Merge branch 'main' into chore/examples-remove-testify

Author: Joibel

.coderabbit.yaml

@@ -0,0 +1,72 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+language: en-US
+
+reviews:
+  # Disable review status comments on PRs
+  review_status: false
+
+  # Request changes when issues are found (vs just commenting)
+  request_changes_workflow: false
+
+  # Enable high-level summary of changes
+  high_level_summary: true
+
+  # Add a poem to the review (fun but optional - set false if you prefer serious reviews)
+  poem: false
+
+  # Review profile - choose from: chill, assertive, or default
+  # "chill" = fewer nitpicks, "assertive" = stricter reviews
+  profile: chill
+
+  # Collapse walkthrough comments to reduce noise
+  collapse_walkthrough: true
+
+  # Paths to ignore during reviews
+  path_filters:
+    - "!**/*.generated.go"
+    - "!**/*_generated.go"
+    - "!**/zz_generated.*.go"
+    - "!**/mocks/**"
+    - "!**/vendor/**"
+    - "!**/*.pb.go"
+    - "!**/node_modules/**"
+    - "!**/*.snap"
+    - "!**/dist/**"
+    - "!**/api/openapi-spec/*.json"
+    - "!**/sdks/java/client/**"
+    - "!**/sdks/python/client/**"
+
+  auto_review:
+    enabled: false
+
+  # Tools configuration
+  tools:
+    # Go linting
+    golangci-lint:
+      enabled: true
+
+    # Shell script analysis
+    shellcheck:
+      enabled: true
+
+    # YAML validation (great for K8s manifests)
+    yamllint:
+      enabled: true
+
+    # Markdown linting for docs
+    markdownlint:
+      enabled: true
+
+    # GitHub Actions workflow validation
+    actionlint:
+      enabled: true
+
+chat:
+  # Enable chat interactions on PRs
+  auto_reply: true
+
+# Knowledge base - helps CodeRabbit understand project context
+knowledge_base:
+  # Learn from merged PRs
+  learnings:
+    scope: auto

.devcontainer/devcontainer.json

@@ -5,7 +5,7 @@
   // This image is built and pushed by .github/workflows/devcontainer.yaml using .devcontainer/builder/devcontainer.json
   "image": "quay.io/argoproj/argo-workflows-devcontainer",
 
-  "forwardPorts": [9000, 9001, 9090, 2746, 8080, 5556, 6060, 9091, 3306, 5432, 10000, 8000],
+  "forwardPorts": [9000, 9001, 9090, 2746, 8080, 5556, 5554, 6060, 9091, 3306, 5432, 10000, 8000],
   "hostRequirements": {
     "cpus": 4
   },

.features/pending/14679-cronworkflow-delete-warning.md

@@ -0,0 +1,7 @@
+Component: UI
+Issues: 14679
+Description: Add an informational message to the CronWorkflow delete confirmation modal indicating that Workflows created by the CronSchedule will also be deleted.
+Author: [minsun yun](https://github.com/miinsun)
+
+- UI/UX only; **no functional logic** is changed.
+- Verified manually by deleting a CronWorkflow in the Workflows UI and confirming the message renders correctly.

.features/pending/cel-validation.md

@@ -0,0 +1,71 @@
+Description: Added CRD validation rules
+Authors: [Alan Clucas](https://github.com/Joibel
+Component: General
+Issues: 13503
+
+Added some validation rules to the full CRDs which allow some simpler validation to happen as the object is added to the kubernetes cluster.
+This is useful if you're using a mechanism which bypasses the validator such as kubectl apply.
+It will inform you of
+
+**Note:** Some validations cannot be implemented as CEL rules due to Kubernetes limitations.
+Fields marked with `+kubebuilder:validation:Schemaless` (like `withItems`) or `+kubebuilder:pruning:PreserveUnknownFields` (like `inline`) are not visible to CEL validation expressions.
+
+**CEL Budget Management:** Kubernetes limits the total cost of CEL validation rules per CRD. To stay within these limits:
+* All `status` blocks have CEL validations automatically stripped during CRD generation
+* Controller-managed CRDs (WorkflowTaskSet, WorkflowTaskResult, WorkflowArtifactGCTask) have all CEL validations removed from both spec and status
+* Server-side validations in `workflow/validate/validate.go` supplement CEL for fields that cannot be validated with CEL (e.g., schemaless fields)
+
+**Array and String Size Limits:** To manage CEL validation costs, the following maximum sizes are enforced:
+* Templates per workflow: 200
+* DAG tasks per DAG template: 200
+* Parameters: 500
+* Prometheus metrics per template: 100
+* Gauge metric value string: 256 characters
+
+#### Mutual Exclusivity Rules:
+* only one template type per template
+* only one of sequence count/end
+* only one of manifest/manifestFrom
+* cannot use both depends and dependencies in DAG tasks.
+
+#### DAG Task Constraints:
+* task names cannot start with digit when using depends/dependencies
+* cannot use continueOn with depends.
+
+#### Timeout on Non-Leaf Templates:
+* Timeout cannot be set on steps or dag templates (only on leaf templates).
+
+#### Cron Schedule Format:
+* CronWorkflow schedules must be valid 5-field cron expressions, specialdescriptors (@yearly, @hourly, etc.), or interval format (@every).
+
+#### Metric Validation:
+* metric and label names validation
+* help and value fields required
+* real-time gauges cannot use resourcesDuration metrics
+
+#### Artifact:
+* At most one artifact location may be specified
+* Artifact.Mode must be between 0 and 511 (0777 octal) for file permissions.
+
+#### Enum Validations:
+* PodGC strategy
+* ConcurrencyPolicy
+* RetryPolicy
+* GaugeOperation
+* Resource action
+* MergeStrategy
+  all have restricted allowed values.
+
+#### Name Pattern Constraints:
+* Template/Step/Task names: max 128 chars, pattern ^[a-zA-Z0-9][-a-zA-Z0-9]*$;
+* Parameter/Artifact names: pattern ^[a-zA-Z0-9_][-a-zA-Z0-9_]*$.
+
+#### Minimum Array Sizes:
+* Template.Steps requires at least one step group
+* Parameter.Enum requires at least one value
+* CronWorkflow.Schedules requires at least one schedule
+* DAG.Tasks requires at least one task.
+
+#### Numeric Constraints:
+* Parallelism minimum 1
+* StartingDeadlineSeconds minimum 0.

.features/pending/convert.md

@@ -0,0 +1,9 @@
+Description: `convert` CLI command to convert to new workflow format
+Authors: [Alan Clucas](https://github.com/Joibel)
+Component: CLI
+Issues: 14977
+
+A new CLI command `convert` which will convert Workflows, CronWorkflows, and (Cluster)WorkflowTemplates to the new format.
+It will remove `schedule` from CronWorkflows, moving that into `schedules`
+It will remove `mutex` and `semaphore` from `synchronization` blocks and move them to the plural version.
+Otherwise this command works much the same as linting.

.features/pending/custom-sso-ca-configuration.md

@@ -0,0 +1,26 @@
+Description: Allow custom CA certificate configuration for SSO OIDC provider connections
+Authors: [bradfordwagner](https://github.com/bradfordwagner)
+Component: General
+Issues: 7198
+
+This feature adds support for custom TLS configuration when connecting to OIDC providers for SSO authentication.
+This is particularly useful when your OIDC provider uses self-signed certificates or custom Certificate Authorities (CAs).
+
+* Use this feature when your OIDC provider uses custom self-signed CA certificates
+* Configure custom CA certificates either inline or by file path
+
+### Configuration Examples
+
+#### Inline PEM content
+```yaml
+sso:
+  # Custom PEM encoded CA certificate file contents
+  rootCA: |-
+    -----BEGIN CERTIFICATE-----
+    MIIDXTCCAkWgAwIBAgIJAKoK/heBjcOuMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+    ...
+    -----END CERTIFICATE-----
+```
+
+The system will automatically use certificates configured with SSL_CERT_DIR, and SSL_CERT_FILE for non macOS environments.
+For production environments, always use proper CA certificates instead of skipping TLS verification.

.features/pending/disable-write-back-informer.md

@@ -0,0 +1,7 @@
+Description: Disable write back informer by default
+Author: [Eduardo Rodrigues](https://github.com/eduardodbr)
+Component: General
+Issues: 12352
+
+Update the controller’s default behavior to disable the write-back informer. We’ve seen several cases of unexpected behavior that appear to be caused by the write-back mechanism, and Kubernetes docs recommend avoiding writes to the informer store. Although turning it off may increase the frequency of 409 Conflict errors, it should help reduce unpredictable controller behavior.
+

.features/pending/not-equals-filter.md

@@ -0,0 +1,8 @@
+Description: Name Not Equals filter now available in the UI for filtering workflows
+Authors: [Miltiadis Alexis](https://github.com/miltalex)
+Component: UI
+Issues: #13468
+
+You can now use the "Name Not Equals" filter in the workflow list to exclude workflows by name.
+This complements the existing "Name Exact" filter and provides more flexible filtering options.
+Use this filter when you want to view all workflows except those matching a specific name pattern.

.features/pending/operators-field-selector.md

@@ -0,0 +1,10 @@
+Description: Support metadata.name= and metadata.name!= in field selectors
+Authors: [Miltiadis Alexis](https://github.com/miltalex)
+Component: General
+Issues: #13468
+
+Field selectors for `metadata.name` now support the `==` and `!=` operators, giving you more flexible control over resource filtering.
+
+Use the `==` operator to match resources with an exact name, or use `!=` to exclude resources by name.
+
+This brings field selector behavior in line with native Kubernetes functionality and enables more precise resource queries.

.gitattributes

@@ -1,4 +1,3 @@
-sdks/python/client/** linguist-generated
 sdks/java/client/** linguist-generated
 manifests/base/crds/*/argoproj.io*.yaml linguist-generated
 manifests/quick-start-*.yaml linguist-generated