Skip to content

Release v2026.2#1835

Draft
matthew-white wants to merge 63 commits into
masterfrom
next
Draft

Release v2026.2#1835
matthew-white wants to merge 63 commits into
masterfrom
next

Conversation

@matthew-white

@matthew-white matthew-white commented Apr 22, 2026

Copy link
Copy Markdown
Member

This PR prepares the release of v2026.2. It should only contain changes from other PRs that have already been approved and merged (and possibly merge commits from the master branch).

alxndrsn and others added 30 commits April 18, 2026 08:08
@alxndrsn
ci/test-nginx: show mock-sentry logs (#1816)
6c764ea
@alxndrsn
ci/ghcr: update deprecated docker action versions (#1821)
0379dcf 
Closes #1818
@alxndrsn
test/nginx/csp: rename backend-strict policy (#1823)
ae72624 
Previously called `disallow-all`; rename to `backend-strict` to better reflect its usage rather than current implementation details.
@alxndrsn
ci: only publish containers if tests passed (#1820)
963b9dc 
Closes #1819
@alxndrsn
test/nginx/csp: remove duplicate test (#1860)
94aa904 
Looks like a merge error.
@alxndrsn
nginx/csp: blank.html: allow form-action 'self' (#1857)
1431cb1 
Closes #1856
@alxndrsn
nginx/csp: enforce policy for blank.html (#1858)
e6df530 
Switch from Content-Security-Policy-Report-Only to Content-Security-Policy.
@alxndrsn
csp: allow data: URLs in worker-src for web-forms (#1776)
9122bb2 
Closes #1775
@alxndrsn
nginx/csp: tighten favicon allowance for blank.html (#1855)
711c6ad 
In line with #1854.
@alxndrsn
nginx/csp: allow favicons for backend requests (#1854)
c9b359a 
Closes #1851
@matthew-white
Merge branch 'master' into next
d3eb696
@alxndrsn
nginx/csp: enforce policy for central-backend (#1859)
af64f1d 
Switch from Content-Security-Policy-Report-Only to Content-Security-Policy.
@alxndrsn
nginx: fix escaping in /fonts/ matcher (#1863)
625eb98
@alxndrsn
ci: simplify checkout (#1890)
97b3251 
It looks like the checkout code from the `test-images` job was copy/pasted elsewhere.

Simplifying this config should speed up git checkout in affected jobs.
@sadiqkhoja
Fixes: expected docker context is increased due to WF merge
fe411c8
@sadiqkhoja
Merge pull request #1893 from sadiqkhoja/fixes/docker-context
448b96a 
Fixes: expected docker context is increased due to WF merge
@sadiqkhoja
Fixes: install openssl in service container
1a9c7f9
@sadiqkhoja
Merge pull request #1892 from sadiqkhoja/fixes/install-openssl
b9a1d3f 
Fixes/install openssl
@alxndrsn
service: move DB_SSL check back to runtime (#1889)
e4c7b83 
The `DB_SSL` env var was made illegal in #1647.

The check was then moved from runtime to build time in #1671.

Checking at build-time allows for faster failure and clearer feedback to sysadmins who are upgrading, and previously depended on this env var.  However, the downside is that if container images are pre-built centrally, this check will be skipped.

With this commit, the check will move to container startup.  However, it will now be skipped if the container is started with a non-standard CMD/command/COMMAND.
@alxndrsn
nginx: enable Content Security Policies (#1909)
95717b1 
Switch all headers from `Content-Security-Policy-Report-Only` to `Content-Security-Policy`.
@alxndrsn
test/nginx: fix comment typo (#1938)
a4e5b06
@alxndrsn
test/nginx/docker-compose: restrict open ports to local machine (#1927)
48b7478 
Restrict TCP ports to the local machine.  This will prevent exposing these dev services on the local network or wider.
@alxndrsn
nginx: test stream interruption (#1939)
fc457ec 
Tests pass with nginx:

✅ `1.29.7`

Tests fail with nginx:

☠️ `1.29.5`
☠️ `1.29.6`

Closes #1736
@alxndrsn
dev/docker-compose: restrict open ports to local machine (#1925)
c182517 
Restrict TCP ports to the local machine.  This will prevent exposing these dev services on the local network or wider.
@alxndrsn
nginx: reject form previews with unexpected query params (#1947)
18b9667
@alxndrsn
test: disable case-sensitive routing for express servers (#1953)
007fd5c
@alxndrsn
ci: increase docker-context file size expecations (#1948)
28206d5 
Increase the lower and upper bounds to:

* take account of larger contexts in forked repositories, and
* tighten the acceptable margin
@alxndrsn
test/nginx: extract request() and add testing (#1955)
0c07aaa
@alxndrsn
ci: read node version from volta declaration (#1958)
40868ce 
One less place to keep up-to-date.
@alxndrsn
test: make ExpressJS host-bindings explicit (#1954)
f098936
alxndrsn and others added 30 commits June 11, 2026 08:38
@alxndrsn
test/check-docker-context: ignore .git directory (#1967)
c20f3ed 
Closes #1810
@alxndrsn
test: disable extended query parser for express servers (#1964)
96cf4ed 
sn>
@lognaturel
Upgrade Enketo to 7.6.2 (#1965)
ce03665
@garethbowen
fix(web-forms#535): separate enketo and web-forms into their own vue app
c91fe3d
@garethbowen
fix: reduce runtime memory usage in nginx service
1f0cf1e
@alxndrsn
nginx/web-forms: assert correct HTML is served (#1980)
6f8fe88
@alxndrsn
nginx: narrow scope of NodeJS max-old-space-size (#1993)
27cc8ef
@alxndrsn
build/nginx: reduce gc heap space allocation (#1994)
4007043 
Reduces max-old-space-size allocation by 2GB (50%).

On dev.getodk.cloud this currently:

* fails with 1024
* passes with 1536

This suggests decreasing to 2048 is:

1. a good saving, and
2. fairly safe
@alxndrsn
service: remove volume: data/transfer (#1992)
ddaf82f 
Use no longer encouraged.

Closes #1894
@alxndrsn
docker-compose: remove dangling volume: transfer (#1973)
6c70ffb 
Introduced in fe34e41, it looks like this volume was never referenced.

Ref #1894
@alxndrsn
check-docker-context: use custom builder explicitly (#1990)
e67a2fa 
Instead of changing the global builder default, just use the `docker_context_checker` custom builder for the specific job it was written for.

This is helpful for dev machines so that other docker jobs are not affected by this script.
@alxndrsn
test/nginx: remove comment re: web-forms paths (#1977)
4a88431 
The linked PR is very long, and doesn't give clear guidance/explanation of what's going on.

Ultimately this test should be the source of truth for the paths which serve web-forms content, and more context can be added here if required.
@alxndrsn
nginx: remove misleading web-forms config (#1982)
8ecbaa7 
Related: #1978
@alxndrsn
nginx/web-forms: simplify try_files directive (#1983)
3a437ac
@alxndrsn
nginx: merge duplicate web-forms regexes (#1984)
1288db9 
Closes #1975
@alxndrsn
test/nginx: add more fake webforms paths (#1985)
8967ba0
@latin-panda
chore: pass frontend Sentry DSN (#2005)
883431c
@alxndrsn
client: replace submodule with specific release (#1998)
8b8a038 
Closes #1996
@latin-panda
chore: rename variable to SENTRY_DSN_FRONTEND (#2010)
259f9fa
@latin-panda
chore: updates PR template (#2014)
7489585
@lognaturel
Update pyxform image version to v4.5.0 (#2020)
17ec5a4
@lognaturel
Upgrade node to 24.16.0
1214873 
Newer versions have been released but less than 14 days ago. None of the high priority CVEs fixed affect us.
@lognaturel
Upgrade nginx to 1.31.2
1e4cf82 
It was released only a week ago but it fixes additional buffer overread and overflow issues over 1.31.1 released a month ago.
@lognaturel
Upgrade Postgres to 14.23
ac22116
@lognaturel
Upgrade smtp image to latest in 1.2.x
eb8127f 
2.0.0 was released 3 weeks ago and followed up with point releases. Let's wait until it stabilizes, we don't need any of the udpates.
@lognaturel
Upgrade redis to latest in 8.6.x
41d0827 
8.8 has been out a month but it makes some significant changes so I'd rather be conservative
@lognaturel
Upgrade test dependencies
d058b88
@lognaturel
Upgrade playwright to fix CI
c0898a8
@lognaturel
Merge pull request #2022 from lognaturel/v2026.2-deps
2a4967e 
Update infrastructure dependencies for v2026.2
@matthew-white
Update FRONTEND_VERSION before regression testing
d30c049
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@matthew-white @alxndrsn @sadiqkhoja @lognaturel @garethbowen @latin-panda