app deployment delta adjustments #7969
n1ru4l wants to merge 252 commits into adam/improve-app-deployment-perf from
Co-authored-by: Rick Bijkerk <rickbijkerk@bol.com> Co-authored-by: Laurin Quast <laurinquast@googlemail.com>
This also enforces email verification to SSO accounts.
Co-authored-by: XiNiHa <me@xiniha.dev>
Co-authored-by: Laurin Quast <laurinquast@googlemail.com>
…ss 1 directory (#7617) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Laurin <laurinquast@googlemail.com>
#7946) Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Laurin Quast <laurinquast@googlemail.com>
Co-authored-by: kamilkisiela <8167190+kamilkisiela@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ration types `ContextArgument` and `FieldValue` on the supergraph SDL (#7967)
🚀 Snapshot Release (
| Package | Version | Info |
|---|---|---|
| @graphql-hive/cli | 0.60.0-alpha-20260410113846-d6c77ced3272115e09e5ddfb1260079ed166eba5 | npm ↗︎ unpkg ↗︎ |
| hive | 11.1.0-alpha-20260410113846-d6c77ced3272115e09e5ddfb1260079ed166eba5 | npm ↗︎ unpkg ↗︎ |
e675657 to 790c45d
Code Review
This pull request introduces a v2 storage format for app deployments, adding CLI auto-detection for SHA256 hashes and API support for delta uploads and processing timings. The CDN worker now utilizes S3-based manifests to enforce version isolation for content-addressed documents. A security issue was identified where a missing manifest for a v2 deployment could bypass these isolation checks.
I am having trouble creating individual review comments. Click here to see my feedback.
packages/services/cdn-worker/src/artifact-storage-reader.ts (454-465)
For v2 deployments, if the hash manifest is not found, the version isolation check is skipped. This is a security risk as it could allow access to documents from other versions if their hash is known. It's safer to treat a missing manifest for a v2 deployment as an error and deny access.
```ts
// Verify version isolation via manifest
if (manifestResponse.status !== 200) {
  this.breadcrumb(
    "Version isolation: manifest not found (status=" + manifestResponse.status + ", key=" + manifestKey + ")",
  );
  return { type: 'notFound' } as const;
}
const manifestBody = await manifestResponse.text();
const allowedHashes = new Set(manifestBody.split('\n').filter(Boolean));
if (!allowedHashes.has(hash)) {
  this.breadcrumb("Version isolation: hash " + hash + " not in manifest for " + manifestKey);
  return { type: 'notFound' } as const;
}
```

790c45d to 694ffb3
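The fail-open versus fail-closed handling of a missing manifest that the review comment above describes, as an added example (not code from this pull request or the Hive project). The manifest store is modelled as an in-memory map, and the manifest keys, hashes and function names are constructed for illustration.

```typescript
// Added illustration, not the CDN worker's code. The S3 manifest lookup is
// modelled as an in-memory map; keys and hashes below are constructed samples.
type LookupResult = { type: 'found'; hash: string } | { type: 'notFound' };

const manifests = new Map<string, string>([
  ['app/1.0.0/manifest', 'aaa111\nbbb222\n'],
  ['app/1.1.0/manifest', 'ddd444\r\neee555\r\n'], // CRLF line endings
  // 'app/2.0.0/manifest' is deliberately missing.
]);

function fetchManifest(key: string): { status: number; body: string } {
  const body = manifests.get(key);
  return body === undefined ? { status: 404, body: '' } : { status: 200, body };
}

// One hash per line; trimming (an addition to the page's split/filter) keeps a
// stray '\r' from making a listed hash look unlisted.
function parseManifest(body: string): Set<string> {
  return new Set(body.split('\n').map((line: string) => line.trim()).filter(Boolean));
}

// Fail-open: the isolation check only runs when the manifest was fetched, so a
// missing manifest lets any known hash through.
function lookupFailOpen(manifestKey: string, hash: string): LookupResult {
  const res = fetchManifest(manifestKey);
  if (res.status === 200 && !parseManifest(res.body).has(hash)) {
    return { type: 'notFound' };
  }
  return { type: 'found', hash };
}

// Fail-closed: a missing manifest is a denial, as the review suggests.
function lookupFailClosed(manifestKey: string, hash: string): LookupResult {
  const res = fetchManifest(manifestKey);
  if (res.status !== 200) {
    return { type: 'notFound' };
  }
  if (!parseManifest(res.body).has(hash)) {
    return { type: 'notFound' };
  }
  return { type: 'found', hash };
}
```

A regression test for this check should cover the missing-manifest case explicitly, since both variants behave identically whenever the manifest exists.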
📚 Storybook Deployment
The latest changes are available as preview in: https://pr-7969.hive-storybook.pages.dev

🐋 This PR was built and pushed to the following Docker images: Targets: Platforms: Image Tag:
Background
See #7565
Description
Just merging main into #7565 so CI can run and enabling sha256 hashing for the web app persisted documents