temporalio · cretz · Oct 22, 2025 · Oct 20, 2025 · Oct 20, 2025 · Oct 20, 2025
@@ -62,6 +62,7 @@ type RunConfig struct {
 	Namespace           string
 	ClientCertPath      string
 	ClientKeyPath       string
+	TLSServerName       string
 	GenerateHistory     bool
 	DisableHistoryCheck bool
 	RetainTempDir       bool
@@ -92,6 +93,11 @@ func (r *RunConfig) dockerRunFlags() []cli.Flag {
 			Usage:       "Path of TLS client key to use (optional)",
 			Destination: &r.ClientKeyPath,
 		},
+		&cli.StringFlag{
+			Name:        "tls-server-name",
+			Usage:       "TLS server name to use for verification and SNI override (optional)",
+			Destination: &r.TLSServerName,
+		},
 	}
 }
 
@@ -238,7 +244,7 @@ func (r *Runner) Run(ctx context.Context, patterns []string) error {
 	} else {
 		// Wait for namespace to become available
 		err := harness.WaitNamespaceAvailable(ctx, r.log,
-			r.config.Server, r.config.Namespace, r.config.ClientCertPath, r.config.ClientKeyPath)
+			r.config.Server, r.config.Namespace, r.config.ClientCertPath, r.config.ClientKeyPath, r.config.TLSServerName)
 		if err != nil {
 			return err
 		}
@@ -294,6 +300,7 @@ func (r *Runner) Run(ctx context.Context, patterns []string) error {
 				Namespace:      r.config.Namespace,
 				ClientCertPath: r.config.ClientCertPath,
 				ClientKeyPath:  r.config.ClientKeyPath,
+				TLSServerName:  r.config.TLSServerName,
 				SummaryURI:     r.config.SummaryURI,
 				HTTPProxyURL:   r.config.HTTPProxyURL,
 			}).Run(ctx, run)

@@ -49,6 +49,9 @@ func (r *Runner) RunDotNetExternal(ctx context.Context, run *cmd.Run) error {
 	if r.config.HTTPProxyURL != "" {
 		args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
 	}
+	if r.config.TLSServerName != "" {
+		args = append(args, "--tls-server-name", r.config.TLSServerName)
+	}
 	args = append(args, run.ToArgs()...)
 	cmd, err := r.program.NewCommand(ctx, args...)
 	if err == nil {

@@ -68,6 +68,9 @@ func (r *Runner) RunGoExternal(ctx context.Context, run *cmd.Run) error {
 	if r.config.HTTPProxyURL != "" {
 		args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
 	}
+	if r.config.TLSServerName != "" {
+		args = append(args, "--tls-server-name", r.config.TLSServerName)
+	}
 	args = append(args, run.ToArgs()...)
 	cmd, err := r.program.NewCommand(ctx, args...)
 	if err == nil {

@@ -61,6 +61,9 @@ func (r *Runner) RunJavaExternal(ctx context.Context, run *cmd.Run) error {
 	if r.config.HTTPProxyURL != "" {
 		args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
 	}
+	if r.config.TLSServerName != "" {
+		args = append(args, "--tls-server-name", r.config.TLSServerName)
+	}
 	args = append(args, run.ToArgs()...)
 
 	// Run

@@ -63,6 +63,9 @@ func (r *Runner) RunPhpExternal(ctx context.Context, run *cmd.Run) error {
 		}
 		args = append(args, "tls.key="+clientKeyPath)
 	}
+	if r.config.TLSServerName != "" {
+		args = append(args, "tls.server-name="+r.config.TLSServerName)
+	}
 
 	// Run
 	cmd, err := r.program.NewCommand(ctx, args...)

@@ -80,6 +80,9 @@ func (r *Runner) RunPythonExternal(ctx context.Context, run *cmd.Run) error {
 	if r.config.HTTPProxyURL != "" {
 		args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
 	}
+	if r.config.TLSServerName != "" {
+		args = append(args, "--tls-server-name", r.config.TLSServerName)
+	}
 	args = append(args, run.ToArgs()...)
 
 	// Run

@@ -82,6 +82,9 @@ func (r *Runner) RunTypeScriptExternal(ctx context.Context, run *cmd.Run) error
 	if r.config.HTTPProxyURL != "" {
 		args = append(args, "--http-proxy-url", r.config.HTTPProxyURL)
 	}
+	if r.config.TLSServerName != "" {
+		args = append(args, "--tls-server-name", r.config.TLSServerName)
+	}
 	args = append(args, run.ToArgs()...)
 
 	// Run

@@ -52,6 +52,7 @@ func (h HTTPProxyTest) Execute(ctx context.Context, r *harness.Runner) (client.W
 		namespace:      r.Namespace,
 		clientCertPath: r.ClientCertPath,
 		clientKeyPath:  r.ClientKeyPath,
+		tlsServerName:  r.TLSServerName,
 		taskQueue:      r.TaskQueue,
 		workflowID:     "wf-" + uuid.NewString(),
 	}
@@ -93,7 +94,7 @@ func SubprocessExecuteWorkflow(ctx context.Context, args *subprocessArgs) error
 	clientOpts := client.Options{HostPort: fmt.Sprintf("passthrough:///%s", args.server), Namespace: args.namespace}
 	if args.clientCertPath != "" {
 		var err error
-		clientOpts.ConnectionOptions.TLS, err = harness.LoadTLSConfig(args.clientCertPath, args.clientKeyPath)
+		clientOpts.ConnectionOptions.TLS, err = harness.LoadTLSConfig(args.clientCertPath, args.clientKeyPath, args.tlsServerName)
 		if err != nil {
 			return fmt.Errorf("failed loading TLS config: %w", err)
 		}
@@ -138,6 +139,7 @@ type subprocessArgs struct {
 	namespace      string
 	clientCertPath string
 	clientKeyPath  string
+	tlsServerName  string
 	taskQueue      string
 	workflowID     string
 	useAuth        bool
@@ -149,6 +151,7 @@ func (s *subprocessArgs) flags() []cli.Flag {
 		&cli.StringFlag{Name: "namespace", Destination: &s.namespace, Required: true},
 		&cli.StringFlag{Name: "client-cert-path", Destination: &s.clientCertPath},
 		&cli.StringFlag{Name: "client-key-path", Destination: &s.clientKeyPath},
+		&cli.StringFlag{Name: "tls-server-name", Destination: &s.tlsServerName},
 		&cli.StringFlag{Name: "task-queue", Destination: &s.taskQueue, Required: true},
 		&cli.StringFlag{Name: "workflow-id", Destination: &s.workflowID, Required: true},
 	}
@@ -164,6 +167,9 @@ func (s *subprocessArgs) args() []string {
 	if s.clientCertPath != "" {
 		args = append(args, "--client-cert-path", s.clientCertPath, "--client-key-path", s.clientKeyPath)
 	}
+	if s.tlsServerName != "" {
+		args = append(args, "--tls-server-name", s.tlsServerName)
+	}
 	return args
 }
 

@@ -86,7 +86,7 @@ func SetCurrent(r *harness.Runner, ctx context.Context, deploymentName string, v
 	}
 
 	_, err = dHandle.SetCurrentVersion(ctx, client.WorkerDeploymentSetCurrentVersionOptions{
-		BuildID:       version.BuildId,
+		BuildID:       version.BuildID,
 		ConflictToken: response1.ConflictToken,
 	})
 
@@ -110,7 +110,7 @@ func SetRamp(r *harness.Runner, ctx context.Context, deploymentName string, vers
 	}
 
 	_, err = dHandle.SetRampingVersion(ctx, client.WorkerDeploymentSetRampingVersionOptions{
-		BuildID:       version.BuildId,
+		BuildID:       version.BuildID,
 		ConflictToken: response1.ConflictToken,
 		Percentage:    float32(100.0),
 	})

@@ -16,11 +16,11 @@ import (
 var deploymentName = uuid.NewString()
 var v1 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "1.0",
+	BuildID:        "1.0",
 }
 var v2 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "2.0",
+	BuildID:        "2.0",
 }
 
 func WaitForSignalOne(ctx workflow.Context) (string, error) {

@@ -16,11 +16,11 @@ import (
 var deploymentName = uuid.NewString()
 var v1 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "1.0",
+	BuildID:        "1.0",
 }
 var v2 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "2.0",
+	BuildID:        "2.0",
 }
 
 func WaitForSignalOne(ctx workflow.Context) (string, error) {

@@ -16,11 +16,11 @@ import (
 var deploymentName = uuid.NewString()
 var v1 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "1.0",
+	BuildID:        "1.0",
 }
 var v2 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "2.0",
+	BuildID:        "2.0",
 }
 
 func WaitForSignalOne(ctx workflow.Context) (string, error) {

@@ -16,11 +16,11 @@ import (
 var deploymentName = uuid.NewString()
 var v1 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "1.0",
+	BuildID:        "1.0",
 }
 var v2 = worker.WorkerDeploymentVersion{
 	DeploymentName: deploymentName,
-	BuildId:        "2.0",
+	BuildID:        "2.0",
 }
 
 func WaitForSignalOne(ctx workflow.Context) (string, error) {

@@ -24,6 +24,7 @@ type ConnMaterial struct {
 	Identity       string
 	ClientCertPath string
 	ClientKeyPath  string
+	TLSServerName  string
 }
 
 var Feature = harness.Feature{
@@ -44,6 +45,7 @@ var Feature = harness.Feature{
 			Identity:       runner.Feature.ClientOptions.Identity,
 			ClientCertPath: runner.ClientCertPath,
 			ClientKeyPath:  runner.ClientKeyPath,
+			TLSServerName:  runner.TLSServerName,
 		})
 	},
 }
@@ -75,7 +77,7 @@ func SelfUpdateWorkflow(ctx workflow.Context, cm ConnMaterial) (string, error) {
 }
 
 func SelfUpdateActivity(ctx context.Context, cm ConnMaterial) error {
-	tlsCfg, err := harness.LoadTLSConfig(cm.ClientCertPath, cm.ClientKeyPath)
+	tlsCfg, err := harness.LoadTLSConfig(cm.ClientCertPath, cm.ClientKeyPath, cm.TLSServerName)
 	if err != nil {
 		return err
 	}

@@ -10,7 +10,7 @@ require (
 	github.com/temporalio/features/features v0.0.0-00010101000000-000000000000
 	github.com/temporalio/features/harness/go v0.0.0-00010101000000-000000000000
 	github.com/urfave/cli/v2 v2.25.7
-	go.temporal.io/sdk v1.35.0
+	go.temporal.io/sdk v1.37.0
 	golang.org/x/mod v0.17.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -21,7 +21,7 @@ require (
 	github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/mock v1.6.0 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
 	github.com/nexus-rpc/sdk-go v0.3.0 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
@@ -31,7 +31,7 @@ require (
 	github.com/twmb/murmur3 v1.1.8 // indirect
 	github.com/uber-go/tally/v4 v4.1.7 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	go.temporal.io/api v1.50.0 // indirect
+	go.temporal.io/api v1.53.0 // indirect
 	go.temporal.io/sdk/contrib/tally v0.2.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
@@ -43,8 +43,8 @@ require (
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240827150818-7e3bb234dfed // indirect
-	google.golang.org/grpc v1.66.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 )
 
 replace (