chore: split release notes#9312
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
@codex review |
|
Codex Review: Didn't find any major issues. Delightful! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
3909ccf to
d7301ba
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #9312 +/- ##
==========================================
- Coverage 75.21% 75.19% -0.03%
==========================================
Files 252 252
Lines 41049 41049
==========================================
- Hits 30877 30865 -12
- Misses 8078 8089 +11
- Partials 2094 2095 +1 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
Review Findings (ordered by severity)
Required fixes
- tools/src/release-notes-docs/compile.py:75-77 —
versionis not validated before being used in the output path (path traversal / invalid filenames risk). - tools/src/release-notes-docs/compile.py:78-80 — defaulting the compiled release note
dateto"Pending"can generate a versioned YAML thatyml2md.pycannot parse (docs generation failure). - tools/src/release-notes-docs/compile.py:63-67 — empty fragment files are silently ignored (and won’t be removed), contradicting the “clear fragments” guarantee; also fragment reads should use an explicit UTF-8 encoding.
- tools/src/release-notes-docs/compile.py:95-97 — compiler overwrites existing
release-notes/<version>.yamlwithout guard (risk of clobbering prior release notes). - tools/make/docs.mk:248 —
release-notes-genshould fail fast with a clear error ifRELEASE_NOTE_DATEis unset/empty.
Summary
This PR replaces the monolithic release-notes/current.yaml workflow with per-PR release note fragments under release-notes/current/, adds tooling to compile fragments into a versioned release note file, and updates lint/docs/release process documentation accordingly.
Changes:
- Add a compiler script and
make release-notes-gento generaterelease-notes/<version>.yamlfromrelease-notes/current/fragments and then clear consumed fragments. - Update linting to validate both versioned release note filenames and the fragment directory layout/filename conventions.
- Migrate existing
release-notes/current.yamlentries into fragment files and update contributor/release documentation and templates.
Reviewed changes
Copilot reviewed 49 out of 56 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tools/src/release-notes-docs/compile.py | New fragment compiler that outputs versioned YAML and deletes consumed fragment files. |
| tools/make/lint.mk | Updates lint target description for expanded release-notes validation. |
| tools/make/docs.mk | Adds release-notes-gen Make target to run the compiler. |
| tools/hack/check-release-notes-filenames.sh | Extends validation to cover release-notes/current/ fragment layout and naming. |
| site/content/en/community/RELEASING.md | Updates release process docs to compile fragments via make release-notes-gen. |
| release-notes/current/README.md | Documents the new fragment workflow, naming rules, and release compilation command. |
| release-notes/current.yaml | Removes the legacy shared “current” release notes file. |
| .github/PULL_REQUEST_TEMPLATE.md | Updates contributor instructions to add a fragment file instead of editing current.yaml. |
| .agents/skills/pr-review/SKILL.md | Updates internal review guidance to match fragment-based release notes. |
| release-notes/current/breaking_changes/.gitkeep | Keeps the breaking_changes section directory tracked. |
| release-notes/current/breaking_changes/9024-moved-gateway-api-safe-upgrades-validatingadmissionpolicy.md | Breaking-change fragment migrated from prior current.yaml. |
| release-notes/current/breaking_changes/9081-lua-envoyextensionpolicies-disabled-default-use-enablelua.md | Breaking-change fragment migrated from prior current.yaml. |
| release-notes/current/breaking_changes/9224-xratelimitheadersoptiondisabled-constant-backendtrafficpolicy-correctly-holds-value.md | Breaking-change fragment migrated from prior current.yaml. |
| release-notes/current/breaking_changes/9250-securitypolicy-spec-apikeyauth-extractfrom-admission-validation.md | Breaking-change fragment migrated from prior current.yaml. |
| release-notes/current/security_updates/.gitkeep | Keeps the security_updates section directory tracked. |
| release-notes/current/security_updates/8986-xds-server-authentication-bypass-gatewaynamespacemode-adding.md | Security update fragment migrated from prior current.yaml. |
| release-notes/current/new_features/.gitkeep | Keeps the new_features section directory tracked. |
| release-notes/current/new_features/8576-spec-clientipdetection-xforwardedfor-disablexforwardedforappend-clienttrafficpolicy-disable.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/8730-filtercontext-lua-envoyextensionpolicy-allowing-shared-lua.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/8850-disabling-crds-dependency-gateway-helm-chart.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/9008-authorization-path-match.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/9026-listenerset-targetref-kind-clienttrafficpolicy-allowing-client.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/9111-requestbody-http-active-health-checker-backendtrafficpolicy.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/9137-autosnifromendpointhostname-tls-setting-backends-allowing-sni.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/9205-xdsnacktotal-metric-track-number-nacks-received.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/9216-frommetadata-global-rate-limit-limit-backendtrafficpolicy.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/new_features/9265-failedrefetchduration-jwt-providers-securitypolicy-configuring-how.md | New feature fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/.gitkeep | Keeps the bug_fixes section directory tracked. |
| release-notes/current/bug_fixes/8744-tls-secrets-non-canonical-pem-formatting.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/8909-deduplicate-ca-certificates-clienttrafficpolicy-mtls.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/8959-xds-server-gatewaynamespacemode-serving-stale-certificate.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/8998-controller-panic-processing-backend-tls-settings.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9028-maxstreamduration-being-set-commonhttpprotocoloptions-non-route.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9042-api-key-auth-credential-ordering-avoid.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9050-envoyproxy-resource-allowing-ipv6-ranges-loadbalancersourceranges.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9056-egctl-config-commands-hanging-envoy-pod.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9068-backendtlspolicy-selection-prefer-section-name-over.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9072-missing-deprecated-warning-clienttrafficpolicy-securitypolicy.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9073-clienttrafficpolicy-tls-cipher-validation-rejecting-supported.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9099-egctl-x-status-all-xroute-xpolicy.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9100-kubernetes-provider-namespace-scoped-watches-always.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9129-httproute-grpcroute-tlsroute-tcproute-udproute-accepted.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9138-kubernetes-service-serviceimport-appprotocol-values-kubernetes.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9162-backend-tls-alpnprotocols-disable-upstream-alpn.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9182-generated-install-yaml-creating-duplicate-validatingadmissionpolicy.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9190-externalname-service-referenced-route-backend-producing.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9192-listenerset-hostname-conflict-resolution-apply-listener.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9209-gateway-status-reporting-programmed-false-reason.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9214-envoygateway-config-hot-reload-apply-defaults.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9234-upstream-proxy-protocol-clusters-preserve-generated.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9238-httproute-per-retry-timeout-derived-rule.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/bug_fixes/9245-shared-global-rate-limit-rules-cost.md | Bug fix fragment migrated from prior current.yaml. |
| release-notes/current/deprecations/.gitkeep | Keeps the deprecations section directory tracked. |
| release-notes/current/deprecations/9081-disablelua-extensionapis-deprecated-favor-enablelua.md | Deprecation fragment migrated from prior current.yaml. |
| release-notes/current/performance_improvements/.gitkeep | Keeps the performance_improvements section directory tracked. |
| release-notes/current/other_changes/.gitkeep | Keeps the other_changes section directory tracked. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
There was a problem hiding this comment.
Git ignores empty directories, so we need this file to keep these directories tracked.
|
/retest |
|
LGTM, thanks! |
* split release notes Signed-off-by: Huabing (Robin) Zhao <[email protected]> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> * address copilot comments Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Copilot Autofix powered by AI <[email protected]> Signed-off-by: liuhy <[email protected]>
Drop the stripPortMode (Any|Matching) enum on ClientTrafficPolicy's host section and replace it with a stripPort *bool that maps to Envoy's strip_any_host_port (unconditional stripping). The Matching mode mapped to strip_matching_host_port, which compares the Host header port against the Envoy listener port. Since a Gateway listener on e.g. port 80 is translated to an Envoy listener on port 10080, Matching never strips the port clients actually use, so it was silently ineffective. As discussed in the PR review, only unconditional stripping is exposed, expressed as a boolean per maintainer suggestion. Regenerated CRDs, deepcopy, helm snapshots, docs and golden testdata, and renamed the strip-port-matching gatewayapi test to strip-port. The release note is now a fragment under release-notes/current/new_features/ following the split-release-notes workflow (envoyproxy#9312). Signed-off-by: Salim Boulkour <[email protected]>
…ilters Geo/IP deny rules in SecurityPolicy.authorization were not enforced before OAuth2/OIDC and other authentication filters, so a blocked client received a 302 redirect to the IdP instead of a 403. Implement Option A (auto-split, no API change) from envoyproxy#8913: - Emit an internal pre-auth RBAC filter (envoy.filters.http.pre_auth_rbac) before the authentication filters that enforces the leading contiguous run of authentication-independent rules (clientCIDRs / clientIPGeoLocations) with an Allow default action. - Keep the main RBAC filter after authentication enforcing the full policy and the real default action. - Move the GeoIP filter ahead of both so geo headers are populated first. The pre-auth filter holds a duplicated leading prefix (not a partition) to preserve first-match-wins semantics; it can only deny requests the main filter would also deny. It is only emitted when the route has both a pre-RBAC authentication mechanism and a non-empty auth-independent prefix. Add unit tests for the prefix/eligibility helpers, filter-ordering and custom filterOrder regression tests, and two translator golden scenarios (single geo deny + OIDC, and a mixed geo/CIDR deny + JWT-claim policy). Release notes are provided as fragments under release-notes/current/ (breaking_changes and bug_fixes) following the split-release-notes workflow (envoyproxy#9312). Fixes envoyproxy#8913 Signed-off-by: Salim Boulkour <[email protected]>
Replace the removed monolithic release-notes/current.yaml edits with per-section fragment files introduced by envoyproxy#9312: * breaking_changes/8956: clientIPDetection now requires exactly one mode. * new_features/8956: add directRemoteAddress for L4-transparent geoip. Signed-off-by: Salim Boulkour <[email protected]>
Replace the removed monolithic release-notes/current.yaml edits with per-section fragment files introduced by envoyproxy#9312: * breaking_changes/8956: clientIPDetection now requires exactly one mode. * new_features/8956: add directRemoteAddress for L4-transparent geoip. Signed-off-by: Salim Boulkour <[email protected]>
* split release notes Signed-off-by: Huabing (Robin) Zhao <[email protected]> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> * address copilot comments Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Replace the removed monolithic release-notes/current.yaml edits with per-section fragment files introduced by envoyproxy#9312: * breaking_changes/8956: clientIPDetection now requires exactly one mode. * new_features/8956: add directRemoteAddress for L4-transparent geoip. Signed-off-by: Salim Boulkour <[email protected]>
Replace the removed monolithic release-notes/current.yaml edits with per-section fragment files introduced by envoyproxy#9312: * breaking_changes/8956: clientIPDetection now requires exactly one mode. * new_features/8956: add directRemoteAddress for L4-transparent geoip. Signed-off-by: Salim Boulkour <[email protected]>
What type of PR is this?
What this PR does / why we need it:
This PR splits
current.yamlinto multiple release note fragments, so multiple PRs can add release notes independently without frequent merge conflicts or needing to rebase on main as often.Inspired by envoy changelogs.
Which issue(s) this PR fixes:
Fixes #
Release Notes: No