container-registry · Vad1mo · Sep 3, 2025 · Sep 5, 2025 · Sep 5, 2025 · Sep 8, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -23,6 +23,16 @@ updates:
     schedule:
       interval: "weekly"
     labels:
-      - "release-note/update"
-
+      - "release-note/bump-version"
+      - "branch/main"
+
+  - package-ecosystem: "gomod"
+    directory: "/src"
+    schedule:
+      interval: "weekly"
+    target-branch: "release-2.14.0"
+    labels:
+      - "release-note/bump-version"
+      - "branch/release-2.14.0"
+
   # More will be needed
diff --git a/.github/release.yml b/.github/release.yml
@@ -31,6 +31,10 @@ changelog:
       labels:
         - release-note/deprecation
 
+    - title: Bump Component Version 🤖
+      labels:
+        - release-note/bump-version
+
     - title: Other Changes
       labels:
-        - "*"
+        - "*"
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -15,6 +15,8 @@ env:
    UI_BUILDER_VERSION: 1.6.0
 
 on:
+  # the paths-ignore is the same as the paths in pass-CI.yml, they should be synced together
+  # see https://web.archive.org/web/20230506145443/https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks#handling-skipped-but-required-checks
   pull_request:
     paths-ignore:
       - 'docs/**'
@@ -23,22 +25,29 @@ on:
       - '!tests/**.sh'
       - '!tests/apitests/**'
       - '!tests/ci/**'
+      - '!tests/resources/**'
+      - '!tests/robot-cases/**'
+      - '!tests/robot-cases/Group1-Nightly/**'
   push:
+    # the paths-ignore is the same as the paths in pass-CI.yml, they should be synced together
     paths-ignore:
       - 'docs/**'
       - '**.md'
       - 'tests/**'
       - '!tests/**.sh'
       - '!tests/apitests/**'
       - '!tests/ci/**'
+      - '!tests/resources/**'
+      - '!tests/robot-cases/**'
+      - '!tests/robot-cases/Group1-Nightly/**'
 
 jobs:
   UTTEST:
     env:
        UTTEST: true
     runs-on:
       #- self-hosted
-      - ubuntu-latest
+      - oracle-vm-24cpu-96gb-x86-64
     timeout-minutes: 100
     steps:
       - name: Set up Go 1.23
@@ -99,7 +108,7 @@ jobs:
       APITEST_DB: true
     runs-on:
       #- self-hosted
-      - ubuntu-latest
+      - oracle-vm-24cpu-96gb-x86-64
     timeout-minutes: 100
     steps:
       - name: Set up Go 1.23
@@ -149,7 +158,7 @@ jobs:
           bash ./tests/showtime.sh ./tests/ci/api_run.sh DB $IP
           df -h
       - name: upload_logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: db-api-harbor-logs.tar.gz
           path: /home/runner/work/harbor/harbor/src/github.com/goharbor/harbor/integration_logs.tar.gz
@@ -159,7 +168,7 @@ jobs:
       APITEST_DB: true
     runs-on:
       #- self-hosted
-      - ubuntu-latest
+      - oracle-vm-24cpu-96gb-x86-64
     timeout-minutes: 100
     steps:
       - name: Set up Go 1.23
@@ -209,7 +218,7 @@ jobs:
           bash ./tests/showtime.sh ./tests/ci/api_run.sh PROXY_CACHE $IP
           df -h
       - name: upload_logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: proxy-api-harbor-logs.tar.gz
           path: /home/runner/work/harbor/harbor/src/github.com/goharbor/harbor/integration_logs.tar.gz
@@ -219,7 +228,7 @@ jobs:
       APITEST_LDAP: true
     runs-on:
       #- self-hosted
-      - ubuntu-latest
+      - oracle-vm-24cpu-96gb-x86-64
     timeout-minutes: 100
     steps:
       - name: Set up Go 1.23
@@ -267,7 +276,7 @@ jobs:
           bash ./tests/showtime.sh ./tests/ci/api_run.sh LDAP $IP
           df -h
       - name: upload_logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: ldap-api-harbor-logs.tar.gz
           path: /home/runner/work/harbor/harbor/src/github.com/goharbor/harbor/integration_logs.tar.gz
@@ -277,7 +286,7 @@ jobs:
       OFFLINE: true
     runs-on:
       #- self-hosted
-      - ubuntu-latest
+      - oracle-vm-24cpu-96gb-x86-64
     timeout-minutes: 100
     steps:
       - name: Set up Go 1.23
@@ -329,10 +338,10 @@ jobs:
       UI_UT: true
     runs-on:
       #- self-hosted
-      - ubuntu-latest
+      - oracle-vm-24cpu-96gb-x86-64
     timeout-minutes: 100
     steps:
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version: '18'
       - uses: actions/checkout@v5

diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -13,10 +13,10 @@ jobs:
     env:
         BUILD_PACKAGE: true
     runs-on:
-      - ubuntu-22.04
+      - oracle-vm-24cpu-96gb-x86-64
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4.2.1
+        uses: aws-actions/configure-aws-credentials@v5.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

diff --git a/.github/workflows/conformance_test.yml b/.github/workflows/conformance_test.yml
@@ -15,10 +15,10 @@ jobs:
       CONFORMANCE_TEST: true
     runs-on:
       #- self-hosted
-      - ubuntu-latest
+      - oracle-vm-24cpu-96gb-x86-64
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4.2.1
+        uses: aws-actions/configure-aws-credentials@v5.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

diff --git a/.github/workflows/housekeeping-stale-issues-prs.yaml b/.github/workflows/housekeeping-stale-issues-prs.yaml
@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9.1.0
+      - uses: actions/stale@v10.0.0
-      - uses: actions/stale@v10.0.0
+      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f
-      - uses: actions/stale@v10.0.0
+      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f
         with:
           stale-issue-message: 'This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.'
           stale-pr-message: 'This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.'

diff --git a/.github/workflows/pass-CI.yml b/.github/workflows/pass-CI.yml
@@ -2,6 +2,7 @@ name: CI
 
 on:
   pull_request:
+    # the paths is the same as the paths-ignore in CI.yml, they should be synced together
     paths:
       - 'docs/**'
       - '**.md'
@@ -13,6 +14,7 @@ on:
       - '!tests/robot-cases/**'
       - '!tests/robot-cases/Group1-Nightly/**'
   push:
+    # the paths is the same as the paths-ignore in CI.yml, they should be synced together
     paths:
       - 'docs/**'
       - '**.md'

diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-22.04
+    runs-on: oracle-vm-24cpu-96gb-x86-64
     steps:
       - uses: actions/checkout@v5
       - name: Setup env
@@ -20,7 +20,7 @@ jobs:
           echo "BRANCH=$(echo $release | jq -r '.target_commitish')" >> $GITHUB_ENV
           echo "PRERELEASE=$(echo $release | jq -r '.prerelease')" >> $GITHUB_ENV
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4.2.1
+        uses: aws-actions/configure-aws-credentials@v5.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

diff --git a/README.md b/README.md
@@ -1,15 +1,13 @@
 # Harbor
-
-[![CI](https://github.com/goharbor/harbor/workflows/CI/badge.svg?branch=main&event=push)](https://github.com/goharbor/harbor/actions?query=event%3Apush+branch%3Amain+workflow%3ACI+)
-[![Coverage Status](https://codecov.io/gh/goharbor/harbor/branch/main/graph/badge.svg)](https://codecov.io/gh/goharbor/harbor)
+[![CI](https://github.com/goharbor/harbor/actions/workflows/CI.yml/badge.svg)](https://github.com/goharbor/harbor/actions/workflows/CI.yml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/goharbor/harbor)](https://goreportcard.com/report/github.com/goharbor/harbor)
+[![Coverage Status](https://codecov.io/gh/goharbor/harbor/branch/main/graph/badge.svg)](https://codecov.io/gh/goharbor/harbor)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2095/badge)](https://bestpractices.coreinfrastructure.org/projects/2095)
 [![Codacy Badge](https://app.codacy.com/project/badge/Grade/792fe1755edc4d6e91f4c3469f553389)](https://www.codacy.com/gh/goharbor/harbor/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=goharbor/harbor&amp;utm_campaign=Badge_Grade)
 ![Code scanning - action](https://github.com/goharbor/harbor/workflows/Code%20scanning%20-%20action/badge.svg)
-[![Nightly Status](https://us-central1-eminent-nation-87317.cloudfunctions.net/harbor-nightly-result)](https://www.googleapis.com/storage/v1/b/harbor-nightly/o)
-![CONFORMANCE_TEST](https://github.com/goharbor/harbor/workflows/CONFORMANCE_TEST/badge.svg)
+![OCI Distribution Conformance Tests](https://github.com/goharbor/harbor/workflows/CONFORMANCE_TEST/badge.svg)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fgoharbor%2Fharbor.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fgoharbor%2Fharbor?ref=badge_shield)
-[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/harbor)](https://artifacthub.io/packages/helm/harbor/harbor)
+[![Helm Chart on Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/harbor)](https://artifacthub.io/packages/helm/harbor/harbor)
 </br>
 
 |![notification](https://raw.githubusercontent.com/goharbor/website/master/docs/img/readme/bell-outline-badged.svg)Community Meeting|

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v2.14.0
+v2.15.0
diff --git a/api/v2.0/swagger.yaml b/api/v2.0/swagger.yaml
@@ -7321,6 +7321,10 @@ definitions:
         type: string
         description: 'The bandwidth limit of proxy cache, in Kbps (kilobits per second). It limits the communication between Harbor and the upstream registry, not the client and the Harbor.'
         x-nullable: true
+      max_upstream_conn:
+        type: string
+        description: 'The max connection per artifact to the upstream registry in current proxy cache project, if it is -1, no limit to upstream registry connections'
+        x-nullable: true
   ProjectSummary:
     type: object
     properties:

diff --git a/make/migrations/postgresql/0180_2.15.0_schema.up.sql b/make/migrations/postgresql/0180_2.15.0_schema.up.sql
@@ -0,0 +1,17 @@
+/*
+Initialize skip_audit_log_database configuration based on existing audit log usage - Only insert the configuration if it doesn't already exist
+1. If tables exist and show evidence of previous usage
+   set skip_audit_log_database to false
+2. If tables exist but show no evidence of usage, don't create the configuration record
+*/
+DO $$
+BEGIN
+    IF EXISTS (SELECT 1 FROM properties WHERE k = 'skip_audit_log_database') THEN
+        RETURN;
+    END IF;
+
+    IF (SELECT last_value FROM audit_log_id_seq) > 1
+       OR (SELECT last_value FROM audit_log_ext_id_seq) > 1 THEN
+        INSERT INTO properties (k, v) VALUES ('skip_audit_log_database', 'false');
+    END IF;
+END $$;
diff --git a/src/common/api/base.go b/src/common/api/base.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
+	"strings"
 
 	"github.com/beego/beego/v2/core/validation"
 	"github.com/beego/beego/v2/server/web"
@@ -98,11 +99,11 @@ func (b *BaseAPI) Validate(v any) (bool, error) {
 	}
 
 	if !isValid {
-		message := ""
+		var message strings.Builder
 		for _, e := range validator.Errors {
-			message += fmt.Sprintf("%s %s \n", e.Field, e.Message)
+			message.WriteString(fmt.Sprintf("%s %s \n", e.Field, e.Message))
 		}
-		return false, errors.New(message)
+		return false, errors.New(message.String())
 	}
 	return true, nil
 }

diff --git a/src/common/secret/request.go b/src/common/secret/request.go
@@ -31,8 +31,8 @@ func FromRequest(req *http.Request) string {
 		return ""
 	}
 	auth := req.Header.Get("Authorization")
-	if strings.HasPrefix(auth, HeaderPrefix) {
-		return strings.TrimPrefix(auth, HeaderPrefix)
+	if after, ok := strings.CutPrefix(auth, HeaderPrefix); ok {
+		return after
 	}
 	return ""
 }

diff --git a/src/controller/gc/controller.go b/src/controller/gc/controller.go
@@ -77,6 +77,7 @@ type controller struct {
 func (c *controller) Start(ctx context.Context, policy Policy, trigger string) (int64, error) {
 	para := make(map[string]any)
 	para["delete_untagged"] = policy.DeleteUntagged
+	para["delete_tag"] = policy.DeleteTag
 	para["dry_run"] = policy.DryRun
 	para["workers"] = policy.Workers
 	para["redis_url_reg"] = policy.ExtraAttrs["redis_url_reg"]
@@ -205,6 +206,7 @@ func (c *controller) GetSchedule(ctx context.Context) (*scheduler.Schedule, erro
 func (c *controller) CreateSchedule(ctx context.Context, cronType, cron string, policy Policy) (int64, error) {
 	extras := make(map[string]any)
 	extras["delete_untagged"] = policy.DeleteUntagged
+	extras["delete_tag"] = policy.DeleteTag
 	extras["workers"] = policy.Workers
 	return c.schedulerMgr.Schedule(ctx, job.GarbageCollectionVendorType, -1, cronType, cron, job.GarbageCollectionVendorType, policy, extras)
 }
@@ -234,6 +236,7 @@ func convertTask(task *task.Task) *Task {
 		StatusMessage:  task.StatusMessage,
 		RunCount:       task.RunCount,
 		DeleteUntagged: task.GetBoolFromExtraAttrs("delete_untagged"),
+		DeleteTag:      task.GetBoolFromExtraAttrs("delete_tag"),
 		DryRun:         task.GetBoolFromExtraAttrs("dry_run"),
 		Workers:        int(task.GetNumFromExtraAttrs("workers")),
 		JobID:          task.JobID,

diff --git a/src/controller/gc/controller_test.go b/src/controller/gc/controller_test.go
@@ -41,6 +41,7 @@ func (g *gcCtrTestSuite) TestStart() {
 	dataMap := make(map[string]any)
 	p := Policy{
 		DeleteUntagged: true,
+		DeleteTag:      true,
 		ExtraAttrs:     dataMap,
 	}
 	id, err := g.ctl.Start(nil, p, task.ExecutionTriggerManual)
@@ -149,6 +150,7 @@ func (g *gcCtrTestSuite) TestCreateSchedule() {
 	dataMap := make(map[string]any)
 	p := Policy{
 		DeleteUntagged: true,
+		DeleteTag:      true,
 		ExtraAttrs:     dataMap,
 		Workers:        3,
 	}

diff --git a/src/controller/gc/model.go b/src/controller/gc/model.go
@@ -22,6 +22,7 @@ import (
 type Policy struct {
 	Trigger        *Trigger       `json:"trigger"`
 	DeleteUntagged bool           `json:"deleteuntagged"`
+	DeleteTag      bool           `json:"deletetag"`
 	DryRun         bool           `json:"dryrun"`
 	Workers        int            `json:"workers"`
 	ExtraAttrs     map[string]any `json:"extra_attrs"`
@@ -60,6 +61,7 @@ type Task struct {
 	StatusMessage  string
 	RunCount       int32
 	DeleteUntagged bool
+	DeleteTag      bool
 	DryRun         bool
 	Workers        int
 	JobID          string

diff --git a/src/controller/registry/controller.go b/src/controller/registry/controller.go
@@ -214,7 +214,7 @@ func getWhitelistedAdapters(ctx context.Context) map[string]struct{} {
 		return nil
 	}
 	adapterWhitelist := make(map[string]struct{})
-	for _, adapter := range strings.Split(adapterWhitelistRaw, ",") {
+	for adapter := range strings.SplitSeq(adapterWhitelistRaw, ",") {
 		adapter = strings.TrimSpace(adapter)
 		if adapter != "" {
 			adapterWhitelist[adapter] = struct{}{}