Release v5.6.0#514
Open
mkolasinski-splunk wants to merge 12 commits into
Open
Conversation
## Summary - Fast-forwards `develop` to match `main` (tip: `36d2c0f`) - Brings in 20 commits that landed on `main` since last sync (#492), including fixes for PAT/GitHub App auth, spl2 tests, ubuntu 16.04 EOL drop, and manifests pin - No unique commits on `develop` that are missing from `main` 🤖 Generated with [Claude Code](https://claude.com/claude-code)
## What Bumps all GitHub Actions still bundling the deprecated Node 20 runtime to their first major version that targets Node 24, resolving the `Node.js 20 is deprecated` warnings across all jobs in this workflow family. | Action | Before | After | |---|---|---| | `actions/checkout` | v4 | v5 | | `actions/setup-python` | v5 | v6 | | `actions/download-artifact` | v4 | v7 | | `actions/upload-artifact` | v4 | v6 | | `actions/cache` | v4 | v5 | | `amannn/action-semantic-pull-request` | v5.5.3 | v6.1.1 | | `aws-actions/configure-aws-credentials` | v4 | v6 | | `dorny/test-reporter` | v1.9.1 | v3.0.0 | | `geekyeggo/delete-artifact` | v5 | v6 | | `softprops/action-gh-release` | v2 | v3 | Applied consistently across all four workflow files: - `reusable-build-test-release.yml` - `build-test-release.yaml` - `reusable-publish-to-splunkbase.yml` - `reusable-validate-deploy-docs.yml` ### Left unchanged (already Node 24, or docker/composite) `setup-java@v5`, `create-github-app-token@v3`, `amazon-ecr-login@v2`, `svenstaro/upload-release-action@v2`, and all docker/composite actions (`splunk/*`, `fsfe/reuse-action`, `pre-commit/action`, `trufflehog`, `skywalking-eyes`). ## Testing Ran the full `build-test-release` pipeline on `splunk-add-on-for-microsoft-cloud-services` pointed at this branch — **pipeline succeeded**, and the Node 20 deprecation warnings are gone from every job that consumes these actions (build, setup, meta, unit tests, all appinspect jobs, etc.). https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/actions/runs/28662878022 ### Known remaining warnings (out of scope — external sources) - `pre-commit` job → `actions/cache@v4` is hardcoded inside `pre-commit/action@v3.0.1` (latest release). - `semgrep / sast-scan` job → `checkout@v4` / `upload-artifact@v4` come from `splunk/sast-scanning/.github/workflows/sast-scan.yml@main` (separate repo; addressed here: splunk/sast-scanning#7). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
…n ADDON-88924 (#513) ## Summary - Splits the single monolithic `run-spl2-tests` box-test job into a matrix, one job per pipeline subdirectory under `package/default/data/spl2/` (discovered dynamically in `setup-workflow`), plus a `__root__` shard for any top-level `*.test.json`/`*.test.spl2` fixtures. - Each shard is scoped with `--test_dir` (using `spl2-testing-framework`'s existing directory-scoping support — no framework changes needed); `--code_dir` stays pointed at the full tree so module resolution still works for TAs that don't duplicate pipeline code per-subdirectory. - Motivated by the AWS TA SPL2 suite, where one pipeline (`aws_cloudtrail`) accounts for ~78% of all box tests and made the single job take 4+ hours; sharding lets pipelines with skewed test-count distributions run concurrently instead of serially. ## Test plan - [x] Verify against `splunk-add-on-for-amazon-web-services` (`feature/spl2-content-for-aws-ta`) via a throwaway PR pointing `build-test-release.yml`'s `uses:` at this branch — confirm shard discovery finds `aws_cloudtrail`/`aws_cloudwatch`/`aws_cloudwatchlogs_vpcflow`/`__root__`, all four run in parallel, and total test count/pass-fail matches the current single-job baseline. [link](https://github.com/splunk/splunk-add-on-for-amazon-web-services/actions/runs/28942569538/job/85878959228a) 🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Summary - Add `actions/upload-artifact@v4` step to `run-spl2-tests` job so test results are preserved as downloadable artifacts after each run - Matches the artifact upload pattern already used in `run-knowledge-tests` and `run-unit-tests` - Artifact named `spl2 test results`, contains the `test-results/` directory with JUnit XML output ## Test plan - [ ] Verify CI runs `run-spl2-tests` and produces a downloadable `spl2 test results` artifact - [ ] Confirm artifact contains `test-results/report.xml` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…sable release workflow (#503) ## Summary This PR updates the reusable add-on build-test-release workflow to split FOSSA findings into separate license and vulnerability checks, improve release gating, and document the new workflow behavior. JIRA Link - []https://splunk.atlassian.net/browse/ADDON-87374 ## Changes - Extends `fossa-scan` to run `fossa test --debug` in a dedicated step (only when analyze succeeds) and upload its output as the `fossa-test-output` artifact - Adds separate lightweight FOSSA CI jobs that parse `fossa-test-output`: - `fossa-license-test` — extracts and counts issues from the `COMPLIANCE ISSUES` section - `fossa-vulnerability-test` — extracts and counts issues from the `SECURITY ISSUES` section - Exposes separate pipeline outputs for: - active license issues - active vulnerability issues - release-blocking vulnerability issues - Publishes separate job summaries for license and vulnerability findings. - Updates `pre-publish` release gating so release paths can block independently on: - unresolved vulnerability issues - Keeps merge-to-develop and other non-release workflows usable by reporting split FOSSA results without enforcing release gating there. - Updates README documentation for the new split FOSSA jobs and release gating behavior. ### Checklist - [X] `README.md` has been updated - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [X] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Tested TA GitHub Actions run: 1. Successful FOSSA Tests for Apache web server TA - []https://github.com/splunk/splunk-add-on-for-apache-web-server/actions/runs/29075781494 2. Crowdstrike TA FOSSA tests failure - []https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/actions/runs/29077637023 3. Salesforce TA FOSSA tests failure - []https://github.com/splunk/splunk-add-on-for-salesforce/actions/runs/29077050887 --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
### Description This PR bumps matrix version to 3.2 including Splunk 10.4 ### Checklist - [ ] `README.md` has been updated or is not required - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [ ] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Testing done (for each selected checkbox, the corresponding test results link should be listed here)
## Summary
- Adds a step to the `validate-pr-title` job that enforces `ADDON-XXXXX`
(5–6 digit Jira ticket number) in the PR title, failing with a clear
`::error::` annotation if missing (runs after the existing semantic PR
title check).
- Adds a new `comment-on-jira` job: on push to `main`/`develop`, scans
commit messages for `ADDON-XXXXX` references and posts a comment on each
referenced ticket linking back to the commit (and originating PR, if
found), worded to match the existing GitLab→Jira integration convention
(`{author} mentioned this issue in a commit of {repo} on branch
{branch}:`).
- Auth via `ATLASSIAN_EMAIL`/`ATLASSIAN_TOKEN` secrets (hardcoded
`https://splunk.atlassian.net` base URL), matching the naming convention
already used by `addonfactory-docs-on-github-integration`; posts via raw
Jira REST API v3 + ADF body rather than `atlassian/gajira-comment`
(which has a known RCE, CVE-2020-14189).
- Never fails the workflow: a failed Jira API call only logs a
`::warning::`.
## Test plan
- [x] Open a PR without `ADDON-XXXXX` in the title → job fails with the
error message
- [x] Open a PR with `ADDON-12345` or `ADDON-123456` in the title → job
passes
- [x] Verify existing semantic PR title validation still works
- [x] **Live end-to-end verification against
`splunk/test-addonfactory-repo`** (sandbox repo, temporarily pointed at
this branch, reverted to `v5.4` after each round), commenting on real
ticket [ADDON-88759](https://splunk.atlassian.net/browse/ADDON-88759):
- `pull_request` event → `comment-on-jira` correctly `skipped` (job only
fires on `push`)
- Push directly to `main`, no originating PR → comment posted with
commit link only, no "via PR" clause
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28979594348))
- Push to `main` via squash-merged PR → comment posted with commit link
**and** correct PR link
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28979730875),
[PR #374](splunk/test-addonfactory-repo#374))
- Push with a mix of a ticket-referencing and a non-referencing commit →
only the referencing commit produced a comment (dedup/skip logic
confirmed)
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28980385679))
- Bug found and fixed during testing: initial run 403'd on the PR lookup
(job only had `contents: read`) and leaked the raw error JSON into the
comment's link `href`
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28978879858),
see resulting [malformed
comment](https://splunk.atlassian.net/browse/ADDON-88759)) — fixed by
adding `pull-requests: read` and guarding the `gh api` failure path
(`1c8ba82`)
- Final wording verified live: "mkolasinski-splunk mentioned this issue
in a commit of splunk/test-addonfactory-repo on branch main:"
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28980385679))
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude <noreply@anthropic.com>
Adds a fossa-ignore-vulnerabilities workflow_call input (JSON array of "package@version" strings) so callers can filter out known false positives, such as urllib3@1.26.19, before the fossa-vulnerability-test job counts issues and fails. ### Description (PR description goes here) ### Checklist - [ ] `README.md` has been updated or is not required - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [ ] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Testing done (for each selected checkbox, the corresponding test results link should be listed here) Co-authored-by: Claude <noreply@anthropic.com>
### Description Utilise new feature of spl2-testing-base and add --cli_cache to speed up spl2 tests executin ### Checklist - [ ] `README.md` has been updated or is not required - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [ ] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Testing done (for each selected checkbox, the corresponding test results link should be listed here)
… to main] (#519) ## Summary - GS Scorecard tool remains available via `execute_gs_scorecard` label — developers can still use it - Scorecard results (pass/fail/missing) are now reported as `::warning::` instead of `::error::` and never cause the job to fail - Removed the `pre-publish` gate that blocked releases when scorecard was skipped on PRs to main - Fixes cases where scorecard flags checks as not checked, unintentionally blocking releases https://github.com/splunk/splunk-add-on-for-cisco-esa/actions/runs/27544575031/job/81415137332?pr=480#step:9:268 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- ### Description (PR description goes here) ### Checklist - [ ] `README.md` has been updated or is not required - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [ ] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Testing done (for each selected checkbox, the corresponding test results link should be listed here)
…t selection (#522) ## Summary Generate and publish Swagger artifacts for add-ons with UCC modinput tests even when the UCC test job is not selected. ## Root cause Swagger artifact upload was tied to `execute-ucc_modinput`. When that test job was skipped, TACO later failed because the build-specific S3 prefix did not contain `swagger_client`. ## Changes - Detect whether `tests/ucc_modinput_functional` exists. - Use that capability, rather than test selection, when uploading and downloading the OpenAPI artifact. - Preserve existing UCC test-selection behavior. ## Validation - Parsed workflow YAML. - Ran diff whitespace checks. ## Related - ADDON-89264
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
(PR description goes here)
Checklist
README.mdhas been updated or is not requiredTesting done
(for each selected checkbox, the corresponding test results link should be listed here)