backport of commit 7726ae6

.github/workflows/build.yml

@@ -98,7 +98,7 @@ jobs:
         run: make deps
 
       - name: Setup node and yarn
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"
@@ -150,7 +150,7 @@ jobs:
         run: make deps
 
       - name: Setup node and yarn
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"
@@ -275,7 +275,7 @@ jobs:
         run: make deps
 
       - name: Setup node and yarn
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"

.github/workflows/checks.yaml

@@ -43,7 +43,7 @@ jobs:
         run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          cache: ${{ contains(runner.name, 'Github Actions') }}
+          cache: true
           go-version-file: .go-version
           cache-dependency-path: '**/go.sum'
       - name: Run make check

.github/workflows/ember-test-audit.yml

@@ -0,0 +1,87 @@
+name: Ember test audit comparison
+on:
+  pull_request:
+    paths:
+    - '.github/workflows/ember*'
+    - 'ui/**'
+
+defaults:
+  run:
+    working-directory: ui
+
+# There’s currently no way to share steps between jobs so there’s a lot of duplication
+# for running the audit for the base and PR.
+jobs:
+  time-base:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+      - uses: nanasess/setup-chromedriver@42cc2998329f041de87dc3cfa33a930eacd57eaa # v2.2.2
+      - name: Use Node.js
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version: '18'
+      - run: yarn --frozen-lockfile
+      - run: mkdir -p /tmp/test-reports
+      - run: npx ember-test-audit 1 --json --output ../base-audit.json
+      - name: Upload result
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: base-audit
+          path: base-audit.json
+  time-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: nanasess/setup-chromedriver@42cc2998329f041de87dc3cfa33a930eacd57eaa # v2.2.2
+      - name: Use Node.js
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version: '18'
+      - run: yarn --frozen-lockfile
+      - run: mkdir -p /tmp/test-reports
+      - run: npx ember-test-audit 1 --json --output ../pr-audit.json
+      - name: Upload result
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: pr-audit
+          path: pr-audit.json
+  compare:
+    needs: [time-base, time-pr]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: base-audit
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: pr-audit
+      - uses: backspace/ember-test-audit-comparison-action@21e9492d0033bc7e84b6189ae94537a6ed045cfa # v2
+        with:
+          base-report-path: base-audit.json
+          comparison-report-path: pr-audit.json
+          base-identifier: ${{ github.event.pull_request.base.ref }}
+          comparison-identifier: ${{ github.event.pull_request.head.sha }}
+          timing-output-path: audit-diff.md
+          flakiness-output-path: flakiness-report.md
+      - uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          path: audit-diff.md
+      - name: Check for existence of flakiness report
+        id: check_file
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
+        with:
+          files: "flakiness-report.md"
+      - name: comment PR
+        if: steps.check_file.outputs.files_exists == 'true'
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          message-path: flakiness-report.md
+permissions:
+  contents: read
+  pull-requests: write

.github/workflows/release.yml

@@ -87,7 +87,7 @@ jobs:
           go-version: ${{ steps.get-go-version.outputs.go-version }}
 
       - name: Setup node and yarn
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"

.github/workflows/test-ui.yml

@@ -2,14 +2,14 @@ name: test-ui
 on:
   pull_request:
     paths:
-      - "ui/**"
+      - 'ui/**'
   push:
     branches:
       - main
       - release/**
       - test-ui
     paths:
-      - "ui/**"
+      - 'ui/**'
 
 jobs:
   pre-test:
@@ -36,15 +36,14 @@ jobs:
       - pre-test
     runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux", "type=m7a.2xlarge;m6a.2xlarge"]') || 'ubuntu-latest' }}
     timeout-minutes: 30
+    continue-on-error: true
     defaults:
       run:
         working-directory: ui
     strategy:
       matrix:
         partition: [1, 2, 3, 4]
         split: [4]
-        # Note: If we ever change the number of partitions, we'll need to update the
-        # finalize.combine step to match
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/actions/setup-js
@@ -64,19 +63,8 @@ jobs:
         env:
           PERCY_TOKEN: ${{ env.PERCY_TOKEN || secrets.PERCY_TOKEN }}
           PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }}
-        run: |
-          yarn exam:parallel --split=${{ matrix.split }} --partition=${{ matrix.partition }} --json-report=test-results/test-results.json
-        continue-on-error: true
-      - name: Express timeout failure
-        if: ${{ failure() }}
-        run: exit 1
-      - name: Upload partition test results
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        with:
-          name: test-results-${{ matrix.partition }}
-          path: ui/test-results/test-results.json
-          retention-days: 90
+        run: yarn exam:parallel --split=${{ matrix.split }} --partition=${{ matrix.partition }}
+
   finalize:
     needs:
       - pre-test
@@ -100,24 +88,6 @@ jobs:
           jwtGithubAudience: ${{ vars.CI_VAULT_AUD }}
           secrets: |-
             kv/data/teams/nomad/ui PERCY_TOKEN ;
-      - name: Download all test results
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: test-results-*
-          path: test-results
-
-      - name: Combine test results for comparison
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        run: node ../scripts/combine-ui-test-results.js
-      - name: Upload combined results for comparison
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        with:
-          name: test-results-${{ github.sha }}
-          path: ui/combined-test-results.json
-          retention-days: 90
-
       - name: finalize
         env:
           PERCY_TOKEN: ${{ env.PERCY_TOKEN || secrets.PERCY_TOKEN }}

.gitignore

@@ -137,10 +137,3 @@ tools/missing/missing
 
 # allow security scanner file
 !scan.hcl
-
-# generated variables for upgrade tests
-enos.vars.hcl
-enos/modules/*/*.tfvars
-
-# local license files
-*.hclic

CHANGELOG.md

@@ -94,18 +94,6 @@ BUG FIXES:
 * template: Fixed a panic on client restart when using change_mode=script [[GH-24057](https://github.com/hashicorp/nomad/issues/24057)]
 * ui: Fixes an issue where variables paths would not let namespaced users write variables unless they also had wildcard namespace variable write permissions [[GH-24073](https://github.com/hashicorp/nomad/issues/24073)]
 
-## 1.8.7 Enterprise (November 8, 2024)
-
-SECURITY:
-
-* csi: Fixed a bug where a user with csi-write-volume permissions to one namespace can create volumes in another namespace (CVE-2024-10975) [[GH-24396](https://github.com/hashicorp/nomad/issues/24396)]
-
-BUG FIXES:
-
-* connect: add validation to ensure that connect native services specify a port [[GH-24329](https://github.com/hashicorp/nomad/issues/24329)]
-* keyring: Fixed a panic on server startup when decrypting AEAD key data with empty RSA block [[GH-24383](https://github.com/hashicorp/nomad/issues/24383)]
-* scheduler: fixed a bug where resource calculation did not account correctly for poststart tasks [[GH-24297](https://github.com/hashicorp/nomad/issues/24297)]
-
 ## 1.8.6 Enterprise(October 21, 2024)
 
 IMPROVEMENTS:
@@ -245,7 +233,7 @@ BUG FIXES:
 * server: Fixed a bug where expiring heartbeats for garbage collected nodes could panic the server [[GH-23383](https://github.com/hashicorp/nomad/issues/23383)]
 * template: Fix template rendering on Windows [[GH-23432](https://github.com/hashicorp/nomad/issues/23432)]
 * ui: Actions run from jobs with explicit name properties now work from the web UI [[GH-23553](https://github.com/hashicorp/nomad/issues/23553)]
-* ui: Don't show keyboard nav hints when taking a screenshot [[GH-23365](https://github.com/hashicorp/nomad/issues/23365)]
+* ui: Dont show keyboard nav hints when taking a screenshot [[GH-23365](https://github.com/hashicorp/nomad/issues/23365)]
 * ui: Fix an issue where a remotely purged job would prevent redirect from taking place in the web UI [[GH-23492](https://github.com/hashicorp/nomad/issues/23492)]
 * ui: Fix an issue where access to Job Templates in the UI was restricted to variable.write access [[GH-23458](https://github.com/hashicorp/nomad/issues/23458)]
 * ui: Fix the Upload Jobspec button on the Run Job page [[GH-23548](https://github.com/hashicorp/nomad/issues/23548)]
@@ -342,18 +330,6 @@ BUG FIXES:
 * ui: Show the namespace in the web UI exec command hint [[GH-20218](https://github.com/hashicorp/nomad/issues/20218)]
 * windows: Fixed a regression where scanning task processes was inefficient [[GH-20619](https://github.com/hashicorp/nomad/issues/20619)]
 
-## 1.7.15 (November 8, 2024)
-
-SECURITY:
-
-* csi: Fixed a bug where a user with csi-write-volume permissions to one namespace can create volumes in another namespace (CVE-2024-10975) [[GH-24396](https://github.com/hashicorp/nomad/issues/24396)]
-
-BUG FIXES:
-
-* connect: add validation to ensure that connect native services specify a port [[GH-24329](https://github.com/hashicorp/nomad/issues/24329)]
-* deps: Fixed a bug where restarting Nomad could cause an unrelated process with the same PID as a failed executor to be killed [[GH-24265](https://github.com/hashicorp/nomad/issues/24265)]
-* scheduler: fixed a bug where resource calculation did not account correctly for poststart tasks [[GH-24297](https://github.com/hashicorp/nomad/issues/24297)]
-
 ## 1.7.14 Enterprise (October 21, 2024)
 
 IMPROVEMENTS:
@@ -645,7 +621,7 @@ IMPROVEMENTS:
 
 * audit (Enterprise): Added ACL token role links to audit log auth objects [[GH-19415](https://github.com/hashicorp/nomad/issues/19415)]
 * ui: Added a new example template with Task Actions [[GH-19153](https://github.com/hashicorp/nomad/issues/19153)]
-* ui: Don't allow new jobspec download until template is populated, and remove group count from jobs index [[GH-19377](https://github.com/hashicorp/nomad/issues/19377)]
+* ui: dont allow new jobspec download until template is populated, and remove group count from jobs index [[GH-19377](https://github.com/hashicorp/nomad/issues/19377)]
 * ui: make the exec window look nicer on mobile screens [[GH-19332](https://github.com/hashicorp/nomad/issues/19332)]
 
 BUG FIXES:
@@ -720,7 +696,7 @@ IMPROVEMENTS:
 * ui: for system and sysbatch jobs, now show client name on hover in job panel [[GH-19051](https://github.com/hashicorp/nomad/issues/19051)]
 * ui: nicer comment styles in UI example jobs [[GH-19037](https://github.com/hashicorp/nomad/issues/19037)]
 * ui: show plan output warnings alongside placement failures and dry-run info when running a job through the web ui [[GH-19225](https://github.com/hashicorp/nomad/issues/19225)]
-* ui: simplify presentation of task event times (10m2.230948s becomes 10m2s etc.) [[GH-18595](https://github.com/hashicorp/nomad/issues/18595)]
+* ui: simplify presentation of task event times (10m2.230948s bceomes 10m2s etc.) [[GH-18595](https://github.com/hashicorp/nomad/issues/18595)]
 * vars: Added a locking feature for Nomad Variables [[GH-18520](https://github.com/hashicorp/nomad/issues/18520)]
 
 DEPRECATIONS:

CODEOWNERS

@@ -2,11 +2,3 @@
 
 /.release/                              @hashicorp/github-nomad-core @hashicorp/nomad-eng
 /.github/workflows/build.yml            @hashicorp/github-nomad-core @hashicorp/nomad-eng
-
-# codeowner default
-*                              @hashicorp/github-nomad-core @hashicorp/nomad-eng
-
-
-# web presence and education
-
-/website/       @hashicorp/nomad-docs @hashicorp/web-presence @hashicorp/github-nomad-core @hashicorp/nomad-eng

acl/acl_test.go

@@ -79,12 +79,10 @@ func TestACLManagement(t *testing.T) {
 	// Check default namespace rights
 	must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
 	must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
-	must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityHostVolumeCreate))
 	must.True(t, acl.AllowNamespace("default"))
 
 	// Check non-specified namespace
 	must.True(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
-	must.True(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityHostVolumeCreate))
 	must.True(t, acl.AllowNamespace("foo"))
 
 	// Check node pool rights.
@@ -157,11 +155,9 @@ func TestACLMerge(t *testing.T) {
 	// Check default namespace rights
 	must.True(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
 	must.False(t, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
-	must.False(t, acl.AllowNamespaceOperation("default", NamespaceCapabilityHostVolumeRegister))
 
 	// Check non-specified namespace
 	must.False(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
-	must.False(t, acl.AllowNamespaceOperation("foo", NamespaceCapabilityHostVolumeCreate))
 
 	// Check rights in the node pool specified in policies.
 	must.True(t, acl.AllowNodePoolOperation("my-pool", NodePoolCapabilityRead))