Skip to content

chore: backport server-independent changes from main to release/1.8.x#1104

Open
chaptersix wants to merge 23 commits into
release/1.8.xfrom
backport/1.8.x-server-independent
Open

chore: backport server-independent changes from main to release/1.8.x#1104
chaptersix wants to merge 23 commits into
release/1.8.xfrom
backport/1.8.x-server-independent

Conversation

@chaptersix

@chaptersix chaptersix commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Backports server-independent changes from main into release/1.8.x. Every commit here was verified to build and pass codegen against the release line's current dependency pins (server v1.31.0, sdk v1.41.1, api v1.62.8) — nothing pulls in the newer server/SDK/API that landed on main via #1017.

Scope agreed as: bug fixes + CLI changes + CI/tooling. Dependency bumps (#1040, #1052, #1063) and server-version-dependent features are intentionally excluded.

Included (22 commits, cherry-picked with -x)

CLI / bug fixes

Tests

CI / tooling

Excluded (rely on the new server/SDK version)

#1017 (server bump v1.31.0 -> v1.32.0-157.0), #1046, #1087, #1001, #1091, #1084

Verification

  • go build ./... passes
  • all test packages compile
  • make gen reports no codegen drift
  • server/sdk/api pins unchanged from release/1.8.x

CI endpoint fix (added)

Also backports the API-key CI test endpoint change from #1087 (us-east-1 -> ca-central-1) as a standalone CI-only commit. This resolves the Request unauthorized failure in the "Test cloud API key" steps on release/1.8.x. The rest of #1087 (Nexus Operation command code) is excluded as it depends on the new server version.

chaptersix and others added 22 commits July 2, 2026 11:13
## Summary
- Pin Alpine base image from `3.23` (minor) to `3.23.4` (patch) for
reproducible builds

(cherry picked from commit 4d183ea)
## Summary
- avoid routing built-in help invocations through extension probing when
known value flags are present
- initialize Cobra's default help flag before extension preflight parses
command flags
- add regression coverage for `--help` combined with `--address` and
`--namespace`

## Root Cause
Extension preflight checked raw remaining args with a string-prefix
heuristic. Values for known flags, such as `123` in `--address 123`,
looked like positional extension args, so the preflight parsed `--help`
before Cobra had registered the default help flag and surfaced `pflag:
help requested` as a real error.

Fixes #1003.

## Validation
- `go run ./cmd/temporal workflow list --address 123 --help`
- `go test ./internal/temporalcli -run 'TestHelp|TestExtension'
-count=1`
- `go test ./internal/temporalcli -count=1`

---------

Co-authored-by: alex.stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 1a064e5)
## Summary
- Disable EC2 IMDS lookups inside
`TestCreateWorkerDeploymentVersion_Errors`.
- Keep the fake AWS Lambda validation failure deterministic and local.

## Root Cause
The test intentionally passes fake AWS Lambda and assume-role inputs.
Server-side worker-deployment validation uses
`go.temporal.io/auto-scaled-workers`, which imports the AWS SDK and
validates the `aws-lambda` compute provider. That path builds default
AWS config and calls STS/Lambda validation.

Before STS can assume the fake role, the AWS SDK needs base credentials.
In a local or CI environment with no AWS env creds/profile/container
creds, the AWS SDK falls back to EC2 Instance Metadata Service. Outside
EC2, that means waiting on IMDS/network retries even though the test
only wants an expected validation failure.

## Scope of the Fix
This is broader AWS SDK behavior: `AWS_EC2_METADATA_DISABLED=true` is
useful for any test/process that invokes AWS SDK default credential
resolution without real credentials and should not hit EC2 IMDS.

In this CLI test suite, the enabled surface is narrow:
- `TestCreateWorkerDeploymentVersion_Errors` is the only enabled test
that passes a complete fake AWS Lambda compute config to the server.
- The later missing-field subcases in that same test fail in CLI-side
validation before server-side AWS validation.
- `TestCreateWorkerDeploymentVersion_LambdaComputeConfig` would also hit
the AWS path, but it is skipped because it needs real AWS fixtures.

So the fix is intentionally test-local rather than package-wide, to
avoid changing behavior for future tests that might intentionally
exercise AWS credential resolution.

## Validation
- `go test -mod=readonly ./internal/temporalcli -run
'TestSharedServerSuite/TestCreateWorkerDeploymentVersion_Errors'
-count=1 -v`

Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 569da5e)
<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR!
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

<!--- For ALL Contributors 👇 -->

## What was changed
Sort output of listing search attributes

## Why?
Easier to check the list than viewing a random order of search
attributes.

## Checklist
<!--- add/delete as needed --->

1. Closes <!-- add issue number here -->

2. How was this tested:
<!--- Please describe how you tested your changes/how we can test them
-->

3. Any docs updates needed?
<!--- update README if applicable
      or point out where to update docs.temporal.io -->

(cherry picked from commit 3f779e1)
<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR!
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

<!--- For ALL Contributors 👇 -->

## What was changed
<!-- Describe what has changed in this PR -->

Mirrors the existing `forceSearchAttributesCacheRefreshOnRead` default:
makes Nexus endpoint writes immediately visible to readers instead of
after the next background long-poll refresh.

It was added here temporalio/temporal#10208

## Why

Better development experience.

(cherry picked from commit fee2351)
<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR!
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

<!--- For ALL Contributors 👇 -->

## What was changed

1. Added a warning to `temporal workflow delete` explaining that
deleting Workflow Executions in a
global Namespace removes them from all replicas, and that requests sent
to a passive cluster are forwarded to the active cluster by default
unless `--grpc-meta xdc-redirection=false` is specified.

2. Delete workflow now prompts for confirmation

## Why?
The CLI should make that blast radius clear before users confirm
deletion.

The passive-cluster note helps users who intentionally want to target a
passive cluster avoid the default frontend forwarding behavior.

## Checklist
<!--- add/delete as needed --->

1. Closes <!-- add issue number here -->

2. How was this tested:
<!--- Please describe how you tested your changes/how we can test them
-->

unit-test and local run.

single deletion
```
go run ./cmd/temporal  workflow delete -w pay-retention-92728
WARNING: Deleting Workflow Executions in a global Namespace removes them from all replicas. Requests sent to a passive cluster are forwarded to the active cluster by default; to target the passive cluster directly, specify `--grpc-meta xdc-redirection=false`.
Delete Workflow "pay-retention-92728"? y/N
Error: user denied confirmation
exit status 1
```

batch deletion
```
go run ./cmd/temporal workflow delete --query "WorkflowId = 'pay-retention-92728'"

WARNING: Deleting Workflow Executions in a global Namespace removes them from all replicas. Requests sent to a passive cluster are forwarded to the active cluster by default; to target the passive cluster directly, specify `--grpc-meta xdc-redirection=false`.
Start batch against approximately 1 workflow(s)? y/N y
Started batch for job ID: ddab94d3-719f-4a4a-b379-12cdd8229e36
```

3. Any docs updates needed?
<!--- update README if applicable
      or point out where to update docs.temporal.io -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
(cherry picked from commit b281f4b)
> 🏕️ This pull request was created by
[camper](https://github.com/temporalio/camper), an automated security
campaign tool.

## Finding

<table>

<tr><td><strong>Rule</strong></td><td><code>missing-dependency-cooldown</code></td></tr>
  <tr><td><strong>Severity</strong></td><td>MEDIUM</td></tr>

<tr><td><strong>Repository</strong></td><td><code>temporalio/cli</code></td></tr>
<tr><td><strong>Ticket</strong></td><td><a
href="https://temporalio.atlassian.net/browse/VLN-1350">VLN-1350</a></td></tr>
</table>

## Summary

- `.github/dependabot.yml`: Created Dependabot configuration with
`gomod` and `github-actions` update entries, each set to
`schedule.interval: weekly` and `cooldown.default-days: 14`.

## Instructions

- **Approve** to merge this fix
- **Request changes** to trigger a new remediation attempt
- `/camper rebase` — rebase onto the base branch
- `/camper close` — close this PR without merging
- `/camper retry` — close and retry with a new fix

Co-authored-by: picatz <14850816+picatz@users.noreply.github.com>
Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 7a10bc5)
Bumps
[actions/upload-artifact](https://github.com/actions/upload-artifact)
from 4 to 7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<h2>v7 What's new</h2>
<h3>Direct Uploads</h3>
<p>Adds support for uploading single files directly (unzipped). Callers
can set the new <code>archive</code> parameter to <code>false</code> to
skip zipping the file during upload. Right now, we only support single
files. The action will fail if the glob passed resolves to multiple
files. The <code>name</code> parameter is also ignored with this
setting. Instead, the name of the artifact will be the name of the
uploaded file.</p>
<h3>ESM</h3>
<p>To support new versions of the <code>@actions/*</code> packages,
we've upgraded the package to ESM.</p>
<h2>What's Changed</h2>
<ul>
<li>Add proxy integration test by <a
href="https://github.com/Link"><code>@​Link</code></a>- in <a
href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
<li>Upgrade the module to ESM and bump dependencies by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li>
<li>Support direct file uploads by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Link"><code>@​Link</code></a>- made
their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p>
<h2>v6.0.0</h2>
<h2>v6 - What's new</h2>
<blockquote>
<p>[!IMPORTANT]
actions/upload-artifact@v6 now runs on Node.js 24 (<code>runs.using:
node24</code>) and requires a minimum Actions Runner version of 2.327.1.
If you are using self-hosted runners, ensure they are updated before
upgrading.</p>
</blockquote>
<h3>Node.js 24</h3>
<p>This release updates the runtime to Node.js 24. v5 had preliminary
support for Node.js 24, however this action was by default still running
on Node.js 20. Now this action by default will run on Node.js 24.</p>
<h2>What's Changed</h2>
<ul>
<li>Upload Artifact Node 24 support by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/719">actions/upload-artifact#719</a></li>
<li>fix: update <code>@​actions/artifact</code> for Node.js 24 punycode
deprecation by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/744">actions/upload-artifact#744</a></li>
<li>prepare release v6.0.0 for Node.js 24 support by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/745">actions/upload-artifact#745</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0">https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0</a></p>
<h2>v5.0.0</h2>
<h2>What's Changed</h2>
<p><strong>BREAKING CHANGE:</strong> this update supports Node
<code>v24.x</code>. This is not a breaking change per-se but we're
treating it as such.</p>
<ul>
<li>Update README.md by <a
href="https://github.com/GhadimiR"><code>@​GhadimiR</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li>
<li>Readme: spell out the first use of GHES by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li>
<li>Update GHES guidance to include reference to Node 20 version by <a
href="https://github.com/patrikpolyak"><code>@​patrikpolyak</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li>
<li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li>
<li>Prepare <code>v5.0.0</code> by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/734">actions/upload-artifact#734</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"><code>043fb46</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/797">#797</a>
from actions/yacaovsnc/update-dependency</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/634250c1388765ea7ed0f053e636f1f399000b94"><code>634250c</code></a>
Include changes in typespec/ts-http-runtime 0.3.5</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/e454baaac2be505c9450e11b8f3215c6fc023ce8"><code>e454baa</code></a>
Readme: bump all the example versions to v7 (<a
href="https://redirect.github.com/actions/upload-artifact/issues/796">#796</a>)</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/74fad66b98a6d799dc004d3353ccd0e6f6b2530e"><code>74fad66</code></a>
Update the readme with direct upload details (<a
href="https://redirect.github.com/actions/upload-artifact/issues/795">#795</a>)</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a>
Support direct file uploads (<a
href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a>
Upgrade the module to ESM and bump dependencies (<a
href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a>
from actions/Link-/add-proxy-integration-tests</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a>
Add proxy integration test</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/b7c566a772e6b6bfb58ed0dc250532a479d7789f"><code>b7c566a</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/745">#745</a>
from actions/upload-artifact-v6-release</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/e516bc8500aaf3d07d591fcd4ae6ab5f9c391d5b"><code>e516bc8</code></a>
docs: correct description of Node.js 24 support in README</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/upload-artifact/compare/v4...v7">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=4&new-version=7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 25551a5)
## What changed?

Adds a PR template to guide contributors through the checklist of CLI
design principles, help text standards, and testing expectations.

(cherry picked from commit c4061c4)
## What was changed
- Group all GitHub Actions updates into a single PR
- Ignore indirect Go dependencies (only direct deps get PRs)
- Ignore all `go.temporal.io/*` dependencies — these are managed
manually to ensure coordinated upgrades across all temporal packages

(cherry picked from commit 87ea7e0)
…1056)

The `temporal task-queue config set` help text referenced three flags
that don't exist:

- `--fairness-key-weight-set <key>=<weight>`
- `--fairness-key-weight-unset <key>`
- `--fairness-key-weight-unset-all`

The real flags, defined a few lines below in the same YAML block, are:

- `--fairness-key-weight <key>=<weight>` (with `<key>=default` to unset
a single key)
- `--fairness-key-weight-clear-all`

This PR updates the example block and the unset instructions in
`commands.yaml` to match, and regenerates `commands.gen.go`. Verified
locally with `go run ./cmd/temporal task-queue config set --help`.

This bug also surfaces in the auto-generated docs site at
[docs/cli/task-queue.mdx](https://docs.temporal.io/cli/task-queue#set),
which a customer hit in [this Slack
thread](https://temporaltechnologies.slack.com/archives/C0748KDH2DD/p1779899719317389?thread_ts=1779898503.202859&cid=C0748KDH2DD).
The docs PR over in `temporalio/documentation#4625` works around it by
referencing the real flag names directly.

Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 2a4ea2a)
VLN-1354: pin and bump GitHub Actions to latest versions

Pin all GitHub Actions to full 40-character commit SHAs and bump to
latest versions across all workflows:

- actions/checkout v4.3.1 -> v6.0.2
- actions/setup-go -> v6.4.0
- actions/upload-artifact (already pinned, kept current)
- actions/create-github-app-token v2.2.2 -> v3.1.1 (#1037)
- actions/github-script v8.0.0 -> v9.0.0 (#1036)
- docker/setup-qemu-action v3.2.0 -> v4.1.0
- docker/setup-buildx-action v3.10.0 -> v4.1.0 (#1035)
- docker/login-action v3.5.0 -> v4.2.0
- goreleaser/goreleaser-action v6.4.0 -> v7.2.1 (#1039)

Resolves open Dependabot PRs #1035, #1036, #1037, #1038, #1039.
Left temporalio/public-actions refs unchanged per exception policy.
---------

Co-authored-by: picatz <14850816+picatz@users.noreply.github.com>
Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 12655a4)
## Related issues

Closes #1030

## What changed?

Adds `temporal schedule list-matching-times` command implementing the `ListScheduleMatchingTimes` RPC. Allows users to preview when a schedule's spec would match within a given time range (past or future) without taking any actions.

## Checklist

**Stability**
- [x] Breaking changes are marked with 💥 in the PR title and release notes
- [x] Changes to JSON output (`-o json` / `-o jsonl`) are treated as breaking changes

**Design**
- [x] This feature does not depend on Cloud-only APIs or behavior (it works against an OSS server)
- [x] New commands follow `temporal <noun> <verb>` structure (e.g. `temporal workflow start`)
- [x] New flags are named after the API concept, not the implementation mechanism (good: `--search-attribute`, bad: `--index-field`)
- [x] New flags don't duplicate an existing flag that serves the same purpose
- [x] New flags do not have short aliases without strong justification
- [x] Experimental features are marked with `(Experimental feature)` in `commands.yaml`

**Help text** (see style guide at the top of `commands.yaml`)
- [x] All flags shown in help text and examples are implemented and functional
- [x] Summaries use sentence case and have no trailing period
- [x] Long descriptions end with a period and include at least one example invocation
- [x] Examples use long flags (`--namespace`, not `-n`), one flag per line
- [x] Placeholder values use `YourXxx` form (`YourWorkflowId`, `YourNamespace`)

**Behavior**
- [x] Results go to stdout; errors and warnings go to stderr
- [x] Error messages are lowercase with no trailing punctuation

**Tests**
- [x] Added functional test(s) (`SharedServerSuite`)
- [ ] Added unit test(s) (`func TestXxx`) where applicable

## Manual tests

**Setup**
```
temporal server start-dev --headless
temporal schedule create \
    --schedule-id YourScheduleId \
    --interval 1h \
    --workflow-id YourWorkflowId \
    --task-queue YourTaskQueue \
    --workflow-type YourWorkflowType
```

**Happy path**
```
$ temporal schedule list-matching-times \
    --schedule-id YourScheduleId \
    --start-time 2025-01-01T00:00:00Z \
    --end-time 2025-01-01T23:59:59Z
  Time
  2025-01-01T00:00:00Z
  2025-01-01T01:00:00Z
  ...

$ temporal schedule list-matching-times \
    --schedule-id YourScheduleId \
    --start-time 2025-01-01T00:00:00Z \
    --end-time 2025-01-01T23:59:59Z \
    -o json
{"startTime":["2025-01-01T00:00:00Z","2025-01-01T01:00:00Z",...]}
```

**Error case**
```
$ temporal schedule list-matching-times \
    --schedule-id nonexistent-id \
    --start-time 2025-01-01T00:00:00Z \
    --end-time 2025-01-01T23:59:59Z
Error: ...
$ echo $?
1
```

**Composition**
```
$ temporal schedule list-matching-times \
    --schedule-id YourScheduleId \
    --start-time 2025-06-01T00:00:00Z \
    --end-time 2025-06-07T23:59:59Z \
    -o json | jq '.startTime | length'
168
```

(cherry picked from commit 5380e71)
- remove time.Sleep() needed before v1.26.2 because of server cache bug
- update test assertions of "2 seconds ago" to "now" since we won't wait

<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR!
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

<!--- For ALL Contributors 👇 -->

## What was changed
test `TestTaskQueue_Describe_Simple` at `commands.taskqueue_test.go` was
updated to remove unnecessary `time.Sleep(1 * time.Second) `

## Why?
<!-- Tell your future self why have you made these changes -->
The waiting was a necessary workaround of server cache bug, bug was
fixed on v1.26.2

## Checklist
<!--- add/delete as needed --->

1. Closes
 #741

3. How was this tested:
<!--- Please describe how you tested your changes/how we can test them
-->
Running the unit tests

4. Any docs updates needed?
<!--- update README if applicable
      or point out where to update docs.temporal.io -->

Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 90f1364)
<!--- For ALL Contributors -->

## What was changed

`temporal server start-dev` now prints a `Persistence:` line at the end
of the startup banner.

In-memory (no `--db-filename`):
```
Persistence:      in-memory (Workflow Executions are lost when the server process exits)
```

File-backed:
```
Persistence:      file (/path/to/dev.sqlite)
```

## Why?
Per #634, the start-dev banner did not surface what form of persistence
the dev server uses, so users could not tell at a glance whether
Workflow Executions would survive a restart.

## Checklist

1. Closes #634

2. How was this tested:

Two new tests in `internal/temporalcli/commands.server_test.go` start
the dev server, capture stdout, and assert that the banner contains
`Persistence:` plus the expected backend description. Both pass locally
and fail when the banner change is reverted.

```
$ go test -run TestServer_StartDev_BannerPersistence ./internal/temporalcli/
ok  	github.com/temporalio/cli/internal/temporalcli	10.318s
```

---------

Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit f015ce2)
Closes #838.

Implements the design @cretz proposed in the issue thread: when `--yes`
bypasses the confirmation prompt, skip the `CountWorkflowExecutions`
request entirely.

## What was changed

-
[internal/temporalcli/commands.workflow.go](internal/temporalcli/commands.workflow.go)
— `SingleWorkflowOrBatchOptions.workflowExecOrBatch`: `CountWorkflow`
only runs in the `!s.Yes` branch.
-
[internal/temporalcli/commands.workflow_reset.go](internal/temporalcli/commands.workflow_reset.go)
— same pattern in `TemporalWorkflowResetCommand`'s batch path.

When `--yes` skips the count, the prompt text changes from `Start batch
against approximately N workflow(s)? y/N` to `Start batch against
workflows matching query "<query>"? y/N`, so the output (which
`promptYes` still prints in the auto-confirm path) stays informative.

The non-`--yes` interactive flow is untouched: it still counts, still
prompts, still prints the same `approximately N workflow(s)` message.

## Why

`workflowExecOrBatch` (terminate / signal / cancel) and the reset
command both unconditionally call `CountWorkflowExecutions` before
starting a batch. The result is only used to fill in the `approximately
N workflow(s)` confirmation. When `--yes` is set, the prompt is skipped
— but the count call still runs, and on clusters where the visibility
API is timing out it fails the entire batch start. The original report
is from a Postgres-backed cluster where the batch query itself works but
the count times out; users can't start batch jobs they otherwise have
permission to run.

## How was this tested

Added `TestWorkflow_Terminate_BatchWorkflow_SkipsCountWhenYes` that:

1. Installs a unary gRPC interceptor that counts
`CountWorkflowExecutionsRequest` and `StartBatchOperationRequest` calls.
2. Starts one workflow, then runs `workflow terminate --query ...
--yes`.
3. Asserts: 0 `CountWorkflow` calls, 1 `StartBatchOperation` call,
prompt text contains `matching query` and not `approximately`.

The interceptor pattern matches the existing
`testTerminateBatchWorkflow` helper.

Ran the new test plus a sample of the existing batch tests locally; they
pass. (`TestWorkflow_Terminate_BatchWorkflowSuccess` flakes locally on
the unrelated `Completed` assertion both with and without my changes —
pre-existing timing issue, not caused by this PR.)

---------

Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 7e5ba38)
…nfig (#1057)

## Summary
- `dependency-type` is only valid inside `allow`, not `ignore` in
dependabot.yml
- Replaces the invalid `ignore` entry with `allow: [{dependency-type:
direct}]` to achieve the same goal of skipping indirect/transitive
dependency updates
- Adds a CI workflow using `check-jsonschema` to validate
`dependabot.yml` on PRs and pushes to main
- Fixes the Dependabot config validation failure introduced in #1044

## Test plan
- [ ] Verify the `.github/dependabot.yml` validation check passes on
this PR
- [ ] Verify `check-jsonschema --builtin-schema vendor.dependabot
.github/dependabot.yml` passes locally

(cherry picked from commit 8bb57b7)
Bumps the github-actions group with 2 updates:
[goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action)
and
[actions/create-github-app-token](https://github.com/actions/create-github-app-token).

Updates `goreleaser/goreleaser-action` from 7.2.1 to 7.2.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/goreleaser/goreleaser-action/releases">goreleaser/goreleaser-action's
releases</a>.</em></p>
<blockquote>
<h2>v7.2.2</h2>
<h2>What's Changed</h2>
<ul>
<li>ci(deps): bump the actions group with 3 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/goreleaser/goreleaser-action/pull/560">goreleaser/goreleaser-action#560</a></li>
<li>fix: nightly resolution to select newest published release by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/goreleaser/goreleaser-action/pull/562">goreleaser/goreleaser-action#562</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Copilot"><code>@​Copilot</code></a> made
their first contribution in <a
href="https://redirect.github.com/goreleaser/goreleaser-action/pull/562">goreleaser/goreleaser-action#562</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/goreleaser/goreleaser-action/compare/v7...v7.2.2">https://github.com/goreleaser/goreleaser-action/compare/v7...v7.2.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/goreleaser/goreleaser-action/commit/5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89"><code>5daf1e9</code></a>
fix: nightly resolution to select newest published release (<a
href="https://redirect.github.com/goreleaser/goreleaser-action/issues/562">#562</a>)</li>
<li><a
href="https://github.com/goreleaser/goreleaser-action/commit/5cc7ebb73d78b8f1d7b03c568e7df999c2889ccf"><code>5cc7ebb</code></a>
ci: update actions</li>
<li><a
href="https://github.com/goreleaser/goreleaser-action/commit/702f5f91c9334614254ddeabeebaf820d707f0d6"><code>702f5f9</code></a>
ci(deps): bump the actions group with 3 updates (<a
href="https://redirect.github.com/goreleaser/goreleaser-action/issues/560">#560</a>)</li>
<li>See full diff in <a
href="https://github.com/goreleaser/goreleaser-action/compare/1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8...5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's
releases</a>.</em></p>
<blockquote>
<h2>v3.2.0</h2>
<h2><a
href="https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0">3.2.0</a>
(2026-05-12)</h2>
<h3>Features</h3>
<ul>
<li>add support for enterprise-level GitHub Apps (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4">952a2a7</a>)</li>
<li>support full repository names in <code>repositories</code> input (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6">85eb8dd</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​actions/core</code> from 3.0.0
to 3.0.1 in the production-dependencies group (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/364">#364</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857">43e5c34</a>)</li>
<li>validate private-key input (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd">f24bbd8</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md">actions/create-github-app-token's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2><a
href="https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0">3.2.0</a>
(2026-05-12)</h2>
<h3>Features</h3>
<ul>
<li>add support for enterprise-level GitHub Apps (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4">952a2a7</a>)</li>
<li>support full repository names in <code>repositories</code> input (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6">85eb8dd</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​actions/core</code> from 3.0.0
to 3.0.1 in the production-dependencies group (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/364">#364</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857">43e5c34</a>)</li>
<li>validate private-key input (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd">f24bbd8</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/create-github-app-token/commit/bcd2ba49218906704ab6c1aa796996da409d3eb1"><code>bcd2ba4</code></a>
chore(main): release 3.2.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/370">#370</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd"><code>f24bbd8</code></a>
fix: validate private-key input (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/363531b6d972a60a00b3f1e6bb139e5e6c764cd9"><code>363531b</code></a>
docs: capitalize Git as a proper noun in README (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/374">#374</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/fd2801133e469d2950f2c5af5e591d6b2ad833c8"><code>fd28011</code></a>
docs: update procedure to configure Git (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/287">#287</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6"><code>85eb8dd</code></a>
feat: support full repository names in <code>repositories</code> input
(<a
href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/c9aabb83728c3bd519212fa657ebc07e1f2a5dec"><code>c9aabb8</code></a>
build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the
development-dependencie...</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/e02e816e5591415258a53bf735aff57977dcd5e2"><code>e02e816</code></a>
build(deps-dev): bump undici from 7.24.6 to 8.2.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/366">#366</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/8d835bfd37aa48fcb8e709925115857568d98bc4"><code>8d835bf</code></a>
build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the
development-depend...</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4"><code>952a2a7</code></a>
feat: add support for enterprise-level GitHub Apps (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857"><code>43e5c34</code></a>
fix(deps): bump <code>@​actions/core</code> from 3.0.0 to 3.0.1 in the
production-dependenc...</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/create-github-app-token/compare/1b10c78c7865c340bc4f6099eb2f838309f1e8c3...bcd2ba49218906704ab6c1aa796996da409d3eb1">compare
view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit dd0524a)
## Related issues

<!-- Closes #123 -->
Closes #609

## What changed?

<!-- Describe what this PR does at a high level. -->
Prefix generated dev server cluster IDs with `dev-server-` for better
identification. Previously cluster IDs were plain UUIDs with no
indication they came from a dev server.

## Checklist

<!-- Your PR should satisfy all these requirements. However, feel free
to remove items that don't apply to the PR. Consider giving this
checklist to an AI agent before opening your PR. -->

**Stability**
- [x] Breaking changes are marked with 💥 in the PR title and release
notes

**Design**
- [x] This feature does not depend on Cloud-only APIs or behavior (it
works against an OSS server)

**Tests**
- [x] Added functional test(s) — existing tests cover this change

## Manual tests

<!-- Edit the code samples below to provide setup and happy-path and
error-path testing instructions. -->

**Setup**
```
temporal server start-dev --headless
```

**Happy path**
```
$ temporal operator cluster describe
ClusterId  dev-server-<uuid>
```

**Error case**
N/A

Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 2ae37a3)
## Related issues

Closes #673

## What changed?

Auto-generate deprecation warnings from a `deprecated: true` YAML flag
instead of manually writing CAUTION boxes in command descriptions.
Deprecation warnings are also printed to stderr at runtime so users see
them when invoking deprecated commands, without breaking JSON output.

### Before

Deprecation required manually adding a CAUTION box to the description
and `(Deprecated)` to the summary:

```yaml
- name: temporal task-queue get-build-id-reachability
  summary: Show Build ID availability (Deprecated)
  description: |
    ` ``
    +-----------------------------------------------------------------------------+
    | CAUTION: This command is deprecated and will be removed in a later release. |
    +-----------------------------------------------------------------------------+
    ` ``

    Show if a given Build ID can be used for new, existing, or closed Workflows...
```

No runtime warning was shown when invoking the command.

### After

Set `deprecated: true` and optionally `deprecation-message`. The CAUTION
box, `(Deprecated)` summary suffix, and stderr runtime warning are all
auto-generated:

```yaml
- name: temporal task-queue get-build-id-reachability
  deprecated: true
  description: |
    Show if a given Build ID can be used for new, existing, or closed Workflows...

- name: temporal task-queue versioning
  deprecated: true
  deprecation-message: This API has been deprecated by Worker Deployment.
  description: |
    Provides commands to add, list, remove, or replace...
```

Runtime stderr output:

```
$ temporal task-queue get-build-id-reachability --task-queue foo --build-id bar
warning: this command is deprecated and will be removed in a later release
...
```

JSON output is not affected (warning goes to stderr only):

```
$ temporal task-queue get-build-ids -o json --task-queue foo 2>/dev/null
[{"buildIds":["1.0"],"defaultForSet":"1.0","isDefaultSet":true}]
```

## Checklist

**Stability**
- [x] Breaking changes are marked with 💥 in the PR title and
release notes
- [x] Changes to JSON output (`-o json` / `-o jsonl`) are treated as
breaking changes

**Design**
- [x] This feature does not depend on Cloud-only APIs or behavior (it
works against an OSS server)

**Help text** (see style guide at the top of `commands.yaml`)
- [x] Summaries use sentence case and have no trailing period
- [x] Long descriptions end with a period and include at least one
example invocation

**Behavior**
- [x] Results go to stdout; errors and warnings go to stderr
- [x] Error messages are lowercase with no trailing punctuation

**Tests**
- [x] Added functional test(s) (`SharedServerSuite`)
- [x] Added unit test(s) (`func TestXxx`) where applicable

## Manual tests

**Setup**
```
temporal server start-dev --headless
```

**Happy path -- stderr warning on deprecated command**
```
$ temporal task-queue get-build-ids \
    --task-queue YourTaskQueue
warning: this command is deprecated and will be removed in a later release
...
```

**Happy path -- JSON output not polluted**
```
$ temporal task-queue get-build-ids \
    -o json \
    --task-queue YourTaskQueue 2>/dev/null
[...]
```

**Happy path -- help text shows CAUTION box**
```
$ temporal task-queue get-build-id-reachability --help
+-----------------------------------------------------------------------------+
| CAUTION: This command is deprecated and will be removed in a later release. |
+-----------------------------------------------------------------------------+

Show if a given Build ID can be used for new, existing, or closed Workflows...
```

**Happy path -- custom deprecation message**
```
$ temporal task-queue versioning --help
+-------------------------------------------------------------+
| CAUTION: This API has been deprecated by Worker Deployment. |
+-------------------------------------------------------------+
...
```

(cherry picked from commit e20ca61)
## Related issues

Closes #1077

## What changed?

The helper to iterate over `envConfigPropsToFieldNames` has a side
effect if the parent is nil and `failIfParentNotFound=true` it will set
`confProfile.TLS = &envconvfig.ClientConfigTLS{}`. When the `k=="tls"`
check happens, `confProfile.TLS != nil` and it will emit `tls: true`.
Map iteration is non-deterministic and there are 9 `tls.*` keys vs 1
`tls` key so the mutation is more likely to happen before checking the
`tls` key.

## Checklist

**Tests**
- [X] Added unit test

Co-authored-by: Alex Stanfield <13949480+chaptersix@users.noreply.github.com>
(cherry picked from commit 79e9f8f)
## What changed?

Clarifies `temporal activity pause --help` to state that pausing an
Activity does not stop or extend the Activity's Schedule-To-Close
Timeout.

Regenerated `internal/temporalcli/commands.gen.go` from
`internal/temporalcli/commands.yaml`.

## Why?

The existing help explains that Pause prevents future retries and does
not interrupt some in-flight attempts, but it does not mention that
Schedule-To-Close continues running while paused.

That can surprise operators because "pause" can imply the Activity is
safe from timing out. This adds the timeout caveat and points users to
`temporal activity update-options` before a long pause.

## Testing

```bash
go run ./cmd/gen-commands \
  -input internal/temporalcli/commands.yaml \
  -pkg temporalcli \
  -context "*CommandContext" \
  > internal/temporalcli/commands.gen.go

go run ./cmd/temporal activity pause --help

go test ./cmd/gen-commands
```

Verified the help output includes the Schedule-To-Close warning.

(cherry picked from commit 8c3e3b2)
@chaptersix chaptersix requested a review from a team as a code owner July 2, 2026 16:17
Backports the CI endpoint fix from #1087 (us-east-1 -> ca-central-1)
without the server-dependent Nexus command changes. Fixes the
'Request unauthorized' failure in the cloud API key test steps.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.