code · pull · Mar 5, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026
diff --git a/.changeset/add-step-context.md b/.changeset/add-step-context.md
@@ -0,0 +1,17 @@
+---
+"@cloudflare/workflows-shared": minor
+---
+
+Adds step context with attempt count to step.do() callbacks.
+
+Workflow step callbacks now receive a context object containing the current attempt number (1-indexed).
+This allows developers to access which retry attempt is currently executing.
+
+Example:
+
+```ts
+await step.do("my-step", async (ctx) => {
+	// ctx.attempt is 1 on first try, 2 on first retry, etc.
+	console.log(`Attempt ${ctx.attempt}`);
+});
+```
diff --git a/.changeset/short-sloths-bake.md b/.changeset/short-sloths-bake.md
@@ -0,0 +1,7 @@
+---
+"@cloudflare/workers-shared": patch
+---
+
+fix: Normalize backslash characters in `/cdn-cgi` paths
+
+Requests containing backslash characters in `/cdn-cgi` paths are now redirected to their normalized equivalents with forward slashes. This ensures consistent URL handling across different browsers and HTTP clients.
diff --git a/.changeset/silver-coins-take.md b/.changeset/silver-coins-take.md
@@ -0,0 +1,17 @@
+---
+"wrangler": minor
+---
+
+feat(hyperdrive): add MySQL SSL mode and Custom CA support
+
+Hyperdrive now supports MySQL-specific SSL modes (`REQUIRED`, `VERIFY_CA`, `VERIFY_IDENTITY`) alongside the existing PostgreSQL modes. The `--sslmode` flag now validates the provided value based on the database scheme (PostgreSQL or MySQL) and enforces appropriate CA certificate requirements for each.
+
+**Usage:**
+
+```sh
+# MySQL with CA verification
+wrangler hyperdrive create my-config --connection-string="mysql://user:pass@host:3306/db" --sslmode=VERIFY_CA --ca-certificate-id=<cert-id>
+
+# PostgreSQL (unchanged)
+wrangler hyperdrive create my-config --connection-string="postgres://user:pass@host:5432/db" --sslmode=verify-full --ca-certificate-id=<cert-id>
+```
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
@@ -1,6 +1,8 @@
 name: "Code Owners"
 
-# Re-evaluate when PRs are opened/updated, and when reviews are submitted/dismissed.
+# Re-evaluate when PRs are opened/updated.
+# When reviews are submitted/dismissed, the separate rerun_codeowners.yml workflow
+# re-runs this check (rather than creating a second check context).
 # Using pull_request_target (not pull_request) so the workflow has access to secrets
 # for fork PRs. This is safe because:
 #   - The checkout is the BASE branch (ownership rules come from the protected branch)
@@ -9,8 +11,6 @@ name: "Code Owners"
 on:
   pull_request_target:
     types: [opened, reopened, synchronize, ready_for_review, labeled, unlabeled]
-  pull_request_review:
-    types: [submitted, dismissed]
 
 concurrency:
   group: codeowners-${{ github.event.pull_request.number }}
@@ -27,16 +27,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Base Branch"
+        if: github.event.pull_request.head.ref != 'changeset-release/main'
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: "Fetch PR Head (for diff computation)"
+        if: github.event.pull_request.head.ref != 'changeset-release/main'
         run: git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head
         env:
           GITHUB_TOKEN: "${{ secrets.CODEOWNERS_GITHUB_PAT }}"
 
       - name: "Codeowners Plus"
+        if: github.event.pull_request.head.ref != 'changeset-release/main'
         uses: multimediallc/codeowners-plus@ff02aa993a92e8efe01642916d0877beb9439e9f # v1.9.0
         with:
           github-token: "${{ secrets.CODEOWNERS_GITHUB_PAT }}"

diff --git a/.github/workflows/rerun_codeowners.yml b/.github/workflows/rerun_codeowners.yml
@@ -0,0 +1,40 @@
+name: "Rerun Code Owners"
+
+# When a review is submitted or dismissed, re-run the Code Owners check from the
+# main codeowners.yml workflow (triggered by pull_request_target) rather than
+# running the check again under a separate event context. This avoids duplicate
+# "Code Owners" checks appearing on the PR.
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+
+permissions: {}
+
+jobs:
+  rerun-codeowners:
+    name: "Rerun Codeowners Plus"
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      checks: read
+    steps:
+      - name: "Re-run Codeowners Check"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          REPO: ${{ github.repository }}
+        run: |
+          # Find the "Run Codeowners Plus" check run for the PR head commit
+          # and extract the Actions job ID from its details URL.
+          # Using the commit SHA (not branch name) so this works for fork PRs
+          # where the branch name doesn't exist in the base repository.
+          job_id=$(gh api "repos/${REPO}/commits/${HEAD_SHA}/check-runs?check_name=Run+Codeowners+Plus" \
+            --jq '(.check_runs[0].details_url // "") | split("/") | last | split("?") | first' || true)
+
+          if [ -n "$job_id" ]; then
+            gh api "repos/${REPO}/actions/jobs/${job_id}/rerun" --method POST \
+              || echo "Job may already be running"
+            echo "Re-triggered 'Run Codeowners Plus' (job ${job_id})"
+          else
+            echo "Check 'Run Codeowners Plus' not found for SHA ${HEAD_SHA}"
+          fi
diff --git a/packages/workers-shared/router-worker/src/analytics.ts b/packages/workers-shared/router-worker/src/analytics.ts
@@ -55,6 +55,8 @@ type Data = {
 	abuseMitigationURLHost?: string;
 	// blob7 - XSS detection href parameter value
 	xssDetectionImageHref?: string;
+	// blob8 - cdn-cgi backslash bypass attempt URL
+	cdnCgiBackslashBypassUrl?: string;
 };
 
 export class Analytics {
@@ -110,6 +112,7 @@ export class Analytics {
 				this.data.coloRegion, // blob5
 				this.data.abuseMitigationURLHost, // blob6
 				this.data.xssDetectionImageHref, // blob7
+				this.data.cdnCgiBackslashBypassUrl?.substring(0, 256), // blob8 - trim to 256 bytes
 			],
 		});
 	}

diff --git a/packages/workers-shared/router-worker/src/worker.ts b/packages/workers-shared/router-worker/src/worker.ts
@@ -1,5 +1,6 @@
 import { generateStaticRoutingRuleMatcher } from "../../asset-worker/src/utils/rules-engine";
 import { PerformanceTimer } from "../../utils/performance";
+import { TemporaryRedirectResponse } from "../../utils/responses";
 import { setupSentry } from "../../utils/sentry";
 import { mockJaegerBinding } from "../../utils/tracing";
 import { Analytics, DISPATCH_TYPE, STATIC_ROUTING_DECISION } from "./analytics";
@@ -82,6 +83,19 @@ export default {
 				});
 			}
 
+			// Handle /cdn-cgi\... backslash bypass attempts
+			// - in production if pathname starts with `/cdn-cgi/` then it bypassed the external
+			//   routing and so must have actually started with `/cdn-cgi\`.
+			// - in local dev it is possible for pathname to start with `/cdn-cgi/`
+			//   even if it doesn't start with `/cdn-cgi\` so we also check the raw URL for that.
+			if (
+				url.pathname.startsWith("/cdn-cgi/") &&
+				request.url.includes("/cdn-cgi\\")
+			) {
+				analytics.setData({ cdnCgiBackslashBypassUrl: request.url });
+				return new TemporaryRedirectResponse(url.href);
+			}
+
 			const routeToUserWorker = async ({
 				asset,
 			}: {