, add enterprise_gate_test.go
Replace Research and Playground nav items with a Solutions dropdown containing links to /for/mcp and /for/p2p landing pages. Mobile menu updated with grouped sections.
…layground Apply consistent navbar to index.html, plans.html, BlogFooter.astro: replace Research and Playground with Solutions dropdown (MCP, P2P). Update footer links site-wide.
- Emit polo_score.updated audit event on score delta updates - Emit polo_score.set audit event on absolute score changes - Emit network.enterprise_changed audit event on enterprise flag toggle
- Emit node.re_registered audit event for all 4 re-registration modes (existing_identity, reclaimed_identity, owner_key_update, owner_reclaim) - Emit node.reaped audit event when stale nodes are removed by background reaper
…xtraction, add audit API tests - Add polo_score, tags, public fields to backbone (network 0) node listing - Add polo_score to network member listing - Fix appendAudit to extract network_id from attrs (was only in details string) - Exclude network_id from details string to avoid duplication - Add TestAuditLogAPI: tests get_audit_log endpoint, filtering, auth, ordering - Add TestAuditLogRingBuffer: verifies 1000-entry cap and default limit
- TestEnterpriseToggle: verifies enable/disable enterprise flag gates RBAC operations and emits audit events for each toggle - TestPoloScoreConcurrent: 50 workers each increment by +1, verifies final score is exactly 50 (mutex serialization)
TestAdminNodeManagement exercises SetHostnameAdmin, SetVisibilityAdmin, SetTagsAdmin, SetTaskExecAdmin, and SetKeyExpiryAdmin via admin_token. Verifies both successful operations and wrong-token rejection.
- Persist audit log entries in the registry JSON snapshot - Restore audit log on load (separate auditMu lock, no deadlock) - Fix appendAudit to properly extract network_id from attrs - Add TestAuditLogPersistence: verifies entries survive restart
Removed the trust links badge from the README. Trust link counter broken since new networks. Removing since now irrelevant.
- Extract SSRF validator into pkg/urlvalidate and apply to every registry URL surface (IDP config, webhook target, snapshot restore). - Match cloud metadata hostnames case-insensitively; prior check bypassed when the attacker uppercased a segment. - Validate URLs when restoring snapshots so a tainted snapshot can't smuggle a malicious IDP/webhook URL on startup. - Cap crypto-map growth and short-circuit before scalar-mult when the unauth map is already at the bound. - Add SPDX headers to all registry sources; tighten tests for the new validator paths.
Tunnel + crypto: - Rekey-request on encrypted packets with no key (half-rekey recovery). - Recover from half-rekey replay-window desync. - Classify stale tunnel packets separately from true nonce replays. - Cap lastRekeyReq map and relayPeers to prevent unbounded growth under rekey flood / spoofed relay senders. - Chunk driver Conn.Write for payloads above the 1 MiB IPC cap. - Re-register promptly when registry rejects our identity. Policy runner: - Per-peer cycle scoring (evaluatePerPeerCycle) so shipped policies that tithe / anti-camp / burnout actually tick per-peer. - Cycle minimum lowered from 1 minute to 1 second (validator + runner). - Bootstrap honours EventJoin deny directive. - applyMembershipDiff refreshes tags for existing peers. - 60 s recentlyEvicted cooldown to prevent reconciler re-add. - Beacon-relay-reachable marker on rekey arrival so restarted peers stay dialable via the beacon path. IPC server: - MaxIPCClients cap now enforced by accept-then-close (the kernel listen backlog silently expanded SOMAXCONN and defeated the sleep-gate). - ipcConn write mutex to keep concurrent goroutines' frames aligned. - SubManagedReconcile (0x07) so pilotctl can drive policy reconcile. Task pipeline + event broker: - eventBroker reads through daemon.webhook on each emit so a runtime set-webhook URL change isn't masked by a cached nil pointer. - SendDatagram emits slog.Warn + webhook datagram.port_rejected when policy denies. - Fix trust revocation not propagating to remote peer. - Fix task execute FIFO (was alphabetical by UUID) and CreatedAt precision (millisecond ties). - Fix submitter-side task auto-cancel on accept timeout. - Fix inbox display ordering (ts+seq, not type prefix). - Fix message loss when inbox files arrive in the same millisecond. - Expose status_justification in task list output. - Add pilotctl task result to surface delivered payloads.
…headers
- Surface gateway listener bind failures at warn level; regression test.
- Add dataexchange round-trip tests.
- Harden beacon server small-path handling.
- Add SPDX headers across pkg/{beacon,config,dataexchange,gateway,
logging,nameserver,updater}.
- cmd/pilotctl: add set-webhook / clear-webhook, managed reconcile,
task result, refined daemon start flags.
- cmd/rendezvous, cmd/beacon, cmd/gateway, cmd/daemon, cmd/nameserver,
cmd/registry, cmd/updater: align flag surfaces, tighten startup logs.
- Makefile: ci, test-integration-quick, test-integration-full,
sdk-lib{,-linux,-darwin}, release targets.
- install.sh: updater sidecar path + prompt refinement.
- Repo hygiene: .dockerignore, .mailmap, .markdownlint{,ignore}.json,
expand .gitignore and .pre-commit-config.yaml.
- internal/{account,crypto,fsutil,ipcutil,pool,validate}: SPDX headers
and validation tightening.
Harness:
- run-all.sh: parallel runner with per-worker COMPOSE_PROJECT_NAME /
RFC5737 NAT lanes, timing.tsv, per-test logs, summary.md.
- _lib.sh, topology_helpers.sh, nat_test_common.sh, chaos_helpers.sh,
policy_helpers.sh, sec_helpers.sh: shared waits, sweeps, lane
acquisition.
- Docker Compose overlays for chaos (netem), NAT variants
(full/restricted/symmetric/CGN/hairpin/egress-443-only/multihomed/
dual-symmetric/ipv6/address-restricted), webhook sink, gateway,
policy (+admin token), 3/5/10-agent rings, split-brain, star5 hub.
New tests (sample):
- Chaos: packet loss 10/30 %, reorder, 200 ms delay — all 7 op families.
- NAT: 16 variants covering all RFC4787 NAT types + bandwidth/latency/
loss/reorder/MTU perturbations.
- Policy: connect/datagram/join allow/deny/score/tag, cycle evict,
cycle fill_trust, cycle prune_trust, cycle webhook, shipped configs.
- Webhook: file_delivered, message_received, polo_updated, pubsub_
published, task_submitted, task_completed, trust_changed, tunnel_
established, agent_registered, exactly_once_on_restart.
- Security: beacon amplification, IPC exhaustion, malformed frame,
oversized payload, pubsub spam, rekey flood, replay-after-rekey,
spoofed node-id, sym-NAT spoof, sybil reputation, trust-grant forgery.
- Task pipeline: FIFO sequential burst, polo gate rejection/recovery,
message chain, bidirectional services, progress events, invalid
states, policy decline, result integrity, description integrity.
- Resilience: rendezvous restart mid-flight, beacon restart mid-flight,
sender clean-restart, receiver sigkill, partition heal, split-brain
heal/divergence, ghost peer ping, midrekey send-file/message/task-
submit/task-results.
- Duration: idle 10 min, steady 10 min, short-cycle policy 1 min,
compressed 24 h (300 s of 1 s cycles).
- Fan-in / fan-out: 3-agent tasks, 5-agent pubsub, star hub fanout.
- Observability: dashboard polo truth, log peer rekeyed, metric
encrypt_ok, tasklist vs disk, dashboard HTTP surface.
Fixtures:
- tests/integration/fixtures/policies/{connect,datagram,join}_{allow,
deny,score}.json, cycle_{evict,fill_trust,prune_trust,webhook}.json,
short_cycle_webhook.json.
- Shipped blueprint round-trip validator (all 34 configs).
Go tests:
- tests/*: multi-container edges, window behaviour, zero-window stall.
Blueprints (configs/networks/*.json): anti-camping, aristocracy, burnout, cold-shoulder, cooling-off, data-exchange-policy, dunbar-150, first-in-first-out, forgiveness, gift-economy, golden-hour, gossip-tax, grudge-match, half-life, high-trust-society, karma-ledger, last-in-first-out, lottery, meritocracy, meritocracy-rating, mutual-admiration, old-guard, ostracism, pay-it-forward, rotating-chairs, seniority, small-circle, stable-state, sybil-gauntlet, tithe, trust-decay, two-strikes, vouching-chain, whale-hunt. Each blueprint validates at test time via provisioning round-trip. Also: add allow-echo-connect rule to data-exchange-policy so port 7 probes aren't denied by default-deny.
- README, CONTRIBUTING, CHANGELOG, CODE_OF_CONDUCT, GOVERNANCE, SECURITY, THIRD_PARTY_LICENSES. - docs: WHITEPAPER.tex (v1.7 draft), enterprise-readiness-report, research comparison + social-structures, blog posts. - examples/go: client, dataexchange, echo, eventstream, httpclient, secure, webserver refreshed. - examples/python_sdk: README + task_submit_demo.py. - examples/cli/BASIC_USAGE.md: refreshed. - web/src: homepage design refresh, blog layout, navbar; remove stale SKILLS.md. - sdk/python: pyproject updates.
- .github/CODEOWNERS, dependabot.yml, pull_request_template.md. - k8s/: pilot-website (deployment, service, ingress, alerts, blackbox, dashboard, probes), pilot-install-canary, pilot-probe, pilot- exporter, pilot-release, gcp-vms bootstraps.
srv.ListenAndServe spins up the bind in a goroutine; macOS-latest CI is slow enough that Dial fired before the listener accepted and saw `dial: daemon: connection refused`. Retry Dial briefly so the server goroutine has a chance to bind.
- tests/integration/local/logs/{.queue,.results,.timing.tsv}: per-run
output of run-all.sh.
- tests/integration/local/results/{gw_last_task.txt,p2p_summary.txt}:
per-run test output artifacts.
- web/src/pages/blog/.astro/: astro content-type generation cache.
Files stay on disk (regenerated by the tooling); only removed from
tracking. Added matching .gitignore rules to prevent re-commit.
Each ships as an open-join, default-deny network with the same service-tag-gated traffic shape as data-exchange-policy: peers tagged "service" can connect/dial freely on data ports; everyone else gets echo (port 7) and text (port 1000), and can receive files (port 1001) from service nodes. Categories: science, geo, reference, health, government, news, finance, dev, transit, sports, academic, language, security, food, entertainment, knowledge, flights, weather, traffic, vehicles, gov-finance, economics, climate, packages, culture, data, books, music, space, nature. All 30 pass TestShippedNetworkBlueprintsLoadAndValidate.
- 30 open-data networks (academic, books, climate, culture, data, dev, economics, entertainment, finance, flights, food, geo, gov-finance, government, health, knowledge, language, music, nature, news, packages, reference, science, security, space, sports, traffic, transit, vehicles, weather) switch from service-tag-gated to default-allow with explicit open-connect / open-dial / open-datagram rules. Any peer can talk to any other peer on any port. - SHIPPED.md catalogs all 64 networks (33 reputation/membership policies + 30 open-data + data-exchange-policy reference). - Untrack .claude/PROBLEM-REGISTRY.md (already in .gitignore via .claude/). The apply-networks workflow will re-provision each of the 30 changed configs against the production registry; findOrCreateNetwork looks up by name so existing IDs (44–73) are reused, only the expr_policy is replaced.
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/checkout from 4 to 6.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)