Merge remote-tracking branch 'origin/main' into feat(webapp)-filters-update

Author: samejr

.github/VOUCHED.td

@@ -19,4 +19,5 @@ capaj
 chengzp
 bharathkumar39293
 bhekanik
-jrossi
+jrossi
+ThullyoCunha

.github/workflows/changesets-pr.yml

@@ -121,3 +121,35 @@ jobs:
           else
             echo "No changes to commit"
           fi
+
+  bump-chart-version:
+    name: Bump Helm chart version on release PR
+    runs-on: ubuntu-latest
+    needs: update-lockfile
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout release branch
+        uses: actions/checkout@v4
+        with:
+          ref: changeset-release/main
+
+      - name: Bump Chart.yaml
+        run: |
+          set -e
+          VERSION=$(jq -r '.version' packages/cli-v3/package.json)
+          sed -i "s/^version:.*/version: ${VERSION}/" ./hosting/k8s/helm/Chart.yaml
+          sed -i "s/^appVersion:.*/appVersion: v${VERSION}/" ./hosting/k8s/helm/Chart.yaml
+
+      - name: Commit and push Chart.yaml bump
+        run: |
+          set -e
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add hosting/k8s/helm/Chart.yaml
+          if ! git diff --cached --quiet; then
+            git commit -m "chore: bump helm chart version for release"
+            git push origin changeset-release/main
+          else
+            echo "Chart.yaml already at target version, no-op"
+          fi

.github/workflows/e2e-webapp.yml

@@ -0,0 +1,91 @@
+name: "🧪 E2E Tests: Webapp"
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+
+jobs:
+  e2eTests:
+    name: "🧪 E2E Tests: Webapp"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    env:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+    steps:
+      - name: 🔧 Disable IPv6
+        run: |
+          sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
+
+      - name: 🔧 Configure docker address pool
+        run: |
+          CONFIG='{
+            "default-address-pools" : [
+              {
+                "base" : "172.17.0.0/12",
+                "size" : 20
+              },
+              {
+                "base" : "192.168.0.0/16",
+                "size" : 24
+              }
+            ]
+          }'
+          mkdir -p /etc/docker
+          echo "$CONFIG" | sudo tee /etc/docker/daemon.json
+
+      - name: 🔧 Restart docker daemon
+        run: sudo systemctl restart docker
+
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: ⎔ Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - name: ⎔ Setup node
+        uses: buildjet/setup-node@v4
+        with:
+          node-version: 20.20.0
+          cache: "pnpm"
+
+      # ..to avoid rate limits when pulling images
+      - name: 🐳 Login to DockerHub
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🐳 Skipping DockerHub login (no secrets available)
+        if: ${{ !env.DOCKERHUB_USERNAME }}
+        run: echo "DockerHub login skipped because secrets are not available."
+
+      - name: 🐳 Pre-pull testcontainer images
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        run: |
+          echo "Pre-pulling Docker images with authenticated session..."
+          docker pull postgres:14
+          docker pull redis:7.2
+          docker pull testcontainers/ryuk:0.11.0
+          echo "Image pre-pull complete"
+
+      - name: 📥 Download deps
+        run: pnpm install --frozen-lockfile
+
+      - name: 📀 Generate Prisma Client
+        run: pnpm run generate
+
+      - name: 🏗️ Build Webapp
+        run: pnpm run build --filter webapp
+
+      - name: 🧪 Run Webapp E2E Tests
+        run: cd apps/webapp && pnpm exec vitest run --config vitest.e2e.config.ts --reporter=default
+        env:
+          WEBAPP_TEST_VERBOSE: "1"

.github/workflows/pr_checks.yml

@@ -6,6 +6,7 @@ on:
     paths-ignore:
       - "docs/**"
       - ".changeset/**"
+      - "hosting/**"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

.github/workflows/release-helm.yml

@@ -4,6 +4,12 @@ on:
   push:
     tags:
       - 'helm-v*'
+  workflow_call:
+    inputs:
+      chart_version:
+        description: 'Chart version to release'
+        required: true
+        type: string
   workflow_dispatch:
     inputs:
       chart_version:
@@ -86,8 +92,8 @@ jobs:
       - name: Extract version from tag or input
         id: version
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION="${{ github.event.inputs.chart_version }}"
+          if [ -n "${{ inputs.chart_version }}" ]; then
+            VERSION="${{ inputs.chart_version }}"
           else
             VERSION="${{ github.ref_name }}"
             VERSION="${VERSION#helm-v}"
@@ -122,9 +128,8 @@ jobs:
       - name: Create GitHub Release
         id: release
         uses: softprops/action-gh-release@v1
-        if: github.event_name == 'push'
         with:
-          tag_name: ${{ github.ref_name }}
+          tag_name: helm-v${{ steps.version.outputs.version }}
           name: "Helm Chart ${{ steps.version.outputs.version }}"
           body: |
             ### Installation

.github/workflows/release.yml

@@ -142,6 +142,13 @@ jobs:
           git tag "v.docker.${{ steps.get_version.outputs.package_version }}"
           git push origin "v.docker.${{ steps.get_version.outputs.package_version }}"
 
+      - name: Create and push Helm chart tag
+        if: steps.changesets.outputs.published == 'true'
+        run: |
+          set -e
+          git tag "helm-v${{ steps.get_version.outputs.package_version }}"
+          git push origin "helm-v${{ steps.get_version.outputs.package_version }}"
+
   # Trigger Docker builds directly via workflow_call since tags pushed with
   # GITHUB_TOKEN don't trigger other workflows (GitHub Actions limitation).
   publish-docker:
@@ -153,6 +160,21 @@ jobs:
     with:
       image_tag: v${{ needs.release.outputs.published_package_version }}
 
+  # Trigger Helm chart release directly via workflow_call (same GITHUB_TOKEN
+  # limitation as the Docker path). Runs after Docker images are published so
+  # the chart never references images that don't exist yet.
+  publish-helm:
+    name: 🧭 Publish Helm chart
+    needs: [release, publish-docker]
+    if: needs.release.outputs.published == 'true'
+    permissions:
+      contents: write
+      packages: write
+    uses: ./.github/workflows/release-helm.yml
+    secrets: inherit
+    with:
+      chart_version: ${{ needs.release.outputs.published_package_version }}
+
   # After Docker images are published, update the GitHub release with the exact GHCR tag URL.
   # The GHCR package version ID is only known after the image is pushed, so we query for it here.
   update-release:

.github/workflows/unit-tests.yml

@@ -10,6 +10,9 @@ jobs:
   webapp:
     uses: ./.github/workflows/unit-tests-webapp.yml
     secrets: inherit
+  e2e-webapp:
+    uses: ./.github/workflows/e2e-webapp.yml
+    secrets: inherit
   packages:
     uses: ./.github/workflows/unit-tests-packages.yml
     secrets: inherit

.server-changes/admin-back-office-rate-limit.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: feature
+---
+
+Add a "Back office" tab to `/admin` and a per-organization detail page at `/admin/back-office/orgs/:orgId`. The first action available on that page is editing the org's API rate limit: admins can save a `tokenBucket` override (refill rate, interval, max tokens) and see a plain-English preview of the resulting sustained rate and burst allowance. Writes are audit-logged via the server logger.

.server-changes/fix-realtime-fetch-signal-leak.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Fix RSS memory leak in the realtime proxy routes. `/realtime/v1/runs`, `/realtime/v1/runs/:id`, and `/realtime/v1/batches/:id` called `fetch()` into Electric with no abort signal, so when a client disconnected mid long-poll, undici kept the upstream socket open and buffered response chunks that would never be consumed — retained only in RSS, invisible to V8 heap tooling. Thread `getRequestAbortSignal()` through `RealtimeClient.streamRun/streamRuns/streamBatch` to `longPollingFetch` and cancel the upstream body in the error path. Isolated reproducer showed ~44 KB retained per leaked request; signal propagation releases it cleanly.

.server-changes/fix-sse-memory-leak.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Fix memory leak where every aborted SSE connection pinned the full request/response graph on Node 20, caused by `AbortSignal.any()` in `sse.ts` retaining its source signals indefinitely (see nodejs/node#54614, nodejs/node#55351). Also clear the `setTimeout(abort)` timer in `entry.server.tsx` so successful HTML renders don't pin the React tree for 30s per request.