fix(test): Add Authority Key Identifier to SSL certificates (#4162)

* Allow configuring Sentry taskworker concurrency via env

* Update comment for SENTRY_TASKWORKER_CONCURRENCY ENV

.craft.yml

@@ -3,4 +3,6 @@ changelogPolicy: auto
 artifactProvider:
   name: none
 targets:
-  - name: github
+- name: github
+versioning:
+  policy: calver

.env

@@ -9,13 +9,15 @@ SENTRY_EVENT_RETENTION_DAYS=90
 SENTRY_BIND=9000
 # Set SENTRY_MAIL_HOST to a valid FQDN (host/domain name) to be able to send emails!
 # SENTRY_MAIL_HOST=example.com
-SENTRY_IMAGE=ghcr.io/getsentry/sentry:25.12.1
-SNUBA_IMAGE=ghcr.io/getsentry/snuba:25.12.1
-RELAY_IMAGE=ghcr.io/getsentry/relay:25.12.1
-SYMBOLICATOR_IMAGE=ghcr.io/getsentry/symbolicator:25.12.1
-TASKBROKER_IMAGE=ghcr.io/getsentry/taskbroker:25.12.1
-VROOM_IMAGE=ghcr.io/getsentry/vroom:25.12.1
-UPTIME_CHECKER_IMAGE=ghcr.io/getsentry/uptime-checker:25.12.1
+# Parallel taskworker processes (higher values increase memory usage; >32 not recommended)
+SENTRY_TASKWORKER_CONCURRENCY=4
+SENTRY_IMAGE=ghcr.io/getsentry/sentry:nightly
+SNUBA_IMAGE=ghcr.io/getsentry/snuba:nightly
+RELAY_IMAGE=ghcr.io/getsentry/relay:nightly
+SYMBOLICATOR_IMAGE=ghcr.io/getsentry/symbolicator:nightly
+TASKBROKER_IMAGE=ghcr.io/getsentry/taskbroker:nightly
+VROOM_IMAGE=ghcr.io/getsentry/vroom:nightly
+UPTIME_CHECKER_IMAGE=ghcr.io/getsentry/uptime-checker:nightly
 HEALTHCHECK_INTERVAL=30s
 HEALTHCHECK_TIMEOUT=1m30s
 HEALTHCHECK_RETRIES=10

.github/workflows/changelog-preview.yml

@@ -0,0 +1,19 @@
+name: Changelog Preview
+on:
+  pull_request_target:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - edited
+    - labeled
+    - unlabeled
+permissions:
+  contents: write
+  pull-requests: write
+  statuses: write
+
+jobs:
+  changelog-preview:
+    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
+    secrets: inherit

.github/workflows/fast-revert.yml

@@ -19,7 +19,7 @@ jobs:
     if: |
       github.event_name == 'workflow_dispatch' || github.event.label.name == 'Trigger: Revert'
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.BUMP_SENTRY_TOKEN }}
       - uses: getsentry/action-fast-revert@35b4b6c1f8f91b5911159568b3b15e531b5b8174 # v2.0.1

.github/workflows/pre-commit.yml

@@ -12,8 +12,8 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: 3.x
     - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/release.yml

@@ -3,7 +3,7 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: Version to release (optional)
+        description: Version to release (or "auto")
         required: false
       force:
         description: Force a release even when there are release-blockers (optional)
@@ -27,13 +27,13 @@ jobs:
         with:
           app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ steps.token.outputs.token }}
           fetch-depth: 0
       - name: Prepare release
         id: prepare-release
-        uses: getsentry/action-prepare-release@3cea80dc3938c0baf5ec4ce752ecb311f8780cdc # v1.6.4
+        uses: getsentry/craft@beea4aba589c66381258cbd131c5551ae8245b82 # v2
         env:
           GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:
@@ -48,10 +48,10 @@ jobs:
     name: Create release on self-hosted dogfood instance
     needs: release
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3.4.0
+      - uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3.5.0
         env:
           SENTRY_ORG: self-hosted
           SENTRY_PROJECT: installer

.github/workflows/shellcheck.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Repository checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 

.github/workflows/test.yml

@@ -32,7 +32,7 @@ jobs:
     name: ${{ matrix.os == 'ubuntu-24.04-arm' && 'unit tests (arm64)' || 'unit tests' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Get Compose
         uses: ./get-compose-action
@@ -56,7 +56,7 @@ jobs:
       CONTAINER_ENGINE_PODMAN: ${{ matrix.container_engine == 'podman' && '1' || '0' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Podman
         if: matrix.container_engine == 'podman'

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 26.1.0
+
+### New Features ✨
+
+- Switch nodestore-s3 package to getsentry org by @aldy505 in [#4119](https://github.com/getsentry/self-hosted/pull/4119)
+
+### Build / dependencies / internal 🔧
+
+- (deps) Bump astral-sh/setup-uv from 7.1.5 to 7.1.6 by @dependabot in [#4100](https://github.com/getsentry/self-hosted/pull/4100)
+
+### Other
+
+- Include SDK version 10 when using local JS SDK assets by @hsgt-brice in [#4130](https://github.com/getsentry/self-hosted/pull/4130)
+
 ## 25.12.1
 
 ### Build / dependencies / internal 🔧

_integration-test/test_01_basics.py

@@ -203,7 +203,11 @@ def test_custom_certificate_authorities():
         .add_extension(
             x509.NameConstraints([x509.DNSName("self.test")], None), critical=True
         )
-        .sign(private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend())
+        .add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()),
+            critical=False,
+        )
+        .sign(private_key=ca_key, algorithm=hashes.SHA256())
     )
 
     ca_key_path = f"{test_nginx_conf_path}/ca.key"
@@ -262,12 +266,24 @@ def test_custom_certificate_authorities():
         )
         .issuer_name(ca_cert.issuer)
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.utcnow())
-        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1))
+        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
+        .not_valid_after(
+            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)
+        )
         .public_key(self_test_req.public_key())
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName("self.test")]), critical=False
         )
+        .add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(self_test_req.public_key()),
+            critical=False,
+        )
+        .add_extension(
+            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+                ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
+            ),
+            critical=False,
+        )
         .sign(private_key=ca_key, algorithm=hashes.SHA256())
     )
 
@@ -305,12 +321,18 @@ def test_custom_certificate_authorities():
             )
         )
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.utcnow())
-        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1))
+        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
+        .not_valid_after(
+            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)
+        )
         .public_key(fake_test_key.public_key())
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName("fake.test")]), critical=False
         )
+        .add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(fake_test_key.public_key()),
+            critical=False,
+        )
         .sign(private_key=fake_test_key, algorithm=hashes.SHA256())
     )
 

_unit-test/js-sdk-assets-test.sh

@@ -13,28 +13,28 @@ sdk_files=$($dcr --no-deps nginx ls -lah /var/www/js-sdk/)
 sdk_tree=$($dcr --no-deps nginx tree /var/www/js-sdk/ | tail -n 1)
 non_empty_file_count=$($dcr --no-deps nginx find /var/www/js-sdk/ -type f -size +1k | wc -l)
 
-# `sdk_files` should contains 5 lines, '4.*', '5.*', '6.*', `7.*` and `8.*`
+# `sdk_files` should contains 7 lines, '4.*', '5.*', '6.*', `7.*`, `8.*`, `9.*`, and `10.*`
 echo $sdk_files
-total_directories=$(echo "$sdk_files" | grep -c '[45678]\.[0-9]*\.[0-9]*$')
+total_directories=$(echo "$sdk_files" | grep -c '[4-9|10]\.[0-9]*\.[0-9]*$')
 echo $total_directories
-test "5" == "$total_directories"
+test "7" == "$total_directories"
 echo "Pass"
 
-# `sdk_tree` should output "6 directories, 23 files"
+# `sdk_tree` should output "7 directories, 29 files"
 echo "$sdk_tree"
-test "6 directories, 23 files" == "$(echo "$sdk_tree")"
+test "7 directories, 29 files" == "$(echo "$sdk_tree")"
 echo "Pass"
 
 # Files should all be >1k (ensure they are not empty)
 echo "Testing file sizes"
-test "23" == "$non_empty_file_count"
+test "29" == "$non_empty_file_count"
 echo "Pass"
 
 # Files should be owned by the root user
 echo "Testing file ownership"
 directory_owners=$(echo "$sdk_files" | awk '$3=="root" { print $0 }' | wc -l)
 echo "$directory_owners"
-test "$directory_owners" == "8"
+test "$directory_owners" == "9"
 echo "Pass"
 
 report_success

action.yaml

@@ -52,7 +52,7 @@ runs:
         df -h
 
     - name: Setup uv
-      uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+      uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
       with:
         working-directory: ${{ github.action_path }}
         version: "0.9.15"
@@ -190,7 +190,7 @@ runs:
         free -h
 
     - name: Setup Nodejs
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
       with:
         node-version: "22.x"
 
@@ -217,7 +217,7 @@ runs:
     - name: Upload coverage to Codecov
       if: inputs.CODECOV_TOKEN
       continue-on-error: true
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
       with:
         directory: ${{ github.action_path }}
         token: ${{ inputs.CODECOV_TOKEN }}
@@ -226,7 +226,7 @@ runs:
     - name: Upload test results to Codecov
       if: inputs.CODECOV_TOKEN && !cancelled()
       continue-on-error: true
-      uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+      uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
       with:
         directory: ${{ github.action_path }}
         token: ${{ inputs.CODECOV_TOKEN }}

docker-compose.yml

@@ -745,7 +745,7 @@ services:
     command: run taskworker-scheduler
   taskworker:
     <<: *sentry_defaults
-    command: run taskworker --concurrency=4 --rpc-host=taskbroker:50051 --health-check-file-path=/tmp/health.txt
+    command: run taskworker --concurrency=$SENTRY_TASKWORKER_CONCURRENCY --rpc-host=taskbroker:50051 --health-check-file-path=/tmp/health.txt
     healthcheck:
       <<: *file_healthcheck_defaults
   vroom:

install/setup-js-sdk-assets.sh

@@ -21,17 +21,18 @@ if [[ "${SETUP_JS_SDK_ASSETS:-}" == "1" ]]; then
   # We want to remove everything before the first '{'.
   loader_registry=$(echo "$loader_registry" | sed '0,/{/s/[^{]*//')
 
-  #  Sentry backend provides SDK versions from v4.x up to v8.x.
+  #  Sentry backend provides SDK versions from v4.x up to v10.x.
   latest_js_v4=$(echo "$loader_registry" | $jq -r '.versions | reverse | map(select(.|any(.; startswith("4.")))) | .[0]')
   latest_js_v5=$(echo "$loader_registry" | $jq -r '.versions | reverse | map(select(.|any(.; startswith("5.")))) | .[0]')
   latest_js_v6=$(echo "$loader_registry" | $jq -r '.versions | reverse | map(select(.|any(.; startswith("6.")))) | .[0]')
   latest_js_v7=$(echo "$loader_registry" | $jq -r '.versions | reverse | map(select(.|any(.; startswith("7.")))) | .[0]')
   latest_js_v8=$(echo "$loader_registry" | $jq -r '.versions | reverse | map(select(.|any(.; startswith("8.")))) | .[0]')
   latest_js_v9=$(echo "$loader_registry" | $jq -r '.versions | reverse | map(select(.|any(.; startswith("9.")))) | .[0]')
+  latest_js_v10=$(echo "$loader_registry" | $jq -r '.versions | reverse | map(select(.|any(.; startswith("10.")))) | .[0]')
 
-  echo "Found JS SDKs: v${latest_js_v4}, v${latest_js_v5}, v${latest_js_v6}, v${latest_js_v7}, v${latest_js_v8}, v${latest_js_v9}"
+  echo "Found JS SDKs: v${latest_js_v4}, v${latest_js_v5}, v${latest_js_v6}, v${latest_js_v7}, v${latest_js_v8}, v${latest_js_v9}, v${latest_js_v10}"
 
-  versions="{$latest_js_v4,$latest_js_v5,$latest_js_v6,$latest_js_v7,$latest_js_v8,$latest_js_v9}"
+  versions="{$latest_js_v4,$latest_js_v5,$latest_js_v6,$latest_js_v7,$latest_js_v8,$latest_js_v9,$latest_js_v10}"
   variants="{bundle,bundle.tracing,bundle.tracing.replay,bundle.replay,bundle.tracing.replay.feedback,bundle.feedback}"
 
   # Download those versions & variants using curl

sentry/Dockerfile

@@ -1,7 +1,7 @@
 ARG SENTRY_IMAGE
 FROM ${SENTRY_IMAGE}
 
-RUN pip install https://github.com/stayallive/sentry-nodestore-s3/archive/main.zip
+RUN pip install https://github.com/getsentry/sentry-nodestore-s3/archive/main.zip
 
 COPY . /usr/src/sentry
 

uv.lock

@@ -541,11 +541,11 @@ wheels = [
 
 [[package]]
 name = "urllib3"
-version = "2.5.0"
+version = "2.6.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/15/22/9ee70a2574a4f4599c47dd506532914ce044817c7752a79b6a51286319bc/urllib3-2.5.0.tar.gz", hash = "sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760", size = 393185, upload-time = "2025-06-18T14:07:41.644Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a7/c2/fe1e52489ae3122415c51f387e221dd0773709bad6c6cdaa599e8a2c5185/urllib3-2.5.0-py3-none-any.whl", hash = "sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc", size = 129795, upload-time = "2025-06-18T14:07:40.39Z" },
+    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]
 
 [[package]]