Merge branch 'main' into CE-654

.changelog/21616.txt

@@ -0,0 +1,3 @@
+```release-note: improvement
+connect: Add Envoy 1.31 and 1.30 to support matrix
+```

.changelog/21703.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6.
+```

.changelog/21704.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Explicitly set 'Content-Type' header to mitigate XSS vulnerability.
+```

.changelog/21710.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Pin a newer resolution of Braces
+```

.changelog/21711.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI.
+```

.changelog/21715.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Pin a newer resolution of Codemirror
+```

.changelog/21717.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Pin a newer resolution of Markdown-it
+```

.changelog/21726.txt

@@ -0,0 +1,3 @@
+```release-note:security
+UI: Remove codemirror linting due to package dependency
+```

.changelog/21729.txt

@@ -0,0 +1,4 @@
+```release-notes:security
+Bump Dockerfile base image to `alpine:3.20`.
+This resolves CVE-2024-7264 and CVE-2024-8096 (curl).
+```

.changelog/21735.txt

@@ -0,0 +1,3 @@
+```release-note:security
+ui: Pin a newer resolution of ansi-html
+```

.github/scripts/check_skip_ci.sh

@@ -13,7 +13,8 @@ set -euo pipefail
 #
 # ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D`
 # `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD)..
-files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD)
+skip_check_branch=${SKIP_CHECK_BRANCH:?SKIP_CHECK_BRANCH is required}
+files_to_check=$(git diff --name-only "$(git merge-base origin/$skip_check_branch HEAD~)"...HEAD)
 
 # Define the directories to check
 skipped_directories=("docs/" "ui/" "website/" "grafana/" ".changelog/")
@@ -46,4 +47,4 @@ for file_to_check in "${files_to_check_array[@]}"; do
 done
 
 echo "Changes detected in only documentation files - skipping tests and build"
-echo "skip-ci=true" >> "$GITHUB_OUTPUT"
+echo "skip-ci=true" >> "$GITHUB_OUTPUT"

.github/workflows/nightly-test-integrations-1.17.x.yml → .github/workflows/nightly-test-integrations-1.20.x.yml

@@ -1,7 +1,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-name: Nightly test-integrations 1.17.x
+name: Nightly test-integrations 1.20.x
 
 on:
   schedule:
@@ -19,19 +19,12 @@ env:
   # strip the hashicorp/ off the front of github.repository for consul
   CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'hashicorp/consul' }}
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
-  BRANCH: "release/1.17.x"
-  BRANCH_NAME: "release-1.17.x"   # Used for naming artifacts
+  BRANCH: "release/1.20.x"
+  BRANCH_NAME: "release-1.20.x"   # Used for naming artifacts
 
 jobs:
-  check-ent:
-    runs-on: ubuntu-latest
-    if: ${{ endsWith(github.repository, '-enterprise') }}
-    steps:
-      - run: echo "Building Enterprise"
-
   setup:
     runs-on: ubuntu-latest
-    needs: [check-ent]
     name: Setup
     outputs:
       compute-small: ${{ steps.runners.outputs.compute-small }}
@@ -48,16 +41,14 @@ jobs:
         run: .github/scripts/get_runner_classes.sh
 
   get-go-version:
-    needs: [check-ent]
     uses: ./.github/workflows/reusable-get-go-version.yml
     with:
-      ref: release/1.17.x
+      ref: release/1.20.x
 
   get-envoy-versions:
-    needs: [check-ent]
     uses: ./.github/workflows/reusable-get-envoy-versions.yml
     with:
-      ref: release/1.17.x
+      ref: release/1.20.x
 
   dev-build:
     needs:
@@ -68,7 +59,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-large }}
       repository-name: ${{ github.repository }}
       uploaded-binary-name: 'consul-bin'
-      branch-name: "release/1.17.x"
+      branch-name: "release/1.20.x"
       go-version: ${{ needs.get-go-version.outputs.go-version }}
     secrets:
       elevated-github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@@ -223,20 +214,21 @@ jobs:
           DATADOG_API_KEY: "${{ endsWith(github.repository, '-enterprise') && env.DATADOG_API_KEY || secrets.DATADOG_API_KEY }}"
           DD_ENV: ci
         run: datadog-ci junit upload --service "$GITHUB_REPOSITORY" $TEST_RESULTS_DIR/results.xml
-
+  
   upgrade-integration-test:
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-large) }}
     needs:
       - setup
       - get-go-version
+      - get-envoy-versions
       - dev-build
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
     strategy:
       fail-fast: false
       matrix:
-        consul-version: ["1.15", "1.16", "1.17"]
+        consul-version: ["1.15", "1.18", "1.19"]
     env:
       CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
       # ENVOY_VERSION should be the latest version supported by _all_ Consul versions in the
@@ -372,7 +364,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        consul-version: [ "1.15", "1.16", "1.17"]
+        consul-version: ["1.15", "1.18", "1.19"]
     env:
       CONSUL_LATEST_VERSION: ${{ matrix.consul-version }}
     steps:
@@ -460,7 +452,7 @@ jobs:
     - upgrade-integration-test
     - upgrade-integration-test-deployer
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
-    if: ${{ always() && endsWith(github.repository, '-enterprise') }}
+    if: ${{ always() }}
     steps:
       - name: evaluate upstream job results
         run: |

.github/workflows/security-scan.yml

@@ -9,38 +9,27 @@ on:
     branches:
       - main
       - release/**
+    paths-ignore:
+      - 'docs/**'
+      - 'grafana/**'
+      - '.changelog/**'
 
 # cancel existing runs of the same workflow on the same ref
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  conditional-skip:
-    runs-on: ubuntu-latest
-    name: Get files changed and conditionally skip CI
-    outputs:
-      skip-ci: ${{ steps.read-files.outputs.skip-ci }}
-    steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-        with:
-          fetch-depth: 0
-      - name: Get changed files
-        id: read-files
-        run: ./.github/scripts/check_skip_ci.sh
-
   setup:
-    needs: [conditional-skip]
     name: Setup
-    if: needs.conditional-skip.outputs.skip-ci != 'true'
     runs-on: ubuntu-latest
     outputs:
       compute-small: ${{ steps.setup-outputs.outputs.compute-small }}
       compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }}
       compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
       compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - id: setup-outputs
         name: Setup outputs
         run: ./.github/scripts/get_runner_classes.sh
@@ -59,15 +48,15 @@ jobs:
       && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}
 
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
       - name: Clone Security Scanner repo
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: hashicorp/security-scanner
           token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
@@ -87,6 +76,6 @@ jobs:
           cat results.sarif | jq
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # codeql-bundle-v2.17.1
+        uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif

.github/workflows/test-integrations.yml

@@ -422,7 +422,8 @@ jobs:
       contents: read
     env:
       ENVOY_VERSION: ${{ needs.get-envoy-versions.outputs.max-envoy-version }}
-      CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.5-dev-ubi"
+      #TODO don't harcode this image name
+      CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.6-dev-ubi"
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       # NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
@@ -535,7 +536,8 @@ jobs:
     strategy:
       fail-fast: false
     env:
-      DEPLOYER_CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.3-dev"
+      # TODO @sarah.alsmiller Don't hardcode this version value
+      DEPLOYER_CONSUL_DATAPLANE_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev"
     steps:
       - name: Checkout code
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

.release/security-scan.hcl

@@ -38,10 +38,7 @@ container {
 		suppress {
 			# N.b. `vulnerabilites` is the correct spelling for this tool.
 			vulnerabilites = [
-				"CVE-2023-46218", # [email protected]
-				"CVE-2023-46219", # [email protected]
-				"CVE-2023-5678",  # [email protected]
-				"CVE-2024-7264", # [email protected]
+				"CVE-2024-8096", # [email protected],
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",

.release/versions.hcl

@@ -6,6 +6,9 @@
 
 schema = 1
 active_versions {
+  version "1.20" {
+    ce_active = true
+  },
   version "1.19" {
     ce_active = true
   }

Dockerfile

@@ -16,7 +16,7 @@
 # Official docker image that includes binaries from releases.hashicorp.com. This
 # downloads the release from releases.hashicorp.com and therefore requires that
 # the release is published before building the Docker image.
-FROM docker.mirror.hashicorp.services/alpine:3.19 as official
+FROM docker.mirror.hashicorp.services/alpine:3.20 as official
 
 # This is the release of Consul to pull in.
 ARG VERSION
@@ -112,7 +112,7 @@ CMD ["agent", "-dev", "-client", "0.0.0.0"]
 
 # Production docker image that uses CI built binaries.
 # Remember, this image cannot be built locally.
-FROM docker.mirror.hashicorp.services/alpine:3.19 as default
+FROM docker.mirror.hashicorp.services/alpine:3.20 as default
 
 ARG PRODUCT_VERSION
 ARG BIN_NAME

Makefile

@@ -73,8 +73,8 @@ CONSUL_IMAGE_VERSION?=latest
 GOLANG_VERSION?=$(shell head -n 1 .go-version)
 # Takes the highest version from the ENVOY_VERSIONS file.
 ENVOY_VERSION?=$(shell cat envoyextensions/xdscommon/ENVOY_VERSIONS | grep '^[[:digit:]]' | sort -nr | head -n 1)
-CONSUL_DATAPLANE_IMAGE := $(or $(CONSUL_DATAPLANE_IMAGE),"docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi")
-DEPLOYER_CONSUL_DATAPLANE_IMAGE := $(or $(DEPLOYER_CONSUL_DATAPLANE_IMAGE), "docker.io/hashicorppreview/consul-dataplane:1.3-dev")
+CONSUL_DATAPLANE_IMAGE := $(or $(CONSUL_DATAPLANE_IMAGE),"docker.io/hashicorppreview/consul-dataplane:1.6-dev-ubi")
+DEPLOYER_CONSUL_DATAPLANE_IMAGE := $(or $(DEPLOYER_CONSUL_DATAPLANE_IMAGE), "docker.io/hashicorppreview/consul-dataplane:1.6-dev")
 
 CONSUL_VERSION?=$(shell cat version/VERSION)
 
@@ -619,6 +619,14 @@ envoy-regen: ## Regenerating envoy golden files
 	@find "command/connect/envoy/testdata" -name '*.golden' -delete
 	@go test -tags '$(GOTAGS)' ./command/connect/envoy -update
 
+
+##@ Changelog
+
+.PHONY: gen-changelog
+gen-changelog: ## Generate changelog entry for the current branch based on the currently open PR for that branch
+	@$(SHELL) $(CURDIR)/build-support/scripts/gen-changelog.sh
+
+
 ##@ Help
 
 # The help target prints out all targets with their descriptions organized
@@ -634,3 +642,4 @@ envoy-regen: ## Regenerating envoy golden files
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+