Skip to content

Update module github.com/envoyproxy/gateway to v1.7.4 [SECURITY]#53764

Open
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/go-github.com-envoyproxy-gateway-vulnerability
Open

Update module github.com/envoyproxy/gateway to v1.7.4 [SECURITY]#53764
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/go-github.com-envoyproxy-gateway-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/envoyproxy/gateway v1.7.1v1.7.4 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Envoy Gateway custom backendRef cross-namespace ReferenceGrant bypass

CVE-2026-53718 / GHSA-fcrp-7gc2-93g7

More information

Details

Impact

Envoy Gateway accepts extension-managed custom backendRefs from an HTTPRoute to a backend resource in another namespace without requiring a matching Gateway API ReferenceGrant in the target namespace. This breaks the Gateway API cross-namespace consent model: the namespace that owns the referenced backend resource does not need to opt in with a ReferenceGrant before another namespace’s HTTPRoute can use that resource.

Patches

1.7.4
1.8.1

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit

CVE-2026-53716 / GHSA-cxpq-8v7q-cg56

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Attacker hosts a gzip-bomb at a reachable URL
  • sha256 unset (optional field; check is post-decompression anyway)
  • No operator Wasm-URL allowlist (none exists in code)

Description

getFileFromGZ calls io.ReadAll on a raw gzip.Reader (httpfetcher.go:216) with no output bound, while the compressed input is capped at 256 MiB (httpfetcher.go:139). The bytes originate from a tenant-controlled EnvoyExtensionPolicy.spec.wasm[].code.http.url (envoyextensionpolicy.go:1077 → cache.go:248 → httpfetcher.go:147 → :233), so an untrusted tenant can point at a ~10 MiB gzip-of-zeros and force ~10 GiB allocation in the shared controller process. All candidate guards execute either before the body is buffered or after decompression. OOM-kills, restarts, re-reconciles same CR, crash-loops — persistent cross-tenant control-plane outage with PR:L/AC:L and scope change → HIGH despite availability-only.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization

CVE-2026-53719 / GHSA-m2v6-2jmh-4c68

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant has SecurityPolicy + TCPRoute RBAC (baseline)
  • Tenant namespace permitted to attach TCPRoute to a Gateway listener
  • spec.authorization omitted (the trigger)
  • No admission webhook blocks the shape

Description:

A namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header

CVE-2026-53717 / GHSA-h7pq-86h8-rp5x

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Controller has egress to attacker-controlled OCI registry
  • No registry allowlist (none exists in code)
  • Layer presents Docker/OCI media type

Description

At imagefetcher.go:287, make([]byte, h.Size) uses the attacker-controlled tar-header size; the LimitReader at :278 bounds bytes read from the stream but not the header-declared size returned by tr.Next() (a 512-byte header can claim a multi-TB entry via PAX/GNU encoding). Reached from untrusted tenant input via EnvoyExtensionPolicy spec.wasm[].code.image.url (envoyextensionpolicy.go:1157 → cache.go:262/299 → imagefetcher.go:218 → :287), and the allocation happens for every tar entry regardless of filename. The resulting Go runtime OOM throw is unrecoverable and, because the CRD persists, crash-loops the shared controller — single-request, non-volumetric, cluster-wide DoS.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Wasm cache ServeHTTP reads mappingPath2Cache without lock

CVE-2026-53715 / GHSA-8fv2-88gg-hm7q

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Pod-network reachability to :18002 (no auth)
  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs
  • Read at :153 must overlap a write at :201/:209 (probabilistic, attacker controls both rates)

Description:

httpserver.go:153 reads s.mappingPath2Cache with no lock while httpserver.go:201/209 write it under s.Lock(); the struct uses a plain map. Writer is tenant-reachable via EnvoyExtensionPolicy translation, reader is pod-network-reachable on :18002 with per-request goroutines. Go's concurrent map read+write detection calls runtime.throw, which net/http's per-conn recover cannot catch, so the controller process exits — cross-tenant control-plane DoS. Capped at MEDIUM: DoS-only, k8s restarts pod, timing-dependent trigger.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure

CVE-2026-53713 / GHSA-wcrf-9vrr-854f

More information

Details

Impact

The to_absolute_normalized_path function (security.lua:28-43) does not collapse redundant path separators (// → /). On Linux, //etc/passwd is equivalent to /etc/passwd (POSIX path semantics), but is_critical_path fails to match the double-slash variant because //etc/passwd does not start with /etc/.

This allows Lua code submitted as an EnvoyExtensionPolicy to read arbitrary files from the gateway controller pod's filesystem during Strict validation (the default), including:

  • /etc/passwd
  • Kubernetes SA tokens via //var/run/secrets/kubernetes.io/serviceaccount/token
  • TLS certificates via //certs/...
  • Process environment via //proc/self/environ

These credentials can be used to read sensitive information from the K8s API Server or from the Gateway XDS server.

Patches

This has been patched in versions >= v1.7.4 and v1.8.1

  • Collapse redundant path separators (// to /) so double-slash variants like //etc/passwd and //var/run/secrets/... are matched by the critical-path check.
  • Rewrite the traversal check to reject any . or .. segment in any position and across both separator styles (catches /etc/./passwd, ./etc/passwd, /etc/.).
Workarounds

Please refer to the Warning section in Lua docs for measures to reduce risk.

Credits

Envoy Gateway thanks @​dashingDragon and @​Donjon-Cerberus for reporting this issue.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode

CVE-2026-53714 / GHSA-22xc-xg2r-9j7v

More information

Details

Impact

When Envoy Gateway runs in GatewayNamespaceMode (provider.kubernetes.deploy.type=GatewayNamespace), the xDS gRPC server is configured with a StreamInterceptor for JWT authentication but no UnaryInterceptor. The go-control-plane xDS server exposes both streaming and unary (Fetch) RPC methods for all registered discovery services. Since there is no unary interceptor, these Fetch endpoints are completely unauthenticated.

Additionally, the JWT authentication interceptor in GatewayNamespaceMode only validates tokens when the received gRPC message is of type discoveryv3.DeltaDiscoveryRequest . If the message is a discoveryv3.DiscoveryRequest — used by the State-of-the-World (SotW) xDS protocol — the type assertion fails, the validation block is skipped entirely, and RecvMsg returns nil (success) without any authentication.

Any pod in the cluster that can reach the xDS server (port 18000) can use the SotW protocol to bypass JWT authentication and access:

  • TLS private keys via StreamSecrets (SDS)
  • All xDS resources via StreamAggregatedResources (ADS)
  • Backend endpoints via StreamClusters / StreamEndpoints (CDS/EDS)
  • Routing rules via StreamRoutes / StreamListeners (RDS/LDS)
Credits

Envoy Gateway thanks @​dashingDragon and @​Donjon-Cerberus for reporting this issue.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

envoyproxy/gateway (github.com/envoyproxy/gateway)

v1.7.4

Compare Source

Release Announcement

Check out the v1.7.4 release announcement to learn more about the release.

What's Changed

Full Changelog: envoyproxy/gateway@v1.7.3...v1.7.4

v1.7.3

Compare Source

Release Announcement

Check out the v1.7.3 release announcement to learn more about the release.

What's Changed

Full Changelog: envoyproxy/gateway@v1.7.2...v1.7.3

v1.7.2

Compare Source

Release Announcement

Check out the [v1.7.2 release announcement]
(https://gateway.envoyproxy.io/news/releases/notes/v1.7.2) to learn more about the release.

What's Changed

Full Changelog: envoyproxy/gateway@v1.7.1...v1.7.2


Configuration

📅 Schedule: (in timezone Europe/Paris)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added changelog/no-changelog No changelog entry needed dependencies PRs that bump a dependency dependencies-go PRs that bump a go dependency qa/no-code-change No code change in Agent code requiring validation labels Jul 16, 2026
@dd-prapprover-prod-77c48c

dd-prapprover-prod-77c48c Bot commented Jul 16, 2026

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule datadog-agent-renovate - 2026-07-16T20:43:30Z
  • ✅ CI tests passed - 2026-07-17T00:00:38Z
  • ✅ Approved (commit: 952566a) - 2026-07-17T00:00:41Z
  • Manual merge required: this rule does not auto-merge.

➡️ Current phase: approved - manual merge required (this rule does not auto-merge)

@dd-octo-sts dd-octo-sts Bot added the internal Identify a non-fork PR label Jul 16, 2026
@github-actions github-actions Bot added the short review PR is simple enough to be reviewed quickly label Jul 16, 2026
@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 52.00% (+0.13%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 952566a | Docs | Datadog PR Page | Give us feedback!

@renovate
renovate Bot force-pushed the renovate/go-github.com-envoyproxy-gateway-vulnerability branch from 11eff3f to edc7ac2 Compare July 16, 2026 20:32
@dd-octo-sts

dd-octo-sts Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Files inventory check summary

File checks results against ancestor 8ebb23d3:

Results for datadog-agent_7.83.0~devel.git.176.952566a.pipeline.125137774-1_amd64.deb:

No change detected

This commit was created from the local commit with hash 7640cf5d2cb13d86379cf3445bc402c897f96dcb.
@dd-octo-sts

dd-octo-sts Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

/merge

@rdesgroppes rdesgroppes added the stop-updating Prevent auto updates from Renovate label Jul 16, 2026
@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 16, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-16 20:59:16 UTC ℹ️ Start processing command /merge


2026-07-16 20:59:23 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.


2026-07-16 22:05:09 UTC ℹ️ MergeQueue: merge request added to the queue

The expected merge time in main is approximately 2h (p90).


2026-07-16 23:35:21 UTC 🚨 MergeQueue: This merge request is in error

error while getting head build completion result

Details

Error: GET https://api.github.com/repos/DataDog/datadog-agent/commits/e0122667588552a30660dcbb6932c95f257866c3/check-runs?per_page=100: 503 [] (Request ID: 873A:2E6E8D:242DF3D:7D61879:6A5968A7)

FullStacktrace:
child workflow execution error (type: mergequeue_private.MergeQueue_WaitForChecksOrUntilIsFinal, workflowID: wait_checks_e0122667588552a30660dcbb6932c95f257866c3, runID: 019f6cf7-0e1a-7615-9846-27b0272b4489, initiatedEventID: 127, startedEventID: 129): child workflow execution error (type: mergequeue.MergeQueue_WaitForCompletionOfRef, workflowID: 019f6cf7-0e1a-7615-9846-27b0272b4489_8, runID: 019f6cf7-0ece-7e60-a122-44afb7407930, initiatedEventID: 8, startedEventID: 10): activity error (type: github.GithubService_GetCheckRunsFromRef, scheduledEventID: 378, startedEventID: 379, identity: 1@github-worker-655b4479f5-2kqjr@): GET https://api.github.com/repos/DataDog/datadog-agent/commits/e0122667588552a30660dcbb6932c95f257866c3/check-runs?per_page=100: 503 [] (Request ID: 873A:2E6E8D:242DF3D:7D61879:6A5968A7) (type: GitError, retryable: true)

@dd-octo-sts

dd-octo-sts Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 8ebb23d
📊 Static Quality Gates Dashboard
🔗 SQG Job

32 successful checks with minimal change (< 2 KiB)
Quality gate Current Size
agent_deb_amd64 750.057 MiB
agent_deb_amd64_fips 704.966 MiB
agent_heroku_amd64 307.921 MiB
agent_rpm_amd64 750.041 MiB
agent_rpm_amd64_fips 704.950 MiB
agent_rpm_arm64 726.644 MiB
agent_rpm_arm64_fips 685.238 MiB
agent_suse_amd64 750.041 MiB
agent_suse_amd64_fips 704.950 MiB
agent_suse_arm64 726.644 MiB
agent_suse_arm64_fips 685.238 MiB
docker_agent_amd64 808.760 MiB
docker_agent_arm64 810.371 MiB
docker_agent_jmx_amd64 999.658 MiB
docker_agent_jmx_arm64 989.921 MiB
docker_cluster_agent_amd64 209.791 MiB
docker_cluster_agent_arm64 222.889 MiB
docker_cws_instrumentation_amd64 7.447 MiB
docker_cws_instrumentation_arm64 6.877 MiB
docker_dogstatsd_amd64 39.223 MiB
docker_dogstatsd_arm64 37.367 MiB
docker_host_profiler_amd64 303.100 MiB
docker_host_profiler_arm64 314.592 MiB
dogstatsd_deb_amd64 29.960 MiB
dogstatsd_deb_arm64 28.003 MiB
dogstatsd_rpm_amd64 29.960 MiB
dogstatsd_suse_amd64 29.960 MiB
iot_agent_deb_amd64 46.109 MiB
iot_agent_deb_arm64 42.805 MiB
iot_agent_deb_armhf 43.573 MiB
iot_agent_rpm_amd64 46.110 MiB
iot_agent_suse_amd64 46.109 MiB

@cit-pr-commenter-54b7da

Copy link
Copy Markdown

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: be8cf158-1116-4291-a6a1-6fb2b3d1c48e

Baseline: ccd03be
Comparison: 952566a
Diff

❌ Experiments with retried target crashes

This is a critical error. One or more replicates failed with a non-zero exit code. These replicates may have been retried. See Replicate Execution Details for more information.

  • quality_gate_idle_all_features

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
quality_gate_metrics_logs memory utilization +0.89 [+0.64, +1.14] 1 Logs bounds checks dashboard
quality_gate_logs % cpu utilization +0.48 [-0.50, +1.45] 1 Logs bounds checks dashboard
quality_gate_idle_all_features memory utilization +0.48 [+0.41, +0.54] 1 Logs bounds checks dashboard
quality_gate_security_mean_fs_load memory utilization +0.23 [+0.20, +0.27] 1 Logs bounds checks dashboard
quality_gate_security_no_fs_load memory utilization -0.11 [-0.20, -0.02] 1 Logs bounds checks dashboard
quality_gate_idle memory utilization -0.15 [-0.20, -0.10] 1 Logs bounds checks dashboard
quality_gate_security_idle memory utilization -0.34 [-0.40, -0.27] 1 Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf experiment bounds_check_name replicates_passed observed_value links
quality_gate_idle intake_connections 10/10 3 ≤ 4 bounds checks dashboard
quality_gate_idle memory_usage 10/10 147.31MiB ≤ 154MiB bounds checks dashboard
quality_gate_idle total_bytes_received 10/10 734.86KiB ≤ 819.20KiB bounds checks dashboard
quality_gate_idle_all_features intake_connections 10/10 3 ≤ 4 bounds checks dashboard
quality_gate_idle_all_features memory_usage 10/10 491.88MiB ≤ 495MiB bounds checks dashboard
quality_gate_idle_all_features total_bytes_received 10/10 1.12MiB ≤ 1.25MiB bounds checks dashboard
quality_gate_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_logs memory_usage 10/10 183.68MiB ≤ 195MiB bounds checks dashboard
quality_gate_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_logs total_bytes_received 10/10 264.16MiB ≤ 292MiB bounds checks dashboard
quality_gate_metrics_logs cpu_usage 10/10 363.72 ≤ 2000 bounds checks dashboard
quality_gate_metrics_logs intake_connections 10/10 3 ≤ 6 bounds checks dashboard
quality_gate_metrics_logs memory_usage 10/10 401.13MiB ≤ 430MiB bounds checks dashboard
quality_gate_metrics_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_metrics_logs total_bytes_received 10/10 0.94GiB ≤ 1.04GiB bounds checks dashboard
quality_gate_security_idle cpu_usage 10/10 31.18 ≤ 100 bounds checks dashboard
quality_gate_security_idle memory_usage 10/10 297.33MiB ≤ 330MiB bounds checks dashboard
quality_gate_security_mean_fs_load cpu_usage 10/10 61.46 ≤ 200 bounds checks dashboard
quality_gate_security_mean_fs_load memory_usage 10/10 274.00MiB ≤ 310MiB bounds checks dashboard
quality_gate_security_no_fs_load cpu_usage 10/10 22.58 ≤ 100 bounds checks dashboard
quality_gate_security_no_fs_load memory_usage 10/10 284.58MiB ≤ 320MiB bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

Replicate Execution Details

We run multiple replicates for each experiment/variant. However, we allow replicates to be automatically retried if there are any failures, up to 8 times, at which point the replicate is marked dead and we are unable to run analysis for the entire experiment. We call each of these attempts at running replicates a replicate execution. This section lists all replicate executions that failed due to the target crashing or being oom killed.

Note: In the below tables we bucket failures by experiment, variant, and failure type. For each of these buckets we list out the replicate indexes that failed with an annotation signifying how many times said replicate failed with the given failure mode. In the below example the baseline variant of the experiment named experiment_with_failures had two replicates that failed by oom kills. Replicate 0, which failed 8 executions, and replicate 1 which failed 6 executions, all with the same failure mode.

Experiment Variant Replicates Failure Logs Debug Dashboard
experiment_with_failures baseline 0 (x8) 1 (x6) Oom killed Debug Dashboard

The debug dashboard links will take you to a debugging dashboard specifically designed to investigate replicate execution failures.

❌ Retried Normal Replicate Execution Failures (non-profiling)

Experiment Variant Replicates Failure Debug Dashboard
quality_gate_idle_all_features comparison 9 Oom killed Debug Dashboard

❌ Retried Profiling Replicate Execution Failures (ddprof)

Note: Profiling replicas may still be executing. See the debug dashboard for up to date status.

Experiment Variant Replicates Failure Debug Dashboard
quality_gate_idle baseline 10 Oom killed Debug Dashboard
quality_gate_idle comparison 10 Oom killed Debug Dashboard
quality_gate_idle_all_features baseline 10 Oom killed Debug Dashboard
quality_gate_idle_all_features comparison 10 Oom killed Debug Dashboard
quality_gate_logs baseline 10 Oom killed Debug Dashboard
quality_gate_logs comparison 10 Oom killed Debug Dashboard
quality_gate_metrics_logs baseline 10 Oom killed Debug Dashboard
quality_gate_metrics_logs comparison 10 Oom killed Debug Dashboard
quality_gate_security_no_fs_load baseline 10 Crashed (exit code: 134) Debug Dashboard
quality_gate_security_no_fs_load comparison 10 Crashed (exit code: 134) Debug Dashboard

CI Pass/Fail Decision

Passed. All Quality Gates passed.

  • quality_gate_security_no_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_no_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.

@dd-prapprover-prod-77c48c dd-prapprover-prod-77c48c Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR has been automatically approved by the DD PR Approver bot.

@dd-octo-sts

dd-octo-sts Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 17, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-17 00:00:54 UTC ℹ️ Start processing command /merge


2026-07-17 00:00:59 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 2h (p90).


2026-07-17 01:17:36 UTCMergeQueue: The build pipeline contains failing jobs for this merge request

Build pipeline has failing jobs for 49ee361:

⚠️ Do NOT retry failed jobs directly (why?).

What to do next?

  • Investigate the failures and when ready, re-add your pull request to the queue!
  • If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
  • Any question, go check the FAQ.
Details

Since those jobs are not marked as being allowed to fail, the pipeline will most likely fail.
Therefore, and to allow other builds to be processed, this merge request has been rejected and the pipeline got canceled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

changelog/no-changelog No changelog entry needed dependencies PRs that bump a dependency dependencies-go PRs that bump a go dependency internal Identify a non-fork PR qa/no-code-change No code change in Agent code requiring validation short review PR is simple enough to be reviewed quickly stop-updating Prevent auto updates from Renovate

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant