Skip to content

chore: split release notes#9312

Merged
zhaohuabing merged 5 commits into
envoyproxy:mainfrom
zhaohuabing:split-release-notes-fragments
Jun 24, 2026
Merged

chore: split release notes#9312
zhaohuabing merged 5 commits into
envoyproxy:mainfrom
zhaohuabing:split-release-notes-fragments

Conversation

@zhaohuabing

@zhaohuabing zhaohuabing commented Jun 23, 2026

Copy link
Copy Markdown
Member

What type of PR is this?

What this PR does / why we need it:

This PR splits current.yaml into multiple release note fragments, so multiple PRs can add release notes independently without frequent merge conflicts or needing to rebase on main as often.

Inspired by envoy changelogs.

Which issue(s) this PR fixes:

Fixes #

Release Notes: No

@zhaohuabing zhaohuabing requested a review from a team as a code owner June 23, 2026 10:16
@netlify

netlify Bot commented Jun 23, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit be48479
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a3b3cb4a1b4bb000836e288
😎 Deploy Preview https://deploy-preview-9312--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@zhaohuabing zhaohuabing changed the title Split release notes chore: split release notes Jun 23, 2026
@zhaohuabing

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Delightful!

Reviewed commit: 3909ccf900

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
@codecov

codecov Bot commented Jun 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.19%. Comparing base (8bf25a6) to head (be48479).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9312      +/-   ##
==========================================
- Coverage   75.21%   75.19%   -0.03%     
==========================================
  Files         252      252              
  Lines       41049    41049              
==========================================
- Hits        30877    30865      -12     
- Misses       8078     8089      +11     
- Partials     2094     2095       +1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Review Findings (ordered by severity)

Required fixes

  • tools/src/release-notes-docs/compile.py:75-77version is not validated before being used in the output path (path traversal / invalid filenames risk).
  • tools/src/release-notes-docs/compile.py:78-80 — defaulting the compiled release note date to "Pending" can generate a versioned YAML that yml2md.py cannot parse (docs generation failure).
  • tools/src/release-notes-docs/compile.py:63-67 — empty fragment files are silently ignored (and won’t be removed), contradicting the “clear fragments” guarantee; also fragment reads should use an explicit UTF-8 encoding.
  • tools/src/release-notes-docs/compile.py:95-97 — compiler overwrites existing release-notes/<version>.yaml without guard (risk of clobbering prior release notes).
  • tools/make/docs.mk:248release-notes-gen should fail fast with a clear error if RELEASE_NOTE_DATE is unset/empty.

Summary

This PR replaces the monolithic release-notes/current.yaml workflow with per-PR release note fragments under release-notes/current/, adds tooling to compile fragments into a versioned release note file, and updates lint/docs/release process documentation accordingly.

Changes:

  • Add a compiler script and make release-notes-gen to generate release-notes/<version>.yaml from release-notes/current/ fragments and then clear consumed fragments.
  • Update linting to validate both versioned release note filenames and the fragment directory layout/filename conventions.
  • Migrate existing release-notes/current.yaml entries into fragment files and update contributor/release documentation and templates.

Reviewed changes

Copilot reviewed 49 out of 56 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
tools/src/release-notes-docs/compile.py New fragment compiler that outputs versioned YAML and deletes consumed fragment files.
tools/make/lint.mk Updates lint target description for expanded release-notes validation.
tools/make/docs.mk Adds release-notes-gen Make target to run the compiler.
tools/hack/check-release-notes-filenames.sh Extends validation to cover release-notes/current/ fragment layout and naming.
site/content/en/community/RELEASING.md Updates release process docs to compile fragments via make release-notes-gen.
release-notes/current/README.md Documents the new fragment workflow, naming rules, and release compilation command.
release-notes/current.yaml Removes the legacy shared “current” release notes file.
.github/PULL_REQUEST_TEMPLATE.md Updates contributor instructions to add a fragment file instead of editing current.yaml.
.agents/skills/pr-review/SKILL.md Updates internal review guidance to match fragment-based release notes.
release-notes/current/breaking_changes/.gitkeep Keeps the breaking_changes section directory tracked.
release-notes/current/breaking_changes/9024-moved-gateway-api-safe-upgrades-validatingadmissionpolicy.md Breaking-change fragment migrated from prior current.yaml.
release-notes/current/breaking_changes/9081-lua-envoyextensionpolicies-disabled-default-use-enablelua.md Breaking-change fragment migrated from prior current.yaml.
release-notes/current/breaking_changes/9224-xratelimitheadersoptiondisabled-constant-backendtrafficpolicy-correctly-holds-value.md Breaking-change fragment migrated from prior current.yaml.
release-notes/current/breaking_changes/9250-securitypolicy-spec-apikeyauth-extractfrom-admission-validation.md Breaking-change fragment migrated from prior current.yaml.
release-notes/current/security_updates/.gitkeep Keeps the security_updates section directory tracked.
release-notes/current/security_updates/8986-xds-server-authentication-bypass-gatewaynamespacemode-adding.md Security update fragment migrated from prior current.yaml.
release-notes/current/new_features/.gitkeep Keeps the new_features section directory tracked.
release-notes/current/new_features/8576-spec-clientipdetection-xforwardedfor-disablexforwardedforappend-clienttrafficpolicy-disable.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/8730-filtercontext-lua-envoyextensionpolicy-allowing-shared-lua.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/8850-disabling-crds-dependency-gateway-helm-chart.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/9008-authorization-path-match.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/9026-listenerset-targetref-kind-clienttrafficpolicy-allowing-client.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/9111-requestbody-http-active-health-checker-backendtrafficpolicy.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/9137-autosnifromendpointhostname-tls-setting-backends-allowing-sni.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/9205-xdsnacktotal-metric-track-number-nacks-received.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/9216-frommetadata-global-rate-limit-limit-backendtrafficpolicy.md New feature fragment migrated from prior current.yaml.
release-notes/current/new_features/9265-failedrefetchduration-jwt-providers-securitypolicy-configuring-how.md New feature fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/.gitkeep Keeps the bug_fixes section directory tracked.
release-notes/current/bug_fixes/8744-tls-secrets-non-canonical-pem-formatting.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/8909-deduplicate-ca-certificates-clienttrafficpolicy-mtls.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/8959-xds-server-gatewaynamespacemode-serving-stale-certificate.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/8998-controller-panic-processing-backend-tls-settings.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9028-maxstreamduration-being-set-commonhttpprotocoloptions-non-route.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9042-api-key-auth-credential-ordering-avoid.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9050-envoyproxy-resource-allowing-ipv6-ranges-loadbalancersourceranges.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9056-egctl-config-commands-hanging-envoy-pod.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9068-backendtlspolicy-selection-prefer-section-name-over.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9072-missing-deprecated-warning-clienttrafficpolicy-securitypolicy.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9073-clienttrafficpolicy-tls-cipher-validation-rejecting-supported.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9099-egctl-x-status-all-xroute-xpolicy.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9100-kubernetes-provider-namespace-scoped-watches-always.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9129-httproute-grpcroute-tlsroute-tcproute-udproute-accepted.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9138-kubernetes-service-serviceimport-appprotocol-values-kubernetes.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9162-backend-tls-alpnprotocols-disable-upstream-alpn.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9182-generated-install-yaml-creating-duplicate-validatingadmissionpolicy.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9190-externalname-service-referenced-route-backend-producing.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9192-listenerset-hostname-conflict-resolution-apply-listener.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9209-gateway-status-reporting-programmed-false-reason.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9214-envoygateway-config-hot-reload-apply-defaults.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9234-upstream-proxy-protocol-clusters-preserve-generated.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9238-httproute-per-retry-timeout-derived-rule.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/bug_fixes/9245-shared-global-rate-limit-rules-cost.md Bug fix fragment migrated from prior current.yaml.
release-notes/current/deprecations/.gitkeep Keeps the deprecations section directory tracked.
release-notes/current/deprecations/9081-disablelua-extensionapis-deprecated-favor-enablelua.md Deprecation fragment migrated from prior current.yaml.
release-notes/current/performance_improvements/.gitkeep Keeps the performance_improvements section directory tracked.
release-notes/current/other_changes/.gitkeep Keeps the other_changes section directory tracked.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tools/src/release-notes-docs/compile.py
Comment thread tools/src/release-notes-docs/compile.py Outdated
Comment thread tools/src/release-notes-docs/compile.py Outdated
Comment thread tools/src/release-notes-docs/compile.py
Comment thread tools/make/docs.mk
zhaohuabing and others added 2 commits June 23, 2026 18:41
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need this?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Git ignores empty directories, so we need this file to keep these directories tracked.

@zhaohuabing

Copy link
Copy Markdown
Member Author

/retest

@zhaohuabing zhaohuabing requested review from a team and zirain June 24, 2026 00:58
@zhaohuabing zhaohuabing requested a review from a team June 24, 2026 02:18
@kkk777-7

Copy link
Copy Markdown
Member

LGTM, thanks!

@zhaohuabing zhaohuabing merged commit cdda179 into envoyproxy:main Jun 24, 2026
64 of 68 checks passed
@zhaohuabing zhaohuabing deleted the split-release-notes-fragments branch June 24, 2026 06:14
Aias00 pushed a commit to Aias00/gateway that referenced this pull request Jun 24, 2026
* split release notes

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* address copilot comments

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: liuhy <[email protected]>
sboulkour added a commit to sboulkour/gateway that referenced this pull request Jun 26, 2026
Drop the stripPortMode (Any|Matching) enum on ClientTrafficPolicy's host
section and replace it with a stripPort *bool that maps to Envoy's
strip_any_host_port (unconditional stripping).

The Matching mode mapped to strip_matching_host_port, which compares the
Host header port against the Envoy listener port. Since a Gateway listener
on e.g. port 80 is translated to an Envoy listener on port 10080, Matching
never strips the port clients actually use, so it was silently ineffective.
As discussed in the PR review, only unconditional stripping is exposed,
expressed as a boolean per maintainer suggestion.

Regenerated CRDs, deepcopy, helm snapshots, docs and golden testdata, and
renamed the strip-port-matching gatewayapi test to strip-port. The release
note is now a fragment under release-notes/current/new_features/ following
the split-release-notes workflow (envoyproxy#9312).

Signed-off-by: Salim Boulkour <[email protected]>
sboulkour added a commit to sboulkour/gateway that referenced this pull request Jun 26, 2026
…ilters

Geo/IP deny rules in SecurityPolicy.authorization were not enforced before OAuth2/OIDC and other authentication filters, so a blocked client received a 302 redirect to the IdP instead of a 403.

Implement Option A (auto-split, no API change) from envoyproxy#8913:
- Emit an internal pre-auth RBAC filter (envoy.filters.http.pre_auth_rbac) before the authentication filters that enforces the leading contiguous run of authentication-independent rules (clientCIDRs / clientIPGeoLocations) with an Allow default action.
- Keep the main RBAC filter after authentication enforcing the full policy and the real default action.
- Move the GeoIP filter ahead of both so geo headers are populated first.

The pre-auth filter holds a duplicated leading prefix (not a partition) to preserve first-match-wins semantics; it can only deny requests the main filter would also deny. It is only emitted when the route has both a pre-RBAC authentication mechanism and a non-empty auth-independent prefix.

Add unit tests for the prefix/eligibility helpers, filter-ordering and custom filterOrder regression tests, and two translator golden scenarios (single geo deny + OIDC, and a mixed geo/CIDR deny + JWT-claim policy).

Release notes are provided as fragments under release-notes/current/ (breaking_changes and bug_fixes) following the split-release-notes workflow (envoyproxy#9312).

Fixes envoyproxy#8913

Signed-off-by: Salim Boulkour <[email protected]>
sboulkour added a commit to sboulkour/gateway that referenced this pull request Jun 26, 2026
Replace the removed monolithic release-notes/current.yaml edits with
per-section fragment files introduced by envoyproxy#9312:
* breaking_changes/8956: clientIPDetection now requires exactly one mode.
* new_features/8956: add directRemoteAddress for L4-transparent geoip.

Signed-off-by: Salim Boulkour <[email protected]>
sboulkour added a commit to sboulkour/gateway that referenced this pull request Jun 30, 2026
Replace the removed monolithic release-notes/current.yaml edits with
per-section fragment files introduced by envoyproxy#9312:
* breaking_changes/8956: clientIPDetection now requires exactly one mode.
* new_features/8956: add directRemoteAddress for L4-transparent geoip.

Signed-off-by: Salim Boulkour <[email protected]>
guydc pushed a commit to guydc/gateway that referenced this pull request Jun 30, 2026
* split release notes

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* address copilot comments

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
zhaohuabing pushed a commit to sboulkour/gateway that referenced this pull request Jul 1, 2026
Replace the removed monolithic release-notes/current.yaml edits with
per-section fragment files introduced by envoyproxy#9312:
* breaking_changes/8956: clientIPDetection now requires exactly one mode.
* new_features/8956: add directRemoteAddress for L4-transparent geoip.

Signed-off-by: Salim Boulkour <[email protected]>
zirain pushed a commit to sboulkour/gateway that referenced this pull request Jul 6, 2026
Replace the removed monolithic release-notes/current.yaml edits with
per-section fragment files introduced by envoyproxy#9312:
* breaking_changes/8956: clientIPDetection now requires exactly one mode.
* new_features/8956: add directRemoteAddress for L4-transparent geoip.

Signed-off-by: Salim Boulkour <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants