| Age | Commit message (Collapse) | Author |
|
docs: fix workers dependency conflict + test workers changes on PRs
|
|
Phase-0 CodeRabbit finding on the PR-trigger commit: github.head_ref is
not unique across forks, so two PRs from different forks with the same
branch name would share a concurrency group. Key on
github.event.pull_request.number instead.
๐ค Generated by [robots](https://vyos.io)
|
|
apex-deploy.yml's test job only triggered on push to rolling, so no
PR-level check ran the workers/ vitest suite โ that's how the vitest
3.2/pool-workers 0.18.4 peer conflict landed on rolling undetected
(two dependabot PRs merged clean since nothing exercised `npm ci` in
workers/ pre-merge).
Add a `pull_request` trigger scoped to `workers/**` so the test job
runs pre-merge. Gate deploy-canary and deploy-production with
`if: github.event_name != 'pull_request'` so PR runs test only โ
no canary/production deploys fire on a PR (deploy-production would
also auto-skip via `needs: deploy-canary` once canary skips, but the
explicit `if:` keeps intent visible). Concurrency group now branches
per-event so PR runs queue/cancel independently of the rolling deploy
group instead of colliding with it.
Validated with actionlint + a YAML parse check.
๐ค Generated by [robots](https://vyos.io)
|
|
Dependabot bumped @cloudflare/vitest-pool-workers to 0.18.4 (peer:
vitest ^4.1.0) while workers/package.json still pinned vitest ~3.2.0,
so npm ci ERESOLVEs in workers/ on rolling (docs-build run
29153221240; apex-deploy affected too).
Bump vitest to ~4.1.0 to match the peer. 0.18.4 also removed the
`@cloudflare/vitest-pool-workers/config` subpath export in favor of a
`cloudflareTest()` Vite plugin โ vitest.config.ts updated to the new
shape (defineConfig from vitest/config + plugins: [cloudflareTest(...)]),
matching the package's own vitest-v3-to-v4 codemod. No other files
reference the old API. Verified: clean `npm ci` from a deleted
node_modules resolves without --force/--legacy-peer-deps, `npm audit`
reports 0 vulnerabilities (ws/wrangler bumps stay in place), and the
full suite (`npx vitest run`) passes 84/84 across all 9 test files.
๐ค Generated by [robots](https://vyos.io)
|
|
Bumps [ws](https://github.com/websockets/ws) to 8.21.0 and updates ancestor dependency [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers). These dependencies need to be updated together.
Updates `ws` from 8.18.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/8.18.0...8.21.0)
Updates `@cloudflare/vitest-pool-workers` from 0.8.71 to 0.18.4
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.18.4/packages/vitest-pool-workers)
---
updated-dependencies:
- dependency-name: ws
dependency-version: 8.21.0
dependency-type: indirect
- dependency-name: "@cloudflare/vitest-pool-workers"
dependency-version: 0.18.4
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
Bumps [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) to 4.110.0 and updates ancestor dependency [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers). These dependencies need to be updated together.
Updates `wrangler` from 4.35.0 to 4.110.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.110.0/packages/wrangler)
Updates `@cloudflare/vitest-pool-workers` from 0.8.71 to 0.18.4
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.18.4/packages/vitest-pool-workers)
---
updated-dependencies:
- dependency-name: wrangler
dependency-version: 4.110.0
dependency-type: indirect
- dependency-name: "@cloudflare/vitest-pool-workers"
dependency-version: 0.18.4
dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
docs: render diagrams in PDF builds (imgconverter + ImageMagick/librsvg)
|
|
line: imagemagick, librsvg2-bin, poppler-utils)
๐ค Generated by [robots](https://vyos.io)
|
|
docs: force latexmk through per-glyph/per-image errors (fix Devanagari PDF failure)
|
|
๐ค Generated by [robots](https://vyos.io)
|
|
๐ค Generated by [robots](https://vyos.io)
|
|
๐ค Generated by [robots](https://vyos.io)
|
|
MiB asset cap
๐ค Generated by [robots](https://vyos.io)
|
|
+ ImageMagick/librsvg)
๐ค Generated by [robots](https://vyos.io)
|
|
* docs(DMVPN): T4667: Add firewall rule to prevent unencrypted GRE leaks
In DMVPN the mGRE tunnel and the IPSec protecting it are handled
independently, so GRE can be forwarded while no IPSec SA is active for a
peer (e.g. while an SA is still being negotiated or after one expires),
allowing unencrypted GRE to leave the router. This is inherent to
combining GRE with IPSec and is common to DMVPN implementations in
general.
Add a "Protecting against unencrypted traffic leaks" section to the DMVPN
reference page explaining the behaviour and recommending an output filter
rule that drops GRE not matched by an outbound IPSec policy
(ipsec match-none-out). Note that this disables unencrypted GRE on the
node entirely, so coexisting plain GRE tunnels would stop working.
Apply the same rule in the Dual HUB Dual Cloud example on the VyOS nodes.
Co-authored-by: Daniil Baturin <daniil@baturin.org>
* docs(DMVPN): reflow DMVPN documentation for line length compliance
Reformat the DMVPN guide and dual-hub dual-cloud example to wrap
long lines and improve readability without changing the documented
behavior or configuration guidance.
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
pdflatex hard-errors on the Devanagari etymology text in
docs/introducing/history.md ("! LaTeX Error: Unicode character เคต
(U+0935) not set up for use with LaTeX") and separately cannot embed
several pre-existing .webp images (no BoundingBox) โ both previously
undiscovered because the Devanagari error always halted the build
first. latexmk -f (force mode) + pdflatex -interaction=nonstopmode
makes the build tolerate both classes of per-glyph/per-image failure
and finish, matching how ReadTheDocs has always built this project's
PDF (verified against the live docs.vyos.io PDF: same Devanagari
glyphs blanked, same ~4 images embedded out of 2000+ pages).
latexmk exits non-zero in force mode even on a fully-produced PDF, so
the workflow step now verifies the artifact itself (exists, >2MB)
instead of relying on the command's exit code.
๐ค Generated by [robots](https://vyos.io)
|
|
previews) (#2140)
* docs-infra: scaffold Cloudflare workers workspace (versions.json v2, matrix, toolchain)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: record full Phase-0 plan decision in workers/PLAN.md
๐ค Generated by [robots](https://vyos.io)
* docs-infra: shared content worker โ asset serving, cache classes, X-Docs-Build, canary no-store
๐ค Generated by [robots](https://vyos.io)
* docs-infra: run worker script before assets; test fetch entrypoint
๐ค Generated by [robots](https://vyos.io)
* docs-infra: apex manifest loader + dispatch map + runtime binding guard (TDD)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: apex redirects (aliases, PDF, trailing-slash) + special paths (TDD)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: PDF redirect honors pdf:null and preserves query
๐ค Generated by [robots](https://vyos.io)
* docs-infra: apex UA gate โ allowlist-wins, log-only AI crawlers, empty block list at launch
๐ค Generated by [robots](https://vyos.io)
* docs-infra: apex router (pipeline ยง3.2), themed 404/503, /kb seam, env configs + congruence test
๐ค Generated by [robots](https://vyos.io)
* docs-infra: add missing-User-Agent regression test for apex UA gate
๐ค Generated by [robots](https://vyos.io)
* docs-infra: R2-streaming preview worker โ MIME map, noindex, no-store (TDD)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: preview 404 no-store + fetch handler tests
๐ค Generated by [robots](https://vyos.io)
* docs-infra: bootstrap script โ binding-target workers must exist before apex deploys
๐ค Generated by [robots](https://vyos.io)
* docs-infra: apex run_worker_first, lockfile for npm ci, PDF Location from manifest
๐ค Generated by [robots](https://vyos.io)
* docs-infra: derive html_baseurl from DOCS_VERSION_SLUG with RTD fallback (canonical gate prereq)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: version picker + status banner + language scaffold (vanilla JS, TDD pure core)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: picker preserves query+hash across switch; valid breadcrumb markup
๐ค Generated by [robots](https://vyos.io)
* docs-infra: Pagefind search wrapper with runtime base-path + preview prefix handling (TDD)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: pagefind wrapper โ asset-failure notice + UI stylesheet load
๐ค Generated by [robots](https://vyos.io)
* docs-infra: gate Pagefind searchbox to CF builds (RTD keeps stock search until cutover)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: deploy sanity gates โ limits, critical pages, count-delta, canonical (TDD)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: hermetic gate tests via fixture versions.json
๐ค Generated by [robots](https://vyos.io)
* docs-infra: docs-build workflow โ candidate/smoke/promote two-stage deploy + registry + rollback
Two-stage CF Workers pipeline: build in pinned container, assemble artifact,
sanity gates, deploy candidate, scoped pre-traffic smoke via canary apex,
promote (rollback-id capture, hostname purge, registry upload), post-promote
probe + auto-rollback. DOCS_CF_LIVE repo variable gates every docs.vyos.io
production interaction pre-cutover.
scripts/docs_gates/smoke.py adds one authorized check beyond the spec: the
version's index.html probe asserts the #vyos-search mount div is present in
the response body, guarding CI silently forgetting DOCS_VERSION_SLUG (which
would otherwise ship stock RTD search without the Pagefind gate noticing).
๐ค Generated by [robots](https://vyos.io)
* docs-infra: build docs image in-workflow with buildx cache (v4.1 โ digest pin dropped)
Plan v4.1 amendment: the ghcr.io digest-pinned image does not exist (workflow
would hard-fail at the first docker step on every push). Replace the BUILD_IMAGE
env placeholder with an in-workflow docker build from docker/Dockerfile via
docker/setup-buildx-action@v3 + docker/build-push-action@v6 (context: docker/,
load: true, tags: docs-build:local, GHA cache from/to). The checked-out commit
is the pin; buildx GHA cache keeps repeat builds cheap. Sphinx-build step swaps
to docs-build:local; inner script unchanged.
๐ค Generated by [robots](https://vyos.io)
* docs-infra: apex/preview deploy workflow โ canary auto, production behind environment approval
* docs-infra: apex-deploy concurrency guard (per-ref, cancel-in-progress)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: fork-safe PR preview pipeline โ approval record, R2 prefixes, label consumption, cleanup
* docs-infra: nightly preview sweep โ pipefail + per-prefix failure isolation
๐ค Generated by [robots](https://vyos.io)
* docs-infra: nightly canary QA โ per-entry sweep + URL-parity corpus vs RTD
๐ค Generated by [robots](https://vyos.io)
* docs-infra: parity sweep scoped to CF-built versions; transport-error resilience
๐ค Generated by [robots](https://vyos.io)
* docs-infra: one-off bootstrap workflow (binding targets โ runs once on this push)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: remove one-off bootstrap workflow (bootstrap complete)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: one-off canary apex + preview deploy (route targets for Task 3.6 step 2c)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: remove one-off canary deploy workflow (targets live)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: address Phase-0 CodeRabbit findings (canonical gate, error caching, registry pointer, validation)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: strengthen manifest tests (full dispatch iteration, mutation-free validate)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: address GitHub CodeRabbit review (pointer-after-probe, fail-closed sweeps, block-precedence UA gate, preview hardening)
๐ค Generated by [robots](https://vyos.io)
* docs-infra: adversarial review fixes โ error no-store, probe retry, PR-list membership, preview dotted-segment
๐ค Generated by [robots](https://vyos.io)
* docs-infra: serve oversized legacy PDF from R2 via apex (spec ยง5 fallback)
The 1.3 PDF (29.2 MiB) exceeds the 25 MiB static-asset cap and is absent
from the legacy content Worker's build, so /_/downloads/en/1.3/pdf/ (and
the picker's PDF link) 301'd into a dead-end 404 post-cutover. Add the R2
object fallback spec ยง5 already documented but never implemented: a
DOCS_PDFS R2 bucket binding on the apex Worker, a manifest pdf_r2_key
field (1.3 only), and a router step ahead of version dispatch that streams
the object with its own cache class (canary/error still force no-store).
๐ค Generated by [robots](https://vyos.io)
* docs-infra: PDF R2 fallback honors Range + If-None-Match, preserves ETag
๐ค Generated by [robots](https://vyos.io)
|
|
* docs: Update Suricata page to VyOS 1.5 standards
* Update suricata.md
* Update suricata.md
* Update suricata.md
|
|
docs(Traffic Engineering): Clarify OSPF advertisement is not yet supported
|
|
|
|
* docs: Add GeoIP ASN support (T5746)
* Small styling changes
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
* ci: track Context7 LTS variants by branch instead of moved git tags
Switch the Context7 1.5/1.4 variants from tag-backed to branch-backed:
- context7.json: previousVersions entries `{tag:"1.5"}`/`{tag:"1.4"}` โ
`{branch:"circinus"}`/`{branch:"sagitta"}`. Context7 now indexes the
LTS branch HEADs directly.
- Delete update-version-tags.yml. Its sole purpose was force-moving the
git tags 1.5/1.4 to circinus/sagitta HEAD so the tag-backed Context7
variants tracked the branches. With branch-backed variants Context7
tracks the HEAD natively, so the tag indirection โ and its re-run
"moves the tag backward" footgun โ is gone.
- context7-refresh.yml: trigger directly on push to rolling/circinus/
sagitta (docs/** + context7.json paths) instead of chaining off the
deleted tag-mover via workflow_run; refresh payload uses
`branch:"circinus"`/`branch:"sagitta"` for the non-default variants.
Operator follow-up (post-merge): the circinus/sagitta branch variants
must be registered in the Context7 dashboard (a refresh by branch 404s
until Context7 crawls the new config), and the now-unused git tags
1.5/1.4 can be deleted.
๐ค Generated by [robots](https://vyos.io)
* ci: harden jq repo interpolation in context7-refresh
Adversarial review (agy): use the $GITHUB_REPOSITORY runner env var
(mapped as REPO) instead of inlining ${{ github.repository }} into the
jq command string, matching the safe env-mapping pattern already used
for EVENT_NAME/REF_NAME. github.repository is validated and low-risk,
but this structurally removes the interpolation-into-shell surface.
๐ค Generated by [robots](https://vyos.io)
|
|
* docs: expand Context7 branch-to-version mapping rule
Rule 29 in context7.json only mapped circinus (1.5.x) and sagitta
(1.4.x). Expand it to the full branch-to-version table matching
AGENTS.md: rolling (1.5+), circinus (1.5.x LTS), sagitta (1.4.x LTS),
equuleus (1.3.x legacy), crux (1.2.x legacy).
๐ค Generated by [robots](https://vyos.io)
* docs: correct rolling branch version in Context7 mapping
CodeRabbit review: `rolling` was described as "1.5+", but circinus is
already the 1.5 LTS line, so rolling tracks the next major (1.6+), not
1.5. Fix the rolling entry accordingly.
๐ค Generated by [robots](https://vyos.io)
|
|
* docs: Update UDP broadcast relay page to VyOS 1.5 standards
* Remove the implication that something other than IPv4 supports broadcast
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
bgp: T6573: add input/output queue limit CLI commands
|
|
|
|
* docs: Update TFTP server page to VyOS 1.5 standards
* Update tftp-server.md
|
|
* docs: Update Console server page to VyOS 1.5 standards
* Minor corrections
* Minor corrections
* Apply suggestions from code review
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Update console-server.md
* Apply suggestions from code review
Co-authored-by: Daniil Baturin <daniil@baturin.org>
* Remove the mention of long-EOL'd VyOS 1.3
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
pseudo-ethernet: T8540: Add anycast-gateway support for EVPN
|
|
* docs: Update Config sync page to VyOS 1.5 standards
* Minor corrections
* Update config-sync.md
* Apply suggestion from @github-actions[bot]
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Apply suggestion from @github-actions[bot]
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
|
|
On a fresh (no-consent) load the consent banner could render completely
unstyled and expand to full page height. Cookiebot delivers its dialog CSS as
a constructed stylesheet on document.adoptedStyleSheets; ReadTheDocs'
readthedocs-addons.js reassigns that whole-array property with a destructive
replace, and when that lands after Cookiebot's network-gated adoption it drops
Cookiebot's sheet, leaving #CybotCookiebotDialog at position:static expanded to
~6700px. It is a race, so it is intermittent and clears once consent is given
(the dialog then never renders).
- layout.html: a small adoptedStyleSheets shim, installed before any page
script, that preserves Cookiebot's sheet so another library cannot drop it.
- custom.css: a leak-safe safety net that keeps the dialog contained even if
its adopted sheet is ever absent. It uses only properties Cookiebot itself
sets, so it has verifiably no effect on the normal, styled banner.
๐ค Generated by [robots](https://vyos.io)
|
|
* dhcp: Update documentation to sync with DHCPv4/v6 options
Sync up with Kea DHCPv4 and DHCPv6 options documentation,
and clarify some of the options.
* Remove mentions of specific DHCP server implementations
Co-authored-by: Daniil Baturin <daniil@baturin.org>
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
* docs: Update IS-IS page to VyOS 1.5 standards
* Apply suggestions from code review
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Update isis.md
* Update isis.md
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
|
|
Removes the eps1lon `check-open-prs-conflict.yml` caller (which ran
`eps1lon/actions-label-merge-conflict` on push to base branches to label
conflicting PRs + comment) and replaces it with Mergify:
- Conflict LABEL (`conflicts`): already handled by the inherited central
`Label conflicting pull requests` rule (predicate `conflict`, toggle).
Mergify re-evaluates continuously, so the GHA's push-triggered re-scan
is covered natively โ no local rule needed for the label.
- Conflict COMMENT: a local additive rule `Comment on conflicting pull
requests` (distinct name โ does not replace the inherited label rule)
posts the contributor-facing "please resolve" notice once when a PR
enters conflict (Mergify dedupes the comment per rule+message).
The GHA's clean-side "conflicts resolved" comment is intentionally NOT
replicated โ Mergify has no "was-conflicting-now-clean" predicate, and
keying on `-conflict` would match every non-conflicting PR.
This is the final piece of the T8937 Mergify-GHA retirement (the central
`check-pr-conflict.yml` reusable was preserved pending this consumer; it
is deleted in a follow-up vyos/.github PR once this merges).
Advances: T8937
๐ค Generated by [robots](https://vyos.io)
|
|
T8973: remove salt from documentation - feature removed
|
|
|
|
docs: Use the 'rolling' branch in install.md
|
|
Replace mentions of the 'current' Git branch with 'rolling'
|
|
docs: Remove stale CLI output examples from build-vyos.md
|
|
|
|
Update the default Git branch in build-vyos.md from 'current' to 'rolling'
|
|
* docs: Update OpenFabric page to VyOS 1.5 standards
* Update openfabric.md
* Update openfabric.md
* Update openfabric.md
|
|
* docs: Update RPKI page to VyOS 1.5 standards
* Update rpki.md
* Update rpki.md
|
|
* docs: Update Traffic Engineering page to VyOS 1.5 standards
* Update traffic-engineering.md
* Update traffic-engineering.md
|
|
* docs: Update Segment Routing page to VyOS 1.5 standards
* docs: Minor corrections
* docs: Minor formatting corrections
* Update segment-routing.md
|
|
* docs: Update RIP page to VyOS 1.5 standards
* Update rip.md
|
|
* docs: Update PIM page to VyOS 1.5 standards
* Update pim.md
|
|
* docs: Update MPLS page to VyOS 1.5 standards
* Update mpls.md
|
|
T8967: Fix update-check URL for rolling
|
|
|