Cherry-picks for v2.12.1-RC.2

.github/actions/nightly-release/action.yaml

@@ -10,6 +10,11 @@ inputs:
     description: Docker hub password
     required: true
 
+  name:
+    description: The name of the build
+    default: nightly
+    required: false
+
   workdir:
     description: The working directory for actions requiring it
     required: true
@@ -21,16 +26,31 @@ runs:
       shell: bash
       run: docker login -u "${{ inputs.hub_username }}" -p "${{ inputs.hub_password }}"
 
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
         go-version: stable
 
+    - name: Generate build metadata
+      shell: sh
+      run: |
+        echo "BUILD_DATE=$(date +%Y%m%d)" >> $GITHUB_ENV
+        echo "GIT_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+        echo "BUILD_NAME=$(echo ${{ inputs.name }} | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9.-]/-/g')" >> $GITHUB_ENV
+
     - name: Build and push Docker images
-      # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
-      # Commit 9ed2f89a662bf1735a48bc8557fd212fa902bebf = tag v6.1.0
-      uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf
+      uses: docker/build-push-action@v6
       with:
-        workdir: "${{ inputs.workdir }}"
-        version: ~> v2
-        args: release --skip=announce,validate --config .goreleaser-nightly.yml
+        context: "${{ inputs.workdir }}"
+        file: "${{ inputs.workdir }}/docker/Dockerfile.nightly"
+        build-args: |
+          VERSION=nightly-${{ env.BUILD_DATE }}
+          GIT_COMMIT=${{ env.GIT_COMMIT }}
+        platforms: linux/amd64,linux/arm64
+        push: true
+        tags: |
+          synadia/nats-server:${{ env.BUILD_NAME }}
+          synadia/nats-server:${{ env.BUILD_NAME }}-${{ env.BUILD_DATE }}

.github/workflows/nightly.yaml

@@ -29,6 +29,7 @@ jobs:
 
       - uses: ./src/github.com/nats-io/nats-server/.github/actions/nightly-release
         with:
+          name: ${{ inputs.target || 'nightly' }}
           workdir: src/github.com/nats-io/nats-server
           hub_username: "${{ secrets.DOCKER_USERNAME }}"
           hub_password: "${{ secrets.DOCKER_PASSWORD }}"

.github/workflows/release.yaml

@@ -38,8 +38,8 @@ jobs:
 
       - name: Install syft
         # Use commit hash here to avoid a re-tagging attack, as this is a third-party action
-        # Commit da167eac915b4e86f08b264dbdbc867b61be6f0c = tag v0.20.5
-        uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c
+        # Commit f8bdd1d8ac5e901a77a92f111440fdb1b593736b = tag v0.20.6
+        uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b
         with:
           syft-version: "v1.27.1"
 

docker/Dockerfile.nightly

@@ -1,24 +1,38 @@
 FROM golang:alpine AS builder
 
 ARG VERSION="nightly"
+ARG GIT_COMMIT
+ARG TARGETOS
+ARG TARGETARCH
 
-RUN apk add --update git
-RUN mkdir -p src/github.com/nats-io && \
-    cd src/github.com/nats-io/ && \
-    git clone https://github.com/nats-io/natscli.git && \
-    cd natscli/nats && \
-    go build -ldflags "-w -X main.version=${VERSION}" -o /nats
+ENV GOOS=$TARGETOS \
+    GOARCH=$TARGETARCH \
+    GO111MODULE=on \
+    CGO_ENABLED=0
 
-RUN go install github.com/nats-io/nsc/v2@latest
+RUN apk add --no-cache git ca-certificates
+RUN mkdir -p /src/nats-server /src/natscli /src/nsc
 
-FROM alpine:latest
+COPY . /src/nats-server
+RUN git clone --depth 1 https://github.com/nats-io/natscli /src/natscli
+RUN git clone --depth 1 https://github.com/nats-io/nsc /src/nsc
+
+WORKDIR /src/nats-server
+RUN go install -v -trimpath -ldflags "-w -X server.serverVersion=${VERSION},server.gitCommit=${GIT_COMMIT}" .
+
+WORKDIR /src/natscli
+RUN go install -v -trimpath -ldflags "-w -X main.version=${VERSION}" ./nats
 
-RUN apk add --update ca-certificates && mkdir -p /nats/bin && mkdir /nats/conf
+WORKDIR /src/nsc
+RUN go install -v -trimpath .
+
+FROM alpine:latest
 
 COPY docker/nats-server.conf /nats/conf/nats-server.conf
-COPY nats-server /bin/nats-server
-COPY --from=builder /nats /bin/nats
+COPY --from=builder /go/bin/nats-server /bin/nats-server
+COPY --from=builder /go/bin/nats /bin/nats
 COPY --from=builder /go/bin/nsc /bin/nsc
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
 EXPOSE 4222 8222 6222 5222
 

go.mod

@@ -6,11 +6,11 @@ toolchain go1.24.7
 
 require (
 	github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op
-	github.com/google/go-tpm v0.9.5
+	github.com/google/go-tpm v0.9.6
 	github.com/klauspost/compress v1.18.0
 	github.com/minio/highwayhash v1.0.3
 	github.com/nats-io/jwt/v2 v2.8.0
-	github.com/nats-io/nats.go v1.45.0
+	github.com/nats-io/nats.go v1.46.1
 	github.com/nats-io/nkeys v0.4.11
 	github.com/nats-io/nuid v1.0.1
 	go.uber.org/automaxprocs v1.6.0

go.sum

@@ -2,16 +2,16 @@ github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op h1:+OSa/t11TFhqfr
 github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op/go.mod h1:IUpT2DPAKh6i/YhSbt6Gl3v2yvUZjmKncl7U91fup7E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
-github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.6 h1:Ku42PT4LmjDu1H5C5ISWLlpI1mj+Zq7sPGKoRw2XROA=
+github.com/google/go-tpm v0.9.6/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD6Q=
 github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
 github.com/nats-io/jwt/v2 v2.8.0 h1:K7uzyz50+yGZDO5o772eRE7atlcSEENpL7P+b74JV1g=
 github.com/nats-io/jwt/v2 v2.8.0/go.mod h1:me11pOkwObtcBNR8AiMrUbtVOUGkqYjMQZ6jnSdVUIA=
-github.com/nats-io/nats.go v1.45.0 h1:/wGPbnYXDM0pLKFjZTX+2JOw9TQPoIgTFrUaH97giwA=
-github.com/nats-io/nats.go v1.45.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
+github.com/nats-io/nats.go v1.46.1 h1:bqQ2ZcxVd2lpYI97xYASeRTY3I5boe/IVmuUDPitHfo=
+github.com/nats-io/nats.go v1.46.1/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
 github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
 github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=

server/config_check_test.go

@@ -2398,6 +2398,98 @@ func TestConfigCheck(t *testing.T) {
 			errorLine: 9,
 			errorPos:  9,
 		},
+		{
+			name: "leafnode proxy with unsupported scheme",
+			config: `
+				leafnodes {
+					remotes = [
+						{
+							url: "ws://127.0.0.1:7422"
+							proxy {
+								url: "ftp://proxy.example.com:8080"
+							}
+						}
+					]
+				}
+			`,
+			err:       errors.New("proxy URL scheme must be http or https, got: ftp"),
+			errorLine: 6,
+			errorPos:  8,
+		},
+		{
+			name: "leafnode proxy with missing host",
+			config: `
+				leafnodes {
+					remotes = [
+						{
+							url: "ws://127.0.0.1:7422"
+							proxy {
+								url: "http://"
+							}
+						}
+					]
+				}
+			`,
+			err:       errors.New("proxy URL must specify a host"),
+			errorLine: 6,
+			errorPos:  8,
+		},
+		{
+			name: "leafnode proxy with username but no password",
+			config: `
+				leafnodes {
+					remotes = [
+						{
+							url: "ws://127.0.0.1:7422"
+							proxy {
+								url: "http://proxy.example.com:8080"
+								username: "testuser"
+							}
+						}
+					]
+				}
+			`,
+			err:       errors.New("proxy username and password must both be specified or both be empty"),
+			errorLine: 6,
+			errorPos:  8,
+		},
+		{
+			name: "leafnode proxy with password but no username",
+			config: `
+				leafnodes {
+					remotes = [
+						{
+							url: "ws://127.0.0.1:7422"
+							proxy {
+								url: "http://proxy.example.com:8080"
+								password: "testpass"
+							}
+						}
+					]
+				}
+			`,
+			err:       errors.New("proxy username and password must both be specified or both be empty"),
+			errorLine: 6,
+			errorPos:  8,
+		},
+		{
+			name: "leafnode proxy with WSS URL but no TLS config",
+			config: `
+				leafnodes {
+					remotes = [
+						{
+							url: "wss://127.0.0.1:7422"
+							proxy {
+								url: "http://proxy.example.com:8080"
+							}
+						}
+					]
+				}
+			`,
+			err:       errors.New("proxy is configured but remote URL wss://127.0.0.1:7422 requires TLS and no TLS configuration is provided"),
+			errorLine: 6,
+			errorPos:  8,
+		},
 	}
 
 	checkConfig := func(config string) error {

server/errors.json

@@ -1988,5 +1988,15 @@
     "help": "",
     "url": "",
     "deprecates": ""
+  },
+  {
+    "constant": "JSAtomicPublishContainsDuplicateMessageErr",
+    "code": 400,
+    "error_code": 10201,
+    "description": "atomic publish batch contains duplicate message id",
+    "comment": "",
+    "help": "",
+    "url": "",
+    "deprecates": ""
   }
 ]