Skip to content

Re-base fork onto upstream/main + REST SSL/TLS config#6

Open
mmaslankaprv wants to merge 152 commits into
mainfrom
rebase/upstream-main
Open

Re-base fork onto upstream/main + REST SSL/TLS config#6
mmaslankaprv wants to merge 152 commits into
mainfrom
rebase/upstream-main

Conversation

@mmaslankaprv

Copy link
Copy Markdown
Member

What & why

Re-bases the redpanda fork onto Apache upstream/main (9bf1ba1b). The fork had branched from a pre-v0.3.0 upstream commit and accumulated 31 patches, most of which upstream has since re-implemented independently. Rather than a literal git rebase (a conflict storm over duplicate/obsolete work), this takes upstream/main as the new base and re-applies only the fork's one genuinely-unique, still-wanted feature: REST HTTP client SSL/TLS configuration.

Note: this is a large diff — it brings in ~140 upstream commits (SQL/Hive catalogs, Puffin, metrics, MOR deletes, streaming/S3 FileIO, upstream's own SigV4 + session-aware REST catalog, v3 types, …) on top of the fork's old base.

Carried over (the unique feature)

  • REST SSL/TLS config: SslConfig{verify, ca_info, ca_path, crl_file} + SslConfigFromProperties() parser, applied via cpr::SslOptions on every request, threaded from catalog properties ssl.verify / ssl.ca-info / ssl.ca-path / ssl.crl-file at all three HttpClient construction sites. Secure by default (verify=true; disabled only on exact "false").
  • CI: one SigV4 + REST build/test job (intentionally overlaps upstream's aws_test.yml).

Dropped (upstream supersedes)

Testing

rest_catalog_test passes 319/319 under a clean -Werror build (incl. 4 new SslConfigFromPropertiesTest cases); clang-format --dry-run --Werror clean on all touched files. Wire-level TLS (bad-cert rejection, custom CA) needs a live HTTPS server and is out of automated scope; the property→config→cpr mapping is unit-covered.

Design / plan

See docs/superpowers/specs/2026-07-01-rebase-fork-on-upstream-design.md and docs/superpowers/plans/2026-07-01-rebase-fork-on-upstream.md.

MisterRaindrop and others added 30 commits April 16, 2026 23:12
…check) (apache#618)

Adding these 3 checks for all apache/iceberg* repos as part of
apache/iceberg#15742
Part of apache/iceberg#16000

Gets rid of `zizmor: ignore[cache-poisoning]`, its low confidence. 
Set `min-severity: medium` and `min-confidence: medium` in
`.github/workflows/zizmor.yml`


Validated locally:
```
GH_TOKEN=`gh auth token` uvx zizmor --min-severity medium --min-confidence medium .github/
```
…#622)

Bumps
[actions/upload-artifact](https://github.com/actions/upload-artifact)
from 7.0.0 to 7.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update the readme with direct upload details by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/795">actions/upload-artifact#795</a></li>
<li>Readme: bump all the example versions to v7 by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/796">actions/upload-artifact#796</a></li>
<li>Include changes in typespec/ts-http-runtime 0.3.5 by <a
href="https://github.com/yacaovsnc"><code>@​yacaovsnc</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/797">actions/upload-artifact#797</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v7...v7.0.1">https://github.com/actions/upload-artifact/compare/v7...v7.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"><code>043fb46</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/797">#797</a>
from actions/yacaovsnc/update-dependency</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/634250c1388765ea7ed0f053e636f1f399000b94"><code>634250c</code></a>
Include changes in typespec/ts-http-runtime 0.3.5</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/e454baaac2be505c9450e11b8f3215c6fc023ce8"><code>e454baa</code></a>
Readme: bump all the example versions to v7 (<a
href="https://redirect.github.com/actions/upload-artifact/issues/796">#796</a>)</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/74fad66b98a6d799dc004d3353ccd0e6f6b2530e"><code>74fad66</code></a>
Update the readme with direct upload details (<a
href="https://redirect.github.com/actions/upload-artifact/issues/795">#795</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=7.0.0&new-version=7.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This commit implements the retry for transaction commits. It introduces
a generic RetryRunner utility with exponential backoff and error-kind
filtering, and integrates it into Transaction::Commit() to automatically
refresh table metadata and retry on commit conflicts.
Co-authored-by: Kevin Liu <kevinjqliu@users.noreply.github.com>
)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 4.35.1 to 4.35.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.35.2</h2>
<ul>
<li>The undocumented TRAP cache cleanup feature that could be enabled
using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment
variable is deprecated and will be removed in May 2026. If you are
affected by this, we recommend disabling TRAP caching by passing the
<code>trap-caching: false</code> input to the <code>init</code> Action.
<a
href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li>
<li>The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules. <a
href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li>
<li>Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal. <a
href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li>
<li>Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.35.2 - 15 Apr 2026</h2>
<ul>
<li>The undocumented TRAP cache cleanup feature that could be enabled
using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment
variable is deprecated and will be removed in May 2026. If you are
affected by this, we recommend disabling TRAP caching by passing the
<code>trap-caching: false</code> input to the <code>init</code> Action.
<a
href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li>
<li>The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules. <a
href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li>
<li>Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal. <a
href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li>
<li>Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li>
</ul>
<h2>4.35.1 - 27 Mar 2026</h2>
<ul>
<li>Fix incorrect minimum required Git version for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li>
</ul>
<h2>4.35.0 - 27 Mar 2026</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li>
</ul>
<h2>4.34.1 - 20 Mar 2026</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>4.34.0 - 20 Mar 2026</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>4.33.0 - 16 Mar 2026</h2>
<ul>
<li>
<p>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></p>
<p>To opt out of this change:</p>
<ul>
<li><strong>Repositories owned by an organization:</strong> Create a
custom repository property with the name
<code>github-codeql-file-coverage-on-prs</code> and the type
&quot;True/false&quot;, then set this property to <code>true</code> in
the repository's settings. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>.
Alternatively, if you are using an advanced setup workflow, you can set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using default setup:</strong> Switch
to an advanced setup workflow and set the
<code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to
<code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using advanced setup:</strong> Set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
</ul>
</li>
<li>
<p>Fixed <a
href="https://redirect.github.com/github/codeql-action/issues/3555">a
bug</a> which caused the CodeQL Action to fail loading repository
properties if a &quot;Multi select&quot; repository property was
configured for the repository. <a
href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></p>
</li>
<li>
<p>The CodeQL Action now loads <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom
repository properties</a> on GitHub Enterprise Server, enabling the
customization of features such as
<code>github-codeql-disable-overlay</code> that was previously only
available on GitHub.com. <a
href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></p>
</li>
<li>
<p>Once <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a> can be configured with OIDC-based authentication
for organizations, the CodeQL Action will now be able to accept such
configurations. <a
href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></p>
</li>
<li>
<p>Fixed the retry mechanism for database uploads. Previously this would
fail with the error &quot;Response body object should not be disturbed
or locked&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></p>
</li>
<li>
<p>A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></p>
</li>
</ul>
<h2>4.32.6 - 05 Mar 2026</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/95e58e9a2cdfd71adc6e0353d5c52f41a045d225"><code>95e58e9</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3824">#3824</a>
from github/update-v4.35.2-d2e135a73</li>
<li><a
href="https://github.com/github/codeql-action/commit/6f31bfe060e817d81e938dbec767969d20031e25"><code>6f31bfe</code></a>
Update changelog for v4.35.2</li>
<li><a
href="https://github.com/github/codeql-action/commit/d2e135a73a39154e3a231aeb49163c4661c5b8b1"><code>d2e135a</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3823">#3823</a>
from github/update-bundle/codeql-bundle-v2.25.2</li>
<li><a
href="https://github.com/github/codeql-action/commit/60abb65df09fcf213c398e064c8a80db1f15cdaf"><code>60abb65</code></a>
Add changelog note</li>
<li><a
href="https://github.com/github/codeql-action/commit/5a0a562209255e956ad8aafcee303294e64eefa2"><code>5a0a562</code></a>
Update default bundle to codeql-bundle-v2.25.2</li>
<li><a
href="https://github.com/github/codeql-action/commit/65216971a11ded447a6b76263d5a144519e5eee1"><code>6521697</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3820">#3820</a>
from github/dependabot/github_actions/dot-github/wor...</li>
<li><a
href="https://github.com/github/codeql-action/commit/3c45af2dd258e1623af1898da5c86545b514e028"><code>3c45af2</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3821">#3821</a>
from github/dependabot/npm_and_yarn/npm-minor-345b93...</li>
<li><a
href="https://github.com/github/codeql-action/commit/f1c339364c12f922998186ed897e45e3b4ae8874"><code>f1c3393</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/1024fc496c87e944a93e98d8cf2c09e2c7602a30"><code>1024fc4</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/9dd4cfed96030ccdfe1af4daf7a7964322704fed"><code>9dd4cfe</code></a>
Bump the npm-minor group across 1 directory with 6 updates</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...95e58e9a2cdfd71adc6e0353d5c52f41a045d225">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=4.35.1&new-version=4.35.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e#630)

Bumps
[zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action)
from 0.5.2 to 0.5.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/zizmorcore/zizmor-action/releases">zizmorcore/zizmor-action's
releases</a>.</em></p>
<blockquote>
<h2>v0.5.3</h2>
<h2>What's Changed</h2>
<ul>
<li><code>1.24.0</code> and <code>1.24.1</code> are now available via
the action</li>
<li><code>1.24.1</code> is now the default version of zizmor used by the
action</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/zizmorcore/zizmor-action/compare/v0.5.2...v0.5.3">https://github.com/zizmorcore/zizmor-action/compare/v0.5.2...v0.5.3</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/b1d7e1fb5de872772f31590499237e7cce841e8e"><code>b1d7e1f</code></a>
Sync zizmor versions (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/102">#102</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/a195b57475917ddcb70845e5ffe1c3a15dbbdedc"><code>a195b57</code></a>
Sync zizmor versions (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/100">#100</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/629d5d01fe5939a6aeae25c1bd1acd2cfa28e9b2"><code>629d5d0</code></a>
chore(deps): bump github/codeql-action in the github-actions group (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/99">#99</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/453d591467e8199b1d5c6883b6ec5c22a12aac72"><code>453d591</code></a>
chore(deps): bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/98">#98</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/ea2c18b942410df0b22bed3b94c361c407518d45"><code>ea2c18b</code></a>
Bump pins (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/97">#97</a>)</li>
<li>See full diff in <a
href="https://github.com/zizmorcore/zizmor-action/compare/71321a20a9ded102f6e9ce5718a2fcec2c4f70d8...b1d7e1fb5de872772f31590499237e7cce841e8e">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zizmorcore/zizmor-action&package-manager=github_actions&previous-version=0.5.2&new-version=0.5.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…apache#636)

Bumps
[mozilla-actions/sccache-action](https://github.com/mozilla-actions/sccache-action)
from 0.0.9 to 0.0.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/mozilla-actions/sccache-action/releases">mozilla-actions/sccache-action's
releases</a>.</em></p>
<blockquote>
<h2>v0.0.10</h2>
<h2>What's Changed</h2>
<ul>
<li>Use tar on all platforms by <a
href="https://github.com/brianmichel"><code>@​brianmichel</code></a> in
<a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/193">Mozilla-Actions/sccache-action#193</a></li>
<li>Bump eslint-plugin-prettier from 5.2.3 to 5.2.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/196">Mozilla-Actions/sccache-action#196</a></li>
<li>Bump typescript from 5.7.2 to 5.8.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/195">Mozilla-Actions/sccache-action#195</a></li>
<li>Bump <code>@​types/node</code> from 22.13.0 to 22.13.17 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/194">Mozilla-Actions/sccache-action#194</a></li>
<li>Bump undici from 5.28.5 to 5.29.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/204">Mozilla-Actions/sccache-action#204</a></li>
<li>Bump eslint-config-prettier from 9.1.0 to 10.1.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/201">Mozilla-Actions/sccache-action#201</a></li>
<li>Bump ts-jest from 29.2.6 to 29.3.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/200">Mozilla-Actions/sccache-action#200</a></li>
<li>Bump eslint-plugin-prettier from 5.2.5 to 5.5.4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/221">Mozilla-Actions/sccache-action#221</a></li>
<li>Bump eslint-config-prettier from 10.1.2 to 10.1.8 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/214">Mozilla-Actions/sccache-action#214</a></li>
<li>Bump the github-actions group across 1 directory with 2 updates by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/220">Mozilla-Actions/sccache-action#220</a></li>
<li>Add job id to annotation title by <a
href="https://github.com/wetheredge"><code>@​wetheredge</code></a> in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/212">Mozilla-Actions/sccache-action#212</a></li>
<li>Bump <code>@​actions/io</code> from 1.1.3 to 2.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/228">Mozilla-Actions/sccache-action#228</a></li>
<li>Bump eslint-plugin-import from 2.31.0 to 2.32.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/227">Mozilla-Actions/sccache-action#227</a></li>
<li>Bump actions/setup-node from 5 to 6 in the github-actions group by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/226">Mozilla-Actions/sccache-action#226</a></li>
<li>Bump <code>@​actions/github</code> from 6.0.0 to 6.0.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/233">Mozilla-Actions/sccache-action#233</a></li>
<li>Bump minimatch by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/239">Mozilla-Actions/sccache-action#239</a></li>
<li>Bump actions/checkout from 5 to 6 in the github-actions group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/232">Mozilla-Actions/sccache-action#232</a></li>
<li>Bump ts-jest from 29.3.2 to 29.4.6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/240">Mozilla-Actions/sccache-action#240</a></li>
<li>Bump to <code>node24</code> by <a
href="https://github.com/cakebaker"><code>@​cakebaker</code></a> in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/245">Mozilla-Actions/sccache-action#245</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/248">Mozilla-Actions/sccache-action#248</a></li>
<li>Bump picomatch from 2.3.1 to 2.3.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/249">Mozilla-Actions/sccache-action#249</a></li>
<li>Bump handlebars from 4.7.8 to 4.7.9 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/250">Mozilla-Actions/sccache-action#250</a></li>
<li>Fix code block formatting in README.md by <a
href="https://github.com/baseplate-admin"><code>@​baseplate-admin</code></a>
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/246">Mozilla-Actions/sccache-action#246</a></li>
<li>Bump js-yaml from 3.14.1 to 3.14.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/231">Mozilla-Actions/sccache-action#231</a></li>
<li>prepare version 0.0.10 by <a
href="https://github.com/sylvestre"><code>@​sylvestre</code></a> in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/251">Mozilla-Actions/sccache-action#251</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/brianmichel"><code>@​brianmichel</code></a>
made their first contribution in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/193">Mozilla-Actions/sccache-action#193</a></li>
<li><a
href="https://github.com/wetheredge"><code>@​wetheredge</code></a> made
their first contribution in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/212">Mozilla-Actions/sccache-action#212</a></li>
<li><a
href="https://github.com/baseplate-admin"><code>@​baseplate-admin</code></a>
made their first contribution in <a
href="https://redirect.github.com/Mozilla-Actions/sccache-action/pull/246">Mozilla-Actions/sccache-action#246</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Mozilla-Actions/sccache-action/compare/v0.0.9...v0.0.10">https://github.com/Mozilla-Actions/sccache-action/compare/v0.0.9...v0.0.10</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/9e7fa8a12102821edf02ca5dbea1acd0f89a2696"><code>9e7fa8a</code></a>
Merge pull request <a
href="https://redirect.github.com/mozilla-actions/sccache-action/issues/251">#251</a>
from sylvestre/ver</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/3ca012d1e0c8c9f363fd709c2a022f9d0c3d6f85"><code>3ca012d</code></a>
prepare version 0.0.10</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/7cf164359ee744609be2e8d4e59b7b4473ba6ffb"><code>7cf1643</code></a>
Merge pull request <a
href="https://redirect.github.com/mozilla-actions/sccache-action/issues/231">#231</a>
from Mozilla-Actions/dependabot/npm_and_yarn/js-yaml-...</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/b2be80214f85674195e711d442be22eb18fbbcb9"><code>b2be802</code></a>
Merge pull request <a
href="https://redirect.github.com/mozilla-actions/sccache-action/issues/246">#246</a>
from baseplate-admin/patch-1</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/84812a50fb0ca74b852818a3cfe4d0f8a7e4c15a"><code>84812a5</code></a>
Merge pull request <a
href="https://redirect.github.com/mozilla-actions/sccache-action/issues/250">#250</a>
from Mozilla-Actions/dependabot/npm_and_yarn/handleba...</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/4e283182f1d6aa05fb561228d8904773db2ff12e"><code>4e28318</code></a>
Merge pull request <a
href="https://redirect.github.com/mozilla-actions/sccache-action/issues/249">#249</a>
from Mozilla-Actions/dependabot/npm_and_yarn/picomatc...</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/cfa813ebe3578b37ef0887b18e687d25be872c6e"><code>cfa813e</code></a>
Merge pull request <a
href="https://redirect.github.com/mozilla-actions/sccache-action/issues/248">#248</a>
from Mozilla-Actions/dependabot/npm_and_yarn/flatted-...</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/ef3762b447d7b4f49d5ffa178b103427dbb0b08b"><code>ef3762b</code></a>
Merge pull request <a
href="https://redirect.github.com/mozilla-actions/sccache-action/issues/245">#245</a>
from cakebaker/bump_to_node24</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/919bfb6881255cec28fda6ade2b0deedb5273356"><code>919bfb6</code></a>
Bump handlebars from 4.7.8 to 4.7.9</li>
<li><a
href="https://github.com/Mozilla-Actions/sccache-action/commit/167904be3a121ef63c7eba0472d6bb5475f2c4b9"><code>167904b</code></a>
Bump picomatch from 2.3.1 to 2.3.2</li>
<li>Additional commits viewable in <a
href="https://github.com/mozilla-actions/sccache-action/compare/7d986dd989559c6ecdb630a3fd2557667be217ad...9e7fa8a12102821edf02ca5dbea1acd0f89a2696">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mozilla-actions/sccache-action&package-manager=github_actions&previous-version=0.0.9&new-version=0.0.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…pache#635)

1. Update the shared installation interface to depend on the static
nanoarrow target, since vendored libraries are built only as static
artifacts(see prepare_fetchcontent).

2. Switch the example build to use shared libraries to surface linkage
issues. This revealed that `TableScanBuilder` symbols are not exported.
Explicitly export the `TableScanBuilder` template instantiations so that
shared-library consumers can successfully link against `Build()`.
Move data writers, deletes/, and puffin/ into a separate `iceberg_data`
library that links the existing `iceberg` target. `delete_file_index`
stays in `iceberg` because manifest_group embeds
DeleteFileIndex::Builder with only core dependencies.

* `iceberg` — unchanged target name for metadata/planning, expressions,
manifests, catalog (incl. in-memory), utilities, file I/O abstractions,
and delete_file_index.

* `iceberg_data` — data/, deletes/, puffin/; links `iceberg`.

`iceberg_bundle` links `iceberg_data` when the bundle is built.
`iceberg_rest` links `iceberg` and cpr only.
Replace hardcoded vcvarsall.bat path with the Apache-approved
ilammy/msvc-dev-cmd action so builds work across VS image layouts.
Similar to apache/iceberg#16229

The workflow files use SHA-pinned actions (immutable), but the
human-readable comments referenced only major versions (e.g., `# v6`, `#
v5`).
**When maintainers move these mutable tags to a new commit, zizmor fails
in CI because the SHA no longer matches the stated tag.**
Introduce InputFile/OutputFile stream APIs and Arrow IO adapters so
bundled Avro/Parquet readers and writers can work with generic FileIO
implementations.
Adds delete filter support for merge-on-read data batches, including
position deletes, equality deletes, dropped-field lookup through
historic schemas, optional delete counting, and required schema
expansion.
)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 4.35.2 to 4.35.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.35.3</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3">2.25.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3865">#3865</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3">2.25.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3865">#3865</a></li>
</ul>
<h2>4.35.2 - 15 Apr 2026</h2>
<ul>
<li>The undocumented TRAP cache cleanup feature that could be enabled
using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment
variable is deprecated and will be removed in May 2026. If you are
affected by this, we recommend disabling TRAP caching by passing the
<code>trap-caching: false</code> input to the <code>init</code> Action.
<a
href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li>
<li>The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules. <a
href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li>
<li>Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal. <a
href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li>
<li>Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li>
</ul>
<h2>4.35.1 - 27 Mar 2026</h2>
<ul>
<li>Fix incorrect minimum required Git version for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li>
</ul>
<h2>4.35.0 - 27 Mar 2026</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li>
</ul>
<h2>4.34.1 - 20 Mar 2026</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>4.34.0 - 20 Mar 2026</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>4.33.0 - 16 Mar 2026</h2>
<ul>
<li>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/e46ed2cbd01164d986452f91f178727624ae40d7"><code>e46ed2c</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3867">#3867</a>
from github/update-v4.35.3-8c6e48dbe</li>
<li><a
href="https://github.com/github/codeql-action/commit/b73d1d163446ca5e62b96698027210ab41df6a4a"><code>b73d1d1</code></a>
Add changelog entry for <a
href="https://redirect.github.com/github/codeql-action/issues/3853">#3853</a></li>
<li><a
href="https://github.com/github/codeql-action/commit/24e0bb00a931e2a5edb703ce3b22a70f3a3e800b"><code>24e0bb0</code></a>
Reorder changelog entries</li>
<li><a
href="https://github.com/github/codeql-action/commit/ec298daba71cf7592feacbd1c0887cddc0659f62"><code>ec298da</code></a>
Update changelog for v4.35.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/8c6e48dbe051ceb3015c19554831af1b43275f46"><code>8c6e48d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3865">#3865</a>
from github/update-bundle/codeql-bundle-v2.25.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/719098349ea5beae8aa364bf9b71ff1c8d937df2"><code>7190983</code></a>
Add changelog note</li>
<li><a
href="https://github.com/github/codeql-action/commit/2bb209555a024d051f6271c8a846b402497f9445"><code>2bb2095</code></a>
Update default bundle to codeql-bundle-v2.25.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/7851e55dc3be31ec4bcc3ef98453de2cb306e698"><code>7851e55</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3850">#3850</a>
from github/mbg/private-registry/cloudsmith-gcp</li>
<li><a
href="https://github.com/github/codeql-action/commit/262a15f6cf4c7a43d6a38ad76392e5e2d4977751"><code>262a15f</code></a>
Add generic non-printable chars test for OIDC configs</li>
<li><a
href="https://github.com/github/codeql-action/commit/a6109b1c07173a53ece3d179a925ff9644d1fabd"><code>a6109b1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3853">#3853</a>
from github/mbg/start-proxy/improved-checks</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/95e58e9a2cdfd71adc6e0353d5c52f41a045d225...e46ed2cbd01164d986452f91f178727624ae40d7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=4.35.2&new-version=4.35.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 4.35.3 to 4.35.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.35.4</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<ul>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3">2.25.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3865">#3865</a></li>
</ul>
<h2>4.35.2 - 15 Apr 2026</h2>
<ul>
<li>The undocumented TRAP cache cleanup feature that could be enabled
using the <code>CODEQL_ACTION_CLEANUP_TRAP_CACHES</code> environment
variable is deprecated and will be removed in May 2026. If you are
affected by this, we recommend disabling TRAP caching by passing the
<code>trap-caching: false</code> input to the <code>init</code> Action.
<a
href="https://redirect.github.com/github/codeql-action/pull/3795">#3795</a></li>
<li>The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules. <a
href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li>
<li>Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal. <a
href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li>
<li>Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3807">#3807</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2">2.25.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3823">#3823</a></li>
</ul>
<h2>4.35.1 - 27 Mar 2026</h2>
<ul>
<li>Fix incorrect minimum required Git version for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li>
</ul>
<h2>4.35.0 - 27 Mar 2026</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li>
</ul>
<h2>4.34.1 - 20 Mar 2026</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>4.34.0 - 20 Mar 2026</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/68bde559dea0fdcac2102bfdf6230c5f70eb485e"><code>68bde55</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3885">#3885</a>
from github/update-v4.35.4-803d9e8c3</li>
<li><a
href="https://github.com/github/codeql-action/commit/9739ad2d182c072da0d01a6887f7f39620f71b1e"><code>9739ad2</code></a>
Update changelog for v4.35.4</li>
<li><a
href="https://github.com/github/codeql-action/commit/803d9e8c3ca8b0dd2029a1da3b541a18b6bfb076"><code>803d9e8</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3883">#3883</a>
from github/mbg/test/macro-wrapper</li>
<li><a
href="https://github.com/github/codeql-action/commit/0fd9c7d1358a7404e46ed8165f12262f56bd1434"><code>0fd9c7d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3882">#3882</a>
from github/dependabot/github_actions/dot-github/wor...</li>
<li><a
href="https://github.com/github/codeql-action/commit/922d6fb888d665134eb982b150b8912dbd48e21a"><code>922d6fb</code></a>
Use <code>makeMacro</code> instead of <code>test.macro</code></li>
<li><a
href="https://github.com/github/codeql-action/commit/df77e87896689b5c736433984c5df14d86c63d56"><code>df77e87</code></a>
Update test macro snippet</li>
<li><a
href="https://github.com/github/codeql-action/commit/6e3f985e4fc409a188c7701b68c4dec158c9ced3"><code>6e3f985</code></a>
Add wrapper for <code>test.macro</code></li>
<li><a
href="https://github.com/github/codeql-action/commit/e7a347dfb1bfb7a858347623fcb4f650effca6b5"><code>e7a347d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3881">#3881</a>
from github/update-bundle/codeql-bundle-v2.25.4</li>
<li><a
href="https://github.com/github/codeql-action/commit/17eabb2500031486a71e00ecbcb72c73804a6c9f"><code>17eabb2</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/aaef09c48db2dd7f0100363de1785963a34cd706"><code>aaef09c</code></a>
Bump ruby/setup-ruby</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/e46ed2cbd01164d986452f91f178727624ae40d7...68bde559dea0fdcac2102bfdf6230c5f70eb485e">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=4.35.3&new-version=4.35.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Update the Meson project version from 0.2.0 to 0.3.0 to match the CMake project version.
## Summary

- keep `UseRef()` snapshot IDs as `int64_t` while resolving refs
- add a regression test for a ref pointing at `INT32_MAX + 42`

## Root Cause

`TableScanBuilder::UseRef()` copied `SnapshotRef::snapshot_id` into an
`int32_t`, even though snapshot IDs are modeled as `int64_t` in refs,
metadata lookup, and scan context.

## Testing

- `uvx cmake --build build --target scan_test -j 8`
- `./build/src/iceberg/test/scan_test
--gtest_filter=*UseRefPreservesInt64SnapshotIds*`
- `./build/src/iceberg/test/scan_test`

Fixes apache#660
…pache#652)

Implement two manifest management classes for table write operations:

- ManifestFilterManager: filters manifest entries by row filter
expression, file path, or partition value; supports
FailMissingDeletePaths validation. Rewrites manifests that contain
matching files, marking entries as DELETED; passes through manifests
that cannot contain matching files unchanged.

- ManifestMergeManager: merges small manifests using greedy bin-packing,
grouping by partition_spec_id (manifests with different specs are never
merged). Oversized manifests pass through unchanged. ADDED entries from
prior manifests become EXISTING when merged (matching Java semantics).
dependabot Bot and others added 12 commits June 29, 2026 10:27
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3
to 7.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>block checking out fork pr for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
<li>getting ready for checkout v7 release by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2464">actions/checkout#2464</a></li>
<li>update error wording by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2467">actions/checkout#2467</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.3...v7.0.0">https://github.com/actions/checkout/compare/v6.0.3...v7.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v7.0.0</h2>
<ul>
<li>Block checking out fork PR for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
</ul>
<h2>v6.0.3</h2>
<ul>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@​motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@​mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@​benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"><code>9c091bb</code></a>
update error wording (<a
href="https://redirect.github.com/actions/checkout/issues/2467">#2467</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/1044a6dea927916f2c38ba5aeffbc0a847b1221a"><code>1044a6d</code></a>
getting ready for checkout v7 release (<a
href="https://redirect.github.com/actions/checkout/issues/2464">#2464</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f0282184c7ce73ab54c7e4ab5a617122602e575f"><code>f028218</code></a>
Bump the minor-npm-dependencies group across 1 directory with 3 updates
(<a
href="https://redirect.github.com/actions/checkout/issues/2462">#2462</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/d914b262ffc244530a203ab40decab34c3abf34d"><code>d914b26</code></a>
upgrade module to esm and update dependencies (<a
href="https://redirect.github.com/actions/checkout/issues/2463">#2463</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/537c7ef99cef6e5ddb5e7ff5d16d14510503801d"><code>537c7ef</code></a>
Bump <code>@​actions/core</code> and <code>@​actions/tool-cache</code>
and Remove uuid (<a
href="https://redirect.github.com/actions/checkout/issues/2459">#2459</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/130a169078a413d3a5246a393625e8e742f387f6"><code>130a169</code></a>
Bump js-yaml from 4.1.0 to 4.2.0 (<a
href="https://redirect.github.com/actions/checkout/issues/2461">#2461</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/7d09575332117a40b46e5e020664df234cd416f3"><code>7d09575</code></a>
Bump flatted from 3.3.1 to 3.4.2 (<a
href="https://redirect.github.com/actions/checkout/issues/2460">#2460</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/0f9f3aa320cb53abeb534aeb54048075d9697a0e"><code>0f9f3aa</code></a>
Bump actions/publish-immutable-action (<a
href="https://redirect.github.com/actions/checkout/issues/2458">#2458</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f9e715a95fcd1f9253f77dd28f11e88d2d6460c7"><code>f9e715a</code></a>
block checking out fork pr for pull_request_target and workflow_run (<a
href="https://redirect.github.com/actions/checkout/issues/2454">#2454</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=6.0.3&new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#768)

## What
Add `/wd4251` and `/wd4275` in `meson.build`, applied only where the
compiler accepts them.

## Why
The MSVC build prints tens of thousands of lines of C4251/C4275 warnings
about exported classes (like `TableProperties` and `ConfigBase`/`Entry`)
that hold standard-library members. These are harmless when everything
is built as one DLL with one compiler, but they bury the warnings that
actually matter in the Windows logs. The flags are ignored on GCC and
Clang, which don't have these warnings.

For reference, the average Meson Windows build logs ~22k of these
warning lines (971 unique messages), drowning the handful of real
warnings in the same run:

https://github.com/apache/iceberg-cpp/actions/runs/27870777076/job/82482181520

Co-authored-by: Abanoub Doss <abanoub.doss@gmail.com>
## What
Add the `cl.exe` version to the Windows sccache cache key (and its
restore-keys prefix) in `test` and `sql_catalog_test`, so each MSVC
build keeps its own cache. On the `sql_catalog_test` matrix the suffix
stays empty for the non-Windows legs, so their keys don't change.

## Why
sccache decides whether a cached object is still valid from the compiler
binary. GitHub patches the Windows runner image regularly, roughly once
a week, and rolls each update out across the hosted fleet over a few
days rather than all at once. During that window back-to-back runs can
land on different `cl.exe` builds. When that happens the two builds
share one cache key and keep evicting each other, and a run on a newer
compiler restores the old cache, misses everything, and rebuilds the
whole stack (around 35 to 50 minutes). Putting the `cl.exe` version in
the key gives each compiler its own cache, so a run stays warm instead
of recompiling.

## Validation
On the `windows-2025` runner the resolve step read `cl.exe` as
19.51.36248, and the Windows `test` and `sql_catalog_test` builds passed
with the version in the key. The cache is only saved on `main`, so the
warm reuse shows up there rather than on a branch run.

Co-authored-by: Abanoub Doss <abanoub.doss@gmail.com>
…e#788)

Bumps
[zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action)
from 0.5.6 to 0.5.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/zizmorcore/zizmor-action/releases">zizmorcore/zizmor-action's
releases</a>.</em></p>
<blockquote>
<h2>v0.5.7</h2>
<p>1.26.1 is now available via the action
1.26.1 is now the default version of zizmor used by the action</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/192e21d79ab29983730a13d1382995c2307fbcaa"><code>192e21d</code></a>
Sync zizmor versions (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/127">#127</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/2720f2673c0b64a8656d08b009ac239b9383c0ae"><code>2720f26</code></a>
Update README.md with new actions/checkout version (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/126">#126</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/40b41b824eab0ad9c19ddf9856be25550729e6d8"><code>40b41b8</code></a>
chore(deps): bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/123">#123</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/a687b25bf3aa149153e80ed5f45292e47589888c"><code>a687b25</code></a>
chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 in the
github-ac...</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/64a6900ea7f40fab0caa7dcfc77b392d28fe0cb1"><code>64a6900</code></a>
add note to explain that the default value for
<code>online-checks</code> is different t...</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/14050abd109fcba34e6e2f31a723280997808e82"><code>14050ab</code></a>
chore(deps): bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/118">#118</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/ee9b4194a74f093e38908dbcfcb078f63eeef002"><code>ee9b419</code></a>
chore(deps): bump github/codeql-action in the github-actions group (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/116">#116</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/fddf2b4aa9bf29290c6bf9866e6d113b0cdf6f67"><code>fddf2b4</code></a>
Bump pins in README (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/115">#115</a>)</li>
<li>See full diff in <a
href="https://github.com/zizmorcore/zizmor-action/compare/5f14fd08f7cf1cb1609c1e344975f152c7ee938d...192e21d79ab29983730a13d1382995c2307fbcaa">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zizmorcore/zizmor-action&package-manager=github_actions&previous-version=0.5.6&new-version=0.5.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gang Wu <ustcwg@gmail.com>
…che#746)

Part 1 of a multi-part split of apache#730 (column default values, item 2 of
apache#637). The full
end-to-end implementation is in apache#731, kept open as the proof-of-concept;
this series
lands it in reviewable pieces.

This PR is the **schema foundation** — representing, serializing and
validating v3
column default values. It is purely additive and changes no read or
write behavior on
its own.

## What's in this PR

- **`SchemaField`** carries `initial-default` / `write-default`, stored
as
`std::shared_ptr<const Literal>` (immutable payload shared across
copies, like the
adjacent `type_`; the C++ analog of Java's `final Literal<?>`). They are
set via the
constructor. Getters return `std::optional<std::reference_wrapper<const
Literal>>` for
reading (the `Schema::FindFieldByName` idiom); `initial_default_ptr()` /
`write_default_ptr()` expose the shared pointer so a rebuilt field (e.g.
ID
  reassignment) shares the value instead of copying it.
- **JSON serde**: parse/write `initial-default` / `write-default` using
the existing
  single-value serialization (all primitive types).
- **`Schema::Validate`**: version-gates the `initial-default` to format
v3
(`kMinFormatVersionDefaultValues`) — it reinterprets how existing data
files are read,
so it requires the v3 reader contract. The `write-default` only affects
values written
going forward and is **not** version-gated (matching Java's
`Schema.checkCompatibility`,
which gates only the initial default). Both defaults are otherwise
validated to be
  non-null primitive literals matching the field type.
- **Generic projection**: a column missing from a data file with an
`initial-default`
maps to `FieldProjection::Kind::kDefault` carrying the literal (the
per-format readers
  consume this in the follow-up PRs).

## Follow-ups (stacked on this PR)

- read path — Parquet (`literal_util` + parquet
projection/materialization)
- read path — Avro
- schema evolution (`UpdateSchema` add/update column defaults)

## Testing

Added tests
This PR implements the RewriteFiles operation for the Iceberg C++
library.

## Changes

- Added RewriteFiles update class in src/iceberg/update/rewrite_files.h
and .cc
- Added RewriteFiles to the type forward declarations in
src/iceberg/type_fwd.h
- Registered RewiteFiles as a merging snapshot update in
src/iceberg/table.h and .cc
- Added RewriteFiles support in transaction (src/iceberg/transaction.h
and .cc)
- Added comprehensive tests in src/iceberg/test/rewrite_files_test.cc
- Added merge test for RewriteFiles in
src/iceberg/test/merging_snapshot_update_test.cc
## Summary

Adds `ArrowRowBuilder` (`arrow_row_builder_internal.h` /
`arrow_row_builder.cc`), a schema-driven RAII helper that materializes
in-memory rows into an Arrow `ArrowArray` (a struct batch) for an
arbitrary Iceberg schema. It wraps the nanoarrow boilerplate and exposes
per-column access plus typed append free functions, so metadata tables
(snapshots, history, manifests, …) can emit rows without re-implementing
it.

This is the first of a series splitting metadata-table support into
focused PRs; the `InMemoryBatchReader` and the `SnapshotsTable::Scan`
integration are intended to follow in separate PRs that build on this.

## What's included
- **`ArrowRowBuilder`** — a single RAII class (move-only) with
`Make(const Schema&)` and `Make(const ArrowSchema*)` overloads. Handles
the full nanoarrow lifecycle: `InitFromSchema` → `StartAppending` → …
append values … → `FinishBuilding` → `Release`. The `ArrowArray` is
guarded immediately after `InitFromSchema` so a failure in
`StartAppending` releases it automatically.
- **`ArrowArrayGuard::Release()`** — added to the existing guard so
other call sites (`position_delete_writer`, `manifest_adapter`) can
reuse the RAII-release pattern instead of manually managing nanoarrow
resources.
- **Free functions** in the `iceberg` namespace: `AppendNull`,
`AppendBoolean`, `AppendInt` (covers int32/int64/timestamp via
nanoarrow's int64), `AppendString`, `AppendStringMap`.
- The implementation lives at the **core** `iceberg` library level — it
only needs nanoarrow + `ToArrowSchema` (no Apache Arrow), matching peers
like `manifest_adapter` and `arrow_c_data_util`.
- Unit tests in `arrow_row_builder_test.cc` covering typed appends
(int32/string/int64/boolean/map), null handling for optional columns,
multi-entry/empty string maps, zero-row batches, and column-index
bounds. Compiled into the `iceberg-data-test` test target.

## Testing
- CMake (Ninja): `cmake --build build --target iceberg-data-test` then
ran the test binary — 5/5 `ArrowRowBuilderTest` tests pass. `ctest`
green.
- The test verifies output by importing the produced C-data into Apache
Arrow (`arrow::ImportRecordBatch`), so its target is under `USE_BUNDLE`.

## Notes
- The test is registered under CMake's bundle build only. The meson
build (which has no Apache Arrow/bundle layer) is left unchanged; the
core-only test target continues to build there.
- Developed with AI-assisted tooling, reviewed by the author.
Add a retryable validation error kind and use it for add-snapshot stale
sequence-number and stale first-row-id checks, matching Java Iceberg's
RetryableValidationException behavior.

Include the new retryable validation kind in commit retry policy, while
preserving normal validation failures for mixed/non-retryable builder
errors. Add focused v3 row-lineage tests for multi-file assignment,
branch commits, retry reassignment, stale snapshot validation, and
delete-manifest null first_row_id handling.
@mmaslankaprv mmaslankaprv force-pushed the rebase/upstream-main branch from a9afe70 to 0eaf7f6 Compare July 1, 2026 13:49
@mmaslankaprv mmaslankaprv force-pushed the rebase/upstream-main branch 2 times, most recently from 8dd5d30 to 00818da Compare July 1, 2026 14:07
merging_snapshot_update_test.cc called op->SetTargetBranch("audit"), a
method that does not exist on MergingSnapshotUpdate, breaking the CMake
-Werror build on upstream/main HEAD (introduced by apache#794). The real API for
targeting a branch is ToBranch(). Carry-patch until upstream fixes it.
@bharathv

bharathv commented Jul 1, 2026

Copy link
Copy Markdown

@mmaslankaprv there are conflicts.

Records origin/main as a parent using the 'ours' strategy so the tree
is kept identical to rebase/upstream-main. This branch re-applies the
redpanda fork patches on top of a newer upstream apache/iceberg-cpp;
merging it into main overrides main's diverged content without conflicts.
@mmaslankaprv

Copy link
Copy Markdown
Member Author

resolved

Upstream adopted a parquet::arrow::FileReader::Make overload returning
arrow::Result<...>, which Arrow 22 does not yet provide. Switch this one
call site to the older Status/out-param form via ICEBERG_ARROW_RETURN_NOT_OK.

The out-param form also compiles against newer Arrow that provides the
Result-returning overload, so the change is safe across versions.
The rebase onto upstream/main dropped the configurable token-refresh
margin; OAuth2AuthSession::CalculateRefreshDelay() hardcoded a 10%/5min
window. Restore the 0.3.2 behavior: refresh oauth2.token-refresh-margin-seconds
(default 300) before expiry.

- auth_properties: re-add kExpiryMarginSeconds entry + expiry_margin_seconds()
- auth_session: thread int64_t expiry_margin_seconds through MakeOAuth2 and
  Config; CalculateRefreshDelay now subtracts the configured margin
- auth_manager: pass config.expiry_margin_seconds() at both MakeOAuth2 sites

Oxla maps its SQL option oauth2_token_refresh_margin_seconds to this key.
@mmaslankaprv mmaslankaprv force-pushed the rebase/upstream-main branch from 0f97a4c to 13d4981 Compare July 2, 2026 09:45
The rebase onto upstream/main removed the ability to inject a FileIO into
RestCatalog; the catalog always built its own via MakeCatalogFileIO. Restore
an injection point for host-provided filesystems (e.g. Oxla's
IcebergArrowFileSystem).

- Add Make(config, std::shared_ptr<FileIO>) overload; the single-arg overload
  now delegates with a null FileIO, preserving today's behavior.
- When a non-null FileIO is injected, use it for the catalog and record
  use_injected_file_io_ so TableFileIO returns it for every table instead of
  building one from per-table storage config/credentials.
The earlier Arrow-22 fix switched unconditionally to the Status/out-param
FileReader::Make. That form is deprecated in Arrow 23.0.0, and the fork's CI
builds against a newer vendored Arrow with -Werror=deprecated-declarations,
so the build broke.

Guard the call on ARROW_VERSION_MAJOR: use the arrow::Result-returning
overload on Arrow >= 23 (matches upstream) and the out-parameter form on
Arrow 22 (needed by Oxla). Verified compiling against the vendored Arrow 24
with the CI -Werror flags.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.