TPT-4277: Merge main

.github/workflows/ci.yml

@@ -19,7 +19,35 @@ on:
 jobs:
   lint-tidy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
+      # Enforce TPT-1234: prefix on PR titles, with the following exemptions:
+      # - PRs labeled 'dependencies' (e.g. Dependabot PRs)
+      # - PRs labeled 'hotfix' (urgent fixes that may not have a ticket)
+      # - PRs labeled 'community-contribution' (external contributors without TPT tickets)
+      # - PRs labeled 'ignore-for-release' (release PRs that don't need a ticket prefix)
+      - name: Validate PR Title
+        if: github.event_name == 'pull_request'
+        uses: amannn/action-semantic-pull-request@v6
+        with:
+          types: |
+            TPT-\d+
+          requireScope: false
+          # Override the default header pattern to allow hyphens and digits in the type
+          # (e.g. "TPT-4298: Description"). The default pattern only matches word
+          # characters (\w) which excludes hyphens.
+          headerPattern: '^([\w-]+):\s?(.*)$'
+          headerPatternCorrespondence: type, subject
+          ignoreLabels: |
+            dependencies
+            hotfix
+            community-contribution
+            ignore-for-release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
@@ -99,7 +127,7 @@ jobs:
 
     steps:
       - name: Notify Slack
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@v3
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/clean-release-notes.yml

@@ -0,0 +1,37 @@
+name: Clean Release Notes
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  clean-release-notes:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Remove ticket prefixes from release notes
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const release = context.payload.release;
+
+            let body = release.body;
+
+            if (!body) {
+              console.log("Release body empty, nothing to clean.");
+              return;
+            }
+
+            // Remove ticket prefixes like "TPT-1234: " or "TPT-1234:"
+            body = body.replace(/TPT-\d+:\s*/g, '');
+
+            await github.rest.repos.updateRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              release_id: release.id,
+              body: body
+            });
+
+            console.log("Release notes cleaned.");

.github/workflows/integration_tests_pr.yml

@@ -71,7 +71,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@v9
         id: update-check-run
         if: ${{ inputs.pull_request_number != '' && fromJson(steps.commit-hash.outputs.data).repository.pullRequest.headRef.target.oid == inputs.sha }}
         env:

.github/workflows/nightly_smoke_tests.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Notify Slack
         if: (success() || failure()) && github.repository == 'linode/linodego'
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@v3
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/release-notify-slack.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Notify Slack - Main Message
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@v3
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_BOT_TOKEN }}

CODEOWNERS

@@ -1 +1 @@
-* @linode/dx
+* @linode/dx @linode/dx-sdets

account_settings.go

@@ -30,7 +30,6 @@ type AccountSettings struct {
 	// A string like "disabled", "suspended", or "active" describing the status of this account’s Object Storage service enrollment.
 	ObjectStorage *string `json:"object_storage"`
 
-	// NOTE: Interfaces for new linode setting may not currently be available to all users.
 	// A new configuration flag defines whether new Linodes can use Linode and/or legacy config interfaces.
 	InterfacesForNewLinodes InterfacesForNewLinodes `json:"interfaces_for_new_linodes"`
 

client.go

@@ -66,6 +66,12 @@ Body: {{.Body}}`))
 
 var envDebug = false
 
+// redactHeadersMap is a map of headers that should be redacted in logs,
+// mapping the header name to its redacted value.
+var redactHeadersMap = map[string]string{
+	"Authorization": "Bearer *******************************",
+}
+
 // Client is a wrapper around the Resty client
 type Client struct {
 	resty             *resty.Client
@@ -394,6 +400,19 @@ func (c *httpClient) applyAfterResponse(resp *http.Response) error {
 	return nil
 }
 
+// nolint:unused
+func redactHeaders(headers http.Header) http.Header {
+	redacted := headers.Clone()
+
+	for header, redactedValue := range redactHeadersMap {
+		if headers.Get(header) != "" {
+			redacted.Set(header, redactedValue)
+		}
+	}
+
+	return redacted
+}
+
 // nolint:unused
 func (c *httpClient) logRequest(req *http.Request, method, url string, bodyBuffer *bytes.Buffer) {
 	var reqBody string
@@ -408,7 +427,7 @@ func (c *httpClient) logRequest(req *http.Request, method, url string, bodyBuffe
 	err := reqLogTemplate.Execute(&logBuf, map[string]any{
 		"Method":  method,
 		"URL":     url,
-		"Headers": req.Header,
+		"Headers": redactHeaders(req.Header),
 		"Body":    reqBody,
 	})
 	if err == nil {
@@ -456,7 +475,7 @@ func (c *httpClient) logResponse(resp *http.Response) (*http.Response, error) {
 
 	err := respLogTemplate.Execute(&logBuf, map[string]any{
 		"Status":  resp.Status,
-		"Headers": resp.Header,
+		"Headers": redactHeaders(resp.Header),
 		"Body":    respBody.String(),
 	})
 	if err == nil {
@@ -736,7 +755,7 @@ func (c *Client) addCachedResponse(endpoint string, response any, expiry *time.D
 	}
 
 	switch responseValue.Kind() {
-	case reflect.Ptr:
+	case reflect.Pointer:
 		// We want to automatically deref pointers to
 		// avoid caching mutable data.
 		entry.Data = responseValue.Elem().Interface()
@@ -827,10 +846,22 @@ func (c *Client) updateHostURL() {
 	)
 }
 
+func redactLogHeaders(header http.Header) {
+	for h, redactedValue := range redactHeadersMap {
+		if header.Get(h) != "" {
+			header.Set(h, redactedValue)
+		}
+	}
+}
+
 func (c *Client) enableLogSanitization() *Client {
 	c.resty.OnRequestLog(func(r *resty.RequestLog) error {
-		// masking authorization header
-		r.Header.Set("Authorization", "Bearer *******************************")
+		redactLogHeaders(r.Header)
+		return nil
+	})
+
+	c.resty.OnResponseLog(func(r *resty.ResponseLog) error {
+		redactLogHeaders(r.Header)
 		return nil
 	})
 

client_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/jarcoal/httpmock"
 	"github.com/linode/linodego/internal/testutil"
+	"github.com/stretchr/testify/require"
 )
 
 func TestClient_SetAPIVersion(t *testing.T) {
@@ -703,3 +704,101 @@ func TestMonitorClient_SetAPIBasics(t *testing.T) {
 		t.Fatal(cmp.Diff(client.resty.BaseURL, expectedHost))
 	}
 }
+
+func TestRedactHeaders(t *testing.T) {
+	tests := []struct {
+		name    string
+		headers http.Header
+		wantVal map[string]string
+	}{
+		{
+			name: "redacts authorization header",
+			headers: http.Header{
+				"Authorization": []string{"Bearer supersecrettoken"},
+				"Content-Type":  []string{"application/json"},
+			},
+			wantVal: map[string]string{
+				"Authorization": redactHeadersMap["Authorization"],
+				"Content-Type":  "application/json",
+			},
+		},
+		{
+			name: "leaves non-sensitive headers unchanged",
+			headers: http.Header{
+				"Content-Type": []string{"application/json"},
+				"Accept":       []string{"application/json"},
+			},
+			wantVal: map[string]string{
+				"Content-Type": "application/json",
+				"Accept":       "application/json",
+			},
+		},
+		{
+			name:    "handles empty headers",
+			headers: http.Header{},
+			wantVal: map[string]string{},
+		},
+		{
+			name: "does not mutate original headers",
+			headers: http.Header{
+				"Authorization": []string{"Bearer supersecrettoken"},
+			},
+			wantVal: map[string]string{
+				"Authorization": redactHeadersMap["Authorization"],
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			originalAuth := tt.headers.Get("Authorization")
+
+			result := redactHeaders(tt.headers)
+
+			// Verify expected values in result
+			for key, expectedVal := range tt.wantVal {
+				if got := result.Get(key); got != expectedVal {
+					t.Errorf("redactHeaders() header %q = %q, want %q", key, got, expectedVal)
+				}
+			}
+
+			// Verify original was not mutated
+			if tt.headers.Get("Authorization") != originalAuth {
+				t.Error("redactHeaders() mutated the original headers")
+			}
+		})
+	}
+}
+
+func TestEnableLogSanitization(t *testing.T) {
+	mockClient := testutil.CreateMockClient(t, NewClient)
+	mockClient.SetDebug(true)
+
+	plainTextToken := "supersecrettoken"
+	mockClient.SetToken(plainTextToken)
+
+	var logBuf bytes.Buffer
+	logger := testutil.CreateLogger()
+	logger.L.SetOutput(&logBuf)
+	mockClient.SetLogger(logger)
+
+	httpmock.RegisterResponder("GET", "=~.*",
+		httpmock.NewStringResponder(200, `{}`).HeaderSet(http.Header{
+			"Authorization": []string{"Bearer " + plainTextToken},
+		}))
+
+	_, err := mockClient.resty.R().Get("https://api.linode.com/v4/test")
+	require.NoError(t, err)
+
+	logOutput := logBuf.String()
+
+	// Verify token is not present in either request or response logs
+	if strings.Contains(logOutput, plainTextToken) {
+		t.Errorf("log output contains raw token %q, expected it to be redacted", plainTextToken)
+	}
+
+	// Verify Authorization header still appears (as redacted value) in request log
+	if !strings.Contains(logOutput, "Authorization") {
+		t.Error("expected Authorization header to appear in request log output")
+	}
+}

firewall_devices.go

@@ -57,10 +57,11 @@ func (device *FirewallDevice) UnmarshalJSON(b []byte) error {
 
 // FirewallDeviceEntity contains information about a device associated with a Firewall
 type FirewallDeviceEntity struct {
-	ID    int                `json:"id"`
-	Type  FirewallDeviceType `json:"type"`
-	Label string             `json:"label"`
-	URL   string             `json:"url"`
+	ID           int                   `json:"id"`
+	Type         FirewallDeviceType    `json:"type"`
+	Label        string                `json:"label"`
+	URL          string                `json:"url"`
+	ParentEntity *FirewallDeviceEntity `json:"parent_entity"`
 }
 
 // ListFirewallDevices get devices associated with a given Firewall

firewalls.go

@@ -20,20 +20,21 @@ const (
 
 // A Firewall is a set of networking rules (iptables) applied to Devices with which it is associated
 type Firewall struct {
-	ID      int             `json:"id"`
-	Label   string          `json:"label"`
-	Status  FirewallStatus  `json:"status"`
-	Tags    []string        `json:"tags,omitempty"`
-	Rules   FirewallRuleSet `json:"rules"`
-	Created *time.Time      `json:"-"`
-	Updated *time.Time      `json:"-"`
+	ID       int                    `json:"id"`
+	Label    string                 `json:"label"`
+	Status   FirewallStatus         `json:"status"`
+	Tags     []string               `json:"tags"`
+	Rules    FirewallRuleSet        `json:"rules"`
+	Entities []FirewallDeviceEntity `json:"entities"`
+	Created  *time.Time             `json:"-"`
+	Updated  *time.Time             `json:"-"`
 }
 
 // DevicesCreationOptions fields are used when adding devices during the Firewall creation process.
 type DevicesCreationOptions struct {
-	Linodes       []int `json:"linodes,omitempty"`
-	NodeBalancers []int `json:"nodebalancers,omitempty"`
-	Interfaces    []int `json:"interfaces,omitempty"`
+	Linodes          []int `json:"linodes,omitempty"`
+	NodeBalancers    []int `json:"nodebalancers,omitempty"`
+	LinodeInterfaces []int `json:"linode_interfaces,omitempty"`
 }
 
 // FirewallCreateOptions fields are those accepted by CreateFirewall

go.mod

@@ -5,10 +5,10 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-querystring v1.2.0
 	github.com/jarcoal/httpmock v1.4.1
-	golang.org/x/net v0.51.0
-	golang.org/x/oauth2 v0.35.0
-	golang.org/x/text v0.34.0
-	gopkg.in/ini.v1 v1.67.1
+	golang.org/x/net v0.53.0
+	golang.org/x/oauth2 v0.36.0
+	golang.org/x/text v0.36.0
+	gopkg.in/ini.v1 v1.67.2
 )
 
 require (