VERSION.txt: this is 1.92.2

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>

.github/actions/go-cache/action.sh

@@ -1,54 +0,0 @@
-#!/usr/bin/env bash
-#
-# This script sets up cigocacher, but should never fail the build if unsuccessful.
-# It expects to run on a GitHub-hosted runner, and connects to cigocached over a
-# private Azure network that is configured at the runner group level in GitHub.
-#
-# Usage: ./action.sh
-# Inputs:
-#   URL: The cigocached server URL.
-#   HOST: The cigocached server host to dial.
-# Outputs:
-#   success: Whether cigocacher was set up successfully.
-
-set -euo pipefail
-
-if [ -z "${GITHUB_ACTIONS:-}" ]; then
-    echo "This script is intended to run within GitHub Actions"
-    exit 1
-fi
-
-if [ -z "${URL:-}" ]; then
-    echo "No cigocached URL is set, skipping cigocacher setup"
-    exit 0
-fi
-
-GOPATH=$(command -v go || true)
-if [ -z "${GOPATH}" ]; then
-  if [ ! -f "tool/go" ]; then
-    echo "Go not available, unable to proceed"
-    exit 1
-  fi
-  GOPATH="./tool/go"
-fi
-
-BIN_PATH="${RUNNER_TEMP:-/tmp}/cigocacher$(${GOPATH} env GOEXE)"
-if [ -d "cmd/cigocacher" ]; then
-  echo "cmd/cigocacher found locally, building from local source"
-  "${GOPATH}" build -o "${BIN_PATH}" ./cmd/cigocacher
-else
-  echo "cmd/cigocacher not found locally, fetching from tailscale.com/cmd/cigocacher"
-  "${GOPATH}" build -o "${BIN_PATH}" tailscale.com/cmd/cigocacher
-fi
-
-CIGOCACHER_TOKEN="$("${BIN_PATH}" --auth --cigocached-url "${URL}" --cigocached-host "${HOST}" )"
-if [ -z "${CIGOCACHER_TOKEN:-}" ]; then
-    echo "Failed to fetch cigocacher token, skipping cigocacher setup"
-    exit 0
-fi
-
-echo "Fetched cigocacher token successfully"
-echo "::add-mask::${CIGOCACHER_TOKEN}"
-
-echo "GOCACHEPROG=${BIN_PATH} --cache-dir ${CACHE_DIR} --cigocached-url ${URL} --cigocached-host ${HOST} --token ${CIGOCACHER_TOKEN}" >> "${GITHUB_ENV}"
-echo "success=true" >> "${GITHUB_OUTPUT}"

.github/actions/go-cache/action.yml

@@ -1,35 +0,0 @@
-name: go-cache
-description: Set up build to use cigocacher
-
-inputs:
-  cigocached-url:
-    description: URL of the cigocached server
-    required: true
-  cigocached-host:
-    description: Host to dial for the cigocached server
-    required: true
-  checkout-path:
-    description: Path to cloned repository
-    required: true
-  cache-dir:
-    description: Directory to use for caching
-    required: true
-
-outputs:
-  success:
-    description: Whether cigocacher was set up successfully
-    value: ${{ steps.setup.outputs.success }}
-
-runs:
-  using: composite
-  steps:
-    - name: Setup cigocacher
-      id: setup
-      shell: bash
-      env:
-        URL: ${{ inputs.cigocached-url }}
-        HOST: ${{ inputs.cigocached-host }}
-        CACHE_DIR: ${{ inputs.cache-dir }}
-      working-directory: ${{ inputs.checkout-path }}
-      # https://github.com/orgs/community/discussions/25910
-      run: $GITHUB_ACTION_PATH/action.sh

.github/workflows/checklocks.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Build checklocks
         run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks

.github/workflows/cigocacher.yml

@@ -1,73 +0,0 @@
-name: Build cigocacher
-
-on:
-  # Released on-demand. The commit will be used as part of the tag, so generally
-  # prefer to release from main where the commit is stable in linear history.
-  workflow_dispatch:
-
-jobs:
-  build:
-    strategy:
-      matrix:
-        GOOS: ["linux", "darwin", "windows"]
-        GOARCH: ["amd64", "arm64"]
-    runs-on: ubuntu-24.04
-    env:
-      GOOS: "${{ matrix.GOOS }}"
-      GOARCH: "${{ matrix.GOARCH }}"
-      CGO_ENABLED: "0"
-    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-    - name: Build
-      run: |
-        OUT="cigocacher$(./tool/go env GOEXE)"
-        ./tool/go build -o "${OUT}" ./cmd/cigocacher/
-        tar -zcf cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz "${OUT}"
-
-    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-      with:
-        name: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
-        path: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz
-
-  release:
-    runs-on: ubuntu-24.04
-    needs: build
-    permissions:
-      contents: write
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
-        with:
-          pattern: 'cigocacher-*'
-          merge-multiple: true
-      # This step is a simplified version of actions/create-release and
-      # actions/upload-release-asset, which are archived and unmaintained.
-      - name: Create release
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-
-            const { data: release } = await github.rest.repos.createRelease({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              tag_name: `cmd/cigocacher/${{ github.sha }}`,
-              name: `cigocacher-${{ github.sha }}`,
-              draft: false,
-              prerelease: true,
-              target_commitish: `${{ github.sha }}`
-            });
-
-            const files = fs.readdirSync('.').filter(f => f.endsWith('.tar.gz'));
-            
-            for (const file of files) {
-              await github.rest.repos.uploadReleaseAsset({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                release_id: release.id,
-                name: file,
-                data: fs.readFileSync(file)
-              });
-              console.log(`Uploaded ${file}`);
-            }

.github/workflows/codeql-analysis.yml

@@ -45,7 +45,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     # Install a more recent Go that understands modern go.mod content.
     - name: Install Go

.github/workflows/docker-base.yml

@@ -1,29 +0,0 @@
-name: "Validate Docker base image"
-on: 
-  workflow_dispatch:
-  pull_request:
-    paths:
-    - "Dockerfile.base"
-    - ".github/workflows/docker-base.yml"
-jobs:
-  build-and-test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-    - name: "build and test"
-      run: |
-        set -e
-        IMG="test-base:$(head -c 8 /dev/urandom | xxd -p)"
-        docker build -t "$IMG" -f Dockerfile.base .
-
-        iptables_version=$(docker run --rm "$IMG" iptables --version)
-        if [[ "$iptables_version" != *"(legacy)"* ]]; then
-            echo "ERROR: Docker base image should contain legacy iptables; found ${iptables_version}"
-            exit 1
-        fi
-
-        ip6tables_version=$(docker run --rm "$IMG" ip6tables --version)
-        if [[ "$ip6tables_version" != *"(legacy)"* ]]; then
-            echo "ERROR: Docker base image should contain legacy ip6tables; found ${ip6tables_version}"
-            exit 1
-        fi

.github/workflows/docker-file-build.yml

@@ -8,6 +8,6 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: "Build Docker image"
       run: docker build .

.github/workflows/flakehub-publish-tagged.yml

@@ -17,7 +17,7 @@ jobs:
       id-token: "write"
       contents: "read"
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
       - uses: DeterminateSystems/nix-installer-action@786fff0690178f1234e4e1fe9b536e94f5433196 # v20

.github/workflows/golangci-lint.yml

@@ -2,11 +2,7 @@ name: golangci-lint
 on:
   # For now, only lint pull requests, not the main branches.
   pull_request:
-    paths:
-      - ".github/workflows/golangci-lint.yml"
-      - "**.go"
-      - "go.mod"
-      - "go.sum"
+
   # TODO(andrew): enable for main branch after an initial waiting period.
   #push:
   #  branches:
@@ -27,21 +23,17 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
-          cache: true
+          cache: false
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
         with:
           version: v2.4.0
 
           # Show only new issues if it's a pull request.
           only-new-issues: true
-
-          # Loading packages with a cold cache takes a while:
-          args: --timeout=10m
-          

.github/workflows/govulncheck.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install govulncheck
         run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest

.github/workflows/installer.yml

@@ -58,14 +58,6 @@ jobs:
           # Check a few images with wget rather than curl.
           - { image: "debian:oldstable-slim", deps: "wget" }
           - { image: "debian:sid-slim", deps: "wget" }
-          - { image: "debian:stable-slim", deps: "curl" }
-          - { image: "ubuntu:24.04", deps: "curl" }
-          - { image: "fedora:latest", deps: "curl" }
-          # Test TAILSCALE_VERSION pinning on a subset of distros.
-          # Skip Alpine as community repos don't reliably keep old versions.
-          - { image: "debian:stable-slim", deps: "curl", version: "1.80.0" }
-          - { image: "ubuntu:24.04", deps: "curl", version: "1.80.0" }
-          - { image: "fedora:latest", deps: "curl", version: "1.80.0" }
     runs-on: ubuntu-latest
     container:
       image: ${{ matrix.image }}
@@ -99,21 +91,15 @@ jobs:
         contains(matrix.image, 'parrotsec') ||
         contains(matrix.image, 'kalilinux')
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: run installer
       run: scripts/installer.sh
-      env:
-        TAILSCALE_VERSION: ${{ matrix.version }}
       # Package installation can fail in docker because systemd is not running
       # as PID 1, so ignore errors at this step. The real check is the
       # `tailscale --version` command below.
       continue-on-error: true
     - name: check tailscale version
-      run: |
-        tailscale --version
-        if [ -n "${{ matrix.version }}" ]; then
-          tailscale --version | grep -q "^${{ matrix.version }}" || { echo "Version mismatch!"; exit 1; }
-        fi
+      run: tailscale --version
   notify-slack:
     needs: test
     runs-on: ubuntu-latest

.github/workflows/kubemanifests.yaml

@@ -17,7 +17,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
     - name: Check out code
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and lint Helm chart
       run: |
         eval `./tool/go run ./cmd/mkversion`

.github/workflows/natlab-integrationtest.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install qemu
         run: |
           sudo rm /var/lib/man-db/auto-update

.github/workflows/pin-github-actions.yml

@@ -22,7 +22,7 @@ jobs:
     name: pin-github-actions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: pin
         run: make pin-github-actions
       - name: check for changed workflow files

.github/workflows/request-dataplane-review.yml

@@ -2,7 +2,6 @@ name: request-dataplane-review
 
 on:
   pull_request:
-    types: [ opened, synchronize, reopened, ready_for_review ]
     paths:
       - ".github/workflows/request-dataplane-review.yml"
       - "**/*derp*"
@@ -11,12 +10,11 @@ on:
 
 jobs:
   request-dataplane-review:
-    if: github.event.pull_request.draft == false
     name: Request Dataplane Review
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Get access token
         uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         id: generate-token

.github/workflows/ssh-integrationtest.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run SSH integration tests
         run: |
           make sshintegrationtest

.github/workflows/test.yml

@@ -19,7 +19,6 @@ env:
   # toplevel directories "src" (for the checked out source code), and "gomodcache"
   # and other caches as siblings to follow.
   GOMODCACHE: ${{ github.workspace }}/gomodcache
-  CMD_GO_USE_GIT_HASH: "true"
 
 on:
   push:
@@ -49,7 +48,7 @@ jobs:
       cache-key: ${{ steps.hash.outputs.key }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: src
       - name: Compute cache key from go.{mod,sum}
@@ -89,7 +88,7 @@ jobs:
           - shard: '4/4'
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -127,7 +126,7 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -137,20 +136,21 @@ jobs:
         key: ${{ needs.gomod-cache.outputs.cache-key }}
         enableCrossOsArchive: true
     - name: Restore Cache
-      id: restore-cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
-        # Note: this is only restoring the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
         path: |
           ~/.cache/go-build
           ~\AppData\Local\go-build
-        key: ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
         restore-keys: |
-          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
-          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-
-          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-
-          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-
     - name: build all
       if: matrix.buildflags == '' # skip on race builder
       working-directory: src
@@ -206,26 +206,12 @@ jobs:
       shell: bash
       run: |
         find $(go env GOCACHE) -type f -mmin +90 -delete
-    - name: Save Cache
-      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
-      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
-      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        # Note: this is only saving the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
-        path: |
-          ~/.cache/go-build
-          ~\AppData\Local\go-build
-        key: ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
 
   windows:
-    permissions:
-      id-token: write # This is required for requesting the GitHub action identity JWT that can auth to cigocached
-      contents: read # This is required for actions/checkout
-    # ci-windows-github-1 is a 2022 GitHub-managed runner in our org with 8 cores
-    # and 32 GB of RAM. It is connected to a private Azure VNet that hosts cigocached.
-    # https://github.com/organizations/tailscale/settings/actions/github-hosted-runners/5
-    runs-on: ci-windows-github-1
+    # windows-8vpu is a 2022 GitHub-managed runner in our
+    # org with 8 cores and 32 GB of RAM:
+    # https://github.com/organizations/tailscale/settings/actions/github-hosted-runners/1
+    runs-on: windows-8vcpu
     needs: gomod-cache
     name: Windows (${{ matrix.name || matrix.shard}})
     strategy:
@@ -234,40 +220,54 @@ jobs:
         include:
           - key: "win-bench"
             name: "benchmarks"
+          - key: "win-tool-go"
+            name: "./tool/go"
           - key: "win-shard-1-2"
             shard: "1/2"
           - key: "win-shard-2-2"
             shard: "2/2"
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        path: ${{ github.workspace }}/src
+        path: src
 
     - name: Install Go
+      if: matrix.key != 'win-tool-go'
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
-        go-version-file: ${{ github.workspace }}/src/go.mod
+        go-version-file: src/go.mod
         cache: false
 
     - name: Restore Go module cache
+      if: matrix.key != 'win-tool-go'
       uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         path: gomodcache
         key: ${{ needs.gomod-cache.outputs.cache-key }}
         enableCrossOsArchive: true
 
-    - name: Set up cigocacher
-      id: cigocacher-setup
-      uses: ./src/.github/actions/go-cache
+    - name: Restore Cache
+      if: matrix.key != 'win-tool-go'
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
-        checkout-path: ${{ github.workspace }}/src
-        cache-dir: ${{ github.workspace }}/cigocacher
-        cigocached-url: ${{ vars.CIGOCACHED_AZURE_URL }}
-        cigocached-host: ${{ vars.CIGOCACHED_AZURE_HOST }}
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ matrix.key }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ matrix.key }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ matrix.key }}-go-2-
+
+    - name: test-tool-go
+      if: matrix.key == 'win-tool-go'
+      working-directory: src
+      run: ./tool/go version
 
     - name: test
-      if: matrix.key != 'win-bench' # skip on bench builder
+      if: matrix.key != 'win-bench' && matrix.key != 'win-tool-go' # skip on bench builder
       working-directory: src
       run: go run ./cmd/testwrapper sharded:${{ matrix.shard }}
 
@@ -279,26 +279,12 @@ jobs:
       # the equals signs cause great confusion.
       run: go test ./... -bench . -benchtime 1x -run "^$"
 
-    - name: Print stats
-      shell: pwsh
-      if: steps.cigocacher-setup.outputs.success == 'true'
-      env:
-        GOCACHEPROG: ${{ env.GOCACHEPROG }}
-      run: |
-        Invoke-Expression "$env:GOCACHEPROG --stats" | jq .
-
-  win-tool-go:
-    runs-on: windows-latest
-    needs: gomod-cache
-    name: Windows (win-tool-go)
-    steps:
-    - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        path: src
-    - name: test-tool-go
+    - name: Tidy cache
+      if: matrix.key != 'win-tool-go'
       working-directory: src
-      run: ./tool/go version
+      shell: bash
+      run: |
+        find $(go env GOCACHE) -type f -mmin +90 -delete
 
   privileged:
     needs: gomod-cache
@@ -308,7 +294,7 @@ jobs:
       options: --privileged
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -331,7 +317,7 @@ jobs:
     if: github.repository == 'tailscale/tailscale'
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -387,29 +373,31 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
-    - name: Restore Go module cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        path: gomodcache
-        key: ${{ needs.gomod-cache.outputs.cache-key }}
-        enableCrossOsArchive: true
     - name: Restore Cache
-      id: restore-cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
-        # Note: this is only restoring the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
         path: |
           ~/.cache/go-build
           ~\AppData\Local\go-build
-        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
         restore-keys: |
-          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
-          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-
-          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
     - name: build all
       working-directory: src
       run: ./tool/go build ./cmd/...
@@ -430,17 +418,6 @@ jobs:
       shell: bash
       run: |
         find $(go env GOCACHE) -type f -mmin +90 -delete
-    - name: Save Cache
-      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
-      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
-      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        # Note: this is only saving the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
-        path: |
-          ~/.cache/go-build
-          ~\AppData\Local\go-build
-        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
 
   ios: # similar to cross above, but iOS can't build most of the repo. So, just
        # make it build a few smoke packages.
@@ -448,7 +425,7 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -486,29 +463,31 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
-    - name: Restore Go module cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        path: gomodcache
-        key: ${{ needs.gomod-cache.outputs.cache-key }}
-        enableCrossOsArchive: true
     - name: Restore Cache
-      id: restore-cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
-        # Note: this is only restoring the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
         path: |
           ~/.cache/go-build
           ~\AppData\Local\go-build
-        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
         restore-keys: |
-          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
-          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-
-          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
     - name: build core
       working-directory: src
       run: ./tool/go build ./cmd/tailscale ./cmd/tailscaled
@@ -522,17 +501,6 @@ jobs:
       shell: bash
       run: |
         find $(go env GOCACHE) -type f -mmin +90 -delete
-    - name: Save Cache
-      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
-      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
-      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        # Note: this is only saving the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
-        path: |
-          ~/.cache/go-build
-          ~\AppData\Local\go-build
-        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
 
   android:
     # similar to cross above, but android fails to build a few pieces of the
@@ -542,7 +510,7 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
       # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
@@ -567,29 +535,31 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
-    - name: Restore Go module cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        path: gomodcache
-        key: ${{ needs.gomod-cache.outputs.cache-key }}
-        enableCrossOsArchive: true
     - name: Restore Cache
-      id: restore-cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
-        # Note: this is only restoring the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
         path: |
           ~/.cache/go-build
           ~\AppData\Local\go-build
-        key: ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
         restore-keys: |
-          ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
-          ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-
-          ${{ runner.os }}-js-wasm-go-
+          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-go-2-
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
     - name: build tsconnect client
       working-directory: src
       run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
@@ -608,24 +578,13 @@ jobs:
       shell: bash
       run: |
         find $(go env GOCACHE) -type f -mmin +90 -delete
-    - name: Save Cache
-      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
-      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
-      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        # Note: this is only saving the build cache. Mod cache is shared amongst
-        # all jobs in the workflow.
-        path: |
-          ~/.cache/go-build
-          ~\AppData\Local\go-build
-        key: ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
 
   tailscale_go: # Subset of tests that depend on our custom Go toolchain.
     runs-on: ubuntu-24.04
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set GOMODCACHE env
       run: echo "GOMODCACHE=$HOME/.cache/go-mod" >> $GITHUB_ENV
     - name: Restore Go module cache
@@ -710,7 +669,7 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Set GOMODCACHE env
@@ -730,7 +689,7 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -754,7 +713,7 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -776,7 +735,7 @@ jobs:
     needs: gomod-cache
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache
@@ -830,7 +789,7 @@ jobs:
 
     steps:
     - name: checkout
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: src
     - name: Restore Go module cache

.github/workflows/update-flake.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run update-flakes
         run: ./update-flake.sh
@@ -35,7 +35,7 @@ jobs:
           private-key: ${{ secrets.CODE_UPDATER_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 #v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: Flakes Updater <noreply+flakes-updater@tailscale.com>

.github/workflows/update-webclient-prebuilt.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run go get
         run: |
@@ -32,7 +32,7 @@ jobs:
 
       - name: Send pull request
         id: pull-request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 #v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: OSS Updater <noreply+oss-updater@tailscale.com>

.github/workflows/vet.yml

@@ -6,7 +6,6 @@ env:
   # toplevel directories "src" (for the checked out source code), and "gomodcache"
   # and other caches as siblings to follow.
   GOMODCACHE: ${{ github.workspace }}/gomodcache
-  CMD_GO_USE_GIT_HASH: "true"
 
 on:
   push:
@@ -26,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: src
 

.github/workflows/webclient.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install deps
         run: ./tool/yarn --cwd client/web
       - name: Run lint

.gitignore

@@ -52,6 +52,3 @@ client/web/build/assets
 
 # Ignore personal IntelliJ settings
 .idea/
-
-# Ignore syncthing state directory.
-/.stfolder

.stignore

@@ -1 +0,0 @@
-.gitignore

AUTHORS

@@ -0,0 +1,17 @@
+# This is the official list of Tailscale
+# authors for copyright purposes.
+#
+# Names should be added to this file as one of
+#     Organization's name
+#     Individual's name <submission email address>
+#     Individual's name <submission email address> <email2> <emailN>
+#
+# Please keep the list sorted.
+#
+# You do not need to add entries to this list, and we don't actively
+# populate this list. If you do want to be acknowledged explicitly as
+# a copyright holder, though, then please send a PR referencing your
+# earlier contributions and clarifying whether it's you or your
+# company that owns the rights to your contribution.
+
+Tailscale Inc.

Dockerfile

@@ -1,4 +1,4 @@
-# Copyright (c) Tailscale Inc & contributors
+# Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 
 # Note that this Dockerfile is currently NOT used to build any of the published
@@ -73,13 +73,8 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
 
 FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
-# Alpine 3.19 replaced legacy iptables with nftables based implementation.
-# Tailscale is used on some hosts that don't support nftables, such as Synology
-# NAS, so link iptables back to legacy version. Hosts that don't require legacy
-# iptables should be able to use Tailscale in nftables mode.  See
-# https://github.com/tailscale/tailscale/issues/17854
-RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
-RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
+RUN ln -s /sbin/iptables-legacy /sbin/iptables
+RUN ln -s /sbin/ip6tables-legacy /sbin/ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be

Dockerfile.base

@@ -1,12 +1,12 @@
-# Copyright (c) Tailscale Inc & contributors
+# Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 
 FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables iputils
-# Alpine 3.19 replaced legacy iptables with nftables based implementation.
-# Tailscale is used on some hosts that don't support nftables, such as Synology
-# NAS, so link iptables back to legacy version. Hosts that don't require legacy
-# iptables should be able to use Tailscale in nftables mode.  See
-# https://github.com/tailscale/tailscale/issues/17854
-RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
-RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
+# Alpine 3.19 replaced legacy iptables with nftables based implementation.  We
+# can't be certain that all hosts that run Tailscale containers currently
+# suppport nftables, so link back to legacy for backwards compatibility reasons.
+# TODO(irbekrm): add some way how to determine if we still run on nodes that
+# don't support nftables, so that we can eventually remove these symlinks.
+RUN ln -s /sbin/iptables-legacy /sbin/iptables
+RUN ln -s /sbin/ip6tables-legacy /sbin/ip6tables

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2020 Tailscale Inc & contributors.
+Copyright (c) 2020 Tailscale Inc & AUTHORS.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

VERSION.txt

@@ -1 +1 @@
-1.95.0
+1.92.2

appc/appconnector.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // Package appc implements App Connectors.

appc/appconnector_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package appc

appc/appctest/appctest.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // Package appctest contains code to help test App Connectors.

appc/conn25.go

@@ -1,173 +0,0 @@
-// Copyright (c) Tailscale Inc & contributors
-// SPDX-License-Identifier: BSD-3-Clause
-
-package appc
-
-import (
-	"cmp"
-	"net/netip"
-	"slices"
-	"sync"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/appctype"
-	"tailscale.com/util/mak"
-	"tailscale.com/util/set"
-)
-
-// Conn25 holds the developing state for the as yet nascent next generation app connector.
-// There is currently (2025-12-08) no actual app connecting functionality.
-type Conn25 struct {
-	mu         sync.Mutex
-	transitIPs map[tailcfg.NodeID]map[netip.Addr]netip.Addr
-}
-
-const dupeTransitIPMessage = "Duplicate transit address in ConnectorTransitIPRequest"
-
-// HandleConnectorTransitIPRequest creates a ConnectorTransitIPResponse in response to a ConnectorTransitIPRequest.
-// It updates the connectors mapping of TransitIP->DestinationIP per peer (tailcfg.NodeID).
-// If a peer has stored this mapping in the connector Conn25 will route traffic to TransitIPs to DestinationIPs for that peer.
-func (c *Conn25) HandleConnectorTransitIPRequest(nid tailcfg.NodeID, ctipr ConnectorTransitIPRequest) ConnectorTransitIPResponse {
-	resp := ConnectorTransitIPResponse{}
-	seen := map[netip.Addr]bool{}
-	for _, each := range ctipr.TransitIPs {
-		if seen[each.TransitIP] {
-			resp.TransitIPs = append(resp.TransitIPs, TransitIPResponse{
-				Code:    OtherFailure,
-				Message: dupeTransitIPMessage,
-			})
-			continue
-		}
-		tipresp := c.handleTransitIPRequest(nid, each)
-		seen[each.TransitIP] = true
-		resp.TransitIPs = append(resp.TransitIPs, tipresp)
-	}
-	return resp
-}
-
-func (c *Conn25) handleTransitIPRequest(nid tailcfg.NodeID, tipr TransitIPRequest) TransitIPResponse {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.transitIPs == nil {
-		c.transitIPs = make(map[tailcfg.NodeID]map[netip.Addr]netip.Addr)
-	}
-	peerMap, ok := c.transitIPs[nid]
-	if !ok {
-		peerMap = make(map[netip.Addr]netip.Addr)
-		c.transitIPs[nid] = peerMap
-	}
-	peerMap[tipr.TransitIP] = tipr.DestinationIP
-	return TransitIPResponse{}
-}
-
-func (c *Conn25) transitIPTarget(nid tailcfg.NodeID, tip netip.Addr) netip.Addr {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return c.transitIPs[nid][tip]
-}
-
-// TransitIPRequest details a single TransitIP allocation request from a client to a
-// connector.
-type TransitIPRequest struct {
-	// TransitIP is the intermediate destination IP that will be received at this
-	// connector and will be replaced by DestinationIP when performing DNAT.
-	TransitIP netip.Addr `json:"transitIP,omitzero"`
-
-	// DestinationIP is the final destination IP that connections to the TransitIP
-	// should be mapped to when performing DNAT.
-	DestinationIP netip.Addr `json:"destinationIP,omitzero"`
-}
-
-// ConnectorTransitIPRequest is the request body for a PeerAPI request to
-// /connector/transit-ip and can include zero or more TransitIP allocation requests.
-type ConnectorTransitIPRequest struct {
-	// TransitIPs is the list of requested mappings.
-	TransitIPs []TransitIPRequest `json:"transitIPs,omitempty"`
-}
-
-// TransitIPResponseCode appears in TransitIPResponse and signifies success or failure status.
-type TransitIPResponseCode int
-
-const (
-	// OK indicates that the mapping was created as requested.
-	OK TransitIPResponseCode = 0
-
-	// OtherFailure indicates that the mapping failed for a reason that does not have
-	// another relevant [TransitIPResponsecode].
-	OtherFailure TransitIPResponseCode = 1
-)
-
-// TransitIPResponse is the response to a TransitIPRequest
-type TransitIPResponse struct {
-	// Code is an error code indicating success or failure of the [TransitIPRequest].
-	Code TransitIPResponseCode `json:"code,omitzero"`
-	// Message is an error message explaining what happened, suitable for logging but
-	// not necessarily suitable for displaying in a UI to non-technical users. It
-	// should be empty when [Code] is [OK].
-	Message string `json:"message,omitzero"`
-}
-
-// ConnectorTransitIPResponse is the response to a ConnectorTransitIPRequest
-type ConnectorTransitIPResponse struct {
-	// TransitIPs is the list of outcomes for each requested mapping. Elements
-	// correspond to the order of [ConnectorTransitIPRequest.TransitIPs].
-	TransitIPs []TransitIPResponse `json:"transitIPs,omitempty"`
-}
-
-const AppConnectorsExperimentalAttrName = "tailscale.com/app-connectors-experimental"
-
-// PickSplitDNSPeers looks at the netmap peers capabilities and finds which peers
-// want to be connectors for which domains.
-func PickSplitDNSPeers(hasCap func(c tailcfg.NodeCapability) bool, self tailcfg.NodeView, peers map[tailcfg.NodeID]tailcfg.NodeView) map[string][]tailcfg.NodeView {
-	var m map[string][]tailcfg.NodeView
-	if !hasCap(AppConnectorsExperimentalAttrName) {
-		return m
-	}
-	apps, err := tailcfg.UnmarshalNodeCapViewJSON[appctype.AppConnectorAttr](self.CapMap(), AppConnectorsExperimentalAttrName)
-	if err != nil {
-		return m
-	}
-	tagToDomain := make(map[string][]string)
-	for _, app := range apps {
-		for _, tag := range app.Connectors {
-			tagToDomain[tag] = append(tagToDomain[tag], app.Domains...)
-		}
-	}
-	// NodeIDs are Comparable, and we have a map of NodeID to NodeView anyway, so
-	// use a Set of NodeIDs to deduplicate, and populate into a []NodeView later.
-	var work map[string]set.Set[tailcfg.NodeID]
-	for _, peer := range peers {
-		if !peer.Valid() || !peer.Hostinfo().Valid() {
-			continue
-		}
-		if isConn, _ := peer.Hostinfo().AppConnector().Get(); !isConn {
-			continue
-		}
-		for _, t := range peer.Tags().All() {
-			domains := tagToDomain[t]
-			for _, domain := range domains {
-				if work[domain] == nil {
-					mak.Set(&work, domain, set.Set[tailcfg.NodeID]{})
-				}
-				work[domain].Add(peer.ID())
-			}
-		}
-	}
-
-	// Populate m. Make a []tailcfg.NodeView from []tailcfg.NodeID using the peers map.
-	// And sort it to our preference.
-	for domain, ids := range work {
-		nodes := make([]tailcfg.NodeView, 0, ids.Len())
-		for id := range ids {
-			nodes = append(nodes, peers[id])
-		}
-		// The ordering of the nodes in the map vals is semantic (dnsConfigForNetmap uses the first node it can
-		// get a peer api url for as its split dns target). We can think of it as a preference order, except that
-		// we don't (currently 2026-01-14) have any preference over which node is chosen.
-		slices.SortFunc(nodes, func(a, b tailcfg.NodeView) int {
-			return cmp.Compare(a.ID(), b.ID())
-		})
-		mak.Set(&m, domain, nodes)
-	}
-	return m
-}

appc/conn25_test.go

@@ -1,311 +0,0 @@
-// Copyright (c) Tailscale Inc & contributors
-// SPDX-License-Identifier: BSD-3-Clause
-
-package appc
-
-import (
-	"encoding/json"
-	"net/netip"
-	"reflect"
-	"testing"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/appctype"
-	"tailscale.com/types/opt"
-)
-
-// TestHandleConnectorTransitIPRequestZeroLength tests that if sent a
-// ConnectorTransitIPRequest with 0 TransitIPRequests, we respond with a
-// ConnectorTransitIPResponse with 0 TransitIPResponses.
-func TestHandleConnectorTransitIPRequestZeroLength(t *testing.T) {
-	c := &Conn25{}
-	req := ConnectorTransitIPRequest{}
-	nid := tailcfg.NodeID(1)
-
-	resp := c.HandleConnectorTransitIPRequest(nid, req)
-	if len(resp.TransitIPs) != 0 {
-		t.Fatalf("n TransitIPs in response: %d, want 0", len(resp.TransitIPs))
-	}
-}
-
-// TestHandleConnectorTransitIPRequestStoresAddr tests that if sent a
-// request with a transit addr and a destination addr we store that mapping
-// and can retrieve it. If sent another req with a different dst for that transit addr
-// we store that instead.
-func TestHandleConnectorTransitIPRequestStoresAddr(t *testing.T) {
-	c := &Conn25{}
-	nid := tailcfg.NodeID(1)
-	tip := netip.MustParseAddr("0.0.0.1")
-	dip := netip.MustParseAddr("1.2.3.4")
-	dip2 := netip.MustParseAddr("1.2.3.5")
-	mr := func(t, d netip.Addr) ConnectorTransitIPRequest {
-		return ConnectorTransitIPRequest{
-			TransitIPs: []TransitIPRequest{
-				{TransitIP: t, DestinationIP: d},
-			},
-		}
-	}
-
-	resp := c.HandleConnectorTransitIPRequest(nid, mr(tip, dip))
-	if len(resp.TransitIPs) != 1 {
-		t.Fatalf("n TransitIPs in response: %d, want 1", len(resp.TransitIPs))
-	}
-	got := resp.TransitIPs[0].Code
-	if got != TransitIPResponseCode(0) {
-		t.Fatalf("TransitIP Code: %d, want 0", got)
-	}
-	gotAddr := c.transitIPTarget(nid, tip)
-	if gotAddr != dip {
-		t.Fatalf("Connector stored destination for tip: %v, want %v", gotAddr, dip)
-	}
-
-	// mapping can be overwritten
-	resp2 := c.HandleConnectorTransitIPRequest(nid, mr(tip, dip2))
-	if len(resp2.TransitIPs) != 1 {
-		t.Fatalf("n TransitIPs in response: %d, want 1", len(resp2.TransitIPs))
-	}
-	got2 := resp.TransitIPs[0].Code
-	if got2 != TransitIPResponseCode(0) {
-		t.Fatalf("TransitIP Code: %d, want 0", got2)
-	}
-	gotAddr2 := c.transitIPTarget(nid, tip)
-	if gotAddr2 != dip2 {
-		t.Fatalf("Connector stored destination for tip: %v, want %v", gotAddr, dip2)
-	}
-}
-
-// TestHandleConnectorTransitIPRequestMultipleTIP tests that we can
-// get a req with multiple mappings and we store them all. Including
-// multiple transit addrs for the same destination.
-func TestHandleConnectorTransitIPRequestMultipleTIP(t *testing.T) {
-	c := &Conn25{}
-	nid := tailcfg.NodeID(1)
-	tip := netip.MustParseAddr("0.0.0.1")
-	tip2 := netip.MustParseAddr("0.0.0.2")
-	tip3 := netip.MustParseAddr("0.0.0.3")
-	dip := netip.MustParseAddr("1.2.3.4")
-	dip2 := netip.MustParseAddr("1.2.3.5")
-	req := ConnectorTransitIPRequest{
-		TransitIPs: []TransitIPRequest{
-			{TransitIP: tip, DestinationIP: dip},
-			{TransitIP: tip2, DestinationIP: dip2},
-			// can store same dst addr for multiple transit addrs
-			{TransitIP: tip3, DestinationIP: dip},
-		},
-	}
-	resp := c.HandleConnectorTransitIPRequest(nid, req)
-	if len(resp.TransitIPs) != 3 {
-		t.Fatalf("n TransitIPs in response: %d, want 3", len(resp.TransitIPs))
-	}
-
-	for i := 0; i < 3; i++ {
-		got := resp.TransitIPs[i].Code
-		if got != TransitIPResponseCode(0) {
-			t.Fatalf("i=%d TransitIP Code: %d, want 0", i, got)
-		}
-	}
-	gotAddr1 := c.transitIPTarget(nid, tip)
-	if gotAddr1 != dip {
-		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip, gotAddr1, dip)
-	}
-	gotAddr2 := c.transitIPTarget(nid, tip2)
-	if gotAddr2 != dip2 {
-		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip2, gotAddr2, dip2)
-	}
-	gotAddr3 := c.transitIPTarget(nid, tip3)
-	if gotAddr3 != dip {
-		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip3, gotAddr3, dip)
-	}
-}
-
-// TestHandleConnectorTransitIPRequestSameTIP tests that if we get
-// a req that has more than one TransitIPRequest for the same transit addr
-// only the first is stored, and the subsequent ones get an error code and
-// message in the response.
-func TestHandleConnectorTransitIPRequestSameTIP(t *testing.T) {
-	c := &Conn25{}
-	nid := tailcfg.NodeID(1)
-	tip := netip.MustParseAddr("0.0.0.1")
-	tip2 := netip.MustParseAddr("0.0.0.2")
-	dip := netip.MustParseAddr("1.2.3.4")
-	dip2 := netip.MustParseAddr("1.2.3.5")
-	dip3 := netip.MustParseAddr("1.2.3.6")
-	req := ConnectorTransitIPRequest{
-		TransitIPs: []TransitIPRequest{
-			{TransitIP: tip, DestinationIP: dip},
-			// cannot have dupe TransitIPs in one ConnectorTransitIPRequest
-			{TransitIP: tip, DestinationIP: dip2},
-			{TransitIP: tip2, DestinationIP: dip3},
-		},
-	}
-
-	resp := c.HandleConnectorTransitIPRequest(nid, req)
-	if len(resp.TransitIPs) != 3 {
-		t.Fatalf("n TransitIPs in response: %d, want 3", len(resp.TransitIPs))
-	}
-
-	got := resp.TransitIPs[0].Code
-	if got != TransitIPResponseCode(0) {
-		t.Fatalf("i=0 TransitIP Code: %d, want 0", got)
-	}
-	msg := resp.TransitIPs[0].Message
-	if msg != "" {
-		t.Fatalf("i=0 TransitIP Message: \"%s\", want \"%s\"", msg, "")
-	}
-	got1 := resp.TransitIPs[1].Code
-	if got1 != TransitIPResponseCode(1) {
-		t.Fatalf("i=1 TransitIP Code: %d, want 1", got1)
-	}
-	msg1 := resp.TransitIPs[1].Message
-	if msg1 != dupeTransitIPMessage {
-		t.Fatalf("i=1 TransitIP Message: \"%s\", want \"%s\"", msg1, dupeTransitIPMessage)
-	}
-	got2 := resp.TransitIPs[2].Code
-	if got2 != TransitIPResponseCode(0) {
-		t.Fatalf("i=2 TransitIP Code: %d, want 0", got2)
-	}
-	msg2 := resp.TransitIPs[2].Message
-	if msg2 != "" {
-		t.Fatalf("i=2 TransitIP Message: \"%s\", want \"%s\"", msg, "")
-	}
-
-	gotAddr1 := c.transitIPTarget(nid, tip)
-	if gotAddr1 != dip {
-		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip, gotAddr1, dip)
-	}
-	gotAddr2 := c.transitIPTarget(nid, tip2)
-	if gotAddr2 != dip3 {
-		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip2, gotAddr2, dip3)
-	}
-}
-
-// TestGetDstIPUnknownTIP tests that unknown transit addresses can be looked up without problem.
-func TestTransitIPTargetUnknownTIP(t *testing.T) {
-	c := &Conn25{}
-	nid := tailcfg.NodeID(1)
-	tip := netip.MustParseAddr("0.0.0.1")
-	got := c.transitIPTarget(nid, tip)
-	want := netip.Addr{}
-	if got != want {
-		t.Fatalf("Unknown transit addr, want: %v, got %v", want, got)
-	}
-}
-
-func TestPickSplitDNSPeers(t *testing.T) {
-	getBytesForAttr := func(name string, domains []string, tags []string) []byte {
-		attr := appctype.AppConnectorAttr{
-			Name:       name,
-			Domains:    domains,
-			Connectors: tags,
-		}
-		bs, err := json.Marshal(attr)
-		if err != nil {
-			t.Fatalf("test setup: %v", err)
-		}
-		return bs
-	}
-	appOneBytes := getBytesForAttr("app1", []string{"example.com"}, []string{"tag:one"})
-	appTwoBytes := getBytesForAttr("app2", []string{"a.example.com"}, []string{"tag:two"})
-	appThreeBytes := getBytesForAttr("app3", []string{"woo.b.example.com", "hoo.b.example.com"}, []string{"tag:three1", "tag:three2"})
-	appFourBytes := getBytesForAttr("app4", []string{"woo.b.example.com", "c.example.com"}, []string{"tag:four1", "tag:four2"})
-
-	makeNodeView := func(id tailcfg.NodeID, name string, tags []string) tailcfg.NodeView {
-		return (&tailcfg.Node{
-			ID:       id,
-			Name:     name,
-			Tags:     tags,
-			Hostinfo: (&tailcfg.Hostinfo{AppConnector: opt.NewBool(true)}).View(),
-		}).View()
-	}
-	nvp1 := makeNodeView(1, "p1", []string{"tag:one"})
-	nvp2 := makeNodeView(2, "p2", []string{"tag:four1", "tag:four2"})
-	nvp3 := makeNodeView(3, "p3", []string{"tag:two", "tag:three1"})
-	nvp4 := makeNodeView(4, "p4", []string{"tag:two", "tag:three2", "tag:four2"})
-
-	for _, tt := range []struct {
-		name   string
-		want   map[string][]tailcfg.NodeView
-		peers  []tailcfg.NodeView
-		config []tailcfg.RawMessage
-	}{
-		{
-			name: "empty",
-		},
-		{
-			name:   "bad-config", // bad config should return a nil map rather than error.
-			config: []tailcfg.RawMessage{tailcfg.RawMessage(`hey`)},
-		},
-		{
-			name:   "no-peers",
-			config: []tailcfg.RawMessage{tailcfg.RawMessage(appOneBytes)},
-		},
-		{
-			name:   "peers-that-are-not-connectors",
-			config: []tailcfg.RawMessage{tailcfg.RawMessage(appOneBytes)},
-			peers: []tailcfg.NodeView{
-				(&tailcfg.Node{
-					ID:   5,
-					Name: "p5",
-					Tags: []string{"tag:one"},
-				}).View(),
-				(&tailcfg.Node{
-					ID:   6,
-					Name: "p6",
-					Tags: []string{"tag:one"},
-				}).View(),
-			},
-		},
-		{
-			name:   "peers-that-dont-match-tags",
-			config: []tailcfg.RawMessage{tailcfg.RawMessage(appOneBytes)},
-			peers: []tailcfg.NodeView{
-				makeNodeView(5, "p5", []string{"tag:seven"}),
-				makeNodeView(6, "p6", nil),
-			},
-		},
-		{
-			name: "matching-tagged-connector-peers",
-			config: []tailcfg.RawMessage{
-				tailcfg.RawMessage(appOneBytes),
-				tailcfg.RawMessage(appTwoBytes),
-				tailcfg.RawMessage(appThreeBytes),
-				tailcfg.RawMessage(appFourBytes),
-			},
-			peers: []tailcfg.NodeView{
-				nvp1,
-				nvp2,
-				nvp3,
-				nvp4,
-				makeNodeView(5, "p5", nil),
-			},
-			want: map[string][]tailcfg.NodeView{
-				// p5 has no matching tags and so doesn't appear
-				"example.com":       {nvp1},
-				"a.example.com":     {nvp3, nvp4},
-				"woo.b.example.com": {nvp2, nvp3, nvp4},
-				"hoo.b.example.com": {nvp3, nvp4},
-				"c.example.com":     {nvp2, nvp4},
-			},
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			selfNode := &tailcfg.Node{}
-			if tt.config != nil {
-				selfNode.CapMap = tailcfg.NodeCapMap{
-					tailcfg.NodeCapability(AppConnectorsExperimentalAttrName): tt.config,
-				}
-			}
-			selfView := selfNode.View()
-			peers := map[tailcfg.NodeID]tailcfg.NodeView{}
-			for _, p := range tt.peers {
-				peers[p.ID()] = p
-			}
-			got := PickSplitDNSPeers(func(_ tailcfg.NodeCapability) bool {
-				return true
-			}, selfView, peers)
-			if !reflect.DeepEqual(got, tt.want) {
-				t.Fatalf("got %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

appc/ippool.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package appc

appc/ippool_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package appc

appc/observe.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !ts_omit_appconnectors

appc/observe_disabled.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build ts_omit_appconnectors

assert_ts_toolchain_match.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build tailscale_go
@@ -17,9 +17,6 @@ func init() {
 		panic("binary built with tailscale_go build tag but failed to read build info or find tailscale.toolchain.rev in build info")
 	}
 	want := strings.TrimSpace(GoToolchainRev)
-	if os.Getenv("TS_GO_NEXT") == "1" {
-		want = strings.TrimSpace(GoToolchainNextRev)
-	}
 	if tsRev != want {
 		if os.Getenv("TS_PERMIT_TOOLCHAIN_MISMATCH") == "1" {
 			fmt.Fprintf(os.Stderr, "tailscale.toolchain.rev = %q, want %q; but ignoring due to TS_PERMIT_TOOLCHAIN_MISMATCH=1\n", tsRev, want)

atomicfile/atomicfile.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // Package atomicfile contains code related to writing to filesystems

atomicfile/atomicfile_notwindows.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !windows

atomicfile/atomicfile_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !js && !windows

atomicfile/atomicfile_windows.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package atomicfile

atomicfile/atomicfile_windows_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package atomicfile

atomicfile/mksyscall.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package atomicfile

chirp/chirp.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // Package chirp implements a client to communicate with the BIRD Internet

chirp/chirp_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package chirp

client/local/cert.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !js && !ts_omit_acme

client/local/debugportmapper.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !ts_omit_debugportmapper

client/local/local.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // Package local contains a Go client for the Tailscale LocalAPI.
@@ -43,7 +43,6 @@ import (
 	"tailscale.com/types/appctype"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/eventbus"
 )
 
@@ -386,14 +385,18 @@ func (lc *Client) IncrementCounter(ctx context.Context, name string, delta int)
 	if !buildfeatures.HasClientMetrics {
 		return nil
 	}
+	type metricUpdate struct {
+		Name  string `json:"name"`
+		Type  string `json:"type"`
+		Value int    `json:"value"` // amount to increment by
+	}
 	if delta < 0 {
 		return errors.New("negative delta not allowed")
 	}
-	_, err := lc.send(ctx, "POST", "/localapi/v0/upload-client-metrics", 200, jsonBody([]clientmetric.MetricUpdate{{
+	_, err := lc.send(ctx, "POST", "/localapi/v0/upload-client-metrics", 200, jsonBody([]metricUpdate{{
 		Name:  name,
 		Type:  "counter",
 		Value: delta,
-		Op:    "add",
 	}}))
 	return err
 }
@@ -402,23 +405,15 @@ func (lc *Client) IncrementCounter(ctx context.Context, name string, delta int)
 // metric by the given delta. If the metric has yet to exist, a new gauge
 // metric is created and initialized to delta. The delta value can be negative.
 func (lc *Client) IncrementGauge(ctx context.Context, name string, delta int) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/upload-client-metrics", 200, jsonBody([]clientmetric.MetricUpdate{{
+	type metricUpdate struct {
+		Name  string `json:"name"`
+		Type  string `json:"type"`
+		Value int    `json:"value"` // amount to increment by
+	}
+	_, err := lc.send(ctx, "POST", "/localapi/v0/upload-client-metrics", 200, jsonBody([]metricUpdate{{
 		Name:  name,
 		Type:  "gauge",
 		Value: delta,
-		Op:    "add",
-	}}))
-	return err
-}
-
-// SetGauge sets the value of a Tailscale daemon's gauge metric to the given value.
-// If the metric has yet to exist, a new gauge metric is created and initialized to value.
-func (lc *Client) SetGauge(ctx context.Context, name string, value int) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/upload-client-metrics", 200, jsonBody([]clientmetric.MetricUpdate{{
-		Name:  name,
-		Type:  "gauge",
-		Value: value,
-		Op:    "set",
 	}}))
 	return err
 }

client/local/local_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19

client/local/serve.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !ts_omit_serve

client/local/syspolicy.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !ts_omit_syspolicy

client/local/tailnetlock.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !ts_omit_tailnetlock

client/systray/logo.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build cgo || !darwin

client/systray/startup-creator.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build cgo || !darwin

client/systray/systray.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build cgo || !darwin
@@ -66,8 +66,8 @@ func (menu *Menu) Run(client *local.Client) {
 		case <-menu.bgCtx.Done():
 		}
 	}()
-	go menu.lc.SetGauge(menu.bgCtx, "systray_running", 1)
-	defer menu.lc.SetGauge(menu.bgCtx, "systray_running", 0)
+	go menu.lc.IncrementGauge(menu.bgCtx, "systray_running", 1)
+	defer menu.lc.IncrementGauge(menu.bgCtx, "systray_running", -1)
 
 	systray.Run(menu.onReady, menu.onExit)
 }
@@ -372,7 +372,6 @@ func setRemoteIcon(menu *systray.MenuItem, urlStr string) {
 	}
 
 	cacheMu.Lock()
-	defer cacheMu.Unlock()
 	b, ok := httpCache[urlStr]
 	if !ok {
 		resp, err := http.Get(urlStr)
@@ -396,6 +395,7 @@ func setRemoteIcon(menu *systray.MenuItem, urlStr string) {
 			resp.Body.Close()
 		}
 	}
+	cacheMu.Unlock()
 
 	if len(b) > 0 {
 		menu.SetIcon(b)

client/systray/tailscale-systray.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Tailscale System Tray
-After=graphical.target
+After=systemd.service
 
 [Service]
 Type=simple

client/tailscale/acl.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19

client/tailscale/apitype/apitype.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // Package apitype contains types for the Tailscale LocalAPI and control plane API.

client/tailscale/apitype/controltype.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package apitype

client/tailscale/cert.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !js && !ts_omit_acme

client/tailscale/devices.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19

client/tailscale/dns.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19

client/tailscale/example/servetls/servetls.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // The servetls program shows how to run an HTTPS server

client/tailscale/keys.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package tailscale

client/tailscale/localclient_aliases.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package tailscale

client/tailscale/required_version.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !go1.23

client/tailscale/routes.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19

client/tailscale/tailnet.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19

client/tailscale/tailscale.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19

client/tailscale/tailscale_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package tailscale

client/web/assets.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package web

client/web/auth.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 package web

client/web/package.json

@@ -34,10 +34,10 @@
     "prettier-plugin-organize-imports": "^3.2.2",
     "tailwindcss": "^3.3.3",
     "typescript": "^5.3.3",
-    "vite": "^5.4.21",
+    "vite": "^5.1.7",
     "vite-plugin-svgr": "^4.2.0",
     "vite-tsconfig-paths": "^3.5.0",
-    "vitest": "^1.6.1"
+    "vitest": "^1.3.1"
   },
   "resolutions": {
     "@typescript-eslint/eslint-plugin": "^6.2.1",

client/web/qnap.go

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // qnap.go contains handlers and logic, such as authentication,

client/web/src/api.ts

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import { useCallback } from "react"

client/web/src/components/acl-tag.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/address-copy-card.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import * as Primitive from "@radix-ui/react-popover"

client/web/src/components/app.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import React from "react"

client/web/src/components/control-components.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import React from "react"

client/web/src/components/exit-node-selector.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/login-toggle.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/nice-ip.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/update-available.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import React from "react"

client/web/src/components/views/device-details-view.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/views/disconnected-view.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import React from "react"

client/web/src/components/views/home-view.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/views/login-view.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import React from "react"

client/web/src/components/views/ssh-view.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/views/subnet-router-view.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/components/views/updating-view.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import React from "react"

client/web/src/hooks/auth.ts

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import { useCallback, useEffect, useState } from "react"

client/web/src/hooks/exit-nodes.ts

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import { useMemo } from "react"

client/web/src/hooks/self-update.ts

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import { useCallback, useEffect, useState } from "react"

client/web/src/hooks/toaster.ts

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import { useRawToasterForHook } from "src/ui/toaster"

client/web/src/hooks/ts-web-connected.ts

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import { useCallback, useEffect, useState } from "react"

client/web/src/index.tsx

@@ -1,10 +1,10 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 // Preserved js license comment for web client app.
 /**
  * @license
- * Copyright (c) Tailscale Inc & contributors
+ * Copyright (c) Tailscale Inc & AUTHORS
  * SPDX-License-Identifier: BSD-3-Clause
  */
 

client/web/src/types.ts

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import { assertNever } from "src/utils/util"

client/web/src/ui/badge.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"

client/web/src/ui/button.tsx

@@ -1,4 +1,4 @@
-// Copyright (c) Tailscale Inc & contributors
+// Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"