Merge remote-tracking branch 'origin/master' into fix/last-encoding

.github/actions/spelling/allow.txt

@@ -440,8 +440,8 @@ rsyslogd
 scriptblock
 servlet
 Sinjo
-shannon
 sublocation
+shannon
 sundar
 svcb
 snyk
@@ -526,3 +526,4 @@ JetBrains
 gifs
 meme
 simdutf
+vhosts

.github/audit.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   security_audit:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v1
       - uses: actions-rs/audit-check@v1

.github/workflows/changes.yml

@@ -129,7 +129,7 @@ on:
 jobs:
   # Detects changes that are not specific to integration tests
   source:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 5
     if: ${{ inputs.source }}
     outputs:

.github/workflows/ci-integration-review.yml

@@ -84,7 +84,7 @@ jobs:
 
   integration-tests:
     needs: prep-pr
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     strategy:
       matrix:
@@ -117,7 +117,7 @@ jobs:
 
   e2e-tests:
     needs: prep-pr
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4

.github/workflows/cli.yml

@@ -8,7 +8,7 @@ permissions:
 
 jobs:
   test-cli:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     env:
       CARGO_INCREMENTAL: 0
@@ -44,7 +44,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-cargo-
 
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: echo "::add-matcher::.github/matchers/rust.json"
       - run: make test-cli

.github/workflows/compilation-timings.yml

@@ -13,18 +13,18 @@ env:
 jobs:
   release-build-optimized:
     name: "Release Build (optimized)"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build --release
 
   release-build-normal:
     name: "Release Build (normal)"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     env:
       # We're not actually doing a debug build, we're just turning off the logic
       # in release-flags.sh so that we don't override the Cargo "release" profile
@@ -33,29 +33,29 @@ jobs:
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build --release
 
   debug-build:
     name: "Debug Build"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build
 
   debug-rebuild:
     name: "Debug Rebuild"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build
@@ -64,11 +64,11 @@ jobs:
 
   check:
     name: "Cargo Check"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo check

.github/workflows/component_features.yml

@@ -22,7 +22,7 @@ permissions:
 jobs:
   check-component-features:
     # use free tier on schedule and 8 core to expedite results on demand invocation
-    runs-on: ${{ github.event_name == 'schedule' && 'ubuntu-20.04' || 'ubuntu-20.04-8core' }}
+    runs-on: ${{ github.event_name == 'schedule' && 'ubuntu-24.04' || 'ubuntu-24.04-8core' }}
     if: github.event_name == 'pull_request_review' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
     steps:
       - name: (PR review) Set latest commit status as pending
@@ -44,7 +44,7 @@ jobs:
         if: github.event_name != 'pull_request_review'
         uses: actions/checkout@v4
 
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: echo "::add-matcher::.github/matchers/rust.json"
       - run: make check-component-features

.github/workflows/create_preview_sites.yml

@@ -42,7 +42,7 @@ jobs:
           const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
-             run_id: ${{ github.event.workflow_run.id }},
+             run_id: context.runId,
           });
           const matchArtifact = artifacts.data.artifacts.filter(artifact => artifact.name == "pr")[0];
           const download = await github.rest.actions.downloadArtifact({
@@ -55,36 +55,86 @@ jobs:
 
     # Extract the info from the artifact and set variables
     - name: Extract PR info from artifact
-      run: |
-        unzip pr.zip -d pr
-        BRANCH_NAME=$(cat ./pr/branch)
-        SANITIZED_BRANCH_NAME=$(echo "$BRANCH_NAME" | sed 's/[\/\.]/-/g')
-        echo "SANITIZED_BRANCH_NAME=$SANITIZED_BRANCH_NAME" >> $GITHUB_ENV
-        echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+      uses: actions/github-script@v7.0.1
+      with:
+        script: |
+          const fs = require('fs');
+          const { execSync } = require('child_process');
+          const path = require('path');
+          const core = require('@actions/core');
+
+          execSync('unzip pr.zip -d pr');
+          const branchName = fs.readFileSync(path.join('pr', 'branch'), 'utf8').trim();
+          const prNumber = fs.readFileSync(path.join('pr', 'number'), 'utf8').trim();
+          const integrity = fs.readFileSync(path.join('pr', 'integrity'), 'utf8').trim();
+
+          // Validate branch name again (only allow alphanumeric, dash, and underscore)
+          const branchNameRegex = /^[a-zA-Z0-9_\-]+$/;
+          if (!branchNameRegex.test(branchName)) {
+            core.setFailed(`Invalid branch name detected: ${branchName}`);
+            return;
+          }
+
+          const sanitizedBranchName = branchName.replace(/[\/\.]/g, '-');
+          core.exportVariable('SANITIZED_BRANCH_NAME', sanitizedBranchName);
+          core.exportVariable('BRANCH_NAME', branchName);
+          core.exportVariable('PR_NUMBER', prNumber);
+          core.exportVariable('INTEGRITY', integrity);
+
+    # Validate the integrity of the artifact
+    - name: Validate Artifact Integrity
+      uses: actions/github-script@v7.0.1
+      with:
+        script: |
+          const crypto = require('crypto');
+          const core = require('@actions/core');
+
+          const prNumber = process.env.PR_NUMBER;
+          const branchName = process.env.BRANCH_NAME;
+          const integrity = process.env.INTEGRITY;
+
+          const numberHash = crypto.createHash('sha256').update(prNumber).digest('hex');
+          const branchHash = crypto.createHash('sha256').update(branchName).digest('hex');
+          const expectedIntegrity = `${numberHash}:${branchHash}`;
+
+          if (expectedIntegrity !== integrity) {
+            core.setFailed('Artifact integrity validation failed');
+          }
 
     # Kick off the job in amplify
     - name: Deploy Site
-      env:
-        APP_ID: ${{ inputs.APP_ID }}
-        APP_NAME: ${{ inputs.APP_NAME }}
-        REQUEST_TOKEN: ${{ secrets.REQUEST_TOKEN }}
-        REQUEST_MESSAGE: ${{ secrets.REQUEST_MESSAGE }}
-        ENDPOINT: ${{ secrets.ENDPOINT }}
-      run: |
-        sleep 20
-        HMAC_KEY=$(echo -n $REQUEST_MESSAGE | openssl dgst -sha256 -hmac "$REQUEST_TOKEN" | cut -d" " -f2)
-        SIGNATURE="sha256=$HMAC_KEY"
-        RESPONSE_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
-             -H "Content-Type: application/json" \
-             -H "X-Hub-Signature: $SIGNATURE" \
-             -d "{\"app_id\": \"$APP_ID\", \"branch_name\": \"$BRANCH_NAME\"}" \
-          "$ENDPOINT")
-
-        # check the response code and fail if not 200
-        if [ "$RESPONSE_CODE" != "200" ]; then
-          echo "Request failed with response code $RESPONSE_CODE"
-          exit 1
-        fi
+      uses: actions/github-script@v7.0.1
+      with:
+        script: |
+          const crypto = require('crypto');
+          const fetch = require('node-fetch');
+          const core = require('@actions/core');
+
+          const appId = core.getInput('APP_ID');
+          const appName = core.getInput('APP_NAME');
+          const requestToken = core.getSecret('REQUEST_TOKEN');
+          const requestMessage = core.getSecret('REQUEST_MESSAGE');
+          const endpoint = core.getSecret('ENDPOINT');
+          const sanitizedBranchName = process.env.SANITIZED_BRANCH_NAME;
+
+          const hmacKey = crypto.createHmac('sha256', requestToken).update(requestMessage).digest('hex');
+          const signature = `sha256=${hmacKey}`;
+
+          const response = await fetch(endpoint, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'X-Hub-Signature': signature,
+            },
+            body: JSON.stringify({
+              app_id: appId,
+              branch_name: sanitizedBranchName,
+            }),
+          });
+
+          if (!response.ok) {
+            core.setFailed(`Request failed with response code ${response.status}`);
+          }
 
     # Add preview link to comment if all 3 sites successfully start
     - name: Comment Preview Link
@@ -99,7 +149,7 @@ jobs:
           const fs = require('fs');
           const prNumber = fs.readFileSync('./pr/number', 'utf8');
           const issueNumber = parseInt(prNumber);
-          const { APP_ID, APP_NAME, SANITIZED_BRANCH_NAME } = process.env
+          const { APP_ID, APP_NAME, SANITIZED_BRANCH_NAME } = process.env;
 
           await github.rest.issues.createComment({
             owner: context.repo.owner,

.github/workflows/cross.yml

@@ -9,7 +9,7 @@ permissions:
 jobs:
   cross-linux:
     name: Cross - ${{ matrix.target }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 45
     env:
       CARGO_INCREMENTAL: 0
@@ -78,7 +78,7 @@ jobs:
 
   update-pr-status:
     name: (PR review) Signal result to PR
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 5
     needs: cross-linux
     if: needs.cross-linux.result == 'success' && github.event_name == 'pull_request_review'

.github/workflows/deny.yml

@@ -21,7 +21,7 @@ permissions:
 
 jobs:
   test-deny:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     env:
       CARGO_INCREMENTAL: 0
@@ -57,7 +57,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-cargo-
 
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: echo "::add-matcher::.github/matchers/rust.json"
       - name: Check cargo deny advisories/licenses

.github/workflows/e2e.yml

@@ -52,7 +52,7 @@ jobs:
 
   e2e-tests:
     name: E2E Tests
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     timeout-minutes: 45
     needs: changes
     if: always() && (

.github/workflows/environment.yml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   publish-new-environment:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     steps:
       - name: (PR review) Set latest commit status as pending
@@ -39,9 +39,9 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.9.0
+        uses: docker/setup-buildx-action@v3.10.0
       - name: Login to DockerHub
         uses: docker/login-action@v3
         if: github.ref == 'refs/heads/master'
@@ -50,7 +50,7 @@ jobs:
           password: ${{ secrets.CI_DOCKER_PASSWORD }}
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
         with:
           images: timberio/vector-dev
           flavor: |
@@ -62,7 +62,7 @@ jobs:
             org.opencontainers.image.title=Vector development environment
             org.opencontainers.image.url=https://github.com/vectordotdev/vector
       - name: Build and push
-        uses: docker/build-push-action@v6.13.0
+        uses: docker/build-push-action@v6.15.0
         with:
           context: .
           file: ./scripts/environment/Dockerfile

.github/workflows/install-sh.yml

@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   test-install:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 5
     steps:
       - name: (PR comment) Get PR branch

.github/workflows/integration-test.yml

@@ -30,7 +30,7 @@ env:
 
 jobs:
   test-integration:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 40
     if: inputs.if || github.event_name == 'workflow_dispatch'
     steps: