Merge branch '3007.x' into fix/add-nftables-icmpv6-support

Author: jdelic

.github/ISSUE_TEMPLATE/config.yml

@@ -6,6 +6,3 @@ contact_links:
   - name: Salt-Users Forum
     url: https://groups.google.com/forum/#!forum/salt-users
     about: Please ask and answer questions here.
-  - name: Salt on LiberaChat
-    url: https://web.libera.chat/#salt
-    about: Please ask and answer questions here.

.github/ISSUE_TEMPLATE/tech-debt.md

@@ -8,7 +8,7 @@ assignees: ''
 ---
 
 ### Description of the tech debt to be addressed, include links and screenshots
-<!-- Note: Please direct questions to the salt-users google group, IRC or Community Discord. -->
+<!-- Note: Please direct questions to the salt-users google group, GitHub Discussions or Community Discord. -->
 
 ### Versions Report
 (Provided by running `salt --versions-report`. Please also mention any differences in master/minion versions.)

.github/actionlint.yaml

@@ -1,14 +1,5 @@
 self-hosted-runner:
   # Labels of self-hosted runner in array of string
   labels:
-    - bastion
-    - x86_64
-    - arm64
-    - aarch64
-    - amd64
-    - repo-nightly
-    - repo-staging
-    - repo-release
-    - medium
-    - large
-    - macos-13-xlarge
+    - linux-x86_64
+    - linux-arm64

.github/actions/build-onedir-salt/action.yml

@@ -29,21 +29,13 @@ runs:
 
   steps:
 
-    - name: Download Cached Deps Onedir Package Directory
-      id: onedir-bare-cache
-      uses: ./.github/actions/cache
+    - name: Install Salt Packaging Dependencies into Relenv Onedir
+      uses: ./.github/actions/build-onedir-deps
       with:
-        path: artifacts/${{ inputs.package-name }}
-        key: >
-          ${{ inputs.cache-prefix }}|${{ inputs.python-version }}|deps|${{ inputs.platform }}|${{ inputs.arch }}|${{ inputs.package-name }}|${{
-            hashFiles(
-              format('{0}/.relenv/**/*.xz', github.workspace),
-              'requirements/static/pkg/*/*.txt',
-              '.github/actions/build-onedir-deps/action.yml',
-              '.github/workflows/build-deps-onedir-*.yml',
-              'cicd/shared-gh-workflows-context.yml'
-            )
-          }}
+        platform: ${{ inputs.platform }}
+        arch: ${{ inputs.arch }}
+        python-version: "${{ inputs.python-version }}"
+        cache-prefix: ${{ inputs.cache-seed }}|relenv|${{ inputs.salt-version }}
 
     - name: Download Source Tarball
       uses: actions/download-artifact@v4

.github/actions/cache/action.yml

@@ -26,10 +26,6 @@ inputs:
     description: 'Check if a cache entry exists for the given input(s) (key, restore-keys) without downloading the cache'
     default: 'false'
     required: false
-  save-always:
-    description: 'Run the post step to save the cache even if another step before fails'
-    default: 'false'
-    required: false
 
 outputs:
   cache-hit:
@@ -49,7 +45,6 @@ runs:
         echo "GHA_CACHE_ENABLE_CROSS_OS_ARCHIVE=${{ inputs.enableCrossOsArchive }}" | tee -a "${GITHUB_ENV}"
         echo "GHA_CACHE_FAIL_ON_CACHE_MISS=${{ inputs.fail-on-cache-miss }}" | tee -a "${GITHUB_ENV}"
         echo "GHA_CACHE_LOOKUP_ONLY=${{ inputs.lookup-only }}" | tee -a "${GITHUB_ENV}"
-        echo "GHA_CACHE_SAVE_ALWAYS=${{ inputs.save-always }}" | tee -a "${GITHUB_ENV}"
         echo "GHA_CACHE_RESTORE_KEYS=${{ inputs.restore-keys }}" | tee -a "${GITHUB_ENV}"
         echo "GHA_CACHE_UPLOAD_CHUNK_SIZE=${{ inputs.upload-chunk-size }}" | tee -a "${GITHUB_ENV}"
 
@@ -63,7 +58,6 @@ runs:
         enableCrossOsArchive: ${{ env.GHA_CACHE_ENABLE_CROSS_OS_ARCHIVE }}
         fail-on-cache-miss: ${{ env.GHA_CACHE_FAIL_ON_CACHE_MISS }}
         lookup-only: ${{ env.GHA_CACHE_LOOKUP_ONLY }}
-        save-always: ${{ env.GHA_CACHE_SAVE_ALWAYS }}
         restore-keys: ${{ env.GHA_CACHE_RESTORE_KEYS }}
         upload-chunk-size: ${{ env.GHA_CACHE_UPLOAD_CHUNK_SIZE }}
 
@@ -97,7 +91,6 @@ runs:
         enableCrossOsArchive: ${{ env.GHA_CACHE_ENABLE_CROSS_OS_ARCHIVE }}
         fail-on-cache-miss: ${{ env.GHA_CACHE_FAIL_ON_CACHE_MISS }}
         lookup-only: ${{ env.GHA_CACHE_LOOKUP_ONLY }}
-        save-always: ${{ env.GHA_CACHE_SAVE_ALWAYS }}
         restore-keys: ${{ env.GHA_CACHE_RESTORE_KEYS }}
         upload-chunk-size: ${{ env.GHA_CACHE_UPLOAD_CHUNK_SIZE }}
 

.github/actions/setup-python-tools-scripts/action.yml

@@ -54,10 +54,13 @@ runs:
       working-directory: ${{ inputs.cwd }}
       run: |
         PYTHON_EXE=${{ steps.tools-virtualenv.outputs.python-executable }}
+        ${PYTHON_EXE} -m ensurepip --upgrade
         (${PYTHON_EXE} -m pip install --help | grep break-system-packages > /dev/null 2>&1) && exitcode=0 || exitcode=1
         if [ $exitcode -eq 0 ]; then
+          ${PYTHON_EXE} -m pip install --break-system-packages --upgrade setuptools
           ${PYTHON_EXE} -m pip install --break-system-packages -r requirements/static/ci/py${{ steps.get-python-version.outputs.version }}/tools.txt
         else
+          ${PYTHON_EXE} -m pip install --upgrade setuptools
           ${PYTHON_EXE} -m pip install -r requirements/static/ci/py${{ steps.get-python-version.outputs.version }}/tools.txt
         fi
 

.github/actions/ssh-tunnel/README.md

@@ -0,0 +1,100 @@
+# SSH Tunnel
+
+The ssh-tunnel action will create a reverse tunnel over webrtc to port 22 on the runner.
+
+## Usage
+
+In order to use this action you must have a sdp offer from your local host and a ssh key pair.
+Start with creating an sdp offer on your local machine. Provide these values to the ssh-tunnel
+action and wait for output from the action with the sdp reply. Provide the reply to the local
+rtcforward.py process by pasting it to stdin. If all goes well the local port on your maching
+will be forwarded to the ssh port on the runner.
+
+### Getting an sdp offer
+
+To get an sdp offer start rtcforward.py on you local machine with the offer command.
+You can also specify which port on the local machine will be used for the tunnel.
+
+``` bash
+$ python3 .github/actions/ssh-tunnel/rtcforward.py offer --port 5222
+```
+
+rtcforward.py will create an offer an display it to your terminal. (This example offer has been truncated)
+After showing the offer the `rtcforward.py` process will wait for a reply.
+```
+-- offer --
+eyJzZHAiOiAidj0wXHJcbm89LSAzOTQ3Mzg4NjUzIDM5NDczODg2NTMgSU4gSVA0IDAuMC4wLjBcclxu
+cz0tXHJcbnQ9MCAwXHJcbmE9Z3JvdXA6QlVORExFIDBcclxuYT1tc2lkLXNlbWFudGljOldNUyAqXHJc
+bm09YXBwbGljYXRpb24gMzUyNjkgRFRMUy9TQ1RQIDUwMDBcclxuYz1JTiBJUDQgMTkyLjE2OC4wLjIw
+IHVkcCAxNjk0NDk4ODE1IDE4NC4xNzkuMjEwLjE1MiAzNTI2OSB0eXAgc3JmbHggcmFkZHIgMTkyLjE2
+OC4wLjIwMSBycG9ydCAzNTI2OVxyXG5hPWNhbmRpZGF0ZTozZWFjMzJiZTZkY2RkMTAwZDcwMTFiNWY0
+NTo4Qzo2MDoxMTpFQTo3NzpDMTo5RTo1QTo3QzpDQzowRDowODpFQzo2NDowQToxM1xyXG5hPWZpbmdl
+cnByaW50OnNoYS01MTIgNjY6MzI6RUQ6MDA6N0I6QjY6NTQ6NzA6MzE6OTA6M0I6Mjg6Q0I6QTk6REU6
+MzQ6QjI6NDY6NzE6NUI6MjM6ODA6Nzg6Njg6RDA6QTA6QTg6MjU6QkY6MDQ6ODY6NUY6OTA6QUY6MUQ6
+QjA6QzY6ODA6QUY6OTc6QTI6MkM6NDI6QUU6MkI6Q0Q6Mjk6RUQ6MkI6ODc6NTU6ODg6NDY6QTM6ODk6
+OEY6ODk6OTE6QTE6QTI6NDM6NTc6M0E6MjZcclxuYT1zZXR1cDphY3RwYXNzXHJcbiIsICJ0eXBlIjog
+Im9mZmVyIn0=
+-- end offer --
+-- Please enter a message from remote party --
+```
+
+### Getting an sdp answer
+
+Provide the offer to the ssh-tunnel action. When the action runs, an answer to the offer will be generated.
+In the action output you will see that the offer was recieved and the reply in the output.
+
+```
+-- Please enter a message from remote party --
+-- Message received --
+-- reply --
+eyJzZHAiOiAidj0wXHJcbm89LSAzOTQ3Mzg3NDcxIDM5NDczODc0NzEgSU4gSVA0IDAuMC4wLjBcclxu
+cz0tXHJcbnQ9MCAwXHJcbmE9Z3JvdXA6QlVORExFIDBcclxuYT1tc2lkLXNlbWFudGljOldNUyAqXHJc
+bm09YXBwbGljYXRpb24gNTcwMzkgRFRMUy9TQ1RQIDUwMDBcclxuYz1JTiBJUDQgMTkyLjE2OC42NC4x
+MFxyXG5hPW1pZDowXHJcbmE9c2N0cG1hcDo1MDAwIHdlYnJ0Yy1kYXRhY2hhbm5lbCA2NTUzNVxyXG5h
+MTc6MEI6RTA6OTA6QUM6RjU6RTk6RUI6Q0E6RUE6NTY6REI6NTA6QTk6REY6NTU6MzY6MkM6REI6OUE6
+MDc6Mzc6QTM6NDc6NjlcclxuYT1maW5nZXJwcmludDpzaGEtNTEyIDMyOjRDOjk0OkRDOjNFOkU5OkU3
+OjNCOjc5OjI4OjZDOjc5OkFEOkVDOjIzOkJDOjRBOjRBOjE5OjlCOjg5OkE3OkE2OjZBOjAwOjJFOkM5
+OkE0OjlEOjAwOjM0OjFFOjRDOkVGOjcwOkY5OkNBOjg0OjlEOjcxOjI5OkVCOkIxOkREOkFEOjg5OjUx
+OkZFOjhCOjI3OjFDOjFBOkJEOjUxOjQ2OjE4OjBBOjhFOjVBOjI1OjQzOjQzOjZGOkRBXHJcbmE9c2V0
+dXA6YWN0aXZlXHJcbiIsICJ0eXBlIjogImFuc3dlciJ9
+-- end reply --
+```
+
+# Finalizing the tunnel
+
+Paste the sdp reply from the running action into the running `rtcforward.py` process that created the offer.
+After receiveing the offer you will see `-- Message received --` and tunnel will be created.
+
+```
+-- offer --
+eyJzZHAiOiAidj0wXHJcbm89LSAzOTQ3Mzg4NjUzIDM5NDczODg2NTMgSU4gSVA0IDAuMC4wLjBcclxu
+cz0tXHJcbnQ9MCAwXHJcbmE9Z3JvdXA6QlVORExFIDBcclxuYT1tc2lkLXNlbWFudGljOldNUyAqXHJc
+bm09YXBwbGljYXRpb24gMzUyNjkgRFRMUy9TQ1RQIDUwMDBcclxuYz1JTiBJUDQgMTkyLjE2OC4wLjIw
+IHVkcCAxNjk0NDk4ODE1IDE4NC4xNzkuMjEwLjE1MiAzNTI2OSB0eXAgc3JmbHggcmFkZHIgMTkyLjE2
+OC4wLjIwMSBycG9ydCAzNTI2OVxyXG5hPWNhbmRpZGF0ZTozZWFjMzJiZTZkY2RkMTAwZDcwMTFiNWY0
+NTo4Qzo2MDoxMTpFQTo3NzpDMTo5RTo1QTo3QzpDQzowRDowODpFQzo2NDowQToxM1xyXG5hPWZpbmdl
+cnByaW50OnNoYS01MTIgNjY6MzI6RUQ6MDA6N0I6QjY6NTQ6NzA6MzE6OTA6M0I6Mjg6Q0I6QTk6REU6
+MzQ6QjI6NDY6NzE6NUI6MjM6ODA6Nzg6Njg6RDA6QTA6QTg6MjU6QkY6MDQ6ODY6NUY6OTA6QUY6MUQ6
+QjA6QzY6ODA6QUY6OTc6QTI6MkM6NDI6QUU6MkI6Q0Q6Mjk6RUQ6MkI6ODc6NTU6ODg6NDY6QTM6ODk6
+OEY6ODk6OTE6QTE6QTI6NDM6NTc6M0E6MjZcclxuYT1zZXR1cDphY3RwYXNzXHJcbiIsICJ0eXBlIjog
+Im9mZmVyIn0=
+-- end offer --
+-- Please enter a message from remote party --
+eyJzZHAiOiAidj0wXHJcbm89LSAzOTQ3Mzg3NDcxIDM5NDczODc0NzEgSU4gSVA0IDAuMC4wLjBcclxu
+cz0tXHJcbnQ9MCAwXHJcbmE9Z3JvdXA6QlVORExFIDBcclxuYT1tc2lkLXNlbWFudGljOldNUyAqXHJc
+bm09YXBwbGljYXRpb24gNTcwMzkgRFRMUy9TQ1RQIDUwMDBcclxuYz1JTiBJUDQgMTkyLjE2OC42NC4x
+MFxyXG5hPW1pZDowXHJcbmE9c2N0cG1hcDo1MDAwIHdlYnJ0Yy1kYXRhY2hhbm5lbCA2NTUzNVxyXG5h
+MTc6MEI6RTA6OTA6QUM6RjU6RTk6RUI6Q0E6RUE6NTY6REI6NTA6QTk6REY6NTU6MzY6MkM6REI6OUE6
+MDc6Mzc6QTM6NDc6NjlcclxuYT1maW5nZXJwcmludDpzaGEtNTEyIDMyOjRDOjk0OkRDOjNFOkU5OkU3
+OjNCOjc5OjI4OjZDOjc5OkFEOkVDOjIzOkJDOjRBOjRBOjE5OjlCOjg5OkE3OkE2OjZBOjAwOjJFOkM5
+OkE0OjlEOjAwOjM0OjFFOjRDOkVGOjcwOkY5OkNBOjg0OjlEOjcxOjI5OkVCOkIxOkREOkFEOjg5OjUx
+OkZFOjhCOjI3OjFDOjFBOkJEOjUxOjQ2OjE4OjBBOjhFOjVBOjI1OjQzOjQzOjZGOkRBXHJcbmE9c2V0
+dXA6YWN0aXZlXHJcbiIsICJ0eXBlIjogImFuc3dlciJ9
+-- Message received --
+```
+
+SSH to your local port.
+
+```
+ssh -o StrictHostKeychecking=no -o TCPKeepAlive=no -o StrictHostKeyChecking=no -vv -p 5222 runner@localhost
+```

.github/actions/ssh-tunnel/action.yml

@@ -0,0 +1,107 @@
+name: ssh-tunnel
+description: SSH Reverse Tunnel
+
+inputs:
+  public_key:
+    required: true
+    type: string
+    description: Public key to accept for reverse tunnel. Warning, this should not be the public key for the 'private_key' input.
+  offer:
+    required: true
+    type: string
+    description: RTC offer
+  debug:
+    required: false
+    type: bool
+    default: false
+    description: Run sshd with debug enabled.
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: '3.10'
+
+    - name: Install ssh
+      if: ${{ runner.os == 'Windows' }}
+      shell: powershell
+      run: |
+          python3.exe -m pip install requests
+          python3.exe .github/actions/ssh-tunnel/installssh.py
+
+    - name: Start SSH
+      shell: bash
+      run: |
+        if [ "$RUNNER_OS" = "Windows" ]; then
+          powershell.exe -command "Start-Service sshd"
+        elif [ "$RUNNER_OS" = "macOS" ]; then
+          sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
+        else
+          sudo systemctl start ssh
+        fi
+
+    - name: Show sshd configuration
+      shell: bash
+      run: |
+        if [ "$RUNNER_OS" = "Linux" ]; then
+          cat /etc/ssh/sshd_config
+        elif [ "$RUNNER_OS" = "macOS" ]; then
+          cat /private/etc/ssh/sshd_config
+        else
+          cat "C:\ProgramData\ssh\sshd_config"
+        fi
+
+    - name: Add ssh public key
+      shell: bash
+      run: |
+        if [ "$RUNNER_OS" = "Linux" ]; then
+          mkdir -p /home/runner/.ssh
+          chmod 700 /home/runner/.ssh
+          touch /home/runner/.ssh/authorized_keys
+          echo "${{ inputs.public_key }}" | tee -a /home/runner/.ssh/authorized_keys
+        elif [ "$RUNNER_OS" = "macOS" ]; then
+          mkdir -p /Users/runner/.ssh
+          chmod 700 /Users/runner/.ssh
+          touch /Users/runner/.ssh/authorized_keys
+          echo "${{ inputs.public_key }}" | tee -a /Users/runner/.ssh/authorized_keys
+        else
+          echo "${{ inputs.public_key }}" | tee -a "C:\ProgramData\ssh\administrators_authorized_keys"
+        fi
+
+    - name: Stop SSHD
+      if: ${{ inputs.debug }}
+      shell: bash
+      run: |
+        if [ "${{ inputs.debug }}" = "true" ]; then
+          if [ "$RUNNER_OS" = "Windows" ]; then
+            powershell.exe -command "Stop-Service sshd"
+          elif [ "$RUNNER_OS" = "macOS" ]; then
+            sudo launchctl unload  /System/Library/LaunchDaemons/ssh.plist
+          else
+            sudo systemctl stop ssh
+          fi
+        fi
+
+    - name: Create rtc tunnel
+      shell: bash
+      run: |
+        if [ "${{ inputs.debug }}" = "true" ]; then
+          if [ "$RUNNER_OS" = "Windows" ]; then
+            ./OpenSSH-Win64/sshd.exe -d &
+          elif [ "$RUNNER_OS" = "macOS" ]; then
+            sudo /usr/sbin/sshd -d &
+          else
+            sudo mkdir -p /run/sshd
+            sudo chmod 755 /run/sshd
+            sudo /usr/sbin/sshd -d &
+          fi
+        fi
+        if [ "$RUNNER_OS" = "Windows" ]; then
+          python3 -m pip install aiortc
+        else
+          python3 -m pip install aiortc uvloop
+        fi
+        echo '${{ inputs.offer }}' | python .github/actions/ssh-tunnel/rtcforward.py --port 22 answer

.github/actions/ssh-tunnel/installssh.py

@@ -0,0 +1,44 @@
+"""
+"""
+
+import pathlib
+import subprocess
+import zipfile
+
+import requests
+
+fwrule = """
+New-NetFirewallRule `
+  -Name sshd `
+  -DisplayName 'OpenSSH SSH Server' `
+  -Enabled True `
+  -Direction Inbound `
+  -Protocol TCP `
+  -Action Allow `
+  -LocalPort 22 `
+  -Program "{}"
+"""
+
+
+def start_ssh_server():
+    """
+    Pretty print the GH Actions event.
+    """
+    resp = requests.get(
+        "https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.8.1.0p1-Preview/OpenSSH-Win64.zip",
+        allow_redirects=True,
+    )
+    with open("openssh.zip", "wb") as fp:
+        fp.write(resp.content)
+    with zipfile.ZipFile("openssh.zip") as fp:
+        fp.extractall()
+    install_script = pathlib.Path("./OpenSSH-Win64/install-sshd.ps1").resolve()
+    print(f"{install_script}")
+    subprocess.call(["powershell.exe", f"{install_script}"])
+    with open("fwrule.ps1", "w") as fp:
+        fp.write(fwrule.format(install_script.parent / "sshd.exe"))
+    subprocess.call(["powershell.exe", f"fwrule.ps1"])
+
+
+if __name__ == "__main__":
+    start_ssh_server()