chore: backport server-independent changes from main to release/1.8.x#1104
Open
chaptersix wants to merge 23 commits into
Open
chore: backport server-independent changes from main to release/1.8.x#1104chaptersix wants to merge 23 commits into
chaptersix wants to merge 23 commits into
Conversation
## Summary - Pin Alpine base image from `3.23` (minor) to `3.23.4` (patch) for reproducible builds (cherry picked from commit 4d183ea)
## Summary - avoid routing built-in help invocations through extension probing when known value flags are present - initialize Cobra's default help flag before extension preflight parses command flags - add regression coverage for `--help` combined with `--address` and `--namespace` ## Root Cause Extension preflight checked raw remaining args with a string-prefix heuristic. Values for known flags, such as `123` in `--address 123`, looked like positional extension args, so the preflight parsed `--help` before Cobra had registered the default help flag and surfaced `pflag: help requested` as a real error. Fixes #1003. ## Validation - `go run ./cmd/temporal workflow list --address 123 --help` - `go test ./internal/temporalcli -run 'TestHelp|TestExtension' -count=1` - `go test ./internal/temporalcli -count=1` --------- Co-authored-by: alex.stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 1a064e5)
## Summary - Disable EC2 IMDS lookups inside `TestCreateWorkerDeploymentVersion_Errors`. - Keep the fake AWS Lambda validation failure deterministic and local. ## Root Cause The test intentionally passes fake AWS Lambda and assume-role inputs. Server-side worker-deployment validation uses `go.temporal.io/auto-scaled-workers`, which imports the AWS SDK and validates the `aws-lambda` compute provider. That path builds default AWS config and calls STS/Lambda validation. Before STS can assume the fake role, the AWS SDK needs base credentials. In a local or CI environment with no AWS env creds/profile/container creds, the AWS SDK falls back to EC2 Instance Metadata Service. Outside EC2, that means waiting on IMDS/network retries even though the test only wants an expected validation failure. ## Scope of the Fix This is broader AWS SDK behavior: `AWS_EC2_METADATA_DISABLED=true` is useful for any test/process that invokes AWS SDK default credential resolution without real credentials and should not hit EC2 IMDS. In this CLI test suite, the enabled surface is narrow: - `TestCreateWorkerDeploymentVersion_Errors` is the only enabled test that passes a complete fake AWS Lambda compute config to the server. - The later missing-field subcases in that same test fail in CLI-side validation before server-side AWS validation. - `TestCreateWorkerDeploymentVersion_LambdaComputeConfig` would also hit the AWS path, but it is skipped because it needs real AWS fixtures. So the fix is intentionally test-local rather than package-wide, to avoid changing behavior for future tests that might intentionally exercise AWS credential resolution. ## Validation - `go test -mod=readonly ./internal/temporalcli -run 'TestSharedServerSuite/TestCreateWorkerDeploymentVersion_Errors' -count=1 -v` Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 569da5e)
<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR!
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->
<!--- For ALL Contributors 👇 -->
## What was changed
Sort output of listing search attributes
## Why?
Easier to check the list than viewing a random order of search
attributes.
## Checklist
<!--- add/delete as needed --->
1. Closes <!-- add issue number here -->
2. How was this tested:
<!--- Please describe how you tested your changes/how we can test them
-->
3. Any docs updates needed?
<!--- update README if applicable
or point out where to update docs.temporal.io -->
(cherry picked from commit 3f779e1)
<!--- Note to EXTERNAL Contributors --> <!-- Thanks for opening a PR! If it is a significant code change, please **make sure there is an open issue** for this. We work best with you when we have accepted the idea first before you code. --> <!--- For ALL Contributors 👇 --> ## What was changed <!-- Describe what has changed in this PR --> Mirrors the existing `forceSearchAttributesCacheRefreshOnRead` default: makes Nexus endpoint writes immediately visible to readers instead of after the next background long-poll refresh. It was added here temporalio/temporal#10208 ## Why Better development experience. (cherry picked from commit fee2351)
<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR!
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->
<!--- For ALL Contributors 👇 -->
## What was changed
1. Added a warning to `temporal workflow delete` explaining that
deleting Workflow Executions in a
global Namespace removes them from all replicas, and that requests sent
to a passive cluster are forwarded to the active cluster by default
unless `--grpc-meta xdc-redirection=false` is specified.
2. Delete workflow now prompts for confirmation
## Why?
The CLI should make that blast radius clear before users confirm
deletion.
The passive-cluster note helps users who intentionally want to target a
passive cluster avoid the default frontend forwarding behavior.
## Checklist
<!--- add/delete as needed --->
1. Closes <!-- add issue number here -->
2. How was this tested:
<!--- Please describe how you tested your changes/how we can test them
-->
unit-test and local run.
single deletion
```
go run ./cmd/temporal workflow delete -w pay-retention-92728
WARNING: Deleting Workflow Executions in a global Namespace removes them from all replicas. Requests sent to a passive cluster are forwarded to the active cluster by default; to target the passive cluster directly, specify `--grpc-meta xdc-redirection=false`.
Delete Workflow "pay-retention-92728"? y/N
Error: user denied confirmation
exit status 1
```
batch deletion
```
go run ./cmd/temporal workflow delete --query "WorkflowId = 'pay-retention-92728'"
WARNING: Deleting Workflow Executions in a global Namespace removes them from all replicas. Requests sent to a passive cluster are forwarded to the active cluster by default; to target the passive cluster directly, specify `--grpc-meta xdc-redirection=false`.
Start batch against approximately 1 workflow(s)? y/N y
Started batch for job ID: ddab94d3-719f-4a4a-b379-12cdd8229e36
```
3. Any docs updates needed?
<!--- update README if applicable
or point out where to update docs.temporal.io -->
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
(cherry picked from commit b281f4b)
> 🏕️ This pull request was created by [camper](https://github.com/temporalio/camper), an automated security campaign tool. ## Finding <table> <tr><td><strong>Rule</strong></td><td><code>missing-dependency-cooldown</code></td></tr> <tr><td><strong>Severity</strong></td><td>MEDIUM</td></tr> <tr><td><strong>Repository</strong></td><td><code>temporalio/cli</code></td></tr> <tr><td><strong>Ticket</strong></td><td><a href="https://temporalio.atlassian.net/browse/VLN-1350">VLN-1350</a></td></tr> </table> ## Summary - `.github/dependabot.yml`: Created Dependabot configuration with `gomod` and `github-actions` update entries, each set to `schedule.interval: weekly` and `cooldown.default-days: 14`. ## Instructions - **Approve** to merge this fix - **Request changes** to trigger a new remediation attempt - `/camper rebase` — rebase onto the base branch - `/camper close` — close this PR without merging - `/camper retry` — close and retry with a new fix Co-authored-by: picatz <14850816+picatz@users.noreply.github.com> Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 7a10bc5)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 What's new</h2> <h3>Direct Uploads</h3> <p>Adds support for uploading single files directly (unzipped). Callers can set the new <code>archive</code> parameter to <code>false</code> to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The <code>name</code> parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.</p> <h3>ESM</h3> <p>To support new versions of the <code>@actions/*</code> packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Add proxy integration test by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> <li>Upgrade the module to ESM and bump dependencies by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li> <li>Support direct file uploads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p> <h2>v6.0.0</h2> <h2>v6 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (<code>runs.using: node24</code>) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>Node.js 24</h3> <p>This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.</p> <h2>What's Changed</h2> <ul> <li>Upload Artifact Node 24 support by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/719">actions/upload-artifact#719</a></li> <li>fix: update <code>@actions/artifact</code> for Node.js 24 punycode deprecation by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/744">actions/upload-artifact#744</a></li> <li>prepare release v6.0.0 for Node.js 24 support by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/745">actions/upload-artifact#745</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0">https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0</a></p> <h2>v5.0.0</h2> <h2>What's Changed</h2> <p><strong>BREAKING CHANGE:</strong> this update supports Node <code>v24.x</code>. This is not a breaking change per-se but we're treating it as such.</p> <ul> <li>Update README.md by <a href="https://github.com/GhadimiR"><code>@GhadimiR</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li> <li>Readme: spell out the first use of GHES by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li> <li>Update GHES guidance to include reference to Node 20 version by <a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li> <li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li> <li>Prepare <code>v5.0.0</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/734">actions/upload-artifact#734</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"><code>043fb46</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/797">#797</a> from actions/yacaovsnc/update-dependency</li> <li><a href="https://github.com/actions/upload-artifact/commit/634250c1388765ea7ed0f053e636f1f399000b94"><code>634250c</code></a> Include changes in typespec/ts-http-runtime 0.3.5</li> <li><a href="https://github.com/actions/upload-artifact/commit/e454baaac2be505c9450e11b8f3215c6fc023ce8"><code>e454baa</code></a> Readme: bump all the example versions to v7 (<a href="https://redirect.github.com/actions/upload-artifact/issues/796">#796</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/74fad66b98a6d799dc004d3353ccd0e6f6b2530e"><code>74fad66</code></a> Update the readme with direct upload details (<a href="https://redirect.github.com/actions/upload-artifact/issues/795">#795</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a> Support direct file uploads (<a href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a> Upgrade the module to ESM and bump dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a> from actions/Link-/add-proxy-integration-tests</li> <li><a href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a> Add proxy integration test</li> <li><a href="https://github.com/actions/upload-artifact/commit/b7c566a772e6b6bfb58ed0dc250532a479d7789f"><code>b7c566a</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/745">#745</a> from actions/upload-artifact-v6-release</li> <li><a href="https://github.com/actions/upload-artifact/commit/e516bc8500aaf3d07d591fcd4ae6ab5f9c391d5b"><code>e516bc8</code></a> docs: correct description of Node.js 24 support in README</li> <li>Additional commits viewable in <a href="https://github.com/actions/upload-artifact/compare/v4...v7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 25551a5)
## What changed? Adds a PR template to guide contributors through the checklist of CLI design principles, help text standards, and testing expectations. (cherry picked from commit c4061c4)
## What was changed - Group all GitHub Actions updates into a single PR - Ignore indirect Go dependencies (only direct deps get PRs) - Ignore all `go.temporal.io/*` dependencies — these are managed manually to ensure coordinated upgrades across all temporal packages (cherry picked from commit 87ea7e0)
…1056) The `temporal task-queue config set` help text referenced three flags that don't exist: - `--fairness-key-weight-set <key>=<weight>` - `--fairness-key-weight-unset <key>` - `--fairness-key-weight-unset-all` The real flags, defined a few lines below in the same YAML block, are: - `--fairness-key-weight <key>=<weight>` (with `<key>=default` to unset a single key) - `--fairness-key-weight-clear-all` This PR updates the example block and the unset instructions in `commands.yaml` to match, and regenerates `commands.gen.go`. Verified locally with `go run ./cmd/temporal task-queue config set --help`. This bug also surfaces in the auto-generated docs site at [docs/cli/task-queue.mdx](https://docs.temporal.io/cli/task-queue#set), which a customer hit in [this Slack thread](https://temporaltechnologies.slack.com/archives/C0748KDH2DD/p1779899719317389?thread_ts=1779898503.202859&cid=C0748KDH2DD). The docs PR over in `temporalio/documentation#4625` works around it by referencing the real flag names directly. Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 2a4ea2a)
VLN-1354: pin and bump GitHub Actions to latest versions Pin all GitHub Actions to full 40-character commit SHAs and bump to latest versions across all workflows: - actions/checkout v4.3.1 -> v6.0.2 - actions/setup-go -> v6.4.0 - actions/upload-artifact (already pinned, kept current) - actions/create-github-app-token v2.2.2 -> v3.1.1 (#1037) - actions/github-script v8.0.0 -> v9.0.0 (#1036) - docker/setup-qemu-action v3.2.0 -> v4.1.0 - docker/setup-buildx-action v3.10.0 -> v4.1.0 (#1035) - docker/login-action v3.5.0 -> v4.2.0 - goreleaser/goreleaser-action v6.4.0 -> v7.2.1 (#1039) Resolves open Dependabot PRs #1035, #1036, #1037, #1038, #1039. Left temporalio/public-actions refs unchanged per exception policy. --------- Co-authored-by: picatz <14850816+picatz@users.noreply.github.com> Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 12655a4)
## Related issues Closes #1030 ## What changed? Adds `temporal schedule list-matching-times` command implementing the `ListScheduleMatchingTimes` RPC. Allows users to preview when a schedule's spec would match within a given time range (past or future) without taking any actions. ## Checklist **Stability** - [x] Breaking changes are marked with 💥 in the PR title and release notes - [x] Changes to JSON output (`-o json` / `-o jsonl`) are treated as breaking changes **Design** - [x] This feature does not depend on Cloud-only APIs or behavior (it works against an OSS server) - [x] New commands follow `temporal <noun> <verb>` structure (e.g. `temporal workflow start`) - [x] New flags are named after the API concept, not the implementation mechanism (good: `--search-attribute`, bad: `--index-field`) - [x] New flags don't duplicate an existing flag that serves the same purpose - [x] New flags do not have short aliases without strong justification - [x] Experimental features are marked with `(Experimental feature)` in `commands.yaml` **Help text** (see style guide at the top of `commands.yaml`) - [x] All flags shown in help text and examples are implemented and functional - [x] Summaries use sentence case and have no trailing period - [x] Long descriptions end with a period and include at least one example invocation - [x] Examples use long flags (`--namespace`, not `-n`), one flag per line - [x] Placeholder values use `YourXxx` form (`YourWorkflowId`, `YourNamespace`) **Behavior** - [x] Results go to stdout; errors and warnings go to stderr - [x] Error messages are lowercase with no trailing punctuation **Tests** - [x] Added functional test(s) (`SharedServerSuite`) - [ ] Added unit test(s) (`func TestXxx`) where applicable ## Manual tests **Setup** ``` temporal server start-dev --headless temporal schedule create \ --schedule-id YourScheduleId \ --interval 1h \ --workflow-id YourWorkflowId \ --task-queue YourTaskQueue \ --workflow-type YourWorkflowType ``` **Happy path** ``` $ temporal schedule list-matching-times \ --schedule-id YourScheduleId \ --start-time 2025-01-01T00:00:00Z \ --end-time 2025-01-01T23:59:59Z Time 2025-01-01T00:00:00Z 2025-01-01T01:00:00Z ... $ temporal schedule list-matching-times \ --schedule-id YourScheduleId \ --start-time 2025-01-01T00:00:00Z \ --end-time 2025-01-01T23:59:59Z \ -o json {"startTime":["2025-01-01T00:00:00Z","2025-01-01T01:00:00Z",...]} ``` **Error case** ``` $ temporal schedule list-matching-times \ --schedule-id nonexistent-id \ --start-time 2025-01-01T00:00:00Z \ --end-time 2025-01-01T23:59:59Z Error: ... $ echo $? 1 ``` **Composition** ``` $ temporal schedule list-matching-times \ --schedule-id YourScheduleId \ --start-time 2025-06-01T00:00:00Z \ --end-time 2025-06-07T23:59:59Z \ -o json | jq '.startTime | length' 168 ``` (cherry picked from commit 5380e71)
- remove time.Sleep() needed before v1.26.2 because of server cache bug - update test assertions of "2 seconds ago" to "now" since we won't wait <!--- Note to EXTERNAL Contributors --> <!-- Thanks for opening a PR! If it is a significant code change, please **make sure there is an open issue** for this. We work best with you when we have accepted the idea first before you code. --> <!--- For ALL Contributors 👇 --> ## What was changed test `TestTaskQueue_Describe_Simple` at `commands.taskqueue_test.go` was updated to remove unnecessary `time.Sleep(1 * time.Second) ` ## Why? <!-- Tell your future self why have you made these changes --> The waiting was a necessary workaround of server cache bug, bug was fixed on v1.26.2 ## Checklist <!--- add/delete as needed ---> 1. Closes #741 3. How was this tested: <!--- Please describe how you tested your changes/how we can test them --> Running the unit tests 4. Any docs updates needed? <!--- update README if applicable or point out where to update docs.temporal.io --> Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 90f1364)
<!--- For ALL Contributors --> ## What was changed `temporal server start-dev` now prints a `Persistence:` line at the end of the startup banner. In-memory (no `--db-filename`): ``` Persistence: in-memory (Workflow Executions are lost when the server process exits) ``` File-backed: ``` Persistence: file (/path/to/dev.sqlite) ``` ## Why? Per #634, the start-dev banner did not surface what form of persistence the dev server uses, so users could not tell at a glance whether Workflow Executions would survive a restart. ## Checklist 1. Closes #634 2. How was this tested: Two new tests in `internal/temporalcli/commands.server_test.go` start the dev server, capture stdout, and assert that the banner contains `Persistence:` plus the expected backend description. Both pass locally and fail when the banner change is reverted. ``` $ go test -run TestServer_StartDev_BannerPersistence ./internal/temporalcli/ ok github.com/temporalio/cli/internal/temporalcli 10.318s ``` --------- Signed-off-by: Sai Asish Y <say.apm35@gmail.com> Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit f015ce2)
Closes #838. Implements the design @cretz proposed in the issue thread: when `--yes` bypasses the confirmation prompt, skip the `CountWorkflowExecutions` request entirely. ## What was changed - [internal/temporalcli/commands.workflow.go](internal/temporalcli/commands.workflow.go) — `SingleWorkflowOrBatchOptions.workflowExecOrBatch`: `CountWorkflow` only runs in the `!s.Yes` branch. - [internal/temporalcli/commands.workflow_reset.go](internal/temporalcli/commands.workflow_reset.go) — same pattern in `TemporalWorkflowResetCommand`'s batch path. When `--yes` skips the count, the prompt text changes from `Start batch against approximately N workflow(s)? y/N` to `Start batch against workflows matching query "<query>"? y/N`, so the output (which `promptYes` still prints in the auto-confirm path) stays informative. The non-`--yes` interactive flow is untouched: it still counts, still prompts, still prints the same `approximately N workflow(s)` message. ## Why `workflowExecOrBatch` (terminate / signal / cancel) and the reset command both unconditionally call `CountWorkflowExecutions` before starting a batch. The result is only used to fill in the `approximately N workflow(s)` confirmation. When `--yes` is set, the prompt is skipped — but the count call still runs, and on clusters where the visibility API is timing out it fails the entire batch start. The original report is from a Postgres-backed cluster where the batch query itself works but the count times out; users can't start batch jobs they otherwise have permission to run. ## How was this tested Added `TestWorkflow_Terminate_BatchWorkflow_SkipsCountWhenYes` that: 1. Installs a unary gRPC interceptor that counts `CountWorkflowExecutionsRequest` and `StartBatchOperationRequest` calls. 2. Starts one workflow, then runs `workflow terminate --query ... --yes`. 3. Asserts: 0 `CountWorkflow` calls, 1 `StartBatchOperation` call, prompt text contains `matching query` and not `approximately`. The interceptor pattern matches the existing `testTerminateBatchWorkflow` helper. Ran the new test plus a sample of the existing batch tests locally; they pass. (`TestWorkflow_Terminate_BatchWorkflowSuccess` flakes locally on the unrelated `Completed` assertion both with and without my changes — pre-existing timing issue, not caused by this PR.) --------- Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 7e5ba38)
…nfig (#1057) ## Summary - `dependency-type` is only valid inside `allow`, not `ignore` in dependabot.yml - Replaces the invalid `ignore` entry with `allow: [{dependency-type: direct}]` to achieve the same goal of skipping indirect/transitive dependency updates - Adds a CI workflow using `check-jsonschema` to validate `dependabot.yml` on PRs and pushes to main - Fixes the Dependabot config validation failure introduced in #1044 ## Test plan - [ ] Verify the `.github/dependabot.yml` validation check passes on this PR - [ ] Verify `check-jsonschema --builtin-schema vendor.dependabot .github/dependabot.yml` passes locally (cherry picked from commit 8bb57b7)
Bumps the github-actions group with 2 updates: [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/create-github-app-token](https://github.com/actions/create-github-app-token). Updates `goreleaser/goreleaser-action` from 7.2.1 to 7.2.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/goreleaser/goreleaser-action/releases">goreleaser/goreleaser-action's releases</a>.</em></p> <blockquote> <h2>v7.2.2</h2> <h2>What's Changed</h2> <ul> <li>ci(deps): bump the actions group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/560">goreleaser/goreleaser-action#560</a></li> <li>fix: nightly resolution to select newest published release by <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/562">goreleaser/goreleaser-action#562</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Copilot"><code>@Copilot</code></a> made their first contribution in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/562">goreleaser/goreleaser-action#562</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/goreleaser/goreleaser-action/compare/v7...v7.2.2">https://github.com/goreleaser/goreleaser-action/compare/v7...v7.2.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89"><code>5daf1e9</code></a> fix: nightly resolution to select newest published release (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/562">#562</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/5cc7ebb73d78b8f1d7b03c568e7df999c2889ccf"><code>5cc7ebb</code></a> ci: update actions</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/702f5f91c9334614254ddeabeebaf820d707f0d6"><code>702f5f9</code></a> ci(deps): bump the actions group with 3 updates (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/560">#560</a>)</li> <li>See full diff in <a href="https://github.com/goreleaser/goreleaser-action/compare/1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8...5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89">compare view</a></li> </ul> </details> <br /> Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's releases</a>.</em></p> <blockquote> <h2>v3.2.0</h2> <h2><a href="https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0">3.2.0</a> (2026-05-12)</h2> <h3>Features</h3> <ul> <li>add support for enterprise-level GitHub Apps (<a href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>) (<a href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4">952a2a7</a>)</li> <li>support full repository names in <code>repositories</code> input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>) (<a href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6">85eb8dd</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in the production-dependencies group (<a href="https://redirect.github.com/actions/create-github-app-token/issues/364">#364</a>) (<a href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857">43e5c34</a>)</li> <li>validate private-key input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>) (<a href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd">f24bbd8</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md">actions/create-github-app-token's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2><a href="https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0">3.2.0</a> (2026-05-12)</h2> <h3>Features</h3> <ul> <li>add support for enterprise-level GitHub Apps (<a href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>) (<a href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4">952a2a7</a>)</li> <li>support full repository names in <code>repositories</code> input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>) (<a href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6">85eb8dd</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in the production-dependencies group (<a href="https://redirect.github.com/actions/create-github-app-token/issues/364">#364</a>) (<a href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857">43e5c34</a>)</li> <li>validate private-key input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>) (<a href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd">f24bbd8</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/create-github-app-token/commit/bcd2ba49218906704ab6c1aa796996da409d3eb1"><code>bcd2ba4</code></a> chore(main): release 3.2.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/370">#370</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd"><code>f24bbd8</code></a> fix: validate private-key input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/363531b6d972a60a00b3f1e6bb139e5e6c764cd9"><code>363531b</code></a> docs: capitalize Git as a proper noun in README (<a href="https://redirect.github.com/actions/create-github-app-token/issues/374">#374</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/fd2801133e469d2950f2c5af5e591d6b2ad833c8"><code>fd28011</code></a> docs: update procedure to configure Git (<a href="https://redirect.github.com/actions/create-github-app-token/issues/287">#287</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6"><code>85eb8dd</code></a> feat: support full repository names in <code>repositories</code> input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/c9aabb83728c3bd519212fa657ebc07e1f2a5dec"><code>c9aabb8</code></a> build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...</li> <li><a href="https://github.com/actions/create-github-app-token/commit/e02e816e5591415258a53bf735aff57977dcd5e2"><code>e02e816</code></a> build(deps-dev): bump undici from 7.24.6 to 8.2.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/366">#366</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/8d835bfd37aa48fcb8e709925115857568d98bc4"><code>8d835bf</code></a> build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...</li> <li><a href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4"><code>952a2a7</code></a> feat: add support for enterprise-level GitHub Apps (<a href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857"><code>43e5c34</code></a> fix(deps): bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in the production-dependenc...</li> <li>Additional commits viewable in <a href="https://github.com/actions/create-github-app-token/compare/1b10c78c7865c340bc4f6099eb2f838309f1e8c3...bcd2ba49218906704ab6c1aa796996da409d3eb1">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit dd0524a)
## Related issues <!-- Closes #123 --> Closes #609 ## What changed? <!-- Describe what this PR does at a high level. --> Prefix generated dev server cluster IDs with `dev-server-` for better identification. Previously cluster IDs were plain UUIDs with no indication they came from a dev server. ## Checklist <!-- Your PR should satisfy all these requirements. However, feel free to remove items that don't apply to the PR. Consider giving this checklist to an AI agent before opening your PR. --> **Stability** - [x] Breaking changes are marked with 💥 in the PR title and release notes **Design** - [x] This feature does not depend on Cloud-only APIs or behavior (it works against an OSS server) **Tests** - [x] Added functional test(s) — existing tests cover this change ## Manual tests <!-- Edit the code samples below to provide setup and happy-path and error-path testing instructions. --> **Setup** ``` temporal server start-dev --headless ``` **Happy path** ``` $ temporal operator cluster describe ClusterId dev-server-<uuid> ``` **Error case** N/A Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 2ae37a3)
## Related issues Closes #673 ## What changed? Auto-generate deprecation warnings from a `deprecated: true` YAML flag instead of manually writing CAUTION boxes in command descriptions. Deprecation warnings are also printed to stderr at runtime so users see them when invoking deprecated commands, without breaking JSON output. ### Before Deprecation required manually adding a CAUTION box to the description and `(Deprecated)` to the summary: ```yaml - name: temporal task-queue get-build-id-reachability summary: Show Build ID availability (Deprecated) description: | ` `` +-----------------------------------------------------------------------------+ | CAUTION: This command is deprecated and will be removed in a later release. | +-----------------------------------------------------------------------------+ ` `` Show if a given Build ID can be used for new, existing, or closed Workflows... ``` No runtime warning was shown when invoking the command. ### After Set `deprecated: true` and optionally `deprecation-message`. The CAUTION box, `(Deprecated)` summary suffix, and stderr runtime warning are all auto-generated: ```yaml - name: temporal task-queue get-build-id-reachability deprecated: true description: | Show if a given Build ID can be used for new, existing, or closed Workflows... - name: temporal task-queue versioning deprecated: true deprecation-message: This API has been deprecated by Worker Deployment. description: | Provides commands to add, list, remove, or replace... ``` Runtime stderr output: ``` $ temporal task-queue get-build-id-reachability --task-queue foo --build-id bar warning: this command is deprecated and will be removed in a later release ... ``` JSON output is not affected (warning goes to stderr only): ``` $ temporal task-queue get-build-ids -o json --task-queue foo 2>/dev/null [{"buildIds":["1.0"],"defaultForSet":"1.0","isDefaultSet":true}] ``` ## Checklist **Stability** - [x] Breaking changes are marked with 💥 in the PR title and release notes - [x] Changes to JSON output (`-o json` / `-o jsonl`) are treated as breaking changes **Design** - [x] This feature does not depend on Cloud-only APIs or behavior (it works against an OSS server) **Help text** (see style guide at the top of `commands.yaml`) - [x] Summaries use sentence case and have no trailing period - [x] Long descriptions end with a period and include at least one example invocation **Behavior** - [x] Results go to stdout; errors and warnings go to stderr - [x] Error messages are lowercase with no trailing punctuation **Tests** - [x] Added functional test(s) (`SharedServerSuite`) - [x] Added unit test(s) (`func TestXxx`) where applicable ## Manual tests **Setup** ``` temporal server start-dev --headless ``` **Happy path -- stderr warning on deprecated command** ``` $ temporal task-queue get-build-ids \ --task-queue YourTaskQueue warning: this command is deprecated and will be removed in a later release ... ``` **Happy path -- JSON output not polluted** ``` $ temporal task-queue get-build-ids \ -o json \ --task-queue YourTaskQueue 2>/dev/null [...] ``` **Happy path -- help text shows CAUTION box** ``` $ temporal task-queue get-build-id-reachability --help +-----------------------------------------------------------------------------+ | CAUTION: This command is deprecated and will be removed in a later release. | +-----------------------------------------------------------------------------+ Show if a given Build ID can be used for new, existing, or closed Workflows... ``` **Happy path -- custom deprecation message** ``` $ temporal task-queue versioning --help +-------------------------------------------------------------+ | CAUTION: This API has been deprecated by Worker Deployment. | +-------------------------------------------------------------+ ... ``` (cherry picked from commit e20ca61)
## Related issues Closes #1077 ## What changed? The helper to iterate over `envConfigPropsToFieldNames` has a side effect if the parent is nil and `failIfParentNotFound=true` it will set `confProfile.TLS = &envconvfig.ClientConfigTLS{}`. When the `k=="tls"` check happens, `confProfile.TLS != nil` and it will emit `tls: true`. Map iteration is non-deterministic and there are 9 `tls.*` keys vs 1 `tls` key so the mutation is more likely to happen before checking the `tls` key. ## Checklist **Tests** - [X] Added unit test Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com> (cherry picked from commit 79e9f8f)
## What changed? Clarifies `temporal activity pause --help` to state that pausing an Activity does not stop or extend the Activity's Schedule-To-Close Timeout. Regenerated `internal/temporalcli/commands.gen.go` from `internal/temporalcli/commands.yaml`. ## Why? The existing help explains that Pause prevents future retries and does not interrupt some in-flight attempts, but it does not mention that Schedule-To-Close continues running while paused. That can surprise operators because "pause" can imply the Activity is safe from timing out. This adds the timeout caveat and points users to `temporal activity update-options` before a long pause. ## Testing ```bash go run ./cmd/gen-commands \ -input internal/temporalcli/commands.yaml \ -pkg temporalcli \ -context "*CommandContext" \ > internal/temporalcli/commands.gen.go go run ./cmd/temporal activity pause --help go test ./cmd/gen-commands ``` Verified the help output includes the Schedule-To-Close warning. (cherry picked from commit 8c3e3b2)
Backports the CI endpoint fix from #1087 (us-east-1 -> ca-central-1) without the server-dependent Nexus command changes. Fixes the 'Request unauthorized' failure in the cloud API key test steps.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Backports server-independent changes from
mainintorelease/1.8.x. Every commit here was verified to build and pass codegen against the release line's current dependency pins (server v1.31.0,sdk v1.41.1,api v1.62.8) — nothing pulls in the newer server/SDK/API that landed onmainvia #1017.Scope agreed as: bug fixes + CLI changes + CI/tooling. Dependency bumps (#1040, #1052, #1063) and server-version-dependent features are intentionally excluded.
Included (22 commits, cherry-picked with
-x)CLI / bug fixes
--helpwith value flags like--address 123surfacedpflag: help requestedas an error)--yesis settemporal schedule list-matching-timescommanddev-server-Tests
time.Sleep()in commands.taskqueue_test.goCI / tooling
Excluded (rely on the new server/SDK version)
#1017 (server bump v1.31.0 -> v1.32.0-157.0), #1046, #1087, #1001, #1091, #1084
Verification
go build ./...passesmake genreports no codegen driftrelease/1.8.xCI endpoint fix (added)
Also backports the API-key CI test endpoint change from #1087 (
us-east-1->ca-central-1) as a standalone CI-only commit. This resolves theRequest unauthorizedfailure in the "Test cloud API key" steps onrelease/1.8.x. The rest of #1087 (Nexus Operation command code) is excluded as it depends on the new server version.