Skip to content

Release v5.6.0#514

Open
mkolasinski-splunk wants to merge 12 commits into
mainfrom
develop
Open

Release v5.6.0#514
mkolasinski-splunk wants to merge 12 commits into
mainfrom
develop

Conversation

@mkolasinski-splunk

Copy link
Copy Markdown
Contributor

Description

(PR description goes here)

Checklist

  • README.md has been updated or is not required
  • push trigger tests
  • manual release test
  • automated releases test
  • pull request trigger tests
  • schedule trigger tests
  • workflow errors/warnings reviewed and addressed

Testing done

(for each selected checkbox, the corresponding test results link should be listed here)

mbruzda-splunk and others added 2 commits June 15, 2026 12:52
## Summary

- Fast-forwards `develop` to match `main` (tip: `36d2c0f`)
- Brings in 20 commits that landed on `main` since last sync (#492),
including fixes for PAT/GitHub App auth, spl2 tests, ubuntu 16.04 EOL
drop, and manifests pin
- No unique commits on `develop` that are missing from `main`

🤖 Generated with [Claude Code](https://claude.com/claude-code)
## What

Bumps all GitHub Actions still bundling the deprecated Node 20 runtime
to their first major version that targets Node 24, resolving the
`Node.js 20 is deprecated` warnings across all jobs in this workflow
family.

| Action | Before | After |
|---|---|---|
| `actions/checkout` | v4 | v5 |
| `actions/setup-python` | v5 | v6 |
| `actions/download-artifact` | v4 | v7 |
| `actions/upload-artifact` | v4 | v6 |
| `actions/cache` | v4 | v5 |
| `amannn/action-semantic-pull-request` | v5.5.3 | v6.1.1 |
| `aws-actions/configure-aws-credentials` | v4 | v6 |
| `dorny/test-reporter` | v1.9.1 | v3.0.0 |
| `geekyeggo/delete-artifact` | v5 | v6 |
| `softprops/action-gh-release` | v2 | v3 |

Applied consistently across all four workflow files:
- `reusable-build-test-release.yml`
- `build-test-release.yaml`
- `reusable-publish-to-splunkbase.yml`
- `reusable-validate-deploy-docs.yml`

### Left unchanged (already Node 24, or docker/composite)
`setup-java@v5`, `create-github-app-token@v3`, `amazon-ecr-login@v2`,
`svenstaro/upload-release-action@v2`, and all docker/composite actions
(`splunk/*`, `fsfe/reuse-action`, `pre-commit/action`, `trufflehog`,
`skywalking-eyes`).

## Testing

Ran the full `build-test-release` pipeline on
`splunk-add-on-for-microsoft-cloud-services` pointed at this branch —
**pipeline succeeded**, and the Node 20 deprecation warnings are gone
from every job that consumes these actions (build, setup, meta, unit
tests, all appinspect jobs, etc.).


https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/actions/runs/28662878022

### Known remaining warnings (out of scope — external sources)
- `pre-commit` job → `actions/cache@v4` is hardcoded inside
`pre-commit/action@v3.0.1` (latest release).
- `semgrep / sast-scan` job → `checkout@v4` / `upload-artifact@v4` come
from `splunk/sast-scanning/.github/workflows/sast-scan.yml@main`
(separate repo; addressed here:
splunk/sast-scanning#7).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
@mkolasinski-splunk
mkolasinski-splunk requested a review from a team as a code owner July 9, 2026 12:02
mkolasinski-splunk and others added 10 commits July 10, 2026 10:02
…n ADDON-88924 (#513)

## Summary
- Splits the single monolithic `run-spl2-tests` box-test job into a
matrix, one job per pipeline subdirectory under
`package/default/data/spl2/` (discovered dynamically in
`setup-workflow`), plus a `__root__` shard for any top-level
`*.test.json`/`*.test.spl2` fixtures.
- Each shard is scoped with `--test_dir` (using
`spl2-testing-framework`'s existing directory-scoping support — no
framework changes needed); `--code_dir` stays pointed at the full tree
so module resolution still works for TAs that don't duplicate pipeline
code per-subdirectory.
- Motivated by the AWS TA SPL2 suite, where one pipeline
(`aws_cloudtrail`) accounts for ~78% of all box tests and made the
single job take 4+ hours; sharding lets pipelines with skewed test-count
distributions run concurrently instead of serially.

## Test plan
- [x] Verify against `splunk-add-on-for-amazon-web-services`
(`feature/spl2-content-for-aws-ta`) via a throwaway PR pointing
`build-test-release.yml`'s `uses:` at this branch — confirm shard
discovery finds
`aws_cloudtrail`/`aws_cloudwatch`/`aws_cloudwatchlogs_vpcflow`/`__root__`,
all four run in parallel, and total test count/pass-fail matches the
current single-job baseline.
[link](https://github.com/splunk/splunk-add-on-for-amazon-web-services/actions/runs/28942569538/job/85878959228a)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Summary

- Add `actions/upload-artifact@v4` step to `run-spl2-tests` job so test
results are preserved as downloadable artifacts after each run
- Matches the artifact upload pattern already used in
`run-knowledge-tests` and `run-unit-tests`
- Artifact named `spl2 test results`, contains the `test-results/`
directory with JUnit XML output

## Test plan

- [ ] Verify CI runs `run-spl2-tests` and produces a downloadable `spl2
test results` artifact
- [ ] Confirm artifact contains `test-results/report.xml`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…sable release workflow (#503)

## Summary

This PR updates the reusable add-on build-test-release workflow to split
FOSSA findings into separate license and vulnerability checks, improve
release gating, and document the new workflow behavior.
JIRA Link - []https://splunk.atlassian.net/browse/ADDON-87374

## Changes

- Extends `fossa-scan` to run `fossa test --debug` in a dedicated step
(only when analyze succeeds) and upload its output as the
`fossa-test-output` artifact
- Adds separate lightweight FOSSA CI jobs that parse
`fossa-test-output`:
- `fossa-license-test` — extracts and counts issues from the `COMPLIANCE
ISSUES` section
- `fossa-vulnerability-test` — extracts and counts issues from the
`SECURITY ISSUES` section
  - Exposes separate pipeline outputs for:
    - active license issues
    - active vulnerability issues
    - release-blocking vulnerability issues
- Publishes separate job summaries for license and vulnerability
findings.
- Updates `pre-publish` release gating so release paths can block
independently on:
    - unresolved vulnerability issues
- Keeps merge-to-develop and other non-release workflows usable by
reporting split FOSSA results without enforcing release gating there.
- Updates README documentation for the new split FOSSA jobs and release
gating behavior.

### Checklist

- [X] `README.md` has been updated
- [ ] push trigger tests
- [ ] manual release test
- [ ] automated releases test
- [X] pull request trigger tests
- [ ] schedule trigger tests
- [ ] workflow errors/warnings reviewed and addressed

### Tested TA GitHub Actions run:
1. Successful FOSSA Tests for Apache web server TA -
[]https://github.com/splunk/splunk-add-on-for-apache-web-server/actions/runs/29075781494
2. Crowdstrike TA FOSSA tests failure -
[]https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/actions/runs/29077637023
3. Salesforce TA FOSSA tests failure -
[]https://github.com/splunk/splunk-add-on-for-salesforce/actions/runs/29077050887

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
### Description

This PR bumps matrix version to 3.2 including Splunk 10.4
### Checklist

- [ ] `README.md` has been updated or is not required
- [ ] push trigger tests
- [ ] manual release test
- [ ] automated releases test
- [ ] pull request trigger tests
- [ ] schedule trigger tests
- [ ] workflow errors/warnings reviewed and addressed

### Testing done 
(for each selected checkbox, the corresponding test results link should
be listed here)
…execution ADDON-88924" (#516)

Reverts #513
No longer needed due to improvements on spl2-cli side
## Summary
- Adds a step to the `validate-pr-title` job that enforces `ADDON-XXXXX`
(5–6 digit Jira ticket number) in the PR title, failing with a clear
`::error::` annotation if missing (runs after the existing semantic PR
title check).
- Adds a new `comment-on-jira` job: on push to `main`/`develop`, scans
commit messages for `ADDON-XXXXX` references and posts a comment on each
referenced ticket linking back to the commit (and originating PR, if
found), worded to match the existing GitLab→Jira integration convention
(`{author} mentioned this issue in a commit of {repo} on branch
{branch}:`).
- Auth via `ATLASSIAN_EMAIL`/`ATLASSIAN_TOKEN` secrets (hardcoded
`https://splunk.atlassian.net` base URL), matching the naming convention
already used by `addonfactory-docs-on-github-integration`; posts via raw
Jira REST API v3 + ADF body rather than `atlassian/gajira-comment`
(which has a known RCE, CVE-2020-14189).
- Never fails the workflow: a failed Jira API call only logs a
`::warning::`.

## Test plan
- [x] Open a PR without `ADDON-XXXXX` in the title → job fails with the
error message
- [x] Open a PR with `ADDON-12345` or `ADDON-123456` in the title → job
passes
- [x] Verify existing semantic PR title validation still works
- [x] **Live end-to-end verification against
`splunk/test-addonfactory-repo`** (sandbox repo, temporarily pointed at
this branch, reverted to `v5.4` after each round), commenting on real
ticket [ADDON-88759](https://splunk.atlassian.net/browse/ADDON-88759):
- `pull_request` event → `comment-on-jira` correctly `skipped` (job only
fires on `push`)
- Push directly to `main`, no originating PR → comment posted with
commit link only, no "via PR" clause
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28979594348))
- Push to `main` via squash-merged PR → comment posted with commit link
**and** correct PR link
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28979730875),
[PR #374](splunk/test-addonfactory-repo#374))
- Push with a mix of a ticket-referencing and a non-referencing commit →
only the referencing commit produced a comment (dedup/skip logic
confirmed)
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28980385679))
- Bug found and fixed during testing: initial run 403'd on the PR lookup
(job only had `contents: read`) and leaked the raw error JSON into the
comment's link `href`
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28978879858),
see resulting [malformed
comment](https://splunk.atlassian.net/browse/ADDON-88759)) — fixed by
adding `pull-requests: read` and guarding the `gh api` failure path
(`1c8ba82`)
- Final wording verified live: "mkolasinski-splunk mentioned this issue
in a commit of splunk/test-addonfactory-repo on branch main:"
([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28980385679))

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude <noreply@anthropic.com>
Adds a fossa-ignore-vulnerabilities workflow_call input (JSON array of
"package@version" strings) so callers can filter out known false
positives, such as urllib3@1.26.19, before the fossa-vulnerability-test
job counts issues and fails.

### Description

(PR description goes here)

### Checklist

- [ ] `README.md` has been updated or is not required
- [ ] push trigger tests
- [ ] manual release test
- [ ] automated releases test
- [ ] pull request trigger tests
- [ ] schedule trigger tests
- [ ] workflow errors/warnings reviewed and addressed

### Testing done 
(for each selected checkbox, the corresponding test results link should
be listed here)

Co-authored-by: Claude <noreply@anthropic.com>
### Description

Utilise new feature of spl2-testing-base and add --cli_cache to speed up
spl2 tests executin

### Checklist

- [ ] `README.md` has been updated or is not required
- [ ] push trigger tests
- [ ] manual release test
- [ ] automated releases test
- [ ] pull request trigger tests
- [ ] schedule trigger tests
- [ ] workflow errors/warnings reviewed and addressed

### Testing done 
(for each selected checkbox, the corresponding test results link should
be listed here)
… to main] (#519)

## Summary

- GS Scorecard tool remains available via `execute_gs_scorecard` label —
developers can still use it
- Scorecard results (pass/fail/missing) are now reported as
`::warning::` instead of `::error::` and never cause the job to fail
- Removed the `pre-publish` gate that blocked releases when scorecard
was skipped on PRs to main
- Fixes cases where scorecard flags checks as not checked,
unintentionally blocking releases



https://github.com/splunk/splunk-add-on-for-cisco-esa/actions/runs/27544575031/job/81415137332?pr=480#step:9:268

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

### Description

(PR description goes here)

### Checklist

- [ ] `README.md` has been updated or is not required
- [ ] push trigger tests
- [ ] manual release test
- [ ] automated releases test
- [ ] pull request trigger tests
- [ ] schedule trigger tests
- [ ] workflow errors/warnings reviewed and addressed

### Testing done 
(for each selected checkbox, the corresponding test results link should
be listed here)
…t selection (#522)

## Summary

Generate and publish Swagger artifacts for add-ons with UCC modinput
tests even when the UCC test job is not selected.

## Root cause

Swagger artifact upload was tied to `execute-ucc_modinput`. When that
test job was skipped, TACO later failed because the build-specific S3
prefix did not contain `swagger_client`.

## Changes

- Detect whether `tests/ucc_modinput_functional` exists.
- Use that capability, rather than test selection, when uploading and
downloading the OpenAPI artifact.
- Preserve existing UCC test-selection behavior.

## Validation

- Parsed workflow YAML.
- Ran diff whitespace checks.

## Related

- ADDON-89264
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants