OpenTofu Ships SSH and S3 Fixes while kubernetes-client/java Moves CI to Bazel


Quick scan of the last week in two open source repos: OpenTofu shipped real bugfixes plus a CLI argument refactor, while the kubernetes-client/java repo spent the week migrating its Java build from Maven to Bazel under a copilot bot.

opentofu/opentofu

Nine commits, mostly small and worth knowing about if you run OpenTofu in production. The headline change is a security cleanup in internal/communicator/ssh/provisioner.go. Error messages from signCertWithPrivateKey were embedding the raw private key bytes and the certificate body via %q, so any failed parse would write key material into logs. PR #4084 strips the value from every wrapped error in that function. Anyone who runs tofu apply with SSH provisioners and ships logs to a SIEM should pick this up.

Right behind it is a quieter but real fix in the S3 backend. The getLockInfoFromS3 path was never closing the GetObject response body. Each call leaked one HTTP connection from the pool. The sibling Get method already had defer output.Body.Close(); this commit just adds the matching defer. If you use S3 state locking and saw the client pool slowly degrade, that was probably this.

The other notable items:

  • Commit 1c9062b fixes a provider schema cache regression introduced in v1.12. The factory was being constructed inside the per-call closure, so each provider instance built a fresh cache. The fix hoists factory := providerFactory(cached) out of the closure. Anyone on 1.12 with many resources from one provider was paying for this on every init.
  • Commit 0b8e1f1 removes a panic in internal/tofu/node_provider.go when a ProviderManager returns error diagnostics. The provider value returned in that case is uninitialized, so the previous code crashed instead of surfacing the real diagnostic.
  • Three refactor PRs (#4055, #4072, #4073) pull global config, state flags, and backend flags off Meta and into proper argument structs under internal/command/arguments/. Pure plumbing, but the kind of cleanup that makes future flag additions less painful.

Operators on v1.12 should plan an upgrade once the next patch ships, mainly for the schema cache fix and the SSH log fix. Here is the shape of the changed SSH path:

// internal/communicator/ssh/provisioner.go
// before: the %q verb copied the raw key bytes (pk) into the error text
// return nil, fmt.Errorf("failed to parse private key %q: %w", pk, err)
// after: keep the cause chain, drop the key material
return nil, fmt.Errorf("failed to parse private key: %w", err)
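To make the log-leak concrete, here is an added example (not OpenTofu's code) that puts the pre-fix and post-fix error wrapping side by side and adds the kind of unit check a reviewer can keep around to catch regressions: it feeds a constructed, deliberately invalid PEM blob to both variants and asserts that only the leaky one reproduces the key body in its error text. The parsing helpers, the constructed key and the errorLeaks checker are all assumptions made for this example; the project's real function is signCertWithPrivateKey and is not shown.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// constructedKey is a deliberately invalid PEM blob built for this example.
// It is not a real key; it only needs to fail parsing and carry a body that
// is easy to recognise if it shows up in an error message.
const constructedKey = `-----BEGIN PRIVATE KEY-----
NOTAREALKEYNOTAREALKEYNOTAREALKEYNOTAREALKEY
NOTAREALKEYNOTAREALKEYNOTAREALKEYNOTAREALKEY
-----END PRIVATE KEY-----
`

var errNoPEMBlock = errors.New("no PEM block found")

// parsePrivateKeyLeaky reproduces the pre-fix pattern: the raw input is
// interpolated with %q, so any failed parse copies the key material into
// whatever log line the error ends up in.
func parsePrivateKeyLeaky(pk []byte) (any, error) {
	block, _ := pem.Decode(pk)
	if block == nil {
		return nil, fmt.Errorf("failed to parse private key %q: %w", pk, errNoPEMBlock)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("failed to parse private key %q: %w", pk, err)
	}
	return key, nil
}

// parsePrivateKeySafe is the hardened form: the error keeps its cause chain
// through %w but never includes the input bytes.
func parsePrivateKeySafe(pk []byte) (any, error) {
	block, _ := pem.Decode(pk)
	if block == nil {
		return nil, fmt.Errorf("failed to parse private key: %w", errNoPEMBlock)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("failed to parse private key: %w", err)
	}
	return key, nil
}

// errorLeaks reports whether any body line of secret (PEM armor lines are
// skipped) appears verbatim in the error text. %q leaves base64 characters
// unescaped, so a leaked key shows up as whole lines of the original.
func errorLeaks(err error, secret []byte) bool {
	if err == nil {
		return false
	}
	msg := err.Error()
	for _, line := range strings.Split(string(secret), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-----") {
			continue
		}
		if strings.Contains(msg, line) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte(constructedKey)
	_, leakyErr := parsePrivateKeyLeaky(key)
	_, safeErr := parsePrivateKeySafe(key)
	fmt.Printf("leaky error exposes key body: %v\n", errorLeaks(leakyErr, key))
	fmt.Printf("safe error exposes key body:  %v\n", errorLeaks(safeErr, key))
	fmt.Printf("safe error text: %v\n", safeErr)
}
```

The errorLeaks check is the reusable part: point it at any error produced while handling a secret and it fails the test the moment someone reintroduces a %q or %s on the raw bytes.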

kubernetes-client/java

Twenty-four commits, almost all from copilot-swe-agent[bot], almost all about CI. There is no library API movement to report here. The week is one long story about getting the Java build to run cleanly under Bazel.

The big move is commit 675e892, which switches the Spring workflow from Maven to Bazel. Around it sits a cluster of supporting changes: folded YAML for Bazel targets so Windows runners can parse the command line, a buildless mode for CodeQL so it stops trying to compile under Bazel, cross-OS cache reuse, and a new sync script that derives the Bazel dependency list from pom.xml so Maven stays the source of truth for versions.

The most interesting commit is e2cc8fa, which adds .github/workflows/dependabot-sync-bazel.yml. When Dependabot opens a Maven version bump PR, this workflow automatically runs the sync script and pushes the matching Bazel changes to the same branch. A second workflow added a day later, dependabot-sync-bazel-backfill.yml, does the same job for already open Dependabot PRs. The latest commit on master fixes a real bug in it: the original code asked GitHub for one page of 100 open PRs and warned the operator to rerun the job if more existed. The fix replaces that with a proper page loop.

Items contributors should know:

  • Building the Java client locally now needs a Bazel toolchain alongside Maven. The two live side by side; the sync script keeps versions aligned.
  • The CodeQL workflow is now buildless. If your fork relies on the older compile-based scan, expect different results.
  • scripts/sync_bazel_dependencies.py was touched in eight commits during the window. It is the load-bearing piece of the Maven and Bazel coexistence, so read it before sending PRs against build files.

Shape of the new backfill loop:

# open_prs_json accumulates every page; start from an empty JSON array so the
# first jq merge has a valid left-hand side (api is set earlier in the workflow)
open_prs_json='[]'
page=1
while :; do
  page_json="$(curl -fsSL "${api}/pulls?state=open&per_page=100&page=${page}")"
  open_prs_json="$(jq -s 'add' \
    <(printf '%s' "${open_prs_json}") \
    <(printf '%s' "${page_json}"))"
  # a page shorter than per_page is the last one
  [[ "$(jq 'length' <<< "${page_json}")" -lt 100 ]] && break
  page=$((page + 1))
done
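The same loop, as an added Go example that is not the project's code (the workflow itself is shell), so the one-page behaviour and the page loop can be run against the same fake endpoint and compared. It also carries the defer resp.Body.Close() discipline from the S3 backend fix above into the HTTP fetcher. The pullRequest type, the fetcher functions, the maxPages guard and the constructed in-memory repository of numbered PRs are all assumptions for this example; the placeholder base URL stands in for a real repository's pulls endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// pullRequest holds the two fields this example needs from a GitHub PR object.
type pullRequest struct {
	Number int    `json:"number"`
	Title  string `json:"title"`
}

// perPage is the page size the workflow requests; GitHub caps per_page at 100.
const perPage = 100

// pageFetcher returns one page of open PRs (1-based page index).
type pageFetcher func(page int) ([]pullRequest, error)

// httpPageFetcher builds a fetcher against a real pulls endpoint. api is a
// base URL such as "https://api.github.com/repos/OWNER/REPO" (placeholder);
// authentication headers are left out, the workflow supplies a token.
func httpPageFetcher(client *http.Client, api string) pageFetcher {
	return func(page int) ([]pullRequest, error) {
		url := fmt.Sprintf("%s/pulls?state=open&per_page=%d&page=%d", api, perPage, page)
		resp, err := client.Get(url)
		if err != nil {
			return nil, err
		}
		defer resp.Body.Close() // every response body is closed, as in the S3 fix
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("GET %s: unexpected status %s", url, resp.Status)
		}
		var prs []pullRequest
		if err := json.NewDecoder(resp.Body).Decode(&prs); err != nil {
			return nil, fmt.Errorf("decode page %d: %w", page, err)
		}
		return prs, nil
	}
}

// fakePageFetcher simulates a repository with n open PRs numbered 1..n,
// paginated the way GitHub does it (constructed data for this example).
func fakePageFetcher(n int) pageFetcher {
	return func(page int) ([]pullRequest, error) {
		start := (page - 1) * perPage
		if start >= n {
			return []pullRequest{}, nil
		}
		end := start + perPage
		if end > n {
			end = n
		}
		prs := make([]pullRequest, 0, end-start)
		for i := start + 1; i <= end; i++ {
			prs = append(prs, pullRequest{Number: i, Title: fmt.Sprintf("Bump dep %d", i)})
		}
		return prs, nil
	}
}

// fetchFirstPageOnly mirrors the original backfill: a single request plus a
// flag meaning "a full page came back, more PRs may exist, rerun the job".
func fetchFirstPageOnly(fetch pageFetcher) (prs []pullRequest, truncated bool, err error) {
	prs, err = fetch(1)
	if err != nil {
		return nil, false, err
	}
	return prs, len(prs) == perPage, nil
}

// fetchAllOpenPRs is the fixed shape: keep requesting pages until a short page
// arrives. maxPages bounds the loop so an endpoint that keeps answering with
// full pages cannot spin the job forever.
func fetchAllOpenPRs(fetch pageFetcher, maxPages int) ([]pullRequest, error) {
	var all []pullRequest
	for page := 1; page <= maxPages; page++ {
		prs, err := fetch(page)
		if err != nil {
			return nil, err
		}
		all = append(all, prs...)
		if len(prs) < perPage {
			return all, nil
		}
	}
	return nil, fmt.Errorf("gave up after %d pages with full pages still arriving", maxPages)
}

func main() {
	fetch := fakePageFetcher(250) // constructed: 250 open PRs, three pages
	first, truncated, _ := fetchFirstPageOnly(fetch)
	all, err := fetchAllOpenPRs(fetch, 50)
	fmt.Printf("single page: %d PRs, truncated=%v\n", len(first), truncated)
	fmt.Printf("page loop:   %d PRs, err=%v\n", len(all), err)
}
```

The fake fetcher makes the edge cases cheap to check: exactly 200 PRs yields two full pages and an empty third, zero PRs yields one empty page, and a fetcher that never returns a short page trips the maxPages guard instead of looping forever.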

What to watch

A few items worth tracking next week:

  • OpenTofu 1.12 users should watch for the next patch release. The SSH log fix and the schema cache regression are both worth waiting for, and the S3 connection leak fix is a free win for anyone using remote state locking.
  • The kubernetes-client/java Bazel migration is not finished. Maven still drives versioning, Bazel drives builds, and the sync script glues them. Expect more churn in scripts/sync_bazel_dependencies.py and the workflows under .github/workflows/.
  • Heavy bot authorship in the Java repo is worth noting. Twenty out of twenty-four commits this week came from the copilot agent. Reviewers should treat the workflow files the same way as production code. Small failures in CI plumbing tend to show up at the worst possible time.


denis256 at denis256.dev