fix(test): Add Authority Key Identifier to SSL certificates (#4162 )

Allow configuring Sentry taskworker concurrency via env (#4149 )
* Allow configuring Sentry taskworker concurrency via env * Update comment for SENTRY_TASKWORKER_CONCURRENCY ENV
2026-02-06 10:57:17 +00:00 · 2026-02-06 05:06:13 +07:00 · 2026-02-04 12:04:48 +07:00 · 2026-02-04 05:12:21 +07:00 · 2026-02-03 19:39:56 +07:00 · 2026-02-03 18:23:31 +07:00
12 changed files with 77 additions and 32 deletions
--- a/.craft.yml
+++ b/.craft.yml
@ -3,4 +3,6 @@ changelogPolicy: auto
 artifactProvider:
  name: none
 targets:
-  - name: github
+- name: github
+versioning:
+  policy: calver
--- a/.env
+++ b/.env
@ -9,13 +9,15 @@ SENTRY_EVENT_RETENTION_DAYS=90
 SENTRY_BIND=9000
 # Set SENTRY_MAIL_HOST to a valid FQDN (host/domain name) to be able to send emails!
 # SENTRY_MAIL_HOST=example.com
-SENTRY_IMAGE=ghcr.io/getsentry/sentry:26.1.0
-SNUBA_IMAGE=ghcr.io/getsentry/snuba:26.1.0
-RELAY_IMAGE=ghcr.io/getsentry/relay:26.1.0
-SYMBOLICATOR_IMAGE=ghcr.io/getsentry/symbolicator:26.1.0
-TASKBROKER_IMAGE=ghcr.io/getsentry/taskbroker:26.1.0
-VROOM_IMAGE=ghcr.io/getsentry/vroom:26.1.0
-UPTIME_CHECKER_IMAGE=ghcr.io/getsentry/uptime-checker:26.1.0
+# Parallel taskworker processes (higher values increase memory usage; >32 not recommended)
+SENTRY_TASKWORKER_CONCURRENCY=4
+SENTRY_IMAGE=ghcr.io/getsentry/sentry:nightly
+SNUBA_IMAGE=ghcr.io/getsentry/snuba:nightly
+RELAY_IMAGE=ghcr.io/getsentry/relay:nightly
+SYMBOLICATOR_IMAGE=ghcr.io/getsentry/symbolicator:nightly
+TASKBROKER_IMAGE=ghcr.io/getsentry/taskbroker:nightly
+VROOM_IMAGE=ghcr.io/getsentry/vroom:nightly
+UPTIME_CHECKER_IMAGE=ghcr.io/getsentry/uptime-checker:nightly
 HEALTHCHECK_INTERVAL=30s
 HEALTHCHECK_TIMEOUT=1m30s
 HEALTHCHECK_RETRIES=10
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@ -0,0 +1,19 @@
+name: Changelog Preview
+on:
+  pull_request_target:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - edited
+    - labeled
+    - unlabeled
+permissions:
+  contents: write
+  pull-requests: write
+  statuses: write
+
+jobs:
+  changelog-preview:
+    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
+    secrets: inherit
--- a/.github/workflows/fast-revert.yml
+++ b/.github/workflows/fast-revert.yml
@ -19,7 +19,7 @@ jobs:
    if: |
      github.event_name == 'workflow_dispatch' || github.event.label.name == 'Trigger: Revert'
    steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.BUMP_SENTRY_TOKEN }}
      - uses: getsentry/action-fast-revert@35b4b6c1f8f91b5911159568b3b15e531b5b8174 # v2.0.1
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@ -12,8 +12,8 @@ jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: 3.x
    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -3,7 +3,7 @@ on:
  workflow_dispatch:
    inputs:
      version:
-        description: Version to release (optional)
+        description: Version to release (or "auto")
        required: false
      force:
        description: Force a release even when there are release-blockers (optional)
@ -27,13 +27,13 @@ jobs:
        with:
          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.token.outputs.token }}
          fetch-depth: 0
      - name: Prepare release
        id: prepare-release
-        uses: getsentry/action-prepare-release@3cea80dc3938c0baf5ec4ce752ecb311f8780cdc # v1.6.4
+        uses: getsentry/craft@beea4aba589c66381258cbd131c5551ae8245b82 # v2
        env:
          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
        with:
@ -48,10 +48,10 @@ jobs:
    name: Create release on self-hosted dogfood instance
    needs: release
    steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
-      - uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3.4.0
+      - uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3.5.0
        env:
          SENTRY_ORG: self-hosted
          SENTRY_PROJECT: installer
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Repository checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -32,7 +32,7 @@ jobs:
    name: ${{ matrix.os == 'ubuntu-24.04-arm' && 'unit tests (arm64)' || 'unit tests' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Get Compose
        uses: ./get-compose-action
@ -56,7 +56,7 @@ jobs:
      CONTAINER_ENGINE_PODMAN: ${{ matrix.container_engine == 'podman' && '1' || '0' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Podman
        if: matrix.container_engine == 'podman'
--- a/_integration-test/test_01_basics.py
+++ b/_integration-test/test_01_basics.py
@ -203,7 +203,11 @@ def test_custom_certificate_authorities():
        .add_extension(
            x509.NameConstraints([x509.DNSName("self.test")], None), critical=True
        )
-        .sign(private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend())
+        .add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()),
+            critical=False,
+        )
+        .sign(private_key=ca_key, algorithm=hashes.SHA256())
    )

    ca_key_path = f"{test_nginx_conf_path}/ca.key"
@ -262,12 +266,24 @@ def test_custom_certificate_authorities():
        )
        .issuer_name(ca_cert.issuer)
        .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.utcnow())
-        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1))
+        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
+        .not_valid_after(
+            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)
+        )
        .public_key(self_test_req.public_key())
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName("self.test")]), critical=False
        )
+        .add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(self_test_req.public_key()),
+            critical=False,
+        )
+        .add_extension(
+            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+                ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
+            ),
+            critical=False,
+        )
        .sign(private_key=ca_key, algorithm=hashes.SHA256())
    )

@ -305,12 +321,18 @@ def test_custom_certificate_authorities():
            )
        )
        .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.utcnow())
-        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1))
+        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
+        .not_valid_after(
+            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=1)
+        )
        .public_key(fake_test_key.public_key())
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName("fake.test")]), critical=False
        )
+        .add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(fake_test_key.public_key()),
+            critical=False,
+        )
        .sign(private_key=fake_test_key, algorithm=hashes.SHA256())
    )

--- a/action.yaml
+++ b/action.yaml
@ -52,7 +52,7 @@ runs:
        df -h

    - name: Setup uv
-      uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
      with:
        working-directory: ${{ github.action_path }}
        version: "0.9.15"
@ -190,7 +190,7 @@ runs:
        free -h

    - name: Setup Nodejs
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
      with:
        node-version: "22.x"

@ -217,7 +217,7 @@ runs:
    - name: Upload coverage to Codecov
      if: inputs.CODECOV_TOKEN
      continue-on-error: true
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
      with:
        directory: ${{ github.action_path }}
        token: ${{ inputs.CODECOV_TOKEN }}
@ -226,7 +226,7 @@ runs:
    - name: Upload test results to Codecov
      if: inputs.CODECOV_TOKEN && !cancelled()
      continue-on-error: true
-      uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+      uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
      with:
        directory: ${{ github.action_path }}
        token: ${{ inputs.CODECOV_TOKEN }}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -745,7 +745,7 @@ services:
    command: run taskworker-scheduler
  taskworker:
    <<: *sentry_defaults
-    command: run taskworker --concurrency=4 --rpc-host=taskbroker:50051 --health-check-file-path=/tmp/health.txt
+    command: run taskworker --concurrency=$SENTRY_TASKWORKER_CONCURRENCY --rpc-host=taskbroker:50051 --health-check-file-path=/tmp/health.txt
    healthcheck:
      <<: *file_healthcheck_defaults
  vroom:
--- a/uv.lock
+++ b/uv.lock
@ -541,11 +541,11 @@ wheels = [

 [[package]]
 name = "urllib3"
-version = "2.5.0"
+version = "2.6.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/15/22/9ee70a2574a4f4599c47dd506532914ce044817c7752a79b6a51286319bc/urllib3-2.5.0.tar.gz", hash = "sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760", size = 393185, upload-time = "2025-06-18T14:07:41.644Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a7/c2/fe1e52489ae3122415c51f387e221dd0773709bad6c6cdaa599e8a2c5185/urllib3-2.5.0-py3-none-any.whl", hash = "sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc", size = 129795, upload-time = "2025-06-18T14:07:40.39Z" },
+    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]

 [[package]]
Author	SHA1	Message	Date
Alexander Tarasov	1ca56db7b2	fix(test): Add Authority Key Identifier to SSL certificates (#4162 )	2026-02-06 05:06:13 +07:00
Kliachin Aleksei	16982c307f	Allow configuring Sentry taskworker concurrency via env (#4149 ) * Allow configuring Sentry taskworker concurrency via env * Update comment for SENTRY_TASKWORKER_CONCURRENCY ENV	2026-02-04 12:04:48 +07:00
dependabot[bot]	940074a527	build(deps): bump getsentry/action-release from 3.4.0 to 3.5.0 (#4133 )	2026-02-04 05:12:21 +07:00
dependabot[bot]	66a3091d46	build(deps): bump actions/checkout from 6.0.0 to 6.0.2 (#4155 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](`1af3b93b68...de0fac2e45`) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-03 19:39:56 +07:00
Burak Yigit Kaya	f69cca201d	ci: Fix changelog-preview for external contributors (#4158 )	2026-02-03 18:23:31 +07:00
dependabot[bot]	2fafd08ee2	build(deps): bump actions/setup-python from 6.1.0 to 6.2.0 (#4154 ) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 6.1.0 to 6.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](`83679a892e...a309ff8b42`) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-03 14:30:13 +07:00
dependabot[bot]	b0927e7791	build(deps): bump getsentry/craft from 2.19.0 to 2.20.1 (#4152 ) Bumps [getsentry/craft](https://github.com/getsentry/craft) from 2.19.0 to 2.20.1. - [Release notes](https://github.com/getsentry/craft/releases) - [Changelog](https://github.com/getsentry/craft/blob/master/CHANGELOG.md) - [Commits](`c6e2f04939...beea4aba58`) --- updated-dependencies: - dependency-name: getsentry/craft dependency-version: 2.20.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-03 13:41:41 +07:00
dependabot[bot]	febec823fc	build(deps): bump actions/setup-node from 6.1.0 to 6.2.0 (#4153 )	2026-02-02 18:44:27 +07:00
Burak Yigit Kaya	f7afd67325	ci: Fix changelog-preview permissions (#4156 ) New versions need `statuses: check` for the quiet workflow	2026-02-02 11:43:35 +00:00
dependabot[bot]	db2ac8108a	build(deps): bump astral-sh/setup-uv from 7.1.6 to 7.2.0 (#4132 )	2026-02-01 11:38:27 +00:00
dependabot[bot]	fdf5222edc	build(deps): bump codecov/test-results-action from 1.1.1 to 1.2.1 (#4115 )	2026-02-01 11:36:00 +00:00
dependabot[bot]	a88cdf565a	build(deps): bump codecov/codecov-action from 5.5.1 to 5.5.2 (#4102 )	2026-02-01 11:35:18 +00:00
dependabot[bot]	e57a68d852	build(deps): bump urllib3 from 2.5.0 to 2.6.3 (#4150 )	2026-02-01 18:21:56 +07:00
Burak Yigit Kaya	7a4ea817f4	ci(release): Switch from action-prepare-release to Craft (#4129 )	2026-01-31 06:51:55 +07:00
getsentry-bot	4fc7f4a217	build: Set master version to nightly #skip-changelog	2026-01-15 22:33:41 +00:00
getsentry-bot	8ae7a4b03f	Merge branch 'release/26.1.0'	2026-01-15 22:33:39 +00:00