Merge branch 'main' into has/secrethub/oidc-short-sub

Author: hamir-suspect

docs/docs/getting-started/changelog.md

@@ -8,6 +8,32 @@ Thank you for using Semaphore!
 We continuously deploy changes that improve our product for our customers.
 This page is updated on a weekly basis.
 
+### Week of Sept 29 2025
+
+**(New)** New macOS Image will be released
+
+- Name: macos-xcode26
+- Availability: a2-standard-4 agent type
+
+**(New)** New packages:
+
+- Xcode 26
+- iOS simulator 26
+- iOS simulator 18.6
+
+**(Updated)** Updated packages:
+- macOS 16 -> 26
+- (System) Ruby 3.4.4 -> 3.4.6
+- Flutter 3.32.1 -> 3.35.4
+- Homebrew 4.5.3 -> 4.6.11
+- Fastlane 2.227.2 -> 2.228.0
+- Postgres 14.18 -> 14.19
+
+**(Removed)** Removed packages:
+- iOS simulator versions below 18.6
+
+
+
 ### Week of Jun 9 2025
 
 **(Improved) macos-xcode16 (apple silicon) image update**

encryptor/Dockerfile

@@ -11,7 +11,7 @@ ENV APP_NAME=${APP_NAME}
 RUN echo "Build of $APP_NAME started"
 
 RUN apt-get update -y && apt-get install --no-install-recommends -y ca-certificates unzip curl libc-bin libc6 \
-    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
 WORKDIR /app
 COPY pkg pkg
@@ -32,7 +32,7 @@ RUN curl -sL https://github.com/google/protobuf/releases/download/v3.3.0/protoc-
 WORKDIR /app
 RUN go install github.com/mgechev/[email protected]
 RUN go install gotest.tools/[email protected]
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.7
 
 CMD [ "/bin/bash",  "-c \"while sleep 1000; do :; done\"" ]
 
@@ -48,7 +48,7 @@ LABEL org.opencontainers.image.source https://github.com/semaphoreio/semaphore
 # postgresql-client needs to be installed here too,
 # otherwise the createdb command won't work.
 RUN apt-get update -y && apt-get install --no-install-recommends -y ca-certificates \
-    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
 # We don't need Docker health checks, since these containers
 # are intended to run in Kubernetes pods, which have probes.

guard/config/config.exs

@@ -126,4 +126,7 @@ config :guard, Guard.OrganizationCleaner,
 
 config :guard, :hard_destroy_grace_period_days, 30
 
+config :guard, :posthog_api_key, ""
+config :guard, :posthog_host, "https://app.posthog.com"
+
 import_config "#{config_env()}.exs"

guard/config/runtime.exs

@@ -166,6 +166,9 @@ config :guard,
        :hide_gitlab_login_page,
        System.get_env("HIDE_GITLAB_LOGIN_PAGE") == "true"
 
+config :guard, :posthog_api_key, System.get_env("POSTHOG_API_KEY")
+config :guard, :posthog_host, System.get_env("POSTHOG_HOST") || "https://app.posthog.com"
+
 if System.get_env("AMQP_URL") != nil do
   config :amqp,
     connections: [

guard/lib/guard/id/api.ex

@@ -188,6 +188,12 @@ defmodule Guard.Id.Api do
   end
 
   defp render_signup_page(conn, assigns) do
+    assigns =
+      Keyword.merge(assigns,
+        posthog_api_key: Application.get_env(:guard, :posthog_api_key, ""),
+        posthog_host: Application.get_env(:guard, :posthog_host, "https://app.posthog.com")
+      )
+
     html_content = Guard.TemplateRenderer.render_template([assigns: assigns], "signup.html")
 
     conn
@@ -326,6 +332,12 @@ defmodule Guard.Id.Api do
   end
 
   defp render_login_page(conn, assigns) do
+    assigns =
+      Keyword.merge(assigns,
+        posthog_api_key: Application.get_env(:guard, :posthog_api_key, ""),
+        posthog_host: Application.get_env(:guard, :posthog_host, "https://app.posthog.com")
+      )
+
     html_content = Guard.TemplateRenderer.render_template([assigns: assigns], "login.html")
 
     conn

guard/templates/login.html.eex

@@ -41,6 +41,17 @@
       <meta name="twitter:data1" content="1 minute" />
       <meta name="twitter:label2" content="Written by" />
       <meta name="twitter:data2" content="Semaphore Team" />
+      <%= if assigns[:posthog_api_key] && assigns[:posthog_api_key] != "" do %>
+      <script>
+        !function(t,e){var o,n,p,r;e.__SV||(window.posthog=e,e._i=[],e.init=function(i,s,a){function g(t,e){var o=e.split(".");2==o.length&&(t=t[o[0]],e=o[1]),t[e]=function(){t.push([e].concat(Array.prototype.slice.call(arguments,0)))}}(p=t.createElement("script")).type="text/javascript",p.crossOrigin="anonymous",p.async=!0,p.src=s.api_host.replace(".i.posthog.com","-assets.i.posthog.com")+"/static/array.js",(r=t.getElementsByTagName("script")[0]).parentNode.insertBefore(p,r);var u=e;for(void 0!==a?u=e[a]=[]:a="posthog",u.people=u.people||[],u.toString=function(t){var e="posthog";return"posthog"!==a&&(e+="."+a),t||(e+=" (stub)"),e},u.people.toString=function(){return u.toString(1)+".people (stub)"},o="init Ce js Ls Te Fs Ds capture Ye calculateEventProperties Us register register_once register_for_session unregister unregister_for_session Ws getFeatureFlag getFeatureFlagPayload isFeatureEnabled reloadFeatureFlags updateEarlyAccessFeatureEnrollment getEarlyAccessFeatures on onFeatureFlags onSurveysLoaded onSessionId getSurveys getActiveMatchingSurveys renderSurvey displaySurvey canRenderSurvey canRenderSurveyAsync identify setPersonProperties group resetGroups setPersonPropertiesForFlags resetPersonPropertiesForFlags setGroupPropertiesForFlags resetGroupPropertiesForFlags reset get_distinct_id getGroups get_session_id get_session_replay_url alias set_config startSessionRecording stopSessionRecording sessionRecordingStarted captureException loadToolbar get_property getSessionProperty Bs zs createPersonProfile Hs Ms Gs opt_in_capturing opt_out_capturing has_opted_in_capturing has_opted_out_capturing get_explicit_consent_status is_capturing clear_opt_in_out_capturing Ns debug L qs getPageViewId captureTraceFeedback captureTraceMetric".split(" "),n=0;n<o.length;n++)g(u,o[n]);e._i.push([i,s,a])},e.__SV=1)}(document,window.posthog||[]);
+
+        posthog.init('<%= assigns[:posthog_api_key] %>', {
+          api_host: '<%= assigns[:posthog_host] %>',
+          defaults: '2025-05-24',
+          person_profiles: 'identified_only'
+        });
+      </script>
+      <% end %>
    </head>
    <body class="page-template-default page page-id-19406 wp-embed-responsive no-sidebar">
       <div id="page" class="site no-header-no-footer green   v8theme ">

guard/templates/signup.html.eex

@@ -44,6 +44,17 @@
     <meta name="twitter:data1" content="1 minute">
     <meta name="twitter:label2" content="Written by">
     <meta name="twitter:data2" content="Semaphore Team">
+    <%= if assigns[:posthog_api_key] && assigns[:posthog_api_key] != "" do %>
+    <script>
+      !function(t,e){var o,n,p,r;e.__SV||(window.posthog=e,e._i=[],e.init=function(i,s,a){function g(t,e){var o=e.split(".");2==o.length&&(t=t[o[0]],e=o[1]),t[e]=function(){t.push([e].concat(Array.prototype.slice.call(arguments,0)))}}(p=t.createElement("script")).type="text/javascript",p.crossOrigin="anonymous",p.async=!0,p.src=s.api_host.replace(".i.posthog.com","-assets.i.posthog.com")+"/static/array.js",(r=t.getElementsByTagName("script")[0]).parentNode.insertBefore(p,r);var u=e;for(void 0!==a?u=e[a]=[]:a="posthog",u.people=u.people||[],u.toString=function(t){var e="posthog";return"posthog"!==a&&(e+="."+a),t||(e+=" (stub)"),e},u.people.toString=function(){return u.toString(1)+".people (stub)"},o="init Ce js Ls Te Fs Ds capture Ye calculateEventProperties Us register register_once register_for_session unregister unregister_for_session Ws getFeatureFlag getFeatureFlagPayload isFeatureEnabled reloadFeatureFlags updateEarlyAccessFeatureEnrollment getEarlyAccessFeatures on onFeatureFlags onSurveysLoaded onSessionId getSurveys getActiveMatchingSurveys renderSurvey displaySurvey canRenderSurvey canRenderSurveyAsync identify setPersonProperties group resetGroups setPersonPropertiesForFlags resetPersonPropertiesForFlags setGroupPropertiesForFlags resetGroupPropertiesForFlags reset get_distinct_id getGroups get_session_id get_session_replay_url alias set_config startSessionRecording stopSessionRecording sessionRecordingStarted captureException loadToolbar get_property getSessionProperty Bs zs createPersonProfile Hs Ms Gs opt_in_capturing opt_out_capturing has_opted_in_capturing has_opted_out_capturing get_explicit_consent_status is_capturing clear_opt_in_out_capturing Ns debug L qs getPageViewId captureTraceFeedback captureTraceMetric".split(" "),n=0;n<o.length;n++)g(u,o[n]);e._i.push([i,s,a])},e.__SV=1)}(document,window.posthog||[]);
+
+      posthog.init('<%= assigns[:posthog_api_key] %>', {
+        api_host: '<%= assigns[:posthog_host] %>',
+        defaults: '2025-05-24',
+        person_profiles: 'identified_only'
+      });
+    </script>
+    <% end %>
   </head>
   <body class="page-template-default page page-id-19406 wp-embed-responsive no-sidebar">
     <header>

public-api-gateway/Dockerfile

@@ -11,7 +11,7 @@ ENV APP_NAME=${APP_NAME}
 RUN echo "Build of $APP_NAME started"
 
 RUN apt-get update -y && apt-get install --no-install-recommends -y ca-certificates unzip curl libc-bin libc6 \
-    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
 WORKDIR /tmp
 RUN curl -sL https://github.com/google/protobuf/releases/download/v3.3.0/protoc-3.3.0-linux-x86_64.zip -o protoc && \
@@ -22,8 +22,8 @@ WORKDIR /app
 
 RUN go install github.com/mgechev/[email protected]
 RUN go install gotest.tools/[email protected]
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
-RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.7
+RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
 
 FROM base AS dev
 

repohub/Dockerfile

@@ -61,9 +61,9 @@ RUN curl -sL https://github.com/golang-migrate/migrate/releases/download/v4.18.1
 
 WORKDIR /app
 RUN go install github.com/mgechev/[email protected]
-RUN go install gotest.tools/gotestsum@latest
-RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+RUN go install gotest.tools/gotestsum@v1.12.1
+RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.8
 
 CMD [ "/bin/bash",  "-c \"while sleep 1000; do :; done\"" ]
 

repository_hub/lib/repository_hub/clients/github_client.ex

@@ -32,6 +32,8 @@ defmodule RepositoryHub.GithubClient do
   @err_not_found "Repository not found. If this is a private repository, it looks like you haven't authorized Semaphore with GitHub, please visit https://docs.semaphoreci.com/using-semaphore/connect-github#troubleshooting-guide to read more."
   @err_not_authorized "It looks like you haven't authorized Semaphore with GitHub, please visit https://docs.semaphoreci.com/using-semaphore/connect-github#troubleshooting-guide to read more."
 
+  @api_url "https://api.github.com"
+
   def repository_permissions(params, opts \\ []) do
     owner = params.repo_owner
     repo = params.repo_name
@@ -641,33 +643,28 @@ defmodule RepositoryHub.GithubClient do
   end
 
   @impl true
+  # https://docs.github.com/en/rest/repos/webhooks?apiVersion=2022-11-28#delete-a-repository-webhook
   def remove_webhook(params, opts \\ []) do
-    with_client(opts[:token], params.repo_owner, :remove_webhook, fn client ->
-      client
-      |> Tentacat.Hooks.remove(
-        params.repo_owner,
-        params.repo_name,
-        params.webhook_id
-      )
-      |> case do
-        {204, _, _} ->
-          wrap(:ok)
+    "#{@api_url}/repos/#{params.repo_owner}/#{params.repo_name}/hooks/#{params.webhook_id}"
+    |> http_delete(opts[:token])
+    |> unwrap(fn response ->
+      {response.status_code, response.body, response.headers, response.request_url}
+    end)
+    |> unwrap(fn
+      {204, _, _, _} ->
+        wrap(:ok)
 
-        {307, _, response} ->
-          fail_with(:precondition, "Removing webhook failed. #{fetch_status_message(response)}")
+      {404, _, _, _} ->
+        wrap(:ok)
 
-        {404, _, _} ->
-          wrap(:ok)
-
-        {status, _, resp} ->
-          log_error([
-            "removing webhook #{params.repo_owner}/#{params.repo_name}",
-            "status: #{status}",
-            "response: #{inspect_response(resp)}"
-          ])
+      {status, encoded_body, _, _} ->
+        log_error([
+          "removing webhook #{params.repo_owner}/#{params.repo_name}",
+          "status: #{status}",
+          "response: #{inspect(encoded_body)}"
+        ])
 
-          fail_with(:precondition, "Removing webhook failed.")
-      end
+        fail_with(:precondition, "Removing webhook failed.")
     end)
   end
 
@@ -941,6 +938,25 @@ defmodule RepositoryHub.GithubClient do
     inspect(%{response | request: %{response.request | headers: request_headers}})
   end
 
+  defp http_delete(resource, token) do
+    resource
+    |> HTTPoison.delete(request_headers(token), options())
+  end
+
+  defp options(opts \\ []) do
+    [recv_timeout: 25_000]
+    |> Keyword.merge(opts)
+  end
+
+  defp request_headers(token) do
+    [
+      {"Content-Type", "application/json"},
+      {"Accept", "application/vnd.github+json"},
+      {"X-GitHub-Api-Version", "2022-11-28"},
+      {"Authorization", "Bearer #{token}"}
+    ]
+  end
+
   defmodule Webhook do
     def url(project_id) do
       host = Application.fetch_env!(:repository_hub, :webhook_host)