Merge branch 'main' into replace-deprecated-otelhttp-interceptors

.github/workflows/boulder-ci.yml

@@ -41,7 +41,7 @@ jobs:
         tests:
           # Run ./test.sh --help for a description of each of the flags.
           - "./t.sh --lints --generate"
-          - "./t.sh --integration && ./test/test-caa-log-checker.sh"
+          - "./t.sh --integration"
           # Testing Config Changes:
           # Config changes that have landed in main but not yet been applied to
           # production can be made in `test/config-next/<component>.json`.
@@ -71,7 +71,7 @@ jobs:
       - name: Docker Login
         # You may pin to the exact commit or the version.
         # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@v3.1.0
         with:
           # Username used to log against the Docker registry
           username: ${{ secrets.DOCKER_USERNAME}}

.github/workflows/cps-review.yml

@@ -0,0 +1,69 @@
+name: Check PR for changes that trigger CP/CPS review
+
+on:
+  pull_request:
+    types: [ready_for_review, review_requested]
+    paths:
+      - 'features/features.go'
+
+jobs:
+  check-features:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "stable"
+
+      - name: Checkout Upstream
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+      - name: Get Current Flags
+        run: go run ./test/list-features/list-features.go | sort >| /tmp/currflags.txt
+
+      - name: Checkout PR
+        uses: actions/checkout@v4
+      - name: Get PR Flags
+        run: go run ./test/list-features/list-features.go | sort >| /tmp/prflags.txt
+
+      - name: Identify New Flags
+        id: newflags
+        run: echo flagnames=$(comm -13 /tmp/currflags.txt /tmp/prflags.txt | paste -sd,) >> $GITHUB_OUTPUT
+
+      - name: Comment PR
+        if: ${{ steps.newflags.outputs.flagnames != '' }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { owner, repo, number: issue_number } = context.issue;
+
+            // No need to comment if the PR description already has a CPS review.
+            const reviewRegexp = /^CPS Compliance Review:/;
+            if (reviewRegexp.test(context.payload.pull_request.body)) {
+              return;
+            }
+
+            // No need to comment if this task has previously commented on this PR.
+            const commentMarker = '<!-- cps_review_check -->';
+            const comments = await github.rest.issues.listComments({
+              owner,
+              repo,
+              issue_number
+            });
+            if (comments.data.find(c => c.body.includes(commentMarker))) {
+              return;
+            }
+
+            // No existing review or comment found, post the comment.
+            const prAuthor = context.payload.pull_request.user.login;
+            const flagNames = '${{ steps.newflags.outputs.flagnames }}';
+            const commentBody = `${commentMarker}\n@${prAuthor}, this PR adds one or more new feature flags: ${flagNames}. As such, this PR must be accompanied by a review of the Let's Encrypt CP/CPS to ensure that our behavior both before and after this flag is flipped is compliant with that document.\n\nPlease conduct such a review, then add your findings to the PR description in a paragraph beginning with "CPS Compliance Review:".`;
+            await github.rest.issues.createComment({
+              owner,
+              repo,
+              issue_number,
+              body: commentBody
+            });

.github/workflows/issue-for-sre-handoff.yml

@@ -2,7 +2,7 @@ name: Check PR for configuration and SQL changes
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [ready_for_review, review_requested]
     paths:
     - 'test/config-next/*.json'
     - 'test/config-next/*.yaml'

akamai/cache-client.go

@@ -17,11 +17,12 @@ import (
 	"time"
 
 	"github.com/jmhodges/clock"
+	"github.com/prometheus/client_golang/prometheus"
+	"golang.org/x/crypto/ocsp"
+
 	"github.com/letsencrypt/boulder/core"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
-	"github.com/prometheus/client_golang/prometheus"
-	"golang.org/x/crypto/ocsp"
 )
 
 const (
@@ -279,7 +280,7 @@ func (cpc *CachePurgeClient) authedRequest(endpoint string, body v3PurgeRequest)
 // and returning ErrAllRetriesFailed.
 func (cpc *CachePurgeClient) Purge(urls []string) error {
 	successful := false
-	for i := 0; i <= cpc.retries; i++ {
+	for i := range cpc.retries + 1 {
 		cpc.clk.Sleep(core.RetryBackoff(i, cpc.retryBackoff, time.Minute, 1.3))
 
 		err := cpc.purgeURLs(urls)

akamai/cache-client_test.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/jmhodges/clock"
+
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/test"
@@ -247,7 +248,7 @@ func TestBigBatchPurge(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to create CachePurgeClient")
 
 	var urls []string
-	for i := 0; i < 250; i++ {
+	for i := range 250 {
 		urls = append(urls, fmt.Sprintf("http://test.com/%d", i))
 	}
 

bdns/dns_test.go

@@ -827,7 +827,7 @@ func TestRotateServerOnErr(t *testing.T) {
 	// in the list. Since we configured maxTries to be larger than the number of
 	// servers *all* queries should eventually succeed by being retried against
 	// server "[2606:4700:4700::1111]:53".
-	for i := 0; i < maxTries*2; i++ {
+	for range maxTries * 2 {
 		_, resolvers, err := client.LookupTXT(context.Background(), "example.com")
 		test.AssertEquals(t, len(resolvers), 1)
 		test.AssertEquals(t, resolvers[0], "[2606:4700:4700::1111]:53")