Merge branch 'main' into rishabh-gupta/bug-consul-namespaces-disappearing

Author: rishabh-gupta-hashicorp

.changelog/22671.txt

@@ -0,0 +1,3 @@
+```release-note:security
+security: Fixed proxied URL path validation to prevent path traversal.
+```

.changelog/22752.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fixes the issue where when doing deletes of multiple tokens or policies, the three dots on the right hand side stops responding after the first delete.
+```

.changelog/22769.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+Added support to register a service in consul with multiple ports
+```

.changelog/22770.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities
+```

.github/workflows/build-distros.yml

@@ -18,7 +18,7 @@ env:
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  group: build-distros-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:

.github/workflows/go-tests.yml

@@ -25,7 +25,7 @@ env:
 
 # concurrency
 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  group: go-tests-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -562,6 +562,8 @@ jobs:
           # Capturing in an env var makes this safe against GHA shell injection via commit message.
           # See https://securitylab.github.com/research/github-actions-untrusted-input/
           COMMIT_MESSAGE_FULL: ${{ github.event.head_commit.message }}
+          # Capturing workflow name in env var to prevent shell injection
+          WORKFLOW_NAME: ${{ github.workflow }}
         run: |
           # if failure (not cancelled), notify Slack
           if printf '${{ toJSON(needs) }}' | grep -E -i '\"result\": \"(failure)\"'; then
@@ -574,7 +576,7 @@ jobs:
             # Send multi-line env var to GITHUB_ENV.
             # github.event.head_commit.message and github.ref_name both rely on this event occurring on a push / merge
             echo "SLACK_MESSAGE_RAW<<EOF" >> $GITHUB_ENV
-            echo "❌ ${{ github.workflow }} workflow failed:
+            echo "❌ ${WORKFLOW_NAME} workflow failed:
 
             - Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
             - Branch: ${{ github.ref_name }}

.github/workflows/security-scan.yml

@@ -20,7 +20,7 @@ on:
 
 # cancel existing runs of the same workflow on the same ref
 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  group: security-scan-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:

.github/workflows/test-integrations.yml

@@ -29,7 +29,7 @@ env:
   GOPRIVATE: github.com/hashicorp # Required for enterprise deps
 
 concurrency:
-  group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}"
+  group: "test-integrations-${{ github.head_ref || github.ref }}"
   cancel-in-progress: true
 
 jobs:

.release/security-scan.hcl

@@ -53,7 +53,8 @@ container {
 				"CVE-2025-25724",
 				"CVE-2025-3576",
 				"CVE-2025-8058",
-				"CVE-2024-23337", 
+				"CVE-2024-23337",
+				"CVE-2025-6395",
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",

Dockerfile

@@ -215,10 +215,9 @@ ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["agent", "-dev", "-client", "0.0.0.0"]
 
 
-
 # Red Hat UBI-based image
 # This target is used to build a Consul image for use on OpenShift.
-FROM registry.access.redhat.com/ubi9-minimal:latest as ubi
+FROM registry.access.redhat.com/ubi9-minimal:9.6 as ubi
 
 ARG PRODUCT_VERSION
 ARG PRODUCT_REVISION