Merge c733dd618ab191de66952e6b892ab0221ef51397 into 82757144e93fe8e4f3365fcdec2f40c7f2e8cb8f

Bumps
[stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action)
from 5.2.0 to 6.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/stefanzweifel/git-auto-commit-action/releases">stefanzweifel/git-auto-commit-action's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.1</h2>
<h2>Fixed</h2>
<ul>
<li>Disable Check if Repo is in Detached State (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/379">#379</a>)
<a
href="https://github.com/@stefanzweifel"><code>@​stefanzweifel</code></a></li>
</ul>
<h2>v6.0.0</h2>
<h2>Added</h2>
<ul>
<li>Throw error early if repository is in a detached state (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/357">#357</a>)</li>
</ul>
<h2>Fixed</h2>
<ul>
<li>Fix PAT instructions with Dependabot (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/376">#376</a>)
<a
href="https://github.com/@Dreamsorcerer"><code>@​Dreamsorcerer</code></a></li>
</ul>
<h2>Removed</h2>
<ul>
<li>Remove support for <code>create_branch</code>,
<code>skip_checkout</code>, <code>skip_Fetch</code> (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/314">#314</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md">stefanzweifel/git-auto-commit-action's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this
file.</p>
<p>The format is based on <a
href="http://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>
and this project adheres to <a
href="http://semver.org/spec/v2.0.0.html">Semantic Versioning</a>.</p>
<h2><a
href="https://github.com/stefanzweifel/git-auto-commit-action/compare/v6.0.1...HEAD">Unreleased</a></h2>
<blockquote>
<p>TBD</p>
</blockquote>
<h2><a
href="https://github.com/stefanzweifel/git-auto-commit-action/compare/v6.0.0...v6.0.1">v6.0.1</a>
- 2025-06-11</h2>
<h3>Fixed</h3>
<ul>
<li>Disable Check if Repo is in Detached State (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/379">#379</a>)
<a
href="https://github.com/@stefanzweifel"><code>@​stefanzweifel</code></a></li>
</ul>
<h2><a
href="https://github.com/stefanzweifel/git-auto-commit-action/compare/v5.2.0...v6.0.0">v6.0.0</a>
- 2025-06-10</h2>
<h3>Added</h3>
<ul>
<li>Throw error early if repository is in a detached state (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/357">#357</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix PAT instructions with Dependabot (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/376">#376</a>)
<a
href="https://github.com/@Dreamsorcerer"><code>@​Dreamsorcerer</code></a></li>
</ul>
<h3>Removed</h3>
<ul>
<li>Remove support for <code>create_branch</code>,
<code>skip_checkout</code>, <code>skip_Fetch</code> (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/314">#314</a>)</li>
</ul>
<h2><a
href="https://github.com/stefanzweifel/git-auto-commit-action/compare/v5.1.0...v5.2.0">v5.2.0</a>
- 2025-04-19</h2>
<h3>Added</h3>
<ul>
<li>Add <code>create_git_tag_only</code> option to skip commiting and
always create a git-tag. (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/364">#364</a>)
<a href="https://github.com/@zMynxx"><code>@​zMynxx</code></a></li>
<li>Add Test for <code>create_git_tag_only</code> feature (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/367">#367</a>)
<a
href="https://github.com/@stefanzweifel"><code>@​stefanzweifel</code></a></li>
</ul>
<h3>Fixed</h3>
<ul>
<li>docs: Update README.md per <a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/issues/354">#354</a>
(<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/361">#361</a>)
<a href="https://github.com/@rasa"><code>@​rasa</code></a></li>
</ul>
<h2><a
href="https://github.com/stefanzweifel/git-auto-commit-action/compare/v5.0.1...v5.1.0">v5.1.0</a>
- 2025-01-11</h2>
<h3>Changed</h3>
<ul>
<li>Include <code>github.actor_id</code> in default
<code>commit_author</code> (<a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/354">#354</a>)
<a
href="https://github.com/@parkerbxyz"><code>@​parkerbxyz</code></a></li>
</ul>
<h3>Fixed</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="778341af66"><code>778341a</code></a>
Merge pull request <a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/issues/379">#379</a>
from stefanzweifel/disable-detached-state-check</li>
<li><a
href="33b203d92a"><code>33b203d</code></a>
Disable Check if Repo is in Detached State</li>
<li><a
href="a82d80a75f"><code>a82d80a</code></a>
Update CHANGELOG</li>
<li><a
href="3cc016cfc8"><code>3cc016c</code></a>
Merge pull request <a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/issues/375">#375</a>
from stefanzweifel/v6-next</li>
<li><a
href="ddb7ae4159"><code>ddb7ae4</code></a>
Merge pull request <a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/issues/376">#376</a>
from Dreamsorcerer/patch-1</li>
<li><a
href="b001e5f0ff"><code>b001e5f</code></a>
Apply suggestions from code review</li>
<li><a
href="6494dc61d3"><code>6494dc6</code></a>
Fix PAT instructions with Dependabot</li>
<li><a
href="76180511d9"><code>7618051</code></a>
Add deprecated inputs to fix unbound variable issue</li>
<li><a
href="ae114628ea"><code>ae11462</code></a>
Merge pull request <a
href="https://redirect.github.com/stefanzweifel/git-auto-commit-action/issues/371">#371</a>
from stefanzweifel/dependabot/npm_and_yarn/bats-1.12.0</li>
<li><a
href="3058f91afb"><code>3058f91</code></a>
Bump bats from 1.11.1 to 1.12.0</li>
<li>Additional commits viewable in <a
href="b863ae1933...778341af66">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=stefanzweifel/git-auto-commit-action&package-manager=github_actions&previous-version=5.2.0&new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/docker.yml

@@ -30,9 +30,6 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3 # v3.9.0
-
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -71,14 +68,6 @@ jobs:
           platforms: ${{ matrix.platform }}
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
 
-      - name: Sign the images with GitHub OIDC Token
-        env:
-          DIGEST: ${{ steps.build.outputs.digest }}
-        run: |
-          cosign sign --yes \
-            docker.io/matrixdotorg/synapse@${DIGEST} \
-            ghcr.io/element-hq/synapse@${DIGEST}
-
       - name: Export digest
         run: |
           mkdir -p ${{ runner.temp }}/digests
@@ -130,6 +119,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3 # v3.9.0
+
       - name: Calculate docker image tag
         uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
@@ -150,3 +142,14 @@ jobs:
         run: |
           docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
             $(printf "$REPOSITORY@sha256:%s " *)
+
+      - name: Sign each manifest
+        env:
+          REPOSITORY: ${{ matrix.repository }}
+        run: |
+          DIGESTS=""
+          for TAG in $(echo "$DOCKER_METADATA_OUTPUT_JSON" | jq -r '.tags[]'); do
+            DIGEST="$(docker buildx imagetools inspect $TAG --format '{{json .Manifest}}' | jq -r '.digest')"
+            DIGESTS="$DIGESTS $REPOSITORY@$DIGEST"
+          done
+          cosign sign --yes $DIGESTS

.github/workflows/fix_lint.yaml

@@ -44,6 +44,6 @@ jobs:
       - run: cargo fmt
         continue-on-error: true
 
-      - uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+      - uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
         with:
           commit_message: "Attempt to fix linting"

changelog.d/18575.misc

@@ -0,0 +1 @@
+Raise poetry-core version cap to 2.1.3.

changelog.d/18594.bugfix

@@ -0,0 +1 @@
+Respond with 401 & `M_USER_LOCKED` when a locked user calls `POST /login`, as per the spec.

changelog.d/18620.misc

@@ -0,0 +1 @@
+Speed up the building of Docker images in CI.

changelog.d/18625.misc

@@ -0,0 +1 @@
+Log the room ID we're purging state for.

pyproject.toml

@@ -374,7 +374,7 @@ tomli = ">=1.2.3"
 # runtime errors caused by build system changes.
 # We are happy to raise these upper bounds upon request,
 # provided we check that it's safe to do so (i.e. that CI passes).
-requires = ["poetry-core>=1.1.0,<=1.9.1", "setuptools_rust>=1.3,<=1.10.2"]
+requires = ["poetry-core>=1.1.0,<=2.1.3", "setuptools_rust>=1.3,<=1.10.2"]
 build-backend = "poetry.core.masonry.api"
 
 

synapse/api/auth/internal.py

@@ -29,6 +29,7 @@ from synapse.api.errors import (
     InvalidClientTokenError,
     MissingClientTokenError,
     UnrecognizedRequestError,
+    UserLockedError,
 )
 from synapse.http.site import SynapseRequest
 from synapse.logging.opentracing import active_span, force_tracing, start_active_span
@@ -162,12 +163,7 @@ class InternalAuth(BaseAuth):
                 if not allow_locked and await self.store.get_user_locked_status(
                     requester.user.to_string()
                 ):
-                    raise AuthError(
-                        401,
-                        "User account has been locked",
-                        errcode=Codes.USER_LOCKED,
-                        additional_fields={"soft_logout": True},
-                    )
+                    raise UserLockedError()
 
                 # Deny the request if the user account has expired.
                 # This check is only done for regular users, not appservice ones.

synapse/api/errors.py

@@ -306,6 +306,20 @@ class UserDeactivatedError(SynapseError):
         )
 
 
+class UserLockedError(SynapseError):
+    """The error returned to the client when the user attempted to access an
+    authenticated endpoint, but the account has been locked.
+    """
+
+    def __init__(self) -> None:
+        super().__init__(
+            code=HTTPStatus.UNAUTHORIZED,
+            msg="User account has been locked",
+            errcode=Codes.USER_LOCKED,
+            additional_fields={"soft_logout": True},
+        )
+
+
 class FederationDeniedError(SynapseError):
     """An error raised when the server tries to federate with a server which
     is not on its federation whitelist.

synapse/rest/client/login.py

@@ -42,6 +42,7 @@ from synapse.api.errors import (
     NotApprovedError,
     SynapseError,
     UserDeactivatedError,
+    UserLockedError,
 )
 from synapse.api.ratelimiting import Ratelimiter
 from synapse.api.urls import CLIENT_API_PREFIX
@@ -313,7 +314,7 @@ class LoginRestServlet(RestServlet):
             should_issue_refresh_token=should_issue_refresh_token,
             # The user represented by an appservice's configured sender_localpart
             # is not actually created in Synapse.
-            should_check_deactivated=qualified_user_id != appservice.sender,
+            should_check_deactivated_or_locked=qualified_user_id != appservice.sender,
             request_info=request_info,
         )
 
@@ -367,7 +368,7 @@ class LoginRestServlet(RestServlet):
         auth_provider_id: Optional[str] = None,
         should_issue_refresh_token: bool = False,
         auth_provider_session_id: Optional[str] = None,
-        should_check_deactivated: bool = True,
+        should_check_deactivated_or_locked: bool = True,
         *,
         request_info: RequestInfo,
     ) -> LoginResponse:
@@ -389,8 +390,8 @@ class LoginRestServlet(RestServlet):
             should_issue_refresh_token: True if this login should issue
                 a refresh token alongside the access token.
             auth_provider_session_id: The session ID got during login from the SSO IdP.
-            should_check_deactivated: True if the user should be checked for
-                deactivation status before logging in.
+            should_check_deactivated_or_locked: True if the user should be checked for
+                deactivation or locked status before logging in.
 
                 This exists purely for appservice's configured sender_localpart
                 which doesn't have an associated user in the database.
@@ -415,11 +416,14 @@ class LoginRestServlet(RestServlet):
                 )
             user_id = canonical_uid
 
-        # If the account has been deactivated, do not proceed with the login.
-        if should_check_deactivated:
+        # If the account has been deactivated or locked, do not proceed with the login.
+        if should_check_deactivated_or_locked:
             deactivated = await self._main_store.get_user_deactivated_status(user_id)
             if deactivated:
                 raise UserDeactivatedError("This account has been deactivated")
+            locked = await self._main_store.get_user_locked_status(user_id)
+            if locked:
+                raise UserLockedError()
 
         device_id = login_submission.get("device_id")
 

synapse/storage/controllers/purge_events.py

@@ -34,6 +34,7 @@ from synapse.metrics.background_process_metrics import wrap_as_background_proces
 from synapse.storage.database import LoggingTransaction
 from synapse.storage.databases import Databases
 from synapse.types.storage import _BackgroundUpdates
+from synapse.util.stringutils import shortstr
 
 if TYPE_CHECKING:
     from synapse.server import HomeServer
@@ -167,6 +168,12 @@ class PurgeEventsStorageController:
                 break
 
             (room_id, groups_to_sequences) = next_to_delete
+
+            logger.info(
+                "[purge] deleting state groups for room %s: %s",
+                room_id,
+                shortstr(groups_to_sequences.keys(), maxitems=10),
+            )
             made_progress = await self._delete_state_groups(
                 room_id, groups_to_sequences
             )

tests/rest/admin/test_user.py

@@ -2846,6 +2846,16 @@ class UserRestTestCase(unittest.HomeserverTestCase):
         self.assertEqual(Codes.USER_LOCKED, channel.json_body["errcode"])
         self.assertTrue(channel.json_body["soft_logout"])
 
+        # User is not authorized to log in anymore
+        channel = self.make_request(
+            "POST",
+            "/_matrix/client/r0/login",
+            {"type": "m.login.password", "user": "user", "password": "pass"},
+        )
+        self.assertEqual(401, channel.code, msg=channel.json_body)
+        self.assertEqual(Codes.USER_LOCKED, channel.json_body["errcode"])
+        self.assertTrue(channel.json_body["soft_logout"])
+
     @override_config({"user_directory": {"enabled": True, "search_all_users": True}})
     def test_locked_user_not_in_user_dir(self) -> None:
         # User is available in the user dir