Merge branch 'main' into request_sharig_clone_impl_fix

Author: metalurgical

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/devcontainers/base:bullseye
+FROM mcr.microsoft.com/devcontainers/base:bookworm
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     # Remove imagemagick due to https://security-tracker.debian.org/tracker/CVE-2019-10131

.devcontainer/devcontainer.json

@@ -16,7 +16,7 @@
         },
         "ghcr.io/devcontainers/features/rust:1": {},
 		"ghcr.io/devcontainers/features/git:1": {},
-		"ghcr.io/nlordell/features/foundry": {},
+		"ghcr.io/nlordell/features/foundry": { "version": "v1.7.1" },
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {
             "dockerDashComposeVersion": "v2"
         },
@@ -33,6 +33,17 @@
         "seccomp=unconfined"
     ],
 
+    "containerEnv": {
+        "PGHOST": "localhost",
+        "PGPORT": "5432",
+        "PGUSER": "vscode",
+        "PGDATABASE": "vscode",
+        // Drop debug info from dev/test builds: the e2e test binary's debug info
+        // is large enough to get the linker OOM-killed on a stock setup.
+        "CARGO_PROFILE_DEV_DEBUG": "0",
+        "CARGO_PROFILE_TEST_DEBUG": "0"
+    },
+
     "customizations": {
         "vscode": {
             "settings": {
@@ -51,7 +62,10 @@
 
 	// Use 'postCreateCommand' to run commands after the container is created.
 	// "postCreateCommand": "rustc --version",
-	"postCreateCommand": "rustup toolchain install nightly && cargo install flamegraph",
+	"postCreateCommand": "rustup toolchain install nightly --component rustfmt && cargo install flamegraph && cargo install cargo-nextest --locked && cargo install just --locked && bash .devcontainer/setup-e2e.sh",
+
+	// (Re)start the local Postgres cluster on every container start.
+	"postStartCommand": "bash .devcontainer/start-postgres.sh",
 
 	// Set `remoteUser` to `root` to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
 	"remoteUser": "vscode"

.devcontainer/setup-e2e.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+#
+# Provisions the one thing the e2e test suite needs but the base image can't
+# provide out of the box:
+#
+#   * Postgres server – we run a native server (rather than the docker-compose
+#              one) so it survives container restarts and is up before any test
+#              runs, then apply the flyway migrations the harness expects to
+#              already exist.
+#
+# anvil/forge come from the foundry devcontainer feature; their prebuilt binaries
+# run directly on the bookworm base image (glibc >= 2.32), so nothing to do here.
+#
+# Runs as `postCreateCommand` (once, when the container is created).
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+# -----------------------------------------------------------------------------
+echo "==> postgres"
+# Install a server only if no cluster exists yet (fresh container). Reuse whatever
+# version is already present otherwise, so this is safe to re-run.
+if ! ls -d /etc/postgresql/*/main >/dev/null 2>&1; then
+    echo "    installing postgresql-16..."
+    sudo apt-get update -qq
+    sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq postgresql-16
+fi
+PG_VERSION="$(ls /etc/postgresql | sort -n | tail -1)"
+echo "    using cluster ${PG_VERSION}/main"
+
+# Start the cluster (shared with postStart so the two can't drift).
+bash "$REPO_ROOT/.devcontainer/start-postgres.sh"
+
+# Trust auth for local connections (development container only).
+HBA="/etc/postgresql/${PG_VERSION}/main/pg_hba.conf"
+sudo tee "$HBA" >/dev/null <<'EOF'
+local   all   all                  trust
+host    all   all   127.0.0.1/32   trust
+host    all   all   ::1/128        trust
+EOF
+sudo pg_ctlcluster "$PG_VERSION" main reload
+
+# The e2e harness connects with the bare url `postgresql://`, which resolves to a
+# role and database named after $PGUSER/$PGDATABASE (see containerEnv in
+# devcontainer.json and DatabasePoolConfig::test_default).
+psql -h 127.0.0.1 -U postgres -d postgres -tAc \
+    "SELECT 1 FROM pg_roles WHERE rolname='${PGUSER}'" | grep -q 1 \
+    || psql -h 127.0.0.1 -U postgres -d postgres -c \
+        "CREATE ROLE \"${PGUSER}\" LOGIN SUPERUSER;"
+psql -h 127.0.0.1 -U postgres -d postgres -tAc \
+    "SELECT 1 FROM pg_database WHERE datname='${PGDATABASE}'" | grep -q 1 \
+    || psql -h 127.0.0.1 -U postgres -d postgres -c \
+        "CREATE DATABASE \"${PGDATABASE}\" OWNER \"${PGUSER}\";"
+
+# Apply the migrations with the same flyway image the rest of the repo uses
+# (see docker-compose.yaml). Flyway tracks what it has already applied, so this is
+# incremental and idempotent: re-running only applies new migrations and fails
+# loudly if one is incompatible with the current schema. The native server runs
+# on the host network namespace, so `--network=host` lets flyway reach it on
+# 127.0.0.1:${PGPORT}.
+echo "    applying flyway migrations..."
+docker run --rm --network=host \
+    -v "$REPO_ROOT/database/sql:/flyway/sql:ro" \
+    -v "$REPO_ROOT/database/conf:/flyway/conf:ro" \
+    flyway/flyway:10.7.1 \
+    -url="jdbc:postgresql://127.0.0.1:${PGPORT}/${PGDATABASE}?user=${PGUSER}&password=" \
+    migrate
+
+echo "==> e2e environment ready (postgres)"

.devcontainer/start-postgres.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+# Starts the local Postgres cluster on every container start. There is no init
+# system in the container, so the cluster does not come up on its own after a
+# stop/start. Provisioning (install, role, db, migrations) is done once by
+# setup-e2e.sh; this only (re)starts what already exists.
+#
+# Runs as `postStartCommand`.
+set -euo pipefail
+
+PG_VERSION="$(ls /etc/postgresql | sort -n | tail -1)"
+
+# `start` errors if the cluster is already running, so only start it when it
+# isn't online; a genuine start failure then surfaces instead of being swallowed.
+if ! pg_lsclusters -h "$PG_VERSION" main | grep -q online; then
+    sudo pg_ctlcluster "$PG_VERSION" main start
+fi

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 * @cowprotocol/backend
-
+.github/workflows/ @cowprotocol/devops @cowprotocol/backend

.github/renovate.json5

@@ -0,0 +1,27 @@
+// This file follows JSON5 syntax, to make it
+// easier to maintain.
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  // Disable every built-in manager (npm, dockerfile, ...) except github-actions.
+  enabledManagers: ["github-actions"],
+  // PR titles use Conventional Commits: `deps(<action>): ...`
+  semanticCommits: "enabled",
+  semanticCommitType: "deps",
+  packageRules: [
+    // GitHub Actions updates: run weekly, skip releases newer than 2 weeks
+    // to avoid picking up freshly published versions that may be unstable or
+    // compromised, and pin to full commit SHAs (with the version as a
+    // trailing comment) rather than mutable tags.
+    // When both major and minor releases exist, propose only the latest bump
+    // (typically major) instead of a separate minor PR.
+    {
+      matchManagers: ["github-actions"],
+      schedule: ["on monday"],
+      minimumReleaseAge: "14 days",
+      pinDigests: true,
+      separateMajorMinor: false,
+      semanticCommitScope: "{{depName}}",
+      commitMessageTopic: "{{depName}}",
+    },
+  ],
+}

.github/workflows/add-to-project.yml

@@ -10,7 +10,7 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+      - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
         with:
           project-url: https://github.com/orgs/cowprotocol/projects/8
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}

.github/workflows/claude-review.yml

@@ -4,23 +4,6 @@ on:
     types: [opened, ready_for_review]
   issue_comment:
     types: [created]
-  # Manual trigger so workflow changes can be exercised from a feature branch
-  # without merging. Pick the feature branch in the Actions UI and pass the
-  # PR number to review.
-  workflow_dispatch:
-    inputs:
-      pr_number:
-        description: "PR number to review"
-        required: true
-        type: string
-
-# Cancel an in-flight review if another trigger fires on the same PR (e.g.
-# back-to-back `@claude` comments, or a draft→ready transition while an
-# earlier run is still going). Note: `synchronize` is not in the trigger
-# list, so plain pushes do not trigger or cancel anything.
-concurrency:
-  group: claude-review-${{ github.event.pull_request.number || github.event.issue.number || inputs.pr_number }}
-  cancel-in-progress: true
 
 jobs:
   review:
@@ -43,7 +26,7 @@ jobs:
         github.event.issue.pull_request != null &&
         contains(github.event.comment.body, '@claude') &&
         contains(fromJSON('["OWNER", "MEMBER"]'), github.event.comment.author_association)
-      ) || github.event_name == 'workflow_dispatch'
+      )
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
@@ -53,7 +36,7 @@ jobs:
       id-token: write
       actions: read
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           # Full history lets the action compute an accurate diff vs the base
           # branch instead of just the latest commit.
@@ -67,5 +50,4 @@ jobs:
           claude_args: |
             --model claude-opus-4-7
             --max-turns 30
-          prompt: |
-            ${{ github.event_name == 'workflow_dispatch' && format('Review PR #{0}. ', inputs.pr_number) || 'Review this PR.' }} Use the pr-review skill if available.
+          prompt: "Review this PR. Use the pr-review skill if available."

.github/workflows/codeql.yml

@@ -26,16 +26,16 @@ jobs:
           build-mode: none
     steps:
     - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
         config-file: .github/codeql/codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/deploy.yaml

@@ -28,13 +28,13 @@ jobs:
       packages: write
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Without this the fetch depth defaults to 1, which only includes the most recent commit. We want to know the full history so that `git describe` can give more information when it is invoked in the orderbook's crate build script.
           fetch-depth: '0'
           persist-credentials: false
 
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -69,7 +69,7 @@ jobs:
 
       - name: Services image metadata
         id: meta_services
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
@@ -79,7 +79,7 @@ jobs:
           labels: |
             org.opencontainers.image.licenses=GPL-3.0-or-later
       - name: Services image build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           file: Dockerfile
@@ -92,7 +92,7 @@ jobs:
 
       - name: Migration image metadata
         id: meta_migration
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: ghcr.io/${{ github.repository }}-migration
           tags: |
@@ -102,7 +102,7 @@ jobs:
           labels: |
             org.opencontainers.image.licenses=GPL-3.0-or-later
       - name: Migration image build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           file: Dockerfile