[pull] master from trailofbits:master #113
Merged
Conversation
* Clean up README.md donation options and badges

  - Remove Flattr and Bountysource donation options from badges and text
  - Remove Actions workflow status badge
  - Update Twitter/X link to use x.com domain

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* Update version requirements for better consistency and accuracy

  - Update Ubuntu references to 22.04 LTS or later throughout documentation
  - Ensure Python version requirement consistently states 3.10 or later
  - Update macOS references from Catalina (10.15) to Big Sur (11.0) for better accuracy
  - Update Windows references to include Windows 11 alongside Windows 10
  - Update Windows Store Ubuntu link from 20.04 to 22.04 LTS

  These changes improve user experience by providing current and consistent version requirements across all documentation.

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* refine: Simplify README version references

  - Feature list: Windows 11 only (cleaner than 10/11)
  - Remove specific Ubuntu version from feature list
  - Remove 'or later' from Python requirements (just Python 3.10)
  - Keep Linux installation section generic without version numbers

---------

Co-authored-by: Claude <noreply@anthropic.com>
* fix: Add IPv6 support for WireGuard endpoint addresses

  Fixes issue where IPv6 addresses in WireGuard configuration files were not properly formatted with square brackets when used with port numbers. The WireGuard client configuration template now detects IPv6 addresses using the ansible.utils.ipv6 filter and wraps them in brackets as required by the WireGuard configuration format.

  Example outputs:
  - IPv4: 192.168.1.1:51820
  - IPv6: [2600:3c01::f03c:91ff:fedf:3b2a]:51820
  - Hostname: vpn.example.com:51820

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Correct Azure requirements file path to fix deployment failures

  The previous fix in commit 7acdca0 updated to Azure collection v3.7.0 but referenced the incorrect requirements file name. The file is now called requirements.txt instead of requirements-azure.txt in v3.7.0.

  This fixes the Azure deployment failure where pip cannot find the requirements file, preventing users from deploying VPN servers on Azure.

  Also added no_log: true to prevent potential credential leakage during the pip installation process.

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* fix: resolve AWS CloudFormation linter warnings (#14294)

  This commit addresses all the CloudFormation linting issues identified in issue #14294:

  - Remove unused PublicSSHKeyParameter from CloudFormation template and task parameters. The SSH public key is now injected directly via cloud-init template instead of being passed as a CloudFormation parameter
  - Update ImageIdParameter type from String to AWS::EC2::Image::Id for better type safety
  - Remove obsolete DependsOn attributes that are automatically enforced by CloudFormation through Ref and GetAtt functions

  All changes verified with cfn-lint which now passes without warnings.

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Replace ansible.utils.ipv6 filter with simple colon detection

  The ansible.utils.ipv6 filter is not available in the test environment, causing the Smart Test Selection workflow to fail. This change replaces it with a simple string check for colons (':') which reliably detects IPv6 addresses since they contain colons while IPv4 addresses do not.

  The fix maintains the same functionality:
  - IPv6 addresses: [2600:3c01::f03c:91ff:fedf:3b2a]:51820
  - IPv4 addresses: 192.168.1.1:51820

  This resolves the failing workflow tests in PR #14782.

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
…res (#14781)

* fix: Add IPv6 support for WireGuard endpoint addresses

  Fixes issue where IPv6 addresses in WireGuard configuration files were not properly formatted with square brackets when used with port numbers. The WireGuard client configuration template now detects IPv6 addresses using the ansible.utils.ipv6 filter and wraps them in brackets as required by the WireGuard configuration format.

  Example outputs:
  - IPv4: 192.168.1.1:51820
  - IPv6: [2600:3c01::f03c:91ff:fedf:3b2a]:51820
  - Hostname: vpn.example.com:51820

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Correct Azure requirements file path to fix deployment failures

  The previous fix in commit 7acdca0 updated to Azure collection v3.7.0 but referenced the incorrect requirements file name. The file is now called requirements.txt instead of requirements-azure.txt in v3.7.0.

  This fixes the Azure deployment failure where pip cannot find the requirements file, preventing users from deploying VPN servers on Azure.

  Also added no_log: true to prevent potential credential leakage during the pip installation process.

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Use simple colon check for IPv6 detection in WireGuard template

  The previous implementation used `ansible.utils.ipv6` filter which is not available in the current environment, causing the Smart Test Selection workflow to fail with "No filter named 'ansible.utils.ipv6' found."

  This change replaces the filter with a simple string check for colons (':') which is a reliable way to detect IPv6 addresses since they contain colons while IPv4 addresses and hostnames typically don't.

  The fix maintains the same functionality:
  - IPv6 addresses: `[2600:3c01::f03c:91ff:fedf:3b2a]:51820`
  - IPv4 addresses: `192.168.1.1:51820`
  - Hostnames: `vpn.example.com:51820`

  This resolves the failing workflow tests in PR #14781.

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Remove unrelated changes and clean up Python cache

  - Remove WireGuard IPv6 change (belongs in separate PR)
  - Delete committed Python cache file
  - Add __pycache__/ and *.pyc to .gitignore

  This PR should only contain the Azure requirements file path fix.

---------

Co-authored-by: Claude <noreply@anthropic.com>
* fix: Add IPv6 support for WireGuard endpoint addresses

  Fixes issue where IPv6 addresses in WireGuard configuration files were not properly formatted with square brackets when used with port numbers. The WireGuard client configuration template now detects IPv6 addresses using the ansible.utils.ipv6 filter and wraps them in brackets as required by the WireGuard configuration format.

  Example outputs:
  - IPv4: 192.168.1.1:51820
  - IPv6: [2600:3c01::f03c:91ff:fedf:3b2a]:51820
  - Hostname: vpn.example.com:51820

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Use simple colon check for IPv6 detection in WireGuard template

  The original implementation tried to use `ansible.utils.ipv6` filter which is not available in the current environment. This caused the Smart Test Selection workflow to fail with "No filter named 'ansible.utils.ipv6' found."

  This change replaces the filter with a simple string check for colons (':') which is a reliable way to detect IPv6 addresses since they contain colons while IPv4 addresses and hostnames typically don't.

  The fix maintains the same functionality:
  - IPv6 addresses: `[2600:3c01::f03c:91ff:fedf:3b2a]:51820`
  - IPv4 addresses: `192.168.1.1:51820`
  - Hostnames: `vpn.example.com:51820`

  Fixes failing workflow in PR #14780.

  🤖 Generated with [Claude Code](https://claude.ai/code)
  Co-Authored-By: Claude <noreply@anthropic.com>

* test: Add IPv6 endpoint formatting tests

  - Add comprehensive test cases for IPv4, IPv6, and hostname endpoints
  - Test IPv6 addresses are properly bracketed in WireGuard configs
  - Verify IPv4 and hostnames are not bracketed
  - Include edge case test for IPv6 with zone ID

---------

Co-authored-by: Claude <noreply@anthropic.com>
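The commits above settle on a colon check to decide whether a WireGuard `Endpoint` host needs brackets. The following is an added illustration, not Algo's template or test code: it implements that rule in plain Python, puts a stricter standard-library parse next to it, and runs both over constructed inputs (the three cases from the commit messages, the zone-ID edge case the tests mention, and one already-bracketed host) so the reader can see exactly where a plain substring check and a real address parse part ways. The `render_peer` helper and the sample hosts are assumptions for the demonstration.

```python
"""Endpoint formatting for WireGuard [Peer] sections (added example)."""
import ipaddress

WG_PORT = 51820  # WireGuard's conventional port, as in the commit messages


def format_endpoint_colon_rule(host: str, port: int = WG_PORT) -> str:
    """Rule adopted in the template: anything containing ':' is treated as
    IPv6 and wrapped in brackets; IPv4 literals and hostnames pass through."""
    if ":" in host:
        return f"[{host}]:{port}"
    return f"{host}:{port}"


def format_endpoint_strict(host: str, port: int = WG_PORT) -> str:
    """Stricter variant: bracket only what parses as an IPv6 address.
    ipaddress accepts a zone ID suffix (fe80::1%eth0) on Python 3.9+."""
    try:
        ipaddress.IPv6Address(host)
    except ValueError:
        return f"{host}:{port}"
    return f"[{host}]:{port}"


def render_peer(host: str, port: int, public_key: str,
                allowed_ips: str = "0.0.0.0/0, ::/0") -> str:
    """Minimal [Peer] block of the kind a client config carries (hypothetical
    helper, not the project's Jinja template)."""
    return (
        "[Peer]\n"
        f"PublicKey = {public_key}\n"
        f"AllowedIPs = {allowed_ips}\n"
        f"Endpoint = {format_endpoint_colon_rule(host, port)}\n"
    )


def disagreements(hosts, port: int = WG_PORT):
    """Inputs on which the colon rule and the strict parse produce different
    Endpoint strings; useful as a regression check for template inputs."""
    return [h for h in hosts
            if format_endpoint_colon_rule(h, port) != format_endpoint_strict(h, port)]


# Constructed sample inputs: the cases named in the commit messages plus two
# edge cases (zone ID, and a host that already carries brackets).
SAMPLE_HOSTS = [
    "192.168.1.1",
    "2600:3c01::f03c:91ff:fedf:3b2a",
    "vpn.example.com",
    "fe80::1%eth0",        # IPv6 with zone ID: both rules bracket it
    "[2600:3c01::1]",      # already bracketed: colon rule double-brackets it
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:32} colon-rule: {format_endpoint_colon_rule(h):42} "
              f"strict: {format_endpoint_strict(h)}")
    print("rules disagree on:", disagreements(SAMPLE_HOSTS))
    print(render_peer("2600:3c01::f03c:91ff:fedf:3b2a", WG_PORT, "SERVER_PUBLIC_KEY"))
```

The colon rule is sufficient for the inputs the template actually receives (an address or hostname the playbook itself produced). The disagreement list shows the one class of input where it is not a substitute for parsing: a value that already contains brackets gets wrapped a second time, which WireGuard rejects at load time rather than silently misrouting, so the failure is loud but still worth a test.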
…4788)

Added configurable timeouts and retry logic to all curl commands in publicIpFromMetadata():

- --connect-timeout 5: 5 seconds to establish connection
- --max-time ${METADATA_TIMEOUT:-20}: Configurable timeout (default 20 seconds)
- Retry logic: Try up to 2 times with 2-second delay between attempts
- Environment variable: METADATA_TIMEOUT can override default timeout

This prevents the installation script from hanging indefinitely when:

- Metadata services are slow or unresponsive
- Network issues cause connections to stall
- Script is run in non-cloud environments where metadata IPs don't respond

The increased timeout (20s) and retry logic ensure compatibility with:

- Azure deployments in secondary regions (known to be slower)
- High-latency environments (satellite, rural connections)
- Corporate environments with proxies or deep packet inspection
- Temporary network glitches or cloud provider maintenance

The existing fallback to publicIpFromInterface() will handle cases where metadata endpoints are unavailable after all retry attempts.

Fixes #14350

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-authored-by: Claude <noreply@anthropic.com>
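The change above bounds each metadata probe in time, retries a fixed number of times, and then lets the interface-based fallback take over. The block below is an added example, not Algo's install.sh: it models that control flow in Python against a local fake metadata server so the bounds can be observed offline. urllib's single per-operation timeout stands in for curl's separate `--connect-timeout` and `--max-time` (an approximation, noted in the comments); `METADATA_TIMEOUT` is honoured the same way. The server, the `/fast` and `/slow` paths and the TEST-NET addresses are constructed for the demonstration.

```python
"""Bounded metadata probing with retry and fallback (added example)."""
import os
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Same knob as install.sh: METADATA_TIMEOUT overrides the 20 s default.
DEFAULT_MAX_TIME = float(os.environ.get("METADATA_TIMEOUT", "20"))


def http_get(url: str, timeout: float) -> str:
    """One GET. urllib applies `timeout` to each blocking socket operation
    (connect, then read), which approximates curl's --connect-timeout plus
    --max-time pair; a stalled server raises OSError/TimeoutError."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode().strip()


def try_get_metadata(url: str, max_time: float = DEFAULT_MAX_TIME,
                     attempts: int = 2, delay: float = 2.0, fetch=http_get):
    """Probe `url` at most `attempts` times, sleeping `delay` between tries.
    Returns the body, or None once every attempt has failed, so the caller
    can move on to its fallback instead of hanging."""
    for attempt in range(1, attempts + 1):
        try:
            return fetch(url, max_time)
        except OSError:          # URLError and socket timeouts both derive from OSError
            if attempt < attempts:
                time.sleep(delay)
    return None


def public_ip(metadata_urls, fallback, **probe_kwargs):
    """Mirror of publicIpFromMetadata() followed by publicIpFromInterface():
    first metadata answer wins; if none answers, use the fallback."""
    for url in metadata_urls:
        ip = try_get_metadata(url, **probe_kwargs)
        if ip:
            return ip
    return fallback()


class _FakeMetadata(BaseHTTPRequestHandler):
    """Constructed stand-in for a cloud metadata endpoint: /fast answers at
    once, /slow stalls longer than the client's budget."""
    def do_GET(self):
        if self.path == "/slow":
            time.sleep(1.5)
        body = b"203.0.113.7"    # TEST-NET-3 address, constructed
        try:
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except OSError:
            pass                 # client already gave up on /slow

    def log_message(self, *args):
        pass


def run_demo():
    """Start the fake server, exercise fast/slow/fallback paths, and return
    the observed results (used by the usage example and tests)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeMetadata)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{port}"
    tight = dict(max_time=0.3, attempts=2, delay=0.1)  # small budget for the demo
    try:
        fast = try_get_metadata(f"{base}/fast", **tight)
        t0 = time.monotonic()
        slow = try_get_metadata(f"{base}/slow", **tight)
        elapsed_slow = time.monotonic() - t0
        chosen = public_ip([f"{base}/slow"], lambda: "198.51.100.4", **tight)
    finally:
        srv.shutdown()
        srv.server_close()
    return {"fast": fast, "slow": slow, "elapsed_slow": elapsed_slow, "fallback": chosen}


if __name__ == "__main__":
    print(run_demo())
```

With the demo budget (0.3 s per attempt, two attempts, 0.1 s pause) the stalled endpoint costs well under a second before the fallback address is returned; with the script's real values the worst case is bounded at roughly two times 20 s plus the 2 s pause per endpoint, instead of an indefinite hang.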
…4789)

* fix: Remove POSIX-incompatible 'local' keyword from install.sh

  The install.sh script uses #!/usr/bin/env sh (POSIX shell) but was using the 'local' keyword in the tryGetMetadata function, which is a bash-specific feature. This caused shellcheck to fail with SC3043 warnings in CI.

  Fixed by removing 'local' keywords from variable declarations in the tryGetMetadata function. The variables are still function-scoped in practice since they're assigned at the beginning of the function.

  This resolves the CI failure introduced in PR #14788 (run #919).

* ci: Make ansible-lint stricter and fix basic issues

  - Remove || true from ansible-lint CI job to enforce linting
  - Enable name[play] rule - all plays should be named
  - Enable yaml[new-line-at-end-of-file] rule
  - Move name[missing] from skip_list to warn_list (first step)
  - Add names to plays in main.yml and users.yml
  - Document future linting improvements in comments

  This makes the CI stricter while fixing the easy issues first. More comprehensive fixes for the 113 name[missing] warnings can be addressed in future PRs.

* fix: Add name[missing] to skip_list temporarily

  The ansible-lint CI is failing because name[missing] was not properly added to skip_list. This causes 113 name[missing] errors to fail the CI.

  Adding it to skip_list for now to fix the CI. The rule can be moved to warn_list and eventually enabled once all tasks are properly named in future PRs.

* fix: Fix ansible-lint critical errors

  - Fix schema[tasks] error in roles/local/tasks/prompts.yml by removing with_items loop
  - Add missing newline at end of requirements.yml
  - Replace ignore_errors with failed_when in reboot task
  - Add pipefail to shell command with pipes in strongswan openssl task

  These fixes address all critical ansible-lint errors that were causing CI failures.
This addresses the issue reported in PR #14173 where local installations fail with a 'sudo: a password is required' error. The sudo requirement is now properly documented in the local installation guide rather than the main README.

When installing Algo locally (on the same system where the scripts are installed), administrative privileges are required to configure system services and network settings.
* chore: Conservative dependency updates for security

  - Update Ansible from 9.1.0 to 9.2.0 (one minor version bump only)
  - Update Jinja2 to ~3.1.6 to fix CVE-2025-27516 (critical security fix)
  - Pin netaddr to 1.3.0 (current stable version)

  This is a minimal, conservative update focused on:
  1. Critical security fix for Jinja2
  2. Minor ansible update for bug fixes
  3. Pinning netaddr to prevent surprises

  No changes to Ansible collections - keeping them unpinned for now.

* fix: Address linter issues (ruff, yamllint, shellcheck)

  - Fixed ruff configuration by moving linter settings to [tool.ruff.lint] section
  - Fixed ruff code issues:
    - Moved imports to top of files (E402)
    - Removed unused variables or commented them out
    - Updated string formatting from % to .format()
    - Replaced dict() calls with literals
    - Fixed assert False usage in tests
  - Fixed yamllint issues:
    - Added missing newlines at end of files
    - Removed trailing spaces
    - Added document start markers (---) to YAML files
    - Fixed 'on:' truthy warnings in GitHub workflows
  - Fixed shellcheck issues:
    - Properly quoted variables in shell scripts
    - Fixed A && B || C pattern with proper if/then/else
    - Improved FreeBSD rc script quoting

  All linters now pass without errors related to our code changes.

* fix: Additional yamllint fixes for GitHub workflows

  - Added document start markers (---) to test-effectiveness.yml
  - Fixed 'on:' truthy warning by quoting as 'on:'
  - Removed trailing spaces from main.yml
  - Added missing newline at end of test-effectiveness.yml
* "Claude PR Assistant workflow"

* "Claude Code Review workflow"

* docs: Add CLAUDE.md for LLM guidance

  This comprehensive guide captures important context and learnings for LLMs working on the Algo VPN codebase, including:

  - Project architecture and structure
  - Critical dependencies and version management
  - Development practices and code style
  - Testing requirements and CI/CD pipeline
  - Common issues and solutions
  - Security considerations
  - Platform support details
  - Maintenance guidelines

  The guide emphasizes Algo's core values: security, simplicity, and privacy. It provides practical guidance based on extensive experience working with the codebase, helping future contributors maintain high standards while avoiding common pitfalls.

* feat: Configure Claude GitHub Actions with Algo-specific settings

  - Add allowed_tools for running Ansible, Python, and shell linters
  - Enable use_sticky_comment for cleaner PR discussions
  - Add custom_instructions to follow Algo's security-first principles
  - Reference CLAUDE.md for project-specific guidance
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.1 to 4.6.2.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@5d5d22a...ea165f8)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 4.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 2.11.1 to 3.0.2.
- [Release notes](https://github.com/dorny/paths-filter/releases)
- [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md)
- [Commits](dorny/paths-filter@4512585...de90cc6)

---
updated-dependencies:
- dependency-name: dorny/paths-filter
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@9780b0c...74a5d14)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@692973e...11bd719)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 4.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.5.1 to 5.8.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](docker/metadata-action@8e5442c...c1e5197)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: 5.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.3)
Can you help keep this open source service alive? 💖 Please sponsor : )