5877 Commits

Author SHA1 Message Date
Milos Gajdos
f3af4de047 fix(storage): bounds-check the file basename in PurgeUploads Walk callback (#4860) 2026-04-22 11:07:45 -07:00
SAY-5
72c88bc960 fix(storage): bounds-check the file basename in PurgeUploads Walk callback
PurgeUploads' Walk callback split the visited path with path.Split and
indexed file[0] immediately. path.Split returns an empty basename for
paths that end in a trailing slash - in practice this happens when an
S3 driver surfaces a bare directory (common prefix) with an empty
Key. Indexing a zero-length string then panics with
'index out of range [0] with length 0' and takes down the whole
PurgeUploads goroutine (#4713).

Guard the length before touching file[0] so a trailing-slash /
empty-basename entry is simply skipped as 'not a reserved directory',
which matches what the branch was trying to do anyway. Runtime
behaviour for every non-empty entry is unchanged.

Closes #4713

Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
2026-04-21 10:56:45 -07:00
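The failure mode described in the commit message above, as an added Go example that is not code from the repository: `unsafeIsReserved` and `safeIsReserved` are hypothetical names and the paths are constructed samples. It shows `path.Split` returning an empty basename for a trailing-slash path, the resulting panic, and the length guard that turns it into a skip.

```go
package main

import (
	"fmt"
	"path"
)

// unsafeIsReserved follows the pattern the commit message describes:
// it indexes the basename without checking its length. The recover is
// only here so the panic can be observed as an error value.
func unsafeIsReserved(p string) (reserved bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	_, file := path.Split(p)
	return file[0] == '_', nil
}

// safeIsReserved checks the length first, so an empty basename is
// treated as "not a reserved directory" and the walk can continue.
func safeIsReserved(p string) bool {
	_, file := path.Split(p)
	return len(file) > 0 && file[0] == '_'
}

func main() {
	// Constructed paths; the trailing-slash entry models a bare
	// directory (common prefix) surfaced with an empty key.
	for _, p := range []string{
		"/repo/app/_uploads",
		"/repo/app/_uploads/",
		"/repo/app/data",
	} {
		_, err := unsafeIsReserved(p)
		fmt.Printf("%-22q unsafe err=%v safe=%v\n", p, err, safeIsReserved(p))
	}
}
```

In a long-running purge goroutine there is no such recover, so one malformed listing entry from the storage backend is enough to stop upload cleanup until the process restarts.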
Milos Gajdos
1b5e226b6f feat(s3): add express zone one support to S3 driver (#4858) 2026-04-20 07:47:28 -07:00
Milos Gajdos
afd2bf0b23 fix(proxy): clamp oversized n query param instead of returning 400 (#4856) 2026-04-20 07:47:14 -07:00
Milos Gajdos
835c1c581f feat(s3): add express zone one support to S3 driver
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-18 17:36:52 -07:00
Milos Gajdos
0f3e627937 build(deps): bump docker/bake-action from 7.0.0 to 7.1.0 (#4853) 2026-04-18 17:04:24 -07:00
Milos Gajdos
c6f552e5db fix(proxy): clamp oversized n query param instead of returning 400
PR #4353 made MaxTags (default 1000) a hard ceiling on the `n` query
parameter — anything larger and the handler returns 400
PAGINATION_NUMBER_INVALID before the request ever reaches storage or
the proxy tag service. That broke clients like Renovate which use
n=10000 against pull-through caches. #4846 fixed a related 500 in
proxy mode but not this 400, so users reported the regression still
persisted.

The OCI distribution-spec describes pagination differently: a server
MAY return fewer than `n` results "when the total number of tags
attached to the repository is less than <int> or a Link header is
provided" — otherwise it MUST include `<int>` results. In other
words, the right answer for "client asked for more than we'll serve"
is `maxtags` results plus a Link header, not a rejection.
PAGINATION_NUMBER_INVALID isn't among the 14 error codes the spec
defines, either.

Drop the oversized-n rejection and clamp to MaxTags instead; the
existing Link-header path already handles continuation correctly.
Malformed (non-integer) and negative `n` values keep returning 400,
since the spec defines `n` as a non-negative integer and those
requests are genuinely invalid.

Verified end-to-end against registry-1.docker.io in proxy mode:
n=10000 now returns the tag list (or a clamped page with Link)
instead of 400. Also restores pre-3.1.0 behavior for Renovate-style
clients without needing proxy-specific logic.

Spec reference:
https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-tags

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-18 16:53:53 -07:00
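The clamping policy described in the commit message above, as an added Go example that is not the registry's handler code: `clampN` and `page` are hypothetical helpers, the tag list is constructed, and treating an absent `n` or an integer too large for `int` as "serve the maximum" is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

var errInvalidN = errors.New("n must be a non-negative integer") // caller answers 400

// clampN parses the n query value; oversized values are clamped, not rejected.
// Hypothetical helper: an absent n defaulting to maxTags is an assumption.
func clampN(raw string, maxTags int) (int, error) {
	if raw == "" {
		return maxTags, nil
	}
	n, err := strconv.Atoi(raw)
	if errors.Is(err, strconv.ErrRange) && n > 0 {
		return maxTags, nil // positive integer too large for int: still just oversized
	}
	if err != nil || n < 0 {
		return 0, errInvalidN
	}
	if n > maxTags {
		n = maxTags
	}
	return n, nil
}

// page returns at most n tags starting at offset, plus a Link header
// value when more tags remain ("" on the final page).
func page(repo string, tags []string, offset, n int) ([]string, string) {
	end := offset + n
	if end > len(tags) {
		end = len(tags)
	}
	if n == 0 || offset >= end {
		return nil, ""
	}
	out := tags[offset:end]
	if end == len(tags) {
		return out, ""
	}
	return out, fmt.Sprintf(`</v2/%s/tags/list?n=%d&last=%s>; rel="next"`, repo, n, out[len(out)-1])
}

func main() {
	n, _ := clampN("10000", 3) // constructed: a maximum of 3 keeps the output short
	fmt.Println(page("library/app", []string{"1.0", "1.1", "1.2", "2.0", "2.1"}, 0, n))
}
```

The server-side ceiling is what bounds the work done per request; clamping keeps that bound while letting clients that ask for a large `n` follow the Link header instead of failing.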
Milos Gajdos
e39652ca1f build(deps): bump docker/login-action from 4.0.0 to 4.1.0 (#4847) 2026-04-18 16:12:05 -07:00
Milos Gajdos
3d916b8c4f build(deps): bump actions/upload-pages-artifact from 4.0.0 to 5.0.0 (#4852) 2026-04-18 16:11:52 -07:00
Milos Gajdos
17e760a9f0 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#4854) 2026-04-18 16:10:57 -07:00
Milos Gajdos
acabfb4b90 Update docker-compose structure in deploying.md (#4855) 2026-04-18 16:10:29 -07:00
John de Graaff
3cf4463982 Update docker-compose structure in deploying.md
adding "services:" top-level key in docker-compose file example.

Signed-off-by: John de Graaff <john@de-graaff.net>
2026-04-17 15:15:52 +02:00
dependabot[bot]
4b5154db23 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-17 01:13:15 +00:00
Milos Gajdos
ca7d4de0ee fix(proxy): fix tag list endpoint in proxy mode (#4846) 2026-04-16 14:17:56 -07:00
Milos Gajdos
ece70d987f refactor: use slices.Backward to simplify the code (#4848) 2026-04-16 14:17:33 -07:00
dependabot[bot]
203c505cd3 build(deps): bump docker/bake-action from 7.0.0 to 7.1.0
Bumps [docker/bake-action](https://github.com/docker/bake-action) from 7.0.0 to 7.1.0.
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](82490499d2...a66e1c87e2)

---
updated-dependencies:
- dependency-name: docker/bake-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-16 01:15:10 +00:00
dependabot[bot]
fed2610157 build(deps): bump actions/upload-pages-artifact from 4.0.0 to 5.0.0
Bumps [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](7b1f4a764d...fc324d3547)

---
updated-dependencies:
- dependency-name: actions/upload-pages-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-15 01:15:07 +00:00
Milos Gajdos
24a4d24a24 chore(build): Bump go version to latest (#4851) 2026-04-14 14:12:13 -07:00
Milos Gajdos
839e4a7119 build(deps): bump github/codeql-action from 4.34.1 to 4.35.1 (#4840) 2026-04-14 10:01:33 -07:00
Milos Gajdos
0102b58159 Bump Go 1.26 in CI
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-14 09:22:17 -07:00
Milos Gajdos
29eb2149df chore(build): Bump go version to latest 1.25
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-14 09:09:22 -07:00
Milos Gajdos
3090068a9b build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 in the go_modules group across 1 directory (#4850) 2026-04-14 08:56:29 -07:00
dependabot[bot]
326a0d0b7b build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
Bumps the go_modules group with 1 update in the / directory: [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go).


Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.42.0 to 1.43.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.42.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  dependency-version: 1.43.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 15:30:39 +00:00
Milos Gajdos
9a07978fe3 build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.18.0 to 0.19.0 in the go_modules group across 1 directory (#4843) 2026-04-14 08:17:41 -07:00
Milos Gajdos
6ae29aadd7 internal/client/auth/challenge: cleanups and minor refactor (#4832) 2026-04-12 16:09:55 -07:00
chuanshanjida
0679fc13c5 refactor: use slices.Backward to simplify the code
Signed-off-by: chuanshanjida <chuanshanjida@outlook.com>
2026-04-12 16:01:45 +08:00
dependabot[bot]
445af38d68 build(deps): bump docker/login-action from 4.0.0 to 4.1.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](b45d80f862...4907a6ddec)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-10 01:13:26 +00:00
njucjc
60de6e3443 fix(proxy): fix tag list endpoint in proxy mode
Signed-off-by: njucjc <njucjc@alibaba-inc.com>
Signed-off-by: chenjinci.cjc <chenjinci.cjc@alibaba-inc.com>
2026-04-09 23:30:51 +08:00
dependabot[bot]
567670f6eb build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
Bumps the go_modules group with 1 update in the / directory: [go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp](https://github.com/open-telemetry/opentelemetry-go).


Updates `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` from 0.18.0 to 0.19.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
  dependency-version: 0.19.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 19:27:49 +00:00
Milos Gajdos
708f8d6b06 chore(ci): Prep for v3.1 release (#4841) 2026-04-06 08:41:42 -07:00
dependabot[bot]
5e72174444 build(deps): bump github/codeql-action from 4.34.1 to 4.35.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.34.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3869755554...c10b8064de)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-06 01:17:35 +00:00
Milos Gajdos
b1d5dbcf1b chore(ci): Prep for v3.1 release
* Release notes added
* Version bump in version package
* AUTHORS updated

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-05 18:12:29 -07:00
Milos Gajdos
078b0783f2 Merge commit from fork
fix redis repo-scoped blob descriptor revocation
2026-04-05 17:08:50 -07:00
Milos Gajdos
cccd0d4fb7 fix(vendor): fix broke vendor validation (#4839) 2026-04-05 16:30:19 -07:00
Milos Gajdos
49447e8e12 fix(vendor): fix broke vendor validation
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-05 13:35:49 -07:00
Milos Gajdos
cc5d5fa4ba Merge commit from fork
proxy: bind bearer realms to upstream trust boundary
2026-04-05 13:30:20 -07:00
Milos Gajdos
4cfa178962 build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0 (#4834) 2026-04-04 15:38:16 -07:00
Milos Gajdos
c4bac3bcd6 build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0 (#4836) 2026-04-04 13:50:37 -07:00
Milos Gajdos
2f2ce9fb6c Opt: refactor tag list pagination support (#4353) 2026-04-04 13:49:23 -07:00
njucjc
6a02a0e81d Opt: refactor tag list pagination support
Signed-off-by: njucjc <njucjc@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-04 22:04:37 +02:00
Milos Gajdos
7482bff437 feat(registry): enhance authentication checks in htpasswd implementation (#4758) 2026-04-04 12:48:30 -07:00
HexMix
7ed654e0a7 feat(registry): enhance authentication checks in htpasswd implementation
- Added a dummy hash for nonexistent users to prevent timing attacks.
- Updated test cases to include a nonexistent user scenario for better coverage.
- Introduced a global dummy hash variable to streamline authentication for nonexistent users.
- Updated the authentication logic to utilize the new dummy hash for improved consistency.
- Added support for overriding the dummy hash in the access controller for testing purposes.
- Updated the authentication logic to utilize the provided dummy hash during user authentication.
- Updated test cases to use `t.TempDir()` for creating temporary htpasswd files, enhancing test isolation and cleanup.
- Simplified file reading and error handling in the `TestCreateHtpasswdFile` function.

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: HexMix <32300164+mnixry@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-04 21:19:33 +02:00
Milos Gajdos
30210f45f4 chore(app): warn when partial TLS config is used in Redis (#4838) 2026-04-03 12:18:41 -07:00
Milos Gajdos
000567267f chore(app): warn when partial TLS config is used in Redis
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-03 12:04:53 -07:00
João Pereira
17de9dfab2 build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in the go_modules group across 1 directory (#4837) 2026-04-03 08:10:25 +01:00
dependabot[bot]
2bf6ae0065 build(deps): bump github.com/go-jose/go-jose/v4
Bumps the go_modules group with 1 update in the / directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).


Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-03 04:02:21 +00:00
dependabot[bot]
f91da11464 build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.4 to 6.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](75cd11691c...57e3a136b7)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-03 01:13:22 +00:00
Milos Gajdos
4045624d53 build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 (#4833) 2026-04-02 17:54:17 -07:00
1seal
5cda72868f fix redis repo-scoped blob descriptor revocation 2026-04-01 18:38:38 +03:00
dependabot[bot]
bbc6f54c06 build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0
Bumps [actions/configure-pages](https://github.com/actions/configure-pages) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/configure-pages/releases)
- [Commits](983d7736d9...45bfe0192c)

---
updated-dependencies:
- dependency-name: actions/configure-pages
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 01:18:04 +00:00