| Age | Commit message (Collapse) | Author |
|
* returned lost sentrium.svg image
* changed phone number to valid one
* Remove explicit branch reference from the checkout action
* Use a variable for branch checkout
* Add an option to take the branch from the inputs
* Update the release status for 1.4.0 GA
* [release status] Do not render security advisory table headers if there are no advisories
* added one month date of expiration for user's cookie consent
(cherry picked from commit 7863f97ba712fe6e7801eee8c29c955000b6560a)
* minisign: T6610: update the rolling release signing key
(cherry picked from commit c471f8ee728dd5a0b599f8ed61518716cfba37b1)
* Update to checkout@v4
(cherry picked from commit f5934afca8a7d790c15e77e19ce4a1d651411b07)
* nightly-builds: rename GitHub repo
(cherry picked from commit 2f993bbe13e083efc65f7b05825f94f05fcfb615)
* moved deployment to AWS Amplify
* Update README.md
* added a new step to check Amplify build status [no ci]
* fixed access to variables [no ci]
* trigger rebuild
* Remove the mention of LTS source code being public
It's now available only to people who legitimately acquired binaries,
as per the GPL requirements
* Add an anchor to the stream release link
* Remove the legacy LTS application form
We'll encourage everyone to get VyOS Stream or rolling release
* Remove the mention of oudated support subscriptions
* Change the wording from "sofrware access subscription" to just "subscription"
* Remove Sentrium from the footer
since it no longer exists as an independent company
* Update the hsforms library to v4
* Revert "Update the hsforms library to v4"
This reverts commit 0b0916da4f60f58fc9ed988d97e35769bffc222b.
* Add links to VyOS Stream 2025-Q2
* Add VyOS Stream 2025.11
* cosmetic bug: Fix image allign
(cherry picked from commit e8107f90846c7256184983a42a0fc8a3f5f36c66)
* Update the release status for 1.4.4
* Remove now-EOLd 1.3.x from release status
* Add VyOS Stream 2026.03
* Ignore .soupault-cache/ build artifact directory
Soupault 5.x writes incremental build caches under `.soupault-cache/`
in the repo root. The directory appears as untracked after any local
build and `gh pr create` warns about it. Add it to .gitignore
alongside `build/*` so clean checkouts stay clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* ci: T8943: retarget main.yml push trigger main->development (rollout 1c) (#59)
The default-branch reorg renamed main->development (production is now the
default). main.yml deploys by mirroring github.ref_name to an AWS Amplify
branch, so the dead main trigger is replaced with development. The Amplify
app has a matching development branch (operator-confirmed). amplify/production
trigger entries left unchanged.
Tracking: T8943
* ci: T8947: point CLA check at vyos-cla-signatures@production (rollout 1c follow-up) (#60)
Rollout 1c (IS-503) renamed vyos-cla-signatures' default branch to `production`,
but cla-check.yml still called the reusable at @current. The `current` branch of
vyos-cla-signatures has diverged from `production` and its copy of cla-reusable.yml
writes signatures to `branch: 'current'` — so CLA signatures from this repo's PRs
were landing on the stale `current` branch instead of `production`.
Flip the ref to @production (whose cla-reusable.yml writes to `branch: 'production'`).
Note: migrating/reconciling signatures already accumulated on
vyos-cla-signatures@current (and whether to delete that branch) is a separate
operator decision tracked in IS-504 / T8947.
🤖 Generated by [robots](https://vyos.io)
* T8943: ci: remove dead amplify branch from CI push trigger (#61)
The amplify branch no longer exists in this repo; the trigger entry is
unreachable. main was already retargeted to development in #59 (rollout 1c).
This completes the trigger cleanup so the list matches real branches.
🤖 Generated by [robots](https://vyos.io)
---------
Co-authored-by: bogdankol <68349689+bogdankol@users.noreply.github.com>
Co-authored-by: Daniil Baturin <daniil@baturin.org>
Co-authored-by: Daniil Baturin <daniil@vyos.io>
Co-authored-by: Christian Breunig <christian@breunig.cc>
Co-authored-by: Yevhen Bondarenko <evgeniy.bondarenko@sentrium.io>
Co-authored-by: lemeshovich <17667824+lemeshovich@users.noreply.github.com>
Co-authored-by: Viacheslav Hletenko <v.gletenko@vyos.io>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Tracking: T8943
|
|
Rewrites uses: pins to the three HIGH-fanout producers (vyos/.github,
vyos/vyos-cla-signatures, VyOS-Networks/vyos-reusable-workflows) from their
old default branch to the new production compat branch staged in Task 1.
No functional change; pin-ref rewrite only.
Tracking: T8943
|
|
(#56)
Replace PAT-based secrets with App-token-compatible `secrets: inherit`
and standardise wrapper to the uniform stub shape for rollout 1b.
Plan: ~/.claude/plans/2026-05-26-mirror-rollout-1b-revised.md Task 5
🤖 Generated by [robots](https://vyos.io)
|
|
T8809: add extends: mergify, preserve manual-only deviation
|
|
preserve manual-only deviation
|
|
ci: add .coderabbit.yaml for central-config inheritance (T8851)
|
|
|
|
T8835: added pr mirror workflow
|
|
|
|
general: T8595: add AGENTS.md
|
|
|
|
|
|
|
|
Use soupault 5.3.0 for builds
|
|
That eliminates the need for an external Markdown processor
and allows native support for prefixing links with a base URL
in the machine-readable index for easier sitemap generation
|
|
build: quote SSM command substitution in amplify.yml
|
|
Prevents word-splitting if token value ever contains whitespace.
🤖 Generated by robots (https://vyos.io)
|
|
- Gate GH_ACCESS_TOKEN SSM fetch on production branch only;
staging builds no longer depend on that secret.
- Add sudo to soupault mv command for non-root build images.
🤖 Generated by robots (https://vyos.io)
|
|
build: profile-gate Amplify builds; add PR check workflow
|
|
🤖 Generated by robots (https://vyos.io)
|
|
🤖 Generated by robots (https://vyos.io)
|
|
Builds with --profile staging on any PR targeting main.
Runs locally in the Actions runner; no Amplify branch config needed.
🤖 Generated by robots (https://vyos.io)
|
|
main → --profile staging, production → --profile live.
Overrides console build spec; fixes live widgets appearing on staging.
🤖 Generated by robots (https://vyos.io)
|
|
🤖 Generated by robots
|
|
fix: remove async from Cookiebot loader (GDPR consent-before-GTM)
|
|
With async, the browser starts downloading Cookiebot in parallel and
immediately continues parsing, reaching GTM inline bootstrap before
Cookiebot executes. Removing async makes it render-blocking so consent
state is set before GTM fires.
Also clarifies the after + prepend_child ordering in the comment.
Generated by robots (https://vyos.io)
|
|
Add Mergify configuration
|
|
Enables @Mergifyio merge/rebase/update/backport commands.
No automated rules — all merges remain manual.
🤖 Generated by [robots](https://vyos.io)
|
|
Load Cookiebot uc.js directly before GTM
|
|
GTM container tag 163 was not firing the Cookiebot uc.js loader despite
correct rules in the container. Loading Cookiebot directly via soupault
is the architecturally correct approach anyway: consent state must be set
before GTM fires any tracking tags.
Widget runs after insert-google-tag-manager-head (same pattern as
insert-preconnect-hints) so the final <head> order is:
preconnect hints → Cookiebot uc.js → GTM snippet
🤖 Generated by [robots](https://vyos.io)
|
|
Add 1.5.0 to the release status data file
|
|
|
|
Substitute real Cookiebot CBID for vyos.net
|
|
Replaces the <CBID> placeholder in the insert-cookiebot-declaration
widget with the actual domain group ID (932cb8b9-5141-4dc9-9018-21fc31a0586f)
registered for vyos.net in the Cookiebot admin panel.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
|
Migrate to Cookiebot + GTM-T5VQHRT via metrics.vyos.io
|
|
Address Copilot review: preconnect order + staging-gate cookies-policy script
|
|
Two fixes flagged by the Copilot reviewer on #35:
1. Preconnect hints were appended to the end of <head> while the GTM
loader is prepended to the top, so GTM's async script creation
fired before the browser ever saw the preconnect tags — they
provided no benefit. Switches insert-preconnect-hints to
prepend_child and adds `after = "insert-google-tag-manager-head"`
so the widget runs after GTM and its prepend pushes GTM down to
position 1. Result: preconnects land at the top of <head>, ahead
of the GTM loader.
2. The Cookiebot cd.js script embedded directly in
site/legal/cookies-policy.md rendered on every profile, so a
staging visitor who hit /legal/cookies-policy/ would leak their
IP to consent.cookiebot.com. Replaces the inline <script> with a
<div id="cookie-declaration-placeholder"></div> and adds a new
insert-cookiebot-declaration widget (profile = "live", page =
"legal/cookies-policy.md") that replaces the placeholder with
the real script element only on live builds. Staging now emits
zero Cookiebot markup on the cookies-policy page.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Ignore .soupault-cache/ build artifact directory
|
|
Soupault 5.x writes incremental build caches under `.soupault-cache/`
in the repo root. The directory appears as untracked after any local
build and `gh pr create` warns about it. Add it to .gitignore
alongside `build/*` so clean checkouts stay clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Task 5 inserted the preconnect tags directly into templates/main.html,
which caused them to ship on every profile — defeating the staging
privacy posture (staging visitors' IPs would leak to Cookiebot and
metrics.vyos.io during TLS handshake). Moves them to a new
insert-preconnect-hints widget with profile = "live", matching the
pattern used for the two GTM widgets and Step 5.2's original
--profile live verification intent.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Embeds Cookiebot's auto-generated cookie declaration table. The
declaration content is served by consent.cookiebot.com and rendered
at display time — this repo only holds the embed shim and intro copy.
The CBID is a <CBID> placeholder that MUST be substituted with the
real value before merging main into production. The PR body's
prerequisite checklist gates this.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Sits next to the copyright line inside <div class="bottom">. Links to
the new /legal/cookies-policy/ page created in the next commit.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Starts DNS/TCP/TLS handshake for the Cookiebot banner and GTM proxy
during initial HTML parse, shaving perceivable latency off the
first-visit banner paint.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Deletes the hand-rolled "Allow Analytics" aside, its JavaScript, its
SCSS partial, and the unconditional gtag.js script. The replacement
consent UI (Cookiebot banner) is loaded by the new GTM-T5VQHRT
container; the custom banner is no longer needed and was also
ineffective (both GTM and gtag loaded before the user clicked anything).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Migrates the site's GTM container to GTM-T5VQHRT (shared with vyos.io)
proxied through metrics.vyos.io, and gates both GTM widgets on
profile = "live" so they only render in production builds. The new
container handles Google Consent Mode v2 defaults, Cookiebot loading,
and consent-state updates internally, so no page-side consent plumbing
is needed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
|
|
|
|
|
|
|