Merge branch 'release/1.16.x' into backport/miagilepner/VAULT-36229-recovery-rekey-cancel/1.16

Author: miagilepner

.github/actions/build-vault/action.yml

@@ -92,7 +92,7 @@ runs:
       shell: bash
       run: git config --global url."https://${{ inputs.github-token }}:@github.com".insteadOf "https://github.com"
     - name: Restore UI from cache
-      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         # Restore the UI asset from the UI build workflow. Never use a partial restore key.
         enableCrossOsArchive: true
@@ -146,7 +146,7 @@ runs:
         BUNDLE_PATH: out/${{ steps.metadata.outputs.artifact-basename }}.zip
       shell: bash
       run: make ci-bundle
-    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+    - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: ${{ steps.metadata.outputs.artifact-basename }}.zip
         path: out/${{ steps.metadata.outputs.artifact-basename }}.zip
@@ -178,13 +178,13 @@ runs:
           echo "deb-files=$(basename out/*.deb)"
         } | tee -a "$GITHUB_OUTPUT"
     - if: inputs.create-packages == 'true'
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: ${{ steps.package-files.outputs.rpm-files }}
         path: out/${{ steps.package-files.outputs.rpm-files }}
         if-no-files-found: error
     - if: inputs.create-packages == 'true'
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: ${{ steps.package-files.outputs.deb-files }}
         path: out/${{ steps.package-files.outputs.deb-files }}

.github/actions/changed-files/action.yml

@@ -2,72 +2,45 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 ---
-name: Determine what files changed between two git referecnes.
+name: Determine what files have changed on either a pull request or commit.
 description: |
-  Determine what files have changed between two git references. If the github.event_type is
-  pull_request we'll compare the github.base_ref (merge target) and pull request head SHA.
-  For other event types we'll gather the changed files from the most recent commit. This allows
-  us to support PR and merge workflows.
+  Determine what files have changed on either a pull request or commit.
+  Writes the list of files to
+
+inputs:
+  github-token:
+    description: A preferred Github token to access private modules if necessary.
 
 outputs:
-  app-changed:
-    description: Whether or not the vault Go app was modified.
-    value: ${{ steps.changed-files.outputs.app-changed }}
-  docs-changed:
-    description: Whether or not the documentation was modified.
-    value: ${{ steps.changed-files.outputs.docs-changed }}
-  ui-changed:
-    description: Whether or not the web UI was modified.
-    value: ${{ steps.changed-files.outputs.ui-changed }}
-  files:
-    description: All of the file names that changed.
-    value: ${{ steps.changed-files.outputs.files }}
+  changed-files:
+    description: All of the files that changed.
+    value: ${{ steps.changed-files.outputs.changed-files }}
 
 runs:
   using: composite
   steps:
-    - id: ref
+    - id: changed-files-set-up-pipeline
+      name: Set up the pipeline tool
+      uses: ./.github/actions/set-up-pipeline
+      with:
+        github-token: ${{ inputs.github-token || github.token }}
+    - id: changed-files
+      name: Determine the changed files
       shell: bash
-      name: ref
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token || github.token }}
       run: |
-        # Determine our desired checkout ref.
-        #
-        # * If the trigger event is pull_request we will default to a magical merge SHA that Github
-        #   creates. This SHA is the product of what merging our PR into the merge target branch at
-        #   at the point in time when we created the PR. When you push a change to a PR branch
-        #   Github updates this branch if it can. When you rebase a PR it updates this branch.
-        #
-        # * If the trigger event is pull_request and a `checkout-head` tag is present or the
-        #   checkout-head input is set, we'll use HEAD of the PR branch instead of the magical
-        #   merge SHA.
-        #
-        # * If the trigger event is a push (merge) then we'll get the latest commit that was pushed.
-        #
-        # * For anything any other event type we'll default to whatever is default in Github.
+        # Get a list of changed files and write the "changed-files" output to $GITHUB_OUTPUT
         if [ '${{ github.event_name }}' = 'pull_request' ]; then
-          checkout_ref='${{ github.event.pull_request.head.sha }}'
-        elif [ '${{ github.event_name }}' = 'push' ]; then
-          # Our checkout ref for any other event type should default to the github ref.
-          checkout_ref='${{ github.event.after && github.event.after || github.event.push.after }}'
+          pipeline github list changed-files \
+            --owner hashicorp \
+            --repo '${{ github.event.pull_request.head.repo.name }}' \
+            --pr '${{ github.event.pull_request.number }}' \
+            --github-output
         else
-          checkout_ref='${{ github.ref }}'
+          pipeline github list changed-files \
+            --owner hashicorp \
+            --repo '${{ github.event.repository.name }}' \
+            --commit '${{ github.event.after && github.event.after || github.event.push.after && github.event.push.after || github.sha }}' \
+            --github-output
         fi
-        echo "ref=${checkout_ref}" | tee -a "$GITHUB_OUTPUT"
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      with:
-        repository: ${{ github.repository }}
-        path: "changed-files"
-        # The fetch-depth could probably be optimized at some point. It's currently set to zero to
-        # ensure that we have a successfull diff, regardless of how many commits might be present
-        # present between the two references we're comparing. It would be nice to change this
-        # depending on the number of commits by using the push.commits and/or pull_request.commits
-        # payload fields, however, they have different behavior and limitations. For now we'll do
-        # the slow but sure thing of getting the whole repository.
-        fetch-depth: 0
-        ref: ${{ steps.ref.outputs.ref }}
-    - id: changed-files
-      name: changed-files
-      # This script writes output values to $GITHUB_OUTPUT and STDOUT
-      shell: bash
-      run: ./.github/scripts/changed-files.sh ${{ github.event_name }} ${{ github.ref_name }} ${{ github.base_ref }}
-      working-directory: changed-files

.github/actions/checkout/action.yml

@@ -70,7 +70,7 @@ runs:
           echo "ref=${checkout_ref}"
           echo "depth=${fetch_depth}"
         } | tee -a "$GITHUB_OUTPUT"
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ${{ inputs.path }}
         fetch-depth: ${{ steps.ref.outputs.depth }}

.github/actions/containerize/action.yml

@@ -10,31 +10,24 @@ description: |
 
 inputs:
   docker:
-    type: boolean
     description: |
       Package the binary into a Docker container suitable for the Docker and AWS registries. We'll
       automatically determine the correct tags and target depending on the vault edition.
-    default: true
+    default: 'true'
   goarch:
-    type: string
     description: The Go GOARCH value environment variable to set during the build.
   goos:
-    type: string
     description: The Go GOOS value environment variable to set during the build.
   redhat:
-    type: boolean
     description: Package the binary into a UBI container suitable for the Redhat Quay registry.
-    default: false
+    default: 'false'
   vault-binary-path:
-    type: string
     description: The path to the vault binary.
     default: dist/vault
   vault-edition:
-    type: string
     description: The edition of vault to build.
     default: ce
   vault-version:
-    type: string
     description: The vault version.
 
 outputs:
@@ -48,31 +41,52 @@ runs:
     - id: vars
       shell: bash
       run: |
-        if [[ '${{ inputs.vault-edition }}' =~ 'ce' ]]; then
-          # CE containers
-          container_version='${{ inputs.vault-version }}'
-          docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
-          docker_container_target='default'
-          redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
-          redhat_container_target='ubi'
-        else
-          # Ent containers
-          container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
-
-          if [[ '${{ inputs.vault-edition }}' =~ 'fips' ]]; then
-            # Ent FIPS 140-2 containers
-            docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
-            docker_container_target='ubi-fips'
-            redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
-            redhat_container_target='ubi-fips'
-          else
-            # All other Ent containers
+        case '${{ inputs.vault-edition }}' in
+          "ce")
+            container_version='${{ inputs.vault-version }}'
+            docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
+            docker_container_target='default'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
+            redhat_container_target='ubi'
+          ;;
+          "ent")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
             docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
             docker_container_target='default'
             redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
             redhat_container_target='ubi'
-          fi
-        fi
+          ;;
+          "ent.hsm")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-hsm'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-hsm'
+          ;;
+          "ent.hsm.fips1402")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-hsm-fips'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-hsm-fips'
+          ;;
+          "ent.fips1402")
+            # NOTE: For compatibility we still publish the ent.fips1402 containers to different
+            # namespaces. All ent, ent.hsm, and ent.hsm.fips1402 containers are released in the
+            # enterprise namespaces. After we've updated the upstream docker action to support
+            # multiple tags we can start to tag images with both namespaces, publish to both, and
+            # eventually sunset the fips1402 specific namespaces.
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-fips'
+            redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-fips'
+          ;;
+          *)
+            echo "Cannot generate container tags for unknown vault edition: ${{ inputs.vault-edition }}" 2>&1
+            exit 1
+          ;;
+        esac
         {
           echo "container-version=${container_version}"
           echo "docker-container-tags=${docker_container_tags}"
@@ -90,7 +104,7 @@ runs:
         [[ ! -d "$dest_dir" ]] && mkdir -p "$dest_dir"
         [[ ! -f "$dest_path" ]] && cp ${{ inputs.vault-binary-path }} "${dest_path}"
     - if: inputs.docker == 'true'
-      uses: hashicorp/actions-docker-build@v2
+      uses: hashicorp/actions-docker-build@f22d5ac7d36868afaa4be1cc1203ec1b5865cadd
       with:
         arch: ${{ inputs.goarch }}
         do_zip_extract_step: 'false' # Don't download and extract an already present binary
@@ -99,7 +113,7 @@ runs:
         revision: ${{ steps.vars.outputs.revision }}
         version: ${{ steps.vars.outputs.container-version }}
     - if: inputs.redhat == 'true'
-      uses: hashicorp/actions-docker-build@v2
+      uses: hashicorp/actions-docker-build@f22d5ac7d36868afaa4be1cc1203ec1b5865cadd
       with:
         arch: ${{ inputs.goarch }}
         do_zip_extract_step: 'false' # Don't download and extract an already present binary

.github/actions/create-dynamic-config/action.yml

@@ -0,0 +1,52 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+name: Create dynamic pipeline configuration
+description: Create dynamic test configuration by restoring existing valid config or creating new config
+
+inputs:
+  github-token:
+    description: An elevated Github token to access private HashiCorp modules.
+  vault-edition:
+    description: The vault edition to use when generating the dynamic config
+  vault-version:
+    description: The vault version to use when generating the dynamic config
+
+runs:
+  using: composite
+  steps:
+    - name: dyn-cfg-metadata
+      id: dyn-cfg-metadata
+      shell: bash
+      run: |
+        # We're using a weekly cache key here so that we only regenerate the configuration on a
+        # weekly basis. If/when Github decides to purge our tiny config file cache we'll also
+        # recreate it as necessary.
+        #
+        # Uses GITHUB_ENV instead of GITHUB_OUTPUT because composite actions are broken,
+        # see: https://github.com/actions/cache/issues/803#issuecomment-1793565071
+        {
+          echo "DYNAMIC_CONFIG_KEY=${{ inputs.vault-version }}-$(date +%Y-%m-%U)"
+          echo "DYNAMIC_CONFIG_PATH=enos/enos-dynamic-config.hcl"
+        } | tee -a "$GITHUB_ENV"
+    - name: Try to restore dynamic config from cache
+      id: dyn-cfg-cache
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+      with:
+        path: ${{ env.DYNAMIC_CONFIG_PATH }}
+        key: dyn-cfg-${{ env.DYNAMIC_CONFIG_KEY }}
+    - if: steps.dyn-cfg-cache.outputs.cache-hit != 'true'
+      id: dyn-cfg-set-up-pipeline
+      # If we can't restore it from config then set up pipeline and generate it
+      name: Set up the pipeline tool
+      uses: ./.github/actions/set-up-pipeline
+      with:
+        github-token: ${{ inputs.github-token }}
+    - if: steps.dyn-cfg-cache.outputs.cache-hit != 'true'
+      id: dyn-cfg-generate
+      name: Create dynamic configuration
+      shell: bash
+      run: |
+        # Make sure that any branch specific dynamic config has been generated
+        pipeline generate enos-dynamic-config -d ./enos -f enos-dynamic-config.hcl -v ${{ inputs.vault-version }} -e ${{ inputs.vault-edition }} -n 3 --log debug

.github/actions/install-external-tools/action.yml

@@ -13,22 +13,23 @@ runs:
   steps:
     - uses: ./.github/actions/set-up-buf
       with:
-        version: v1.25.0 # This should match the version in tools/tool.sh
+        version: v1.45.0 # This should match the version in tools/tool.sh
     - uses: ./.github/actions/set-up-gofumpt
     - uses: ./.github/actions/set-up-gotestsum
     - uses: ./.github/actions/set-up-misspell
+    - uses: ./.github/actions/set-up-shfmt
     - uses: ./.github/actions/set-up-staticcheck
       # We assume that the Go toolchain will be managed by the caller workflow so we don't set one
       # up here.
-    - run: go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+    - run: ./.github/scripts/retry-command.sh go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.1
       shell: bash
-    - run: go install google.golang.org/grpc/cmd/[email protected]
+    - run: ./.github/scripts/retry-command.sh go install google.golang.org/grpc/cmd/[email protected]
       shell: bash
-    - run: go install github.com/favadi/protoc-go-inject-tag@latest
+    - run: ./.github/scripts/retry-command.sh go install github.com/favadi/protoc-go-inject-tag@latest
       shell: bash
-    - run: go install golang.org/x/tools/cmd/goimports@latest
+    - run: ./.github/scripts/retry-command.sh go install golang.org/x/tools/cmd/goimports@latest
       shell: bash
-    - run: go install github.com/golangci/revgrep/cmd/revgrep@latest
+    - run: ./.github/scripts/retry-command.sh go install github.com/golangci/revgrep/cmd/revgrep@latest
       shell: bash
-    - run: go install github.com/loggerhead/enumer@latest
+    - run: ./.github/scripts/retry-command.sh go install github.com/stevendpclark/enumer@v0.0.0-20250122154818-a42b666c3cd3
       shell: bash