tailscale-custom

Author	SHA1	Message	Date
huanld	2fb067ecbf	feat: security hardening, production roadmap, admin panel v1 checklocks / checklocks (push) Has been cancelled Details CodeQL / Analyze (go) (push) Has been cancelled Details natlab-integrationtest / natlab-integrationtest (push) Has been cancelled Details CI / gomod-cache (push) Has been cancelled Details CI / race-root-integration (1/4) (push) Has been cancelled Details CI / race-root-integration (2/4) (push) Has been cancelled Details CI / race-root-integration (3/4) (push) Has been cancelled Details CI / race-root-integration (4/4) (push) Has been cancelled Details CI / test (-race, amd64, 1/3) (push) Has been cancelled Details CI / test (-race, amd64, 2/3) (push) Has been cancelled Details CI / test (-race, amd64, 3/3) (push) Has been cancelled Details CI / test (386) (push) Has been cancelled Details CI / test (amd64) (push) Has been cancelled Details CI / Windows (benchmarks) (push) Has been cancelled Details CI / Windows (1/2) (push) Has been cancelled Details CI / Windows (2/2) (push) Has been cancelled Details CI / macos (push) Has been cancelled Details CI / privileged (push) Has been cancelled Details CI / vm (push) Has been cancelled Details CI / cross (386, linux) (push) Has been cancelled Details CI / cross (amd64, darwin) (push) Has been cancelled Details CI / cross (amd64, freebsd) (push) Has been cancelled Details CI / cross (amd64, openbsd) (push) Has been cancelled Details CI / cross (amd64, windows) (push) Has been cancelled Details CI / cross (arm, 5, linux) (push) Has been cancelled Details CI / cross (arm, 7, linux) (push) Has been cancelled Details CI / cross (arm64, darwin) (push) Has been cancelled Details CI / cross (arm64, linux) (push) Has been cancelled Details CI / cross (arm64, windows) (push) Has been cancelled Details CI / cross (loong64, linux) (push) Has been cancelled Details CI / ios (push) Has been cancelled Details CI / crossmin (amd64, illumos) (push) Has been cancelled Details CI / crossmin (amd64, plan9) (push) Has been cancelled Details CI / crossmin (amd64, solaris) (push) Has been cancelled Details CI / crossmin (ppc64, aix) (push) Has been cancelled Details CI / android (push) Has been cancelled Details CI / wasm (push) Has been cancelled Details CI / tailscale_go (push) Has been cancelled Details CI / fuzz (push) Has been cancelled Details CI / depaware (push) Has been cancelled Details CI / go_generate (push) Has been cancelled Details CI / make_tidy (push) Has been cancelled Details CI / licenses (push) Has been cancelled Details CI / staticcheck (macOS) (push) Has been cancelled Details CI / staticcheck (Linux) (push) Has been cancelled Details CI / staticcheck (Windows) (push) Has been cancelled Details CI / staticcheck (Portable (1/4)) (push) Has been cancelled Details CI / staticcheck (Portable (2/4)) (push) Has been cancelled Details CI / staticcheck (Portable (3/4)) (push) Has been cancelled Details CI / staticcheck (Portable (4/4)) (push) Has been cancelled Details CI / notify_slack (push) Has been cancelled Details CI / merge_blocker (push) Has been cancelled Details CI / check_mergeability_strict (push) Has been cancelled Details CI / check_mergeability (push) Has been cancelled Details Dockerfile build / deploy (push) Has been cancelled Details test installer.sh / test (curl, alpine:3.21) (push) Has been cancelled Details test installer.sh / test (curl, alpine:edge) (push) Has been cancelled Details test installer.sh / test (curl, alpine:latest) (push) Has been cancelled Details test installer.sh / test (curl, amazonlinux:latest) (push) Has been cancelled Details test installer.sh / test (curl, archlinux:latest) (push) Has been cancelled Details test installer.sh / test (curl, debian:oldstable-slim) (push) Has been cancelled Details test installer.sh / test (curl, debian:sid-slim) (push) Has been cancelled Details test installer.sh / test (curl, debian:stable-slim, 1.80.0) (push) Has been cancelled Details test installer.sh / test (curl, debian:testing-slim) (push) Has been cancelled Details test installer.sh / test (curl, elementary/docker:stable) (push) Has been cancelled Details test installer.sh / test (curl, elementary/docker:unstable) (push) Has been cancelled Details test installer.sh / test (curl, fedora:latest, 1.80.0) (push) Has been cancelled Details test installer.sh / test (curl, kalilinux/kali-dev) (push) Has been cancelled Details test installer.sh / test (curl, kalilinux/kali-rolling) (push) Has been cancelled Details test installer.sh / test (curl, opensuse/leap:latest) (push) Has been cancelled Details test installer.sh / test (curl, opensuse/tumbleweed:latest) (push) Has been cancelled Details test installer.sh / test (curl, oraclelinux:8) (push) Has been cancelled Details test installer.sh / test (curl, oraclelinux:9) (push) Has been cancelled Details test installer.sh / test (curl, parrotsec/core:latest) (push) Has been cancelled Details test installer.sh / test (curl, rockylinux:8.7) (push) Has been cancelled Details test installer.sh / test (curl, rockylinux:9) (push) Has been cancelled Details test installer.sh / test (curl, ubuntu:20.04) (push) Has been cancelled Details test installer.sh / test (curl, ubuntu:22.04) (push) Has been cancelled Details test installer.sh / test (curl, ubuntu:24.04, 1.80.0) (push) Has been cancelled Details test installer.sh / test (wget, debian:oldstable-slim) (push) Has been cancelled Details test installer.sh / test (wget, debian:sid-slim) (push) Has been cancelled Details update-flake / update-flake (push) Has been cancelled Details tailscale.com/cmd/vet / vet (push) Has been cancelled Details test installer.sh / notify-slack (push) Has been cancelled Details Client security fixes (cmd/tailscale-tray/main.go): - SSRF protection in Add Server dialog (validateControlURL): reject private/loopback/link-local/cloud-metadata IPs via DNS resolution - RCE gate on AuthURL/BrowseToURL exec paths (validateAuthURL) - Sanitized URL logging (sanitizeURLForLog drops query auth tokens) - Error handling on exec.Command with user-facing showError() Admin panel security (web-admin): - Bcrypt password hashing (replaces SHA256) - Rate limiting: 5 failed logins → 15-min lockout - Session + login attempt cleanup goroutine (hourly) - url.QueryEscape / encodeURIComponent for all API params - Fail-hard startup when no TLS and non-loopback bind - ADMIN_PASSWORD required (no default), password min 12 chars - Username regex whitelist Installer hardening (Setup.wxs): - util:PermissionEx restricts SCM access: only Administrators + SYSTEM can start/stop/reconfigure service. Authenticated Users limited to QueryStatus/QueryConfig/Interrogate - Vital="yes" on ServiceInstall Docs & roadmap: - PRODUCTION_ROADMAP.md: 5-milestone plan (security + features + distribution + ops) with granular tasks, effort, done-when - CLIENT_SECURITY_AUDIT.md, SECURITY_FIXES.md, DEPLOYMENT.md - AI assistant rules (.cursorrules, .antigravityrules, etc.) Build & distribution: - build-msi.ps1, deploy-and-sign.ps1, sign-release.ps1 - redeploy.ps1, tray-deploy.ps1, test-msi.ps1 - installer/msi/ alternative WXS setup - Restored .github/workflows/ removed in mirror cleanup .gitignore hardened: .pfx, .p12, .key, .pem, .env*	2026-04-22 15:18:11 +07:00
huanld	a4d9f21553	chore: remove workflows for public mirror	2026-04-12 12:06:27 +07:00
dependabot[bot]	8be5affa6d	.github: bump actions/checkout from 6.0.1 to 6.0.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-23 08:44:40 -07:00
dependabot[bot]	9a6282b515	.github: Bump actions/checkout from 4.2.2 to 5.0.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/11bd71901bbe5b1630ceea73d27597364c9af683...08c6903cd8c0fde910a37f88322edcfb5dd907a8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-01-06 11:48:32 -07:00
Irbe Krumina	077d52b22f	.github/workflows: removes extra '$' Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2025-06-16 15:04:10 -07:00
dependabot[bot]	0aa54151f2	.github: Bump actions/checkout from 3.6.0 to 4.2.2 (#14139 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.6.0...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-01-28 15:03:13 -07:00
Mario Minardi	07991dec83	.github: pin actions/checkout to latest v3 or v4 as appropriate (#13551 ) Pin actions/checkout usage to latest 3.x or 4.x as appropriate. These were previously pointing to `@4` or `@3` which pull in the latest versions at these tags as they are released, with the potential to break our workflows if a breaking change or malicious version for either of these streams are released. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>	2024-09-23 14:52:19 -06:00
Andrew Dunham	0323dd01b2	ci: enable checklocks workflow for specific packages This turns the checklocks workflow into a real check, and adds annotations to a few basic packages as a starting point. Updates #12625 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2b0185bae05a843b5257980fc6bde732b1bdd93f	2024-06-26 13:55:07 -04:00
dependabot[bot]	b1a0caf056	.github: Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2023-11-01 13:26:33 -07:00
James Tucker	237b4b5a2a	.github/workflows: add checklocks Currently the checklocks step is not configured to fail, as we do not yet have the appropriate annotations. Updates tailscale/corp#14381 Signed-off-by: James Tucker <james@tailscale.com>	2023-10-25 16:39:31 -07:00

10 Commits