fix(front): replace link in ssh debug dropdown

.gitignore

@@ -1,3 +1,4 @@
 */out/*
 */*/out/*
 **/_wildcard*
+**/.tool-versions

.semaphore/daily-builds.yml

@@ -725,11 +725,11 @@ blocks:
       jobs:
         - name: JS - dependencies
           commands:
-            - make check.js.deps APP_DIRECTORY=assets
+            - make check.js.deps APP_DIRECTORY=assets SCAN_RESULT_DIR=../out
         - name: JS - code
           commands:
             - export PATH=$PATH:/home/semaphore/.local/bin
-            - make check.js.code APP_DIRECTORY=assets
+            - make check.js.code APP_DIRECTORY=assets SCAN_RESULT_DIR=../out
         - name: Elixir - dependencies
           commands:
             - make check.ex.deps CHECK_DEPS_OPTS='--ignore-packages phoenix'
@@ -1993,6 +1993,9 @@ blocks:
         - name: "Test"
           commands:
             - make test
+        - name: "E2E Test"
+          commands:
+            - make test.e2e
         - name: "Lint"
           commands:
             - make lint

.semaphore/semaphore.yml

@@ -789,11 +789,11 @@ blocks:
       jobs:
         - name: JS - dependencies
           commands:
-            - make check.js.deps APP_DIRECTORY=assets
+            - make check.js.deps APP_DIRECTORY=assets SCAN_RESULT_DIR=../out
         - name: JS - code
           commands:
             - export PATH=$PATH:/home/semaphore/.local/bin
-            - make check.js.code APP_DIRECTORY=assets
+            - make check.js.code APP_DIRECTORY=assets SCAN_RESULT_DIR=../out
         - name: Elixir - dependencies
           commands:
             - make check.ex.deps CHECK_DEPS_OPTS='--ignore-packages phoenix'
@@ -2191,6 +2191,9 @@ blocks:
         - name: "Test"
           commands:
             - make test
+        - name: "E2E Test"
+          commands:
+            - make test.e2e
         - name: "Lint"
           commands:
             - make lint

GOVERNANCE.md

@@ -93,7 +93,7 @@ Semaphore follows a governance model that balances commercial stewardship with c
 ### Decision Visibility
 
 - Technical decisions documented in issues/PRs
-- Architecture decisions documented in [RFCs](../rfcs/README.md)
+- Architecture decisions documented in [RFCs](rfcs/README.md)
 - Roadmap publicly available
 
 ## Code of Conduct

LOCAL-DEVELOPMENT.md

@@ -61,9 +61,9 @@ For development and testing, you can run Semaphore locally using Minikube:
 
     ```bash
     # Get credentials
-    kubectl get secret root-user -n default -o jsonpath='{.data.email}' | base64 -d
-    kubectl get secret root-user -n default -o jsonpath='{.data.password}' | base64 -d
-    kubectl get secret root-user -n default -o jsonpath='{.data.token}' | base64 -d
+     kubectl get secret semaphore-authentication -n default -o jsonpath='{.data.ROOT_USER_EMAIL}' | base64 -d
+    kubectl get secret semaphore-authentication -n default -o jsonpath='{.data.ROOT_USER_PASSWORD}' | base64 -d
+    kubectl get secret semaphore-authentication -n default -o jsonpath='{.data.ROOT_USER_TOKEN}' | base64 -d
     ```
 
 Open `https://id.semaphore.localhost` and log in!

Makefile

@@ -76,6 +76,7 @@ DOCKER_BUILD_PATH=.
 EX_CATCH_WARRNINGS_FLAG=--warnings-as-errors
 CHECK_DEPS_EXTRA_OPTS?=-w feature_provider,grpc_health_check,tentacat,util,watchman,fun_registry,sentry_grpc,traceman,cacheman,log_tee,spec,proto,sys2app,looper,job_matrix,definition_validator,gofer_client,open_api_spex,when,uuid,esaml,openid_connect,block
 ROOT_MAKEFILE_PATH := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+SCAN_RESULT_DIR?=out
 
 #
 # Security checks
@@ -111,10 +112,10 @@ ifeq ($(CI),)
 		-v $$(pwd):/app \
 		-v $(ROOT_MAKEFILE_PATH)/security-toolbox:$(SECURITY_TOOLBOX_TMP_DIR) \
 		registry.semaphoreci.com/ruby:3 \
-		bash -c 'cd $(APP_DIRECTORY) && $(SECURITY_TOOLBOX_TMP_DIR)/dependencies --language $(LANGUAGE) -d $(CHECK_DEPS_OPTS)'
+		bash -c 'cd $(APP_DIRECTORY) && $(SECURITY_TOOLBOX_TMP_DIR)/dependencies --language $(LANGUAGE) -d --output-dir $(SCAN_RESULT_DIR) $(CHECK_DEPS_OPTS)'
 else
 	# ruby version is set in prologue
-	cd $(APP_DIRECTORY) && $(ROOT_MAKEFILE_PATH)/security-toolbox/dependencies --language $(LANGUAGE) -d $(CHECK_DEPS_OPTS)
+	cd $(APP_DIRECTORY) && $(ROOT_MAKEFILE_PATH)/security-toolbox/dependencies --language $(LANGUAGE) -d --output-dir $(SCAN_RESULT_DIR) $(CHECK_DEPS_OPTS)
 endif
 
 check.ex.deps:

artifacthub/Makefile

@@ -4,7 +4,7 @@ include ../Makefile
 
 APP_NAME=artifacthub
 APP_ENV=prod
-INTERNAL_API_BRANCH=master
+INTERNAL_API_BRANCH?=master
 
 pb.gen:
 	rm -rf tmp && mkdir -p tmp

artifacthub/pkg/api/private/privateapi.go

@@ -121,7 +121,7 @@ func ListTransferPath(ctx context.Context, client storage.Client, artifact *mode
 				return err
 			}
 
-			result = append(result, &artifacthub.ListItem{Name: item.Path, IsDirectory: item.IsDirectory})
+			result = append(result, &artifacthub.ListItem{Name: item.Path, IsDirectory: item.IsDirectory, Size: item.Size})
 		}
 
 		return nil

artifacthub/pkg/server/private/privateserver_test.go

@@ -303,8 +303,8 @@ func Test__ListPath(t *testing.T) {
 			response, err := server.ListPath(context.TODO(), request)
 			assert.Nil(t, err)
 			assert.Equal(t, []*artifacthub.ListItem{
-				{Name: "artifacts/projects/first/file1.txt", IsDirectory: false},
-				{Name: "artifacts/projects/first/dir/", IsDirectory: true},
+				{Name: "artifacts/projects/first/file1.txt", IsDirectory: false, Size: 5},
+				{Name: "artifacts/projects/first/dir/", IsDirectory: true, Size: 0},
 			}, response.Items)
 		})
 
@@ -318,9 +318,9 @@ func Test__ListPath(t *testing.T) {
 			response, err := server.ListPath(context.TODO(), request)
 			assert.Nil(t, err)
 			assert.Equal(t, []*artifacthub.ListItem{
-				{Name: "artifacts/projects/first/dir/subfile1.txt", IsDirectory: false},
-				{Name: "artifacts/projects/first/dir/subfile2.txt", IsDirectory: false},
-				{Name: "artifacts/projects/first/file1.txt", IsDirectory: false},
+				{Name: "artifacts/projects/first/dir/subfile1.txt", IsDirectory: false, Size: 5},
+				{Name: "artifacts/projects/first/dir/subfile2.txt", IsDirectory: false, Size: 5},
+				{Name: "artifacts/projects/first/file1.txt", IsDirectory: false, Size: 5},
 			}, response.Items)
 		})
 	})

artifacthub/pkg/server/public/publicserver.go

@@ -78,8 +78,6 @@ func getAuthTokenFromContext(ctx context.Context) (string, error) {
 // artifact storage, and deleting as well.
 func (s *Server) GenerateSignedURLs(ctx context.Context,
 	q *artifacts.GenerateSignedURLsRequest) (*artifacts.GenerateSignedURLsResponse, error) {
-	log.Info("[GenerateSignedURLs] Received", zap.Reflect("request", q))
-
 	response := &artifacts.GenerateSignedURLsResponse{}
 	token, err := getAuthTokenFromContext(ctx)
 	if err != nil {
@@ -93,12 +91,22 @@ func (s *Server) GenerateSignedURLs(ctx context.Context,
 		return response, nil
 	}
 
-	artifact, err := s.authenticate(token, q.Paths)
+	artifact, claims, err := s.authenticateAndGetClaims(token, q.Paths)
 	if err != nil {
 		log.Error("Error authenticating request", zap.Error(err))
 		return nil, err
 	}
 
+	log.Info("[GenerateSignedURLs] Authenticated request",
+		zap.String("type", q.Type.String()),
+		zap.Int("paths_count", len(q.Paths)),
+		zap.Strings("paths", q.Paths),
+		zap.String("artifact", claims.ArtifactID),
+		zap.String("project", claims.Project),
+		zap.String("job", claims.Job),
+		zap.String("workflow", claims.Workflow),
+	)
+
 	var us []*artifacts.SignedURL
 	switch q.Type {
 	case artifacts.GenerateSignedURLsRequest_PUSH:
@@ -177,26 +185,23 @@ func getMaxReceiveMessageSize() int {
 	return maxReceiveMsgSize
 }
 
-func (s *Server) authenticate(token string, paths []string) (*models.Artifact, error) {
+func (s *Server) authenticateAndGetClaims(token string, paths []string) (*models.Artifact, *jwt.Claims, error) {
 	resourceType, resourceID, err := s.findAndValidateResource(paths)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	claims, err := s.validateJWT(resourceType, resourceID, token)
 	if err != nil {
-		return nil, status.Error(codes.PermissionDenied, err.Error())
+		return nil, nil, status.Error(codes.PermissionDenied, err.Error())
 	}
 
-	log.Info(
-		"Granted access to artifact storage through JWT",
-		zap.String("artifact", claims.ArtifactID),
-		zap.String("project", claims.Project),
-		zap.String("job", claims.Job),
-		zap.String("workflow", claims.Workflow),
-	)
+	artifacts, err := models.FindArtifactByID(claims.ArtifactID)
+	if err != nil {
+		return nil, nil, err
+	}
 
-	return models.FindArtifactByID(claims.ArtifactID)
+	return artifacts, claims, nil
 }
 
 func (s *Server) validateJWT(resourceType, resourceID, token string) (*jwt.Claims, error) {

artifacthub/pkg/storage/client.go

@@ -55,6 +55,7 @@ type PathItem struct {
 	Path        string
 	IsDirectory bool
 	Age         *time.Duration
+	Size        int64
 }
 
 type PathIterator interface {

artifacthub/pkg/storage/gcs_bucket.go

@@ -207,7 +207,7 @@ func (b *GcsBucket) DeleteObjects(paths []string) error {
 
 func (b *GcsBucket) ListPath(options ListOptions) (PathIterator, error) {
 	query := gcsstorage.Query{Prefix: pathutil.EndsInSlash(options.Path)}
-	err := query.SetAttrSelection([]string{"Name", "Created"})
+	err := query.SetAttrSelection([]string{"Name", "Created", "Size"})
 	if err != nil {
 		return nil, err
 	}
@@ -226,7 +226,7 @@ func (b *GcsBucket) ListPath(options ListOptions) (PathIterator, error) {
 
 func (b *GcsBucket) ListObjectsWithPagination(options ListOptions) (ObjectPager, error) {
 	query := gcsstorage.Query{Prefix: pathutil.EndsInSlash(options.Path)}
-	err := query.SetAttrSelection([]string{"Name", "Created"})
+	err := query.SetAttrSelection([]string{"Name", "Created", "Size"})
 	if err != nil {
 		return nil, err
 	}

artifacthub/pkg/storage/gcs_object_iterator.go

@@ -33,6 +33,7 @@ func (i *GcsPathIterator) Next() (*PathItem, error) {
 			Path:        attrs.Prefix,
 			IsDirectory: true,
 			Age:         nil,
+			Size:        0, // Directories don't have a size
 		}, nil
 	}
 
@@ -41,6 +42,7 @@ func (i *GcsPathIterator) Next() (*PathItem, error) {
 		Path:        attrs.Name,
 		IsDirectory: false,
 		Age:         &age,
+		Size:        attrs.Size,
 	}, nil
 }
 

artifacthub/pkg/storage/inmemstorage.go

@@ -60,7 +60,7 @@ func (b *InMemoryBucket) Size() int {
 
 func (b *InMemoryBucket) Add(path string, age time.Time) error {
 	newAge := time.Since(age)
-	b.Objects = append(b.Objects, &PathItem{Path: "artifacts" + path, Age: &newAge})
+	b.Objects = append(b.Objects, &PathItem{Path: "artifacts" + path, Age: &newAge, Size: 1024}) // Default size for testing
 
 	return nil
 }
@@ -191,5 +191,11 @@ func (b *InMemoryBucket) SetCORS(ctx context.Context) error {
 }
 
 func (b *InMemoryBucket) CreateObject(ctx context.Context, name string, content []byte) error {
+	b.Objects = append(b.Objects, &PathItem{
+		Path:        name,
+		IsDirectory: false,
+		Age:         nil,
+		Size:        int64(len(content)),
+	})
 	return nil
 }

artifacthub/pkg/storage/s3_object_iterator.go

@@ -82,6 +82,7 @@ func (i *S3PathIterator) nextAndIncrement() *PathItem {
 			Path:        i.removePathPrefix(*next.Key),
 			IsDirectory: false,
 			Age:         &age,
+			Size:        *next.Size,
 		}
 	}
 
@@ -92,6 +93,7 @@ func (i *S3PathIterator) nextAndIncrement() *PathItem {
 		Path:        i.removePathPrefix(*nextPrefix.Prefix),
 		IsDirectory: true,
 		Age:         nil,
+		Size:        0, // Directories don't have a size
 	}
 }
 

artifacthub/pkg/workers/bucketcleaner/README.md

@@ -22,10 +22,10 @@ The bucket cleaner is a distributed system based on supervisor/worker pattern.
 In this system, we have:
 
 - A supervisor called "Scheduler" that schedules which buckets need to be cleaned up
-- A worker called "Worker" which listens to the suprvisor and executes the cleanup
+- A worker called "Worker" which listens to the supervisor and executes the cleanup
 
 Communication between the supervisor and the worker is done via AMQP.
-The recomended setup for the system is to have one instance (in kubernetes a pod)
+The recommended setup for the system is to have one instance (in kubernetes a pod)
 that runs the scheduler, and multiple instances that listen and do the work.
 
 Diagram of communication:

auth/lib/auth.ex

@@ -115,7 +115,7 @@ defmodule Auth do
       !org ->
         send_resp(conn, 401, "Unauthorized")
 
-      Auth.IpFilter.block?(conn, org) ->
+      Auth.IpFilter.block?(conn.remote_ip, org) ->
         send_resp(conn, 404, blocked_ip_response(conn))
 
       true ->
@@ -326,7 +326,7 @@ defmodule Auth do
       !org ->
         {:error, :missing_organization, conn}
 
-      Auth.IpFilter.block?(conn, org) ->
+      Auth.IpFilter.block?(conn.remote_ip, org) ->
         {:error, :unauthorized_ip, conn}
 
       true ->
@@ -387,7 +387,7 @@ defmodule Auth do
       !org ->
         {:error, :missing_organization, conn}
 
-      Auth.IpFilter.block?(conn, org) ->
+      Auth.IpFilter.block?(conn.remote_ip, org) ->
         {:error, :unauthorized_ip, conn}
 
       true ->
@@ -416,7 +416,7 @@ defmodule Auth do
       !org ->
         {:error, :missing_organization, conn}
 
-      Auth.IpFilter.block?(conn, org) ->
+      Auth.IpFilter.block?(conn.remote_ip, org) ->
         {:error, :unauthorized_ip, conn}
 
       true ->
@@ -680,7 +680,7 @@ defmodule Auth do
   end
 
   defp blocked_ip_response(conn) do
-    ip = Auth.IpFilter.client_ip(conn) |> Tuple.to_list() |> Enum.join(".")
+    ip = conn.remote_ip |> :inet.ntoa()
 
     """
       You cannot access this organization from your current IP address (#{ip}) due to the security settings enabled by the organization administrator.