backport of commit fbc584e

.github/workflows/backport.yml

@@ -14,26 +14,8 @@ jobs:
   backport:
     if: github.event.pull_request.merged
     runs-on: ${{ fromJSON(vars.RUNNER) }}
-    container: hashicorpdev/backport-assistant:0.5.1
+    container: hashicorpdev/backport-assistant:0.2.3
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          fetch-depth: 0 # Fetch all branches and tags
-      - name: Check if any migrations have changed
-        run: |
-          if git diff --exit-code --name-only "origin/${{ github.event.pull_request.base.ref }}"...HEAD -- internal/db/schema/migrations; then
-            echo "No migrations have changed, continuing with backport"
-          else
-            # Post comment on PR.
-            echo "Posting new backport-failure GitHub comment under PR #${{ github.event.pull_request.number }}"
-            curl -sX POST \
-              -H "Accept: application/vnd.github+json" \
-              -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-              -d '{"body": "Backport Assistant: you attempted to automatically backport changes in this PR, but because it contained changes to migration files, this was rejected. Please carefully manually backport the changes."}' \
-              "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/issues/${{ github.event.pull_request.number }}/comments"
-            echo "Migrations have changed, refusing to backport. Please carefully manually backport the changes."
-            exit 1
-          fi
       - name: Backport changes to stable-website
         run: |
           backport-assistant backport -automerge

.github/workflows/enos-run.yml

@@ -119,7 +119,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36    # TSCCR: loading action configs: failed to query HEAD reference: failed to get advertised references: authorization failed
         with:

.github/workflows/security-scan.yml

@@ -12,7 +12,10 @@ on:
 jobs:
   scan:
     runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
-    if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-boundary' }}
+    if: |
+      ! github.event.pull_request.head.repo.fork &&
+      github.actor != 'dependabot[bot]' &&
+      github.actor != 'hc-github-team-secure-boundary'
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

.github/workflows/test-race.yml

@@ -109,7 +109,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Test ${{ matrix.module }} Module
         run: |
           make test-${{ matrix.module }}
@@ -141,7 +141,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Set up plugin cache
         id: plugin-cache
         uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2

.github/workflows/test.yml

@@ -109,7 +109,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Test ${{ matrix.module }} Module
         run: |
           make test-${{ matrix.module }}
@@ -141,7 +141,7 @@ jobs:
           key: ${{ needs.setup.outputs.go-cache-key }}
           restore-keys: |
             ${{ runner.os }}-go
-          fail-on-cache-miss: false
+          fail-on-cache-miss: true
       - name: Set up plugin cache
         id: plugin-cache
         uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2

.go-version

@@ -1 +1 @@
-1.23.0
+1.22.5

CHANGELOG.md

@@ -4,28 +4,19 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 
 ## Next
 
-## 0.17.2 (Unreleased)
-
-### Changes
-
-* The Go API properly uses the passed in value for `WithRecursive` and
-  `WithSkipCurlOutput` instead of always setting to true regardless of the
-  passed-in value. ([PR](https://github.com/hashicorp/boundary/pull/5066))
-
-## 0.17.1 (2024/08/21)
+## 0.17.1 (2024/08/22)
 
 ### New and Improved
 
-* Add `GetDownstreamWorkersTimeout` config option which represents the period of
-  time (as a duration) timeout for GetDownstreamWorkers call in
-  DownstreamWorkerTicker. This is currently not documented and considered
-  internal. ([PR](https://github.com/hashicorp/boundary/pull/5007))
+* Add `GetDownstreamWorkersTimeout` config option which represents the period of time (as a duration) timeout
+  for GetDownstreamWorkers call in DownstreamWorkerTicker. This is currently not documented and considered internal.
+  ([PR](https://github.com/hashicorp/boundary/pull/5007))
 
 ### Bug Fixes
 
 * Fixed issue where storage policies were not deleted when scopes are deleted
   ([PR](https://github.com/hashicorp/boundary/pull/5014))
-* Contains Bug Fixes from 0.16.3
+* Contains Bug Fixes from 0.16.3 
 
 ### Security
 
@@ -35,76 +26,55 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 
 ### New and Improved
 
-* Add `GetDownstreamWorkersTimeout` config option which represents the period of
-  time (as a duration) timeout for GetDownstreamWorkers call in
-  DownstreamWorkerTicker. This is currently not documented and considered
-  internal. ([PR](https://github.com/hashicorp/boundary/pull/5007))
+* Add `GetDownstreamWorkersTimeout` config option which represents the period of time (as a duration) timeout
+  for GetDownstreamWorkers call in DownstreamWorkerTicker. This is currently not documented and considered internal.
+  ([PR](https://github.com/hashicorp/boundary/pull/5007))
 
 ### Bug Fixes
 
-* Minio large file support: Disable multipart uploads via minio to fix an issue
-  where the file checksum is set incorrectly on each part of the upload, causing
-  it to fail. This change fixes file uploads larger than 16MB and limits upload
-  sizes to 5GB. ([PR](https://github.com/hashicorp/boundary/pull/5013)) and
-  ([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/21))
-* Resolved an issue where session authorization was returning a `401` if the
-  alias is non-existent or the alias does not resolve to anything. A `404`
-  status code is now returned.
-  ([PR](https://github.com/hashicorp/boundary/pull/5006)))
+* Minio large file support: Disable multipart uploads via minio to fix an issue where the file checksum is set incorrectly on each part 
+  of the upload, causing it to fail. This change fixes file uploads larger than 16MB and limits upload sizes to 5GB.
+  ([PR](https://github.com/hashicorp/boundary/pull/5013)) and ([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/21))
+* Resolved an issue where session authorization was returning a `401` if the alias is non-existent or the alias does not resolve to anything.
+  A `404` status code is now returned.
+  ([PR](https://github.com/hashicorp/boundary/pull/5006))
 
 ### Security
 
-* curl (enterprise): The curl binary is no longer included in the published
-  Docker container images for Boundary Enterprise to address the CVE-2024-7264
-  vulnerability.
+* curl (enterprise): The curl binary is no longer included in the published Docker container images for Boundary Enterprise to address the 
+  CVE-2024-7264 vulnerability.
   [CVE-2024-7264](https://github.com/advisories/GHSA-97c4-2w4v-c7r8)  
 
 ## 0.17.0 (2024/07/17)
 
 ### New and Improved
 
-* SBC (Storage Bucket Credential): This release introduces, SBC, a resource that
-represents credentials for authentication and authorization with an external
-object store. There are two SBC types, managed secret and environmental.
-([PR](https://github.com/hashicorp/boundary/pull/4933)),
-([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/18)) and
-([PR](https://github.com/hashicorp/boundary-plugin-aws/pull/46))
-  * SBC State: This release introduces, SBC State, which represents the ability
-  for a worker to perform a specific action using the storage bucket. SBC
-  permission types (write, read, & delete) represent an action that is required
-  for the storage bucket to do as a routine task on an external object store.
-  Each permission type has a permission state (ok, error, unknown). 
-  * SBC Worker Filtering: For protocol aware workers that require interaction
-  with an external storage service, the workers will be filtered by the SBC
-  state depending on the action and permission required.
-* ui: Add multiple grant scope support for roles
-  ([PR](https://github.com/hashicorp/boundary-ui/pull/2388))
-* ui: Add API tags support for workers and improve worker filtering for targets
-  ([PR](https://github.com/hashicorp/boundary-ui/pull/2393))
-
-### Bug Fixes
+* SBC (Storage Bucket Credential): This release introduces, SBC, a resource that represents credentials for 
+authentication and authorization with an external object store. There are two SBC types, managed secret and environmental.
+([PR](https://github.com/hashicorp/boundary/pull/4933)), ([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/18)) and ([PR](https://github.com/hashicorp/boundary-plugin-aws/pull/46))
+  * SBC State: This release introduces, SBC State, which represents the ability for a worker to perform a specific action 
+  using the storage bucket. SBC permission types (write, read, & delete) represent an action that is required for the 
+  storage bucket to do as a routine task on an external object store. Each permission type has a permission state 
+  (ok, error, unknown). 
+  * SBC Worker Filtering: For protocol aware workers that require interaction with an external storage service, the 
+  workers will be filtered by the SBC state depending on the action and permission required.
+* ui: Add multiple grant scope support for roles ([PR](https://github.com/hashicorp/boundary-ui/pull/2388))
+* ui: Add API tags support for workers and improve worker filtering for targets ([PR](https://github.com/hashicorp/boundary-ui/pull/2393))
 
 ## 0.16.2 (2024/06/10)
 
 ### New and Improved
 
-* Updated Minio plugin to allow for potential use with other S3-compatible
-storage providers.
-([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/16)) and
-([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/17))
+* Updated Minio plugin to allow for potential use with other S3-compatible storage providers.
+([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/16)) and ([PR](https://github.com/hashicorp/boundary-plugin-minio/pull/17))
 
 ### Bug Fixes
-
-* Fixed a bug where a worker credential rotation request suceeded on the
-controller but the response to the worker was lost. This resulted in the
-controller using a separate set of credentials than the worker, causing the
-worker to be unable to connect to the controller. The fix implements the new
-nodeenrollment library NodeIdLoader interface, which ensures that on store, if
-worker NodeInformation has a previous key set, the worker will check and correct
-its stored credential set to match. LodeNodeInformation was also updated to fix
-a bug where in this split credential scenario, the current credential key was
-assumed to be the incoming worker key, which caused the wrong key information to
-be populated for the key id.
+* Fixed a bug where a worker credential rotation request suceeded on the controller but the response to the worker was lost.
+This resulted in the controller using a separate set of credentials than the worker, causing the worker to be unable to connect 
+to the controller. The fix implements the new nodeenrollment library NodeIdLoader interface, which ensures that on store, 
+if worker NodeInformation has a previous key set, the worker will check and correct its stored credential set to match. 
+LodeNodeInformation was also updated to fix a bug where in this split credential scenario, the current credential key was
+assumed to be the incoming worker key, which caused the wrong key information to be populated for the key id.
 ([PR](https://github.com/hashicorp/boundary/pull/4870))
 
 ### New and Improved
@@ -165,24 +135,17 @@ be populated for the key id.
 
 ### New and Improved
 
-* Target aliases have been added: You can now create an alias for a target. In
-  most situations where you would use a target id, you can now instead use the
-  alias value. Create an alias with `boundary aliases create target -value
-  example.boundary -destination-id ttcp_1234567890` and connect to a target
-  using an alias using `boundary connect example.boundary`
-* Worker local storage state: Self managed workers that are configured to be
-  used for session recordings will report the state of the its disk space. To
-  learn more about this new feature, refer to the
-  [documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket#local-storage).
-* MinIO storage plugin: You can now create a storage bucket that allows Boundary
-  to interoperate with a MinIO cluster for Session Recording storage. This
-  includes some added functionality such as credential rotation and credential
-  management. To learn more about the plugin, refer to the
-  [readme](https://github.com/hashicorp/boundary-plugin-minio?tab=readme-ov-file#minio-plugin-for-hashicorp-boundary).
-  *Note:* Due to a library incompatibility, this release is not yet compatible
-  with the `netbsd` operating system. Please refer to the following
-  [documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket)
-  to learn how to create a storage bucket.
+* Target aliases have been added: You can now create an alias for a target.
+  In most situations where you would use a target id, you can now instead use
+  the alias value. Create an alias with
+  `boundary aliases create target -value example.boundary -destination-id ttcp_1234567890`
+  and connect to a target using an alias using `boundary connect example.boundary`
+* Worker local storage state: Self managed workers that are configured to be used for
+  session recordings will report the state of the its disk space. To learn more about this
+  new feature, refer to the [documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket#local-storage).
+* MinIO storage plugin: You can now create a storage bucket that allows Boundary to interoperate
+  with a MinIO cluster for Session Recording storage. This includes some added functionality such
+  as credential rotation and credential management. To learn more about the plugin, refer to the [readme](https://github.com/hashicorp/boundary-plugin-minio?tab=readme-ov-file#minio-plugin-for-hashicorp-boundary). *Note:* Due to a library incompatibility, this release is not yet compatible with the `netbsd` operating system. Please refer to the following [documentation](http://developer.hashicorp.com/boundary/docs/configuration/session-recording/create-storage-bucket) to learn how to create a storage bucket.
 * ui: Add UI support for filtering and pagination
   ([PR](https://github.com/hashicorp/boundary-ui/pull/2237))
 * ui: Add UI support for MinIO (Enterprise and HCP Boundary only)