Skip to content

chore(deps): update golang docker tag to v1.26 (master)#410

Open
github-actions[bot] wants to merge 1 commit intomasterfrom
renovate/master-golang-1.x
Open

chore(deps): update golang docker tag to v1.26 (master)#410
github-actions[bot] wants to merge 1 commit intomasterfrom
renovate/master-golang-1.x

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Feb 10, 2026
edited
Loading

This PR contains the following updates:

Package Type Update Change
golang stage minor 1.25-alpine -> 1.26-alpine

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

nekrich pushed a commit to nekrich/ofelia that referenced this pull request Feb 13, 2026
@CybotTM
feat(webhooks): simplify host whitelist with permissive default (mcua…
5f72894 
…dros#410)

## Summary

Simplifies webhook security to follow the same trust model as local
command execution: **if you control the configuration, you control the
behavior**.

- `webhook-allowed-hosts` defaults to `*` (allow all hosts)
- Setting specific hosts enables whitelist mode
- Removed complex SSRF blocking (inconsistent with local command trust
model)

Closes mcuadros#407

## Security Model

Since Ofelia already trusts users to:
- Run arbitrary commands via `job-local`
- Execute commands in containers via `job-exec`

It applies the same trust level to webhook destinations. The user
controls the config; the user controls what happens.

## Configuration

| Setting | Behavior |
|---------|----------|
| `webhook-allowed-hosts = *` (default) | All hosts allowed |
| `webhook-allowed-hosts = hooks.slack.com, ntfy.internal` | Whitelist
mode |

### Default (self-hosted environments)
No configuration needed - all hosts work out of the box:
```ini
# No config required - webhook-allowed-hosts defaults to "*"
```

### Whitelist mode (cloud/multi-tenant deployments)
```ini
[global]
webhook-allowed-hosts = hooks.slack.com, discord.com, ntfy.internal, 192.168.1.20
```

Supports wildcards:
```ini
[global]
webhook-allowed-hosts = *.slack.com, *.internal.example.com
```

## Test Plan

- [x] Unit tests for default `*` configuration (allow all)
- [x] Unit tests for whitelist mode with specific hosts
- [x] Unit tests for wildcard matching
- [x] Documentation updated (webhooks.md, SECURITY.md)
- [x] All existing tests pass
nekrich pushed a commit to nekrich/ofelia that referenced this pull request Feb 13, 2026
@CybotTM
docs: update changelog for v0.17.0 release (#415)
0601a87 
## Summary

Updates CHANGELOG.md with release notes for v0.17.0 including:

- **Secure Web Authentication** (mcuadros#408)
- **Doctor Command Enhancements** (mcuadros#408)
- **ntfy-token Preset** (mcuadros#409)
- **Webhook Host Whitelist** (mcuadros#410)
- **CronClock Interface** (mcuadros#412)
- **Cookie Security Hardening** (mcuadros#411)
- **GitHub Actions Pinning** (mcuadros#411)
- **Test Infrastructure Improvements** (mcuadros#412)
- **Performance Optimizations** (mcuadros#412)
- **Linting Audit** (mcuadros#413)

## Test Plan

- [x] Changelog follows Keep a Changelog format
- [x] All PR references are correct
- [x] Date is correct (2025-12-22)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants