Merge branch 'cloudflare:master' into master

.ci/github.gitlab-ci.yml

@@ -0,0 +1,17 @@
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+######################################
+### Sync master branch with Github ###
+######################################
+push-github:
+  stage: sync
+  rules:
+    - !reference [.default-rules, run-on-master]
+  script:
+    - ./.ci/scripts/github-push.sh
+  secrets:
+    CLOUDFLARED_DEPLOY_SSH_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
+      file: false
+  cache: {}

.ci/scripts/github-push.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e -o pipefail
+
+BRANCH="master"
+TMP_PATH="$PWD/tmp"
+PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
+PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
+
+mkdir -p $TMP_PATH
+
+# Setup Private Key
+echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
+chmod 400 $PRIVATE_KEY_PATH
+
+# Download GitHub Public Key for KnownHostsFile
+ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
+
+# Setup git ssh command with the right configurations
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
+
+# Add GitHub as a new remote
+git remote add github git@github.com:cloudflare/cloudflared.git || true
+
+# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
+# Therefore, we need to manually fetch the reference to then push it to GitHub.
+git fetch origin $BRANCH:$BRANCH
+git push -u github $BRANCH
+
+if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
+  git push -u github "$TAG"
+fi

.ci/scripts/vuln-check.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+set -e
+
+# Define the file to store the list of vulnerabilities to ignore.
+IGNORE_FILE=".vulnignore"
+
+# Check if the ignored vulnerabilities file exists. If not, create an empty one.
+if [ ! -f "$IGNORE_FILE" ]; then
+    touch "$IGNORE_FILE"
+    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
+    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
+    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
+    echo "" >> "$IGNORE_FILE"
+fi
+
+# Run govulncheck and capture its output.
+VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
+
+# Print the govuln output
+echo "====================================="
+echo "Full Output of govulncheck:"
+echo "====================================="
+echo "$VULN_OUTPUT"
+echo "====================================="
+echo "End of govulncheck Output"
+echo "====================================="
+
+# Process the ignore file to remove comments and empty lines.
+# The 'cut' command gets the vulnerability ID and removes anything after the '#'.
+# The 'grep' command filters out empty lines and lines starting with '#'.
+CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
+
+# Filter out the ignored vulnerabilities.
+UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
+
+# If the list of ignored vulnerabilities is not empty, filter them out.
+if [ -n "$CLEAN_IGNORES" ]; then
+    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
+fi
+
+# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
+if [ -n "$UNIGNORED_VULNS" ]; then
+    echo "🚨 Found new, unignored vulnerabilities:"
+    echo "-------------------------------------"
+    echo "$UNIGNORED_VULNS"
+    echo "-------------------------------------"
+    echo "Exiting with an error. ❌"
+    exit 1
+else
+    echo "🎉 No new vulnerabilities found. All clear! ✨"
+    exit 0
+fi

.gitlab-ci.yml

@@ -7,7 +7,7 @@ default:
     VAULT_ID_TOKEN:
       aud: https://vault.cfdata.org
 
-stages: [pre-build, build, validate, test, package, release]
+stages: [sync, pre-build, build, validate, test, package, release]
 
 include:
   #####################################################
@@ -15,6 +15,11 @@ include:
   #####################################################
   - local: .ci/commons.gitlab-ci.yml
 
+  #####################################################
+  ########### Sync Repository with Github #############
+  #####################################################
+  - local: .ci/github.gitlab-ci.yml
+
   #####################################################
   ############# Build or Fetch CI Image ###############
   #####################################################

.vulnignore

@@ -0,0 +1,3 @@
+# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
+# You can also add comments on the same line after the ID.
+GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future

Makefile

@@ -142,7 +142,7 @@ clean:
 
 .PHONY: vulncheck
 vulncheck:
-	@go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./...
+	@./.ci/scripts/vuln-check.sh
 
 .PHONY: cloudflared
 cloudflared:

RELEASE_NOTES

@@ -1,3 +1,7 @@
+2025.9.1
+- 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
+- 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
+
 2025.9.0
 - 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
 - 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI

token/token.go

@@ -255,7 +255,6 @@ func getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, autoClose boo
 // getTokensFromEdge will attempt to use the transfer service to retrieve an app and org token, save them to disk,
 // and return the app token.
 func getTokensFromEdge(appURL *url.URL, appAUD, appTokenPath, orgTokenPath string, useHostOnly bool, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) {
-	fmt.Println("Get tokens from edge ", autoClose)
 	// If no org token exists or if it couldn't be exchanged for an app token, then run the transfer service flow.
 
 	// this weird parameter is the resource name (token) and the key/value