🔒 Scanned for secrets using gitleaks 8.30.0

# Description

Integrating gateway partition migrator in gateway app & introducing an
integration test for the gateway-with-processor scenario:

- Refreshing source db's `dsList` before starting the migration job for
moving jobs from all current datasets.
- Adapting `clustertest.PartitionMigrationExecutor` to support a
separate gateway.
- Fixing unionjobsdb function to use the proper data type for
`event_payload`.
- Introducing `Router.maxReadSleep` for being able to override the
maximum worker sleep time.

## Linear Ticket

resolves PIPE-2701

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

…roughput while draining (#6644)

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

- Keeping track of router partitions which are currently draining jobs
due to:
  - **jobs expiring:** `Router.jobRetention`
- **destinations being configured to abort:**
`Router.toAbortDestinationIDs`
  - **canceled retl syncs:** `drain.jobRunIDs`
- **jobs retry limits being reached:** `Router.maxFailedCountForJob` &
`Router.retryTimeWindow`
- If pickup query throttling is enabled and the partition is draining,
the throttler will not pickup less jobs than the default
`jobQueryBatchSize` so that draining is not hindered by throttling
limits.

## Linear Ticket

resolves PIPE-2729

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

Upgrading to latest duckdb-go, since debugging was impossible if the
previous `marcboeker/go-duckdb` driver was in the compile path due to
missing c symbols.

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

🔒 Scanned for secrets using gitleaks 8.28.0

# Description

- Introduce `FBLA_SRCHYDRATION_TEST_DATA` environment variable to store
test secrets
- Parse pageAccessToken and anonymousId from test secrets for
integration tests
- Update sendEvents function to use anonymousId parameter
- Modify test cases to use new secrets parsing and sending mechanism

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

Introducing support for a **priority pool** in JobsDB - a dedicated
database connection pool that special operations can use to bypass the
regular JobsDB reader/writer queues and use dedicated database
connections.

## Key Features
- **Dedicated connection pool**: Separate `*sql.DB` with configurable
pool size
- **Queue bypass**: Skip JobsDB reader & writer semaphores for priority
operations
- **Context-based opt-in**: Operations opt into the priority pool by
wrapping their context

## Usage
Initialize a JobsDB with a priority pool
```go
db := jobsdb.NewForReadWrite(
		"mydb",
		jobsdb.WithDBHandle(primaryPool),
		jobsdb.WithPriorityPoolDB(priorityPool),
	)
```
Then use the priority pool by augmenting the context
```go
ctx = jobsdb.WithPriorityPool(ctx)
result, err := db.GetUnprocessed(ctx, jobsdb.GetQueryParams{JobsLimit: 10})
```
If context is augmented but JobsDB doesn't have a priority pool
configured, it will fallback to using the normal database pool.

## Linear Ticket

resolves PIPE-2732

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

# Description

In Klaviyo bulk upload, we are not handling the failure scenario
properly when any chunk fails during upload. So we are fixing that with
this pr.

## Linear Ticket


https://linear.app/rudderstack/issue/INT-5683/klaviyo-bulk-upload-fix-failed-jobs-count-status-update

## Security

- [ ] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

---------

Co-authored-by: Sai Kumar Battinoju <[email protected]>

🔒 Scanned for secrets using gitleaks 8.28.0

# Description

Add validation before using `uploadResp`. It is not always available.

## Linear Ticket


https://linear.app/rudderstack/issue/INT-5683/klaviyo-bulk-upload-fix-failed-jobs-count-status-update

## Security

- [ ] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

## Summary
- Add second GitHub App token with `repositories:` parameter for
cross-repo dispatch operations
- The `peter-evans/repository-dispatch` action requires `contents:
write` on the **target** repository
- Without `repositories:` parameter, the token only has permissions for
the current repository

## Changes
- `.github/workflows/release-please.yaml`: Added
`generate-dispatch-token` step targeting
`rudderstack-operator,rudder-devops`
- `.github/workflows/prerelease.yaml`: Added `generate-dispatch-token`
step targeting `rudderstack-operator,rudder-devops`
- `.github/workflows/dispatch-deploy-event-dev.yaml`: Changed token to
include `repositories: rudder-devops`

## Why Two Tokens?
The existing `generate-token` step is used for release-please operations
which need `contents: write` and `pull-requests: write` on the
**current** repository. The new `generate-dispatch-token` step is
specifically for cross-repo dispatch and needs `contents: write` on the
**target** repositories.

## Test plan
- [x] CI passes on this PR
- [ ] Verify release-please workflow runs successfully on release
branches
- [ ] Verify prerelease workflow runs successfully on prerelease
branches
- [ ] Verify dispatch-deploy-event-dev workflow can dispatch to
rudder-devops

🤖 Generated with [Claude Code](https://claude.com/claude-code)

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

Setting up a database priority pool whenever partition migration is
enabled and using it for relevant operations.
This priority pool is controlled through the following (hierarchical)
configuration keys (disabled by default):
1. `DB.<componentName>.PriorityPool.enabled`
2. `DB.PriorityPool.enabled`
3. `PartitionMigration.enabled`

Skipping priority pool in gateway app, since the only partition
migration related operation gateway performs is refreshing buffered
partitions.

## Additional Items

- Upgrading to Go 1.25.6.
- Fixing a bug where dangling connections might not be terminated
whenever the hostname was long enough.
- Adding support for having different idleTxTimeout per component -
gateways don't need anything more than a couple of seconds.


## Linear Ticket

resolves PIPE-2733
resolves PIPE-2731

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

Each JobsDB Partition Buffer that can perform flush operations starts a
watchdog when it begins. This watchdog periodically checks for jobs
contained in the buffer belonging to unbuffered partitions. If it
detects such partitions, it triggers a flush for them.

This helps prevent jobs from getting stuck in the buffer when their
partitions are no longer actively buffered, whether this is caused by a
bug or a forced abort of a partition migration.

## Linear Ticket

resolves PIPE-2644

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

- Bumped Go version from `1.25.6` to `1.25.7`
- Bumped `github.com/rudderlabs/rudder-go-kit` from `v0.70.1` to
`v0.72.0`, which includes:
	- Bumped `github.com/lib/pq` from `v1.10.9` to `v1.11.1`
	- Bumped `cloud.google.com/go/bigquery` from `v1.69.0` to `v1.72.0`
- Upgraded to `cloud.google.com/go/pubsub/v2` `v2.3.0` since v1 is now
deprecated
	- Bumped `github.com/aws/aws-sdk-go-v2` from `v1.39.6` to `v1.41.1`
- Bumped `github.com/apache/pulsar-client-go` from `v0.16.0` to
`v0.18.0`
- Bumped `github.com/confluentinc/confluent-kafka-go/v2` from `v2.11.1`
to `v2.13.0`
- Using `jaeger` instead of `zipkin`
([deprecated](https://opentelemetry.io/blog/2025/deprecating-zipkin-exporters/))
for tracing

- Removed legacy library replacements from `go.mod`


## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

Replacing harbor proxy with ecr dockerhub proxy

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

…d requests (#6670)

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

Both processor and gateway migrators use etcd transaction gates so that
they don't process & acknowledge the same request twice.
- **t1:** processor receives a new migration, processes and acknowledges
it
- **t2:** processor restarts and receives the same new migration again
- **t3:** orchestrator updates the migration's status
- **t4:** orchestrator deletes previous acknowledgements
- **t5:** processor checks for an existing acknowledgement, none exists,
but in the same Tx refreshes the migration which causes it to be
filtered out because it's status is now changed.

## Linear Ticket

resolves PIPE-2768

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

getting the latest rudder-transformer/go version for [fixing
typo](rudderlabs/rudder-transformer#4948)

```
=== FAIL: gateway/webhook TestIntegrationWebhook/appsflyer/test-2 (0.01s)
    integration_test.go:199: writeKey: BJeFBuqaSh
    integration_test.go:200: sourceID: DzCpwoncBx
    integration_test.go:201: workspaceID: zSUsjECYQv
    integration_test.go:212: Request URL: http://localhost:37633/v1/webhook?writeKey=BJeFBuqaSh
2026-02-12T06:09:18.261Z	ERROR	gateway.webhook	webhook/webhook.go:485	webhook source transformation failed	{"sourceType": "APPSFLYER", "errorMsg": "Unknown event type from Appsflyer", "statusCode": 400}
2026-02-12T06:09:18.261Z	INFO	gateway.webhook	webhook/webhook.go:244	IP -- Response	{"ip": "192.0.2.30", "path": "/v1/webhook", "code": 400, "error": "Unknown event type from Appsflyer"}
    integration_test.go:236: 
        	Error Trace:	/home/runner/work/rudder-server/rudder-server/gateway/webhook/integration_test.go:236
        	Error:      	Not equal: 
        	            	expected: "\"unknwon event type from appsflyer\\n\""
        	            	actual  : "\"unknown event type from appsflyer\\n\""
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1 +1 @@
        	            	-"unknwon event type from appsflyer\n"
        	            	+"unknown event type from appsflyer\n"
        	Test:       	TestIntegrationWebhook/appsflyer/test-2
    --- FAIL: TestIntegrationWebhook/appsflyer/test-2 (0.01s)
```

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

## Summary

Enable [gosec](https://github.com/securego/gosec) (Go Security Checker)
via golangci-lint to catch security issues in new code going forward.

## Motivation

We are rolling out gosec across all Go repositories in the RudderStack
org as part of a security hardening initiative. gosec performs static
analysis to detect common security issues: SQL injection, path
traversal, weak cryptography, SSRF, insecure TLS, and more — covering 48
rules across 10 categories.

## Approach

Rather than fixing all existing issues at once (which would be a large,
risky change), we are taking an **incremental rollout approach**:

1. **This PR**: Enable gosec with rules that currently have **zero
findings** in the codebase. The linter passes cleanly — no code changes
needed.
2. **Follow-up PRs**: Fix existing issues rule-by-rule, then remove the
corresponding exclusion to enforce the rule going forward.

The excluded rules (with current finding counts) are documented inline
in the config so future contributors know what needs remediation.

## What This PR Does

- Adds `gosec` to the existing `linters.enable` list in `.golangci.yml`
- Configures `gosec.excludes` to skip 22 rules that have existing
findings
- All other gosec rules are enabled and will block PRs that introduce
new security issues

## What Changes for Contributors

- New code that triggers any enabled gosec rule will fail CI
- Existing code is unaffected (excluded rules are documented with
finding counts)
- To suppress a legitimate false positive: add `// nosec G<NNN> --
<reason>` with a justification comment

## Linear

Tracks: SEC-75

## Test Plan

- [x] `golangci-lint run -v` passes with zero gosec findings
- [ ] No existing tests or CI pipelines are affected

🤖 Generated with [Claude Code](https://claude.ai/code)

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

- Bumping rudder-go-kit version to fix an issue with zookeeper docker
container port binding
- Adding a workaround for `dockertest` bug for which the
[fix](ory/dockertest#623) is unreleased

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

…6685)

🔒 Scanned for secrets using gitleaks 8.30.0

# Description

running `go fix` for modernizing the code automatically whenever there
are new go releases

> The venerable go fix command has been completely revamped and is now
the home of Go’s modernizers. It provides a dependable, push-button way
to update Go code bases to the latest idioms and core library APIs. The
initial suite of modernizers includes dozens of fixers to make use of
modern features of the Go language and library, as well a source-level
inliner that allows users to automate their own API migrations using
[//go:fix inline
directives](https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/inline#hdr-Analyzer_inline).
These fixers should not change the behavior of your program, so if you
encounter any issues with a fix performed by go fix, please [report
it](https://go.dev/issue/new).

## Security

- [x] The code changed/added as part of this pull request won't create
any security issues with how the software is being used.

# Description

Syncing patch release v1.67.1 to main branch

**↓↓ Please review and edit commit overrides before merging ↓↓**

BEGIN_COMMIT_OVERRIDE
fix: snowpipe streaming logs (#6683)
END_COMMIT_OVERRIDE

---------

Co-authored-by: Akash Chetty <[email protected]>
Co-authored-by: rudderstack-github-actions[bot] <236995729+rudderstack-github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aris Tzoumas <[email protected]>

🤖 I have created a release *beep* *boop*
---


##
[1.68.0](v1.67.0...v1.68.0)
(2026-02-16)


### Features

* integrate gateway partition migrator in gw app
([#6636](#6636))
([64bfec4](64bfec4))
* **jobsdb:** introduce priority pool
([#6645](#6645))
([035c34a](035c34a))
* partition buffer watchdog
([#6656](#6656))
([fc763d6](fc763d6))
* pickupQueryThrottlingEnabled shouldn't hinder the pipeline's
throughput while draining
([#6644](#6644))
([4a730cb](4a730cb))
* use database priority pool for partition migrations
([#6666](#6666))
([240d46d](240d46d))


### Bug Fixes

* add repositories param for cross-repo dispatch [SEC-58]
([#6665](#6665))
([d7484dc](d7484dc))
* kafka test container failing to start with error
([#6684](#6684))
([17ab3fc](17ab3fc))
* klaviyo failed jobs logic
([#6646](#6646))
([2ff1091](2ff1091))
* snowpipe streaming logs
([#6683](#6683))
([717af74](717af74))
* webhook integration test failing with appsflyer error
([#6678](#6678))
([4b0f544](4b0f544))


### Miscellaneous

* add validation on uploadResp before accessing it
([#6667](#6667))
([42ea88c](42ea88c))
* bump rudder-go-kit to v0.72.0
([#6671](#6671))
([777abdc](777abdc))
* enable gosec security linter
([#6679](#6679))
([df5e06f](df5e06f))
* partition migrators should skip processing already acknowledged
requests
([#6670](#6670))
([3f18a73](3f18a73))
* run src hydration test with environment secrets
([#6664](#6664))
([31bdb37](31bdb37))
* upgrade to duckdb/duckdb-go/v2 v2.5.0
([#6659](#6659))
([dd9d17b](dd9d17b))
* upgrade to go 1.26 and include go fix in fmt makefile target
([#6685](#6685))
([e6f31c6](e6f31c6))
* use ecr registry as registry mirror
([#6675](#6675))
([8262504](8262504))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: rudderstack-github-actions[bot] <236995729+rudderstack-github-actions[bot]@users.noreply.github.com>