Skip to content
This repository was archived by the owner on Jul 13, 2025. It is now read-only.
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1698 commits
Select commit Hold shift + click to select a range
ef1bb5a
util/cibuild, cache_key_test: skip TestTsgoRevInCacheKey outside Tail…
bradfitz May 14, 2026
1d3562b
licenses: update license notices
May 11, 2026
c355618
wgengine/router/osrouter: skip netfilter add-ons when chain setup fai…
fserb May 15, 2026
0cb432e
all: update more references to Tailnet/Network Lock
alexwlchan May 15, 2026
894ff5d
cmd/hello: split css and js into separate files (#19771)
noelob May 15, 2026
5d1bf80
feature/routecheck: add ts_omit_routecheck feature flag (#19638)
sfllaw May 15, 2026
2b338dd
wgengine, cmd/tailscaled, control/controlclient: remove Engine watchdog
bradfitz May 14, 2026
5d56cc8
util/linuxfw: return error instead of nil pointer dereference
tendstofortytwo May 19, 2026
ee0a03b
net/dnscache: run happy eyeballs with more than one dest IP (#19770)
cmol May 19, 2026
95d874e
cmd/testwrapper: surface race reports and skip retries when detected
bradfitz May 19, 2026
04ae61f
tstest/integration/jswasmtest: add headless-Chromium tests for @tails…
bradfitz May 19, 2026
93dbd33
ipn/ipnlocal: stub system interfaces for TestShouldUseOneCGNATRoute (…
sfllaw May 20, 2026
c094070
ipn/ipnlocal/netmapcache: add UpdateSelfOnly method (#19818)
creachadair May 20, 2026
61277e3
Construct IPv6 ingress URLs correctly
aredridel May 19, 2026
36c52ef
tstest/integration/testcontrol: fix serveMap read-modify-write race
raggi May 21, 2026
f3a117e
net/tsdial: run happy eyeballs across A and AAAA in UserDial
bradfitz May 20, 2026
dbe92f9
feature/conn25: set assignment expiry based on dns response TTL
franbull May 18, 2026
7ebca58
net/traffic,ipn/ipnlocal: extract traffic steering utilities (#19682)
sfllaw May 21, 2026
2703f91
wgengine/magicsock: fix data race in TestSetDERPMapDoReStun
bradfitz May 21, 2026
aa5da2e
ipn/ipnlocal, control/controlclient: process node adds/removes in con…
bradfitz Apr 30, 2026
7dabebc
net/traffic: switch rendezvous hashing from SHA256 to FNV-1a (#19821)
sfllaw May 21, 2026
fd2405c
tstest/integration: mark TestNoControlConnWhenDown as a flaky test (#…
sfllaw May 22, 2026
e32b9bd
control/controlclient: fix deadlock in map session change queue proce…
amalscale May 22, 2026
5295e3e
ipn/{ipnstate,ipnlocal}: add integer NodeID to PeerStatus
bradfitz May 21, 2026
5d8f401
net/dns: fix handling non-IP single split DNS
sailorfrag May 22, 2026
988615d
ipn/ipnlocal,tstest/integration: pause the control client consistentl…
sfllaw May 23, 2026
da8cd5c
ipn/ipnlocal: fix documentation typo, NodeAttrCacheNetworkMaps (#19851)
sfllaw May 23, 2026
26952d5
scripts/installer.sh: update KDE Linux link (#19857)
xuars May 24, 2026
5877809
feature/conn25: unify FlowTable storage to prepare for expiry
mzbenami May 19, 2026
2eb45c2
feature/conn25: extend assignment expiry on use
franbull May 19, 2026
e5a8cf3
control/controlknobs,feature/*,ipn/ipnlocal,tailcfg: add runtimemetrics
jwhited May 22, 2026
0ed6da2
cmd/k8s-operator, net/netutil: support 4via6 in egress proxy and conn…
BeckyPauley May 27, 2026
e2a0d45
cmd/tailscale/cli: fix time parsing in debug daemon-logs (#19875)
Erisa May 27, 2026
0e2b3f3
cmd/k8s-operator: stabilize StaticEndpoints order in ProxyGroup recon…
jasondillingham May 27, 2026
a8f40a2
ipn/ipnlocal: add missing bus notify of peers on full netmap
bradfitz May 27, 2026
2c965ab
types/netmap, ipn/ipnlocal, control/controlclient: rename NodeMutatio…
bradfitz May 27, 2026
7701035
licenses: update license notices
May 25, 2026
5652b6c
cmd/k8s-operator: fix token exchange for identity federation (#19845)
matshch May 27, 2026
4aef023
cmd/tailscaled,types/logger: remove TS_DEBUG_MEMORY and associated lo…
jwhited May 27, 2026
b553969
ipnlocal: try ACME TLS-ALPN for Funnel renewals
bradfitz May 26, 2026
9be2108
wgengine/{,magicsock},tstest/natlab/vmtest: send disco on cached netm…
cmol May 27, 2026
f277bfb
release/dist/synology: add GOARM=7,softfloat mode for hi3535
bradfitz May 22, 2026
d191216
feature/taildrop: replace outgoing-file progress channel with synchro…
raggi May 26, 2026
dea49bb
net/batching: add envknobs to disable UDP GRO & GSO
raggi Nov 26, 2025
8501be1
go.mod: bump dependencies to resolve govulncheck warnings (#19884)
patrickod May 27, 2026
80dc7a8
feature/conn25: disallow addrs assignment overwriting.
franbull May 20, 2026
364b952
cmd/containerboot: track peers from IPN bus updates, stop using netma…
bradfitz May 26, 2026
c9fb05b
ipn/ipnlocal: don't dup-suppress UserProfiles on IPNBus on profile sw…
bradfitz May 27, 2026
1a17ec1
net/netmon: in Android, replace system/bin/ip call with cached LinkPr…
kari-ts May 27, 2026
db60aa8
logtail: gate "logtail started" behind TS_DEBUG_LOGTAIL envknob (#19891)
scottjab May 27, 2026
94af1b0
cmd/testwrapper, tstest: move test sharding out of test code
bradfitz May 27, 2026
25b8ed8
control/controlknobs,net/{batching,tstun},wgengine: add nodecaps to d…
raggi May 27, 2026
782c73b
cmd/containerboot: fix data race in TestContainerBoot
bradfitz May 27, 2026
4b8115b
cmd/containerboot: clamp MSS to PMTU for proxy group pods (#19686)
dragondscv May 28, 2026
446ae97
ipn: improve --exit-node hostname error during startup
alexwlchan May 28, 2026
f4a280c
all: update a few more references to network/tailnet lock
alexwlchan May 28, 2026
8d90a6a
ipn/ipnlocal: add HTTP/2 Content-Type tests for serve reverse proxy (…
bcreane May 28, 2026
9d126ae
all: remove network lock references from private method names
alexwlchan May 28, 2026
c086992
cmd/tailscale/cli: add whoami subcommand
bradfitz May 28, 2026
524a374
tsnet: wait for peer in netmap before pinging in setupTwoClientTest
raggi May 28, 2026
788a49e
.github/workflows: run vet on GitHub-hosted runners (#19913)
tomhjp May 28, 2026
412c812
ipn/ipnlocal: use ACME ALPN for authorized Funnel non-CertDomain domains
bradfitz May 28, 2026
3d51020
feature/conn25: use new pool nodeattr
franbull May 26, 2026
7355116
ipn/store: make WriteState(id, nil) delete key instead of adding nil …
kari-ts May 29, 2026
8b58bd6
net/batching: implement NodeAttrNeverGSOEqualTail
jwhited May 28, 2026
5d935c8
net/traffic: add fuzz test for sorting nodes by traffic score (#19893)
sfllaw May 29, 2026
c933385
appc,feature/conn25: use custom scheme resolvers for conn25
franbull May 5, 2026
3e34e72
tsnet: add opt-in SSH support (Server.ListenSSH)
bradfitz Mar 10, 2026
8a294e3
net/batching: reset Buffers len in WriteBatchTo
jwhited May 29, 2026
4c8c0ba
derp/derphttp: honor DERPNode.DERPPort in proxied CONNECT dial
mzihlmann May 14, 2026
48eba4e
derp/derphttp: add tests for proxied CONNECT port selection
mzihlmann May 14, 2026
3ef42d8
derp/derphttp: drop dial-only proxy port test
mzihlmann May 14, 2026
2ba4268
ipn/ipnlocal: fix 'tailscale status --peers=false' missing user profile
bradfitz Jun 1, 2026
651049e
ssh/tailssh: reject dangerous LD_/DYLD_ env vars in acceptEnv filteri…
patrickod Jun 1, 2026
2880167
net/routecheck: introduce new package for checking peer reachability …
sfllaw Jun 1, 2026
2ee9eac
client/local,ipn/localapi: add /localapi/v0/routecheck endpoint (#19640)
sfllaw Jun 1, 2026
d961e44
cmd/testwrapper: auto-retry every failing test
bradfitz May 20, 2026
4f07a07
client/systray: don't repeat account name for single-user tailnets (#…
Lykathia Jun 1, 2026
da51072
feature/conn25: send TSMP message to client for no IP mapping on conn…
tendstofortytwo May 27, 2026
2d6844c
cmd/tailscale/cli: add routecheck command (#19641)
sfllaw Jun 1, 2026
0d92a69
cmd/tailscale/cli: add "tailscale get" command
bradfitz Apr 8, 2026
5495eb7
licenses: update license notices
Jun 1, 2026
7f3bbc9
net/netutil: add NewDefaultTransport to avoid http.DefaultTransport p…
achille-roussel May 31, 2026
c234dcc
go.mod: bump wireguard-go
bradfitz Jun 1, 2026
d64aaff
control/controlclient: fix map context race
bradfitz Jun 1, 2026
8a63c02
tailcfg: add a node attribute to explicitly disable netmap caching (#…
creachadair Jun 1, 2026
92bfda5
cmd/tailscale/cli: fix time in `tailscale routecheck` (#19956)
sfllaw Jun 1, 2026
a6ab7ef
ipn/ipnlocal, cmd/tailscale/cli: auto-renew TLS certs and warn while …
bradfitz May 28, 2026
3f70abd
cmd/tailscaled, version/distro: default to userspace-networking on Cr…
ferrumclaudepilgrim May 4, 2026
b47dd93
cmd/tailscale/cli: use tstime constant for `tailscale routecheck` (#1…
sfllaw Jun 2, 2026
7ba49cb
words: add 'flops' to the list of scales
char Jun 2, 2026
c898aeb
.github/workflows: fix `-run='^$'` quoting when skipping all tests (#…
sfllaw Jun 2, 2026
a3bec69
wgengine/magicsock,types/logger: add latency logs for initial peer co…
creachadair Jun 2, 2026
e69e24d
go.mod: bump golang.org/x/image@v0.41.0 (#19970)
patrickod Jun 2, 2026
a846665
Add --strip option to build_dist
JamieSinn Jun 2, 2026
52400dc
ipn/ipnlocal: add back a watchdog after earlier removal from engine
bradfitz Jun 2, 2026
c91b718
ipn/localapi,tstest/natlab: fix debug derp TLS check for sha256-raw C…
bradfitz Jun 2, 2026
9107354
tstest/natlab/vnet: send unsolicited IPv6 Router Advertisements
bradfitz Jun 2, 2026
01c59d8
cmd/tailscale/cli: show services in serve status (#19600)
kabirsikand Jun 2, 2026
40c98cd
tstest/natlab/vmtest: deflake, de-strictify TestSelfSignedDERPHashPin…
bradfitz Jun 3, 2026
fa54242
ipn,ipn/localapi: require local admin to serve Unix domain sockets
hwh33 May 21, 2026
b26dadf
net/dns/resolver: skip DNS health warning when doing split DNS (#19959)
bcreane Jun 3, 2026
cdcb1cb
go.toolchain.rev: bump to Go 1.26.4
mpminardi Jun 3, 2026
98f1ac0
cmd/k8s-operator, net/netutil: revert 4via6 changes (#19990)
BeckyPauley Jun 3, 2026
66c8844
VERSION.txt: this is v1.101.0 (#19992)
croakerbcts Jun 3, 2026
3f5eb31
go.mod: update tailscale/gliderssh (#19995)
patrickod Jun 4, 2026
dfb605d
cmd/ssh-auth-none-demo: update SSH demo a bit
bradfitz Jun 4, 2026
f05e145
cmd/tailscale/cli/jsonoutput: improve doc comments and add examples (…
sfllaw Jun 4, 2026
0bbaed6
cmd/tailscale/cli/jsonoutput: rename exported identifiers (#19994)
sfllaw Jun 4, 2026
6ff761c
cmd/tailscale/cli/jsonoutput: fix flag parsing for boolean values (#1…
sfllaw Jun 4, 2026
772be1b
gokrazy, clientupdate: add start of Gokrazy auto-updates, tests
bradfitz Jun 4, 2026
6cd185b
tailcfg: add Attributes to Service Actions
adrianosela May 30, 2026
638b73a
gokrazy: add two arm64 variants for Pi & VMs
bradfitz Jun 4, 2026
6cb3852
go.mod: bump wireguard-go for memory leak fix
bradfitz Jun 4, 2026
fc9b18f
tailcfg: add ServiceActionType constants
adrianosela Jun 4, 2026
e8d169d
client/systray: fix setting StatusNotifierItem ID
willnorris Jun 4, 2026
d0b12da
words: they say the long tail tips the scales
raggi Jun 4, 2026
84ffcd2
cmd/tailscale/cli/jsonoutput: provide examples for jsonoutput.DNS* (#…
sfllaw Jun 5, 2026
26864f1
tstest/natlab: add ACME cert vmtest
bradfitz Jun 2, 2026
6a70921
ipn/ipnlocal,wgengine/magicsock: re-report NetInfo to new control cli…
mikeodr Jun 5, 2026
c07bf57
cmd/tailscaled: only warn about unsupported attestation when enabled …
awly Jun 5, 2026
eda975a
wgengine/magicsock: emit first-netmap latency for uncached resets too…
creachadair Jun 5, 2026
c0d0621
logpolicy,tsnet: remove syspolicy dependency
nickkhyl Jun 5, 2026
83c8440
cmd/tailscale/cli: add service support to tailscale ip
adrianosela Jun 5, 2026
254bb6a
CODEOWNERS: auto-request k8s-devs review for Kubernetes/container pat…
fserb Jun 7, 2026
65a1171
all: rename NetworkLock functions/types to TailnetLock
alexwlchan Jun 4, 2026
618b606
feature/conn25: expire idle flows from FlowTable
mzbenami May 22, 2026
732bde6
tstest/natlab: test home DERP is re-reported after a profile switch (…
mikeodr Jun 8, 2026
4b1408f
words: June is so full of color
willnorris Jun 8, 2026
2767100
net/netmon: skip RTM_MISS route messages on darwin (#20050)
dougbryant-ant Jun 8, 2026
819f3ba
cmd/k8s-operator: allow custom annotations on deployment (#17143)
anthosz Jun 9, 2026
60b935e
net/dns/resolver: remove deprecated 4via6 magic-dns formats (#20057)
BeckyPauley Jun 9, 2026
edcc2c9
ipn: enforce lossless IPN bus delta streams
bradfitz Jun 8, 2026
913df7e
cmd/tailscale/cli: unit tests for tailscale ip
adrianosela Jun 6, 2026
1deb6a8
ipn: add no-disconnect in-process bus subscribers
bradfitz Jun 9, 2026
3e0d89d
logtail: reject absurdly large retryAfter values (#20070)
dsnet Jun 9, 2026
632293d
logtail: reject absurdly large retryAfter values (#20070) (#20071)
dsnet Jun 9, 2026
e4ea65d
cmd/k8s-operator: workload identity support for multi-tailnet (#20016)
davidsbond Jun 10, 2026
2690d58
wgengine/magicsock,tstest/natlab/vmtest: only send callMeMaybe with e…
cmol Jun 10, 2026
92ab486
wgengine/magicsock: increase discoKeyAdvertisementInterval to 2 minut…
cmol Jun 10, 2026
a31e527
CODEOWNERS: remove blocking reviews
bradfitz Jun 11, 2026
6ab5d91
go.mod: bump some deps to match corp
bradfitz Jun 11, 2026
57246f4
go.mod: bump more things to match corp
bradfitz Jun 11, 2026
e95e2a5
tka: use a named constant to tidy up sig_test.go
alexwlchan Jun 11, 2026
abe5fbb
all: make this spelling mistake non-existant
alexwlchan Jun 11, 2026
be44e66
cmd/tailscale: stop defaulting ssh username to local username (#19358)
op Jun 11, 2026
7fb6751
cmd/k8s-operator: rework [unexpected] log lines (#20065)
davidsbond Jun 11, 2026
6a822dc
control/controlclient: continue map poll during key expiry to receive…
apenwarr Apr 11, 2026
5be05f2
control/controlclient: discard stale auth results in authRoutine
neinkeinkaffee May 21, 2026
ec8ab87
tstest/integration/testcontrol: expire individual node keys
neinkeinkaffee Jun 3, 2026
3172013
tsnet: test key extension after server restart
neinkeinkaffee Jun 3, 2026
f368a96
ssh/tailssh: dissallow purely numeric usernames for SSH
mpminardi Jun 11, 2026
b6713e9
cmd/tailscale/cli: check kubeconfig writability instead of refusing $…
raggi Jun 12, 2026
241456a
ipn/ipnlocal: add metrics for inbound and outbound bytes on Serve con…
rajsinghtech Jun 12, 2026
da11aa5
words: add "cat" to scales.txt (#20106)
aspynect Jun 12, 2026
2a0eafc
feature/conn25: drop returned error from NewFlow signature
mzbenami Jun 11, 2026
6f281cc
feature/conn25: add on-remove hook for flows in FlowTable
mzbenami Jun 11, 2026
0108fb7
tstest/natlab/vmtest: skipe tests marked as flakey (#20122)
cmol Jun 12, 2026
b23089a
wgengine/magicsock: update netmap cache flag on receipt of a delta (#…
creachadair Jun 12, 2026
9cb0716
ipn/ipnlocal: update netmap cache after peer deltas are applied (#20111)
creachadair Jun 12, 2026
a9ea633
wgengine: delete Conn25 packet hooks
mzbenami Jun 12, 2026
7d18a06
go.mod,wgengine/magicsock: pull wireguard-go fix for roaming endpoint…
illotum Jun 12, 2026
c48f953
cmd/tailscale/cli, ipn/conffile: accept legacy serve config in set-co…
bcreane Jun 13, 2026
449233d
.github/workflows: auto-request k8s-devs review for Kubernetes/contai…
fserb Jun 15, 2026
4d9d8cf
misc: rename install-git-hooks.go to add-git-hooks.go (#20144)
fserb Jun 15, 2026
f002f6b
ipn/ipnlocal: remove logs for peer delta cache updates (#20145)
creachadair Jun 15, 2026
4c4ec3d
net/packet,wgengine/filter: handle IPv6 fragment extension header
schavery Jun 14, 2026
ae74364
ipn/ipnlocal: revert earlier change, force Reconfig + SetNetworkMap n…
bradfitz Jun 14, 2026
6596d23
ipn/ipnlocal: add wireguard session state metrics + publish on IPN bus
bradfitz Jun 5, 2026
eddd019
ipn/ipnlocal: protect populatePeerStatusLocked from nil Hostinfo (#20…
sfllaw Jun 15, 2026
94fbb03
logtail: add stateless generic UploadLogs (#20005)
scottjab Jun 15, 2026
ca20611
util: add parse fallback helpers (#20022)
ibobgunardi Jun 15, 2026
26b2ed0
net/packet: clarify minFragBlks reuse for IPv6 and test chained ext h…
raggi Jun 15, 2026
f0a1aa8
tailcfg: fix typo in doc comment for tailcfg.Node.DisplayNames (#20155)
sfllaw Jun 16, 2026
88f5206
types/geo: add support for ScalarMarshaler and ScalarUnmarshaler (#20…
sfllaw Jun 16, 2026
47333e9
feature/conn25: recreate transit IP mappings when connector loses them
tendstofortytwo Jun 17, 2026
994b2c8
tsnet: fix tests that have a ping that races its destination node (#2…
sfllaw Jun 17, 2026
8f21045
wgengine/netlog: stop using netmap.NetworkMap type, use LocalBackend
bradfitz Jun 16, 2026
be2f554
control/controlknobs,wgengine/magicsock: disable TSMP disco advert if…
jwhited Jun 18, 2026
e3b1613
util/set: add iterator support to Set[T] (#20159)
sfllaw Jun 18, 2026
35a1a41
cmd/{containerboot,k8s-operator}: add 4via6 support in singleton egre…
BeckyPauley Jun 18, 2026
c3c2aa7
all: don't repeat the the word "the" unnecessarily
alexwlchan Jun 18, 2026
00b9e8d
ipn: add fmt.Stringer support to NotifyWatchOpt (#20072)
sfllaw Jun 18, 2026
5400575
wgengine/magicsock: suppress TSMP disco advert when bestAddr is peer …
jwhited Jun 18, 2026
0861daf
net/dns: restore SELinux context on /etc/resolv.conf after rename (#2…
bcreane Jun 18, 2026
53ef7f9
sessionrecording: close idle connections after upload
neinkeinkaffee Jun 19, 2026
07f6353
licenses: update license notices
Jun 15, 2026
59159d9
prober: add HTTP bandwidth probe and dial-address override (#20185)
mikeodr Jun 19, 2026
6a275c0
util/linuxfw: clamp MSS to PMTU in both forward directions (#20077)
SamyDjemai Jun 22, 2026
f442cda
ipn/ipnlocal: consider all DERP regions for exit node recommendations
knyar Jun 15, 2026
e9e2096
net/netcheck: ensure recent history has a full report
knyar Jun 17, 2026
568c0bd
go.mod: bump wireguard-go (#20203)
illotum Jun 22, 2026
e0677cc
net/tstun, wgengine/filter: track UDP flow state for injected packets
bradfitz Jun 22, 2026
d6c8702
tstest/natlab/vnet: deflake TestPacketSideEffects and TestProtocolQEMU
bradfitz Jun 18, 2026
0b55198
cmd/k8s-operator: scope HA Service hostname check per-tailnet (#20114)
tsushanth Jun 23, 2026
af2f228
ipn/ipnlocal, types/netmap, tsnet: filter unsigned peers on delta path
bradfitz Jun 23, 2026
295bf20
prober: deflake TestHTTPBandwidth
bradfitz Jun 23, 2026
988b090
wgengine/wglog: stop using netmap.NetworkMap here too
bradfitz Jun 18, 2026
1d69894
ipn/ipnlocal, drive: stop using netmap.NetworkMap in Taildrive too
bradfitz Jun 18, 2026
d22bf51
util/cloudenv: detect Hetzner Cloud
bradfitz Jun 23, 2026
72876a9
.github: pin govulncheck@1.3.0 (#20219)
patrickod Jun 23, 2026
49e060b
wgengine: add Engine.ProbeLocks, drop PeerForIP lock-probe overload
bradfitz Jun 23, 2026
b7422fa
.gitattributes: explicitly mark text files as such with eol
raggi Jun 22, 2026
badd0c4
wgengine/magicsock: consider VNI as part of peer relay handshake supp…
jwhited Jun 23, 2026
e9ae398
wgengine: drop userspaceEngine.peerSequence
bradfitz Jun 23, 2026
d4f2917
wgengine, ipn/ipnlocal: route PeerForIP through LocalBackend's live data
bradfitz Jun 23, 2026
c33a557
ipn/ipnlocal: reduce excessive logging of exit node suggestions (#20237)
amalscale Jun 24, 2026
281404e
cmd/tailscale/cli: fix capitalisation of flags
alexwlchan Jun 24, 2026
0bc0cb8
tstest/natlab/vmtest: retry SSHExec on transient SSH failures
bradfitz Jun 24, 2026
8dde9b7
tstest/natlab/vmtest: serialize ensureDebugSSHKey across parallel boots
bradfitz Jun 24, 2026
aefb153
net/tsdial, ipn/ipnlocal: stop using netmap.NetworkMap in Dialer
bradfitz Jun 24, 2026
453c078
.github: add zizmor GitHub Actions linting (#20243)
patrickod Jun 24, 2026
77d2c87
wgengine/router/osrouter,util/linuxfw: remove orphaned tailnet addrs …
bcreane Jun 24, 2026
1b2062f
net/tstun: invoke conn25 app connector hook on injected reads
mzbenami Jun 23, 2026
87cb2a8
wgengine: replace Engine.SetNetworkMap with SetSelfNode
bradfitz Jun 24, 2026
dd1df38
ipn/ipnlocal: pass capability set, not netmap, to two helpers
bradfitz Jun 24, 2026
9f92a47
util/cmpver: add a test for comparing three-digit versions
alexwlchan Jun 24, 2026
6e1de5b
cmd/containerboot: refresh DNS config on SelfChange (#20236)
ChaosInTheCRD Jun 25, 2026
9169b20
Revert "control/controlclient: continue map poll during key expiry to…
alexwlchan Jun 25, 2026
2fbd308
tailcfg,net/routecheck: add NodeAttrClientSideReachabilityRouteCheck …
sfllaw Jun 26, 2026
6fc5290
tool/gocross: retry downloading Go three times
alexwlchan Jun 26, 2026
af999f0
k8s-operator/dnsrecords: fix dnsRR dropping reconcile events on lock …
Briansbum Jun 26, 2026
e21fd6b
ipn/ipnlocal: add webclient support for tvOS (#20256)
barnstar Jun 26, 2026
8379d59
ipn: remove the last traces of Prefs.AllowSingleHosts
alexwlchan Jun 26, 2026
f5eac39
feature/acme, ipn/ipnlocal: start moving ACME/cert state into an exte…
bradfitz Jun 25, 2026
a95119a
CODEOWNERS,.policy.yml: replace CODEOWNERS with a policy-bot policy
bradfitz Jun 25, 2026
79e3bbb
.policy.yml: tweak policy after testing
bradfitz Jun 26, 2026
b64209b
ipn/config: add RelayServerPort and RelayServerStaticEndpoints to con…
rajsinghtech Jun 26, 2026
97e7ea8
go.mod,tsnet,tstest/natlab/vmtest: bump prometheus/common to v0.69.0
bradfitz Jun 26, 2026
5bd5266
.github,.policy-tests.yml: test .policy.yml in CI
bradfitz Jun 26, 2026
1c0e833
ipn/ipnlocal: normalize IPv6-mapped IPv4 addrs in WhoIs
bouk Jun 24, 2026
4bb6f35
ipn/ipnlocal: consolidate test-only LocalBackend methods behind ForTest
bradfitz Jun 27, 2026
5ebc749
tsnet: link in feature/acme by default
bradfitz Jun 29, 2026
28e1320
wgengine/magicsock: fix warnings about nil health.Tracker (#20264)
sfllaw Jun 29, 2026
825b7c4
wgengine/magicsock: fix data race in TestNetworkSendErrors (#20261)
sfllaw Jun 29, 2026
1c77079
ipn/ipnlocal, feature/acme: move most remaining cert code into featur…
bradfitz Jun 27, 2026
477d5a4
ipn/ipnlocal, feature/conn25: add hook for accepting PeerAPI DNS
sailorfrag Jun 29, 2026
ec6e598
kube/certs: widen runCertLoop per-call timeout to 30m (#20289)
ChaosInTheCRD Jun 30, 2026
8b5060f
ipn/ipnlocal: sort profiles by date created when possible (#20223)
willh-ts Jun 30, 2026
66af257
tstest/natlab/vmtest, client/web: add web client integration tests
bradfitz Jun 29, 2026
fad8b9b
clientupdate, cmd/tailscale: verify signed GAFs, wire up tailscale up…
bradfitz Jun 29, 2026
07cefc0
ipn/{ipn,ipnlocal}: add per-user policy snapshots to IPN bus (#20135)
kari-ts Jun 30, 2026
b6e17df
cmd/tailscaled, util/syspolicy: add JSON syspolicy file support
bradfitz Jun 30, 2026
b228748
feature/conn25: return expired addrs from index lookups
franbull Jun 29, 2026
85d8644
feature/conn25: keep mappings with active flows
franbull Jun 29, 2026
64422f2
kube/certs: use Let's Encrypt's recommended retry schedule (#20292)
ChaosInTheCRD Jul 1, 2026
d0fcb66
cmd/tailscale/cli: add 'tailscale configure flash-appliance'
bradfitz Jun 30, 2026
a8f3c86
util/progresstracking: add Ticker, NewWriter, and CountingWriter
bradfitz Jul 1, 2026
df40abc
ipn/ipnlocal: fix reporting of active ipnext extensions
nickkhyl Jul 1, 2026
f96db5e
go.mod: update ts-gokrazy for local dev workflow
bradfitz Jul 1, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
62 changes: 60 additions & 2 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -1,2 +1,60 @@
go.mod filter=go-mod
*.go diff=golang
go.mod filter=go-mod eol=lf text
*.go diff=golang eol=lf text
*.adml eol=lf text
*.admx eol=lf text
*.bash eol=lf text
*.c eol=lf text
*.cgi eol=lf text
*.conf eol=lf text
*.css eol=lf text
*.csv eol=lf text
*.desktop eol=lf text
*.fish eol=lf text
*.gitattributes eol=lf text
*.gitignore eol=lf text
*.gitkeep eol=lf text
*.go eol=lf text
*.h eol=lf text
*.helmignore eol=lf text
*.htaccess eol=lf text
*.html eol=lf text
*.hujson eol=lf text
*.in eol=lf text
*.init eol=lf text
*.js eol=lf text
*.json eol=lf text
*.lock eol=lf text
*.lua eol=lf text
*.md eol=lf text
*.mod eol=lf text
*.nix eol=lf text
*.openrc eol=lf text
*.pbxproj eol=lf text
*.pem eol=lf text
*.plg eol=lf text
*.plist eol=lf text
*.rc eol=lf text
*.resolved eol=lf text
*.rev eol=lf text
*.rs eol=lf text
*.sc eol=lf text
*.service eol=lf text
*.sh eol=lf text
*.socket eol=lf text
*.stignore eol=lf text
*.sum eol=lf text
*.svg eol=lf text
*.swift eol=lf text
*.tmpl eol=lf text
*.toml eol=lf text
*.ts eol=lf text
*.tsx eol=lf text
*.txt eol=lf text
*.version eol=lf text
*.xcscheme eol=lf text
*.xcsettings eol=lf text
*.xib eol=lf text
*.xml eol=lf text
*.yaml eol=lf text
*.yml eol=lf text
*.zsh eol=lf text
59 changes: 59 additions & 0 deletions .github/actions/go-cache/action.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
#!/usr/bin/env bash
#
# This script sets up cigocacher, but should never fail the build if unsuccessful.
# It expects to run on a GitHub-hosted runner, and connects to cigocached over a
# private Azure network that is configured at the runner group level in GitHub.
#
# Usage: ./action.sh
# Inputs:
# URL: The cigocached server URL.
# HOST: The cigocached server host to dial.
# Outputs:
# success: Whether cigocacher was set up successfully.

set -euo pipefail

if [ -z "${GITHUB_ACTIONS:-}" ]; then
echo "This script is intended to run within GitHub Actions"
exit 1
fi

if [ -z "${URL:-}" ]; then
echo "No cigocached URL is set, skipping cigocacher setup"
exit 0
fi

BIN_PATH="$(PATH="$PATH:$HOME/bin" command -v cigocacher || true)"
if [ -z "${BIN_PATH}" ]; then
echo "cigocacher not found in PATH, attempting to build or fetch it"

GOPATH=$(command -v go || true)
if [ -z "${GOPATH}" ]; then
if [ ! -f "tool/go" ]; then
echo "Go not available, unable to proceed"
exit 1
fi
GOPATH="./tool/go"
fi

BIN_PATH="${RUNNER_TEMP:-/tmp}/cigocacher$(${GOPATH} env GOEXE)"
if [ -d "cmd/cigocacher" ]; then
echo "cmd/cigocacher found locally, building from local source"
"${GOPATH}" build -o "${BIN_PATH}" ./cmd/cigocacher
else
echo "cmd/cigocacher not found locally, fetching from tailscale.com/cmd/cigocacher"
"${GOPATH}" build -o "${BIN_PATH}" tailscale.com/cmd/cigocacher
fi
fi

CIGOCACHER_TOKEN="$("${BIN_PATH}" --auth --cigocached-url "${URL}" --cigocached-host "${HOST}" )"
if [ -z "${CIGOCACHER_TOKEN:-}" ]; then
echo "Failed to fetch cigocacher token, skipping cigocacher setup"
exit 0
fi

echo "Fetched cigocacher token successfully"
echo "::add-mask::${CIGOCACHER_TOKEN}"

echo "GOCACHEPROG=${BIN_PATH} --cache-dir ${CACHE_DIR} --cigocached-url ${URL} --cigocached-host ${HOST} --token ${CIGOCACHER_TOKEN}" >> "${GITHUB_ENV}"
echo "success=true" >> "${GITHUB_OUTPUT}"
35 changes: 35 additions & 0 deletions .github/actions/go-cache/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: go-cache
description: Set up build to use cigocacher

inputs:
cigocached-url:
description: URL of the cigocached server
required: true
cigocached-host:
description: Host to dial for the cigocached server
required: true
checkout-path:
description: Path to cloned repository
required: true
cache-dir:
description: Directory to use for caching
required: true

outputs:
success:
description: Whether cigocacher was set up successfully
value: ${{ steps.setup.outputs.success }}

runs:
using: composite
steps:
- name: Setup cigocacher
id: setup
shell: bash
env:
URL: ${{ inputs.cigocached-url }}
HOST: ${{ inputs.cigocached-host }}
CACHE_DIR: ${{ inputs.cache-dir }}
working-directory: ${{ inputs.checkout-path }}
# https://github.com/orgs/community/discussions/25910
run: $GITHUB_ACTION_PATH/action.sh
2 changes: 1 addition & 1 deletion .github/workflows/checklocks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
runs-on: [ ubuntu-latest ]
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Build checklocks
run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks
Expand Down
73 changes: 73 additions & 0 deletions .github/workflows/cigocacher.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
name: Build cigocacher

on:
# Released on-demand. The commit will be used as part of the tag, so generally
# prefer to release from main where the commit is stable in linear history.
workflow_dispatch:

jobs:
build:
strategy:
matrix:
GOOS: ["linux", "darwin", "windows"]
GOARCH: ["amd64", "arm64"]
runs-on: ubuntu-24.04
env:
GOOS: "${{ matrix.GOOS }}"
GOARCH: "${{ matrix.GOARCH }}"
CGO_ENABLED: "0"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Build
run: |
OUT="cigocacher$(./tool/go env GOEXE)"
./tool/go build -o "${OUT}" ./cmd/cigocacher/
tar -zcf cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz "${OUT}"

- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
path: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz

release:
runs-on: ubuntu-24.04
needs: build
permissions:
contents: write
steps:
- name: Download all artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: 'cigocacher-*'
merge-multiple: true
# This step is a simplified version of actions/create-release and
# actions/upload-release-asset, which are archived and unmaintained.
- name: Create release
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const fs = require('fs');
const path = require('path');

const { data: release } = await github.rest.repos.createRelease({
owner: context.repo.owner,
repo: context.repo.repo,
tag_name: `cmd/cigocacher/${{ github.sha }}`,
name: `cigocacher-${{ github.sha }}`,
draft: false,
prerelease: true,
target_commitish: `${{ github.sha }}`
});

const files = fs.readdirSync('.').filter(f => f.endsWith('.tar.gz'));

for (const file of files) {
await github.rest.repos.uploadReleaseAsset({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: release.id,
name: file,
data: fs.readFileSync(file)
});
console.log(`Uploaded ${file}`);
}
10 changes: 5 additions & 5 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,17 +45,17 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

# Install a more recent Go that understands modern go.mod content.
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # zizmor: ignore[cache-poisoning] v6.3.0
with:
go-version-file: go.mod

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -66,7 +66,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -80,4 +80,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
29 changes: 29 additions & 0 deletions .github/workflows/docker-base.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: "Validate Docker base image"
on:
workflow_dispatch:
pull_request:
paths:
- "Dockerfile.base"
- ".github/workflows/docker-base.yml"
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: "build and test"
run: |
set -e
IMG="test-base:$(head -c 8 /dev/urandom | xxd -p)"
docker build -t "$IMG" -f Dockerfile.base .

iptables_version=$(docker run --rm "$IMG" iptables --version)
if [[ "$iptables_version" != *"(legacy)"* ]]; then
echo "ERROR: Docker base image should contain legacy iptables; found ${iptables_version}"
exit 1
fi

ip6tables_version=$(docker run --rm "$IMG" ip6tables --version)
if [[ "$ip6tables_version" != *"(legacy)"* ]]; then
echo "ERROR: Docker base image should contain legacy ip6tables; found ${ip6tables_version}"
exit 1
fi
4 changes: 1 addition & 3 deletions .github/workflows/docker-file-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,10 @@ on:
branches:
- main
pull_request:
branches:
- "*"
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: "Build Docker image"
run: docker build .
6 changes: 3 additions & 3 deletions .github/workflows/flakehub-publish-tagged.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,11 @@ jobs:
id-token: "write"
contents: "read"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
- uses: "DeterminateSystems/nix-installer-action@main"
- uses: "DeterminateSystems/flakehub-push@main"
- uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
- uses: DeterminateSystems/flakehub-push@71f57208810a5d299fc6545350981de98fdbc860 # v6
with:
visibility: "public"
tag: "${{ inputs.tag }}"
20 changes: 14 additions & 6 deletions .github/workflows/golangci-lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,11 @@ name: golangci-lint
on:
# For now, only lint pull requests, not the main branches.
pull_request:

paths:
- ".github/workflows/golangci-lint.yml"
- "**.go"
- "go.mod"
- "go.sum"
# TODO(andrew): enable for main branch after an initial waiting period.
#push:
# branches:
Expand All @@ -23,17 +27,21 @@ jobs:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
- uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: go.mod
cache: false
cache: true

- name: golangci-lint
uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
uses: golangci/golangci-lint-action@b7bcab6379029e905e3f389a6bf301f1bc220662 # head as of 2026-03-04
with:
version: v2.0.2
version: v2.10.1

# Show only new issues if it's a pull request.
only-new-issues: true

# Loading packages with a cold cache takes a while:
args: --timeout=10m

6 changes: 3 additions & 3 deletions .github/workflows/govulncheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,17 +14,17 @@ jobs:

steps:
- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install govulncheck
run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@0782b76014f15f24e22a438f30f308df42899ba1 # 1.3.0

- name: Scan source code for known vulnerabilities
run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...

- name: Post to slack
if: failure() && github.event_name == 'schedule'
uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
with:
method: chat.postMessage
token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
Expand Down
Loading