chore(deps): update renovate/renovate docker tag to v43.222.1

.woodpecker/renovate.yaml

@@ -46,7 +46,7 @@ steps:
       - bao kv get -mount secret -field GITHUB_COM_TOKEN renovate > /woodpecker/github_com_token
   - name: renovate
     # Renovate's built-in "woodpecker" manager tracks this image automatically.
-    image: renovate/renovate:43.220.0
+    image: renovate/renovate:43.222.1
     environment:
       # --- platform / target ---
       RENOVATE_PLATFORM: gitea

Dockerfile

@@ -57,49 +57,6 @@ WORKDIR /src/tailscale
 # disables the filter at runtime for debugging — no rebuild needed.
 COPY patches/stderr_verbosity_filter.go cmd/tailscaled/
 
-# Patch net/tstun/wrap.go: fix panic("unreachable") in invertGSOChecksum for
-# ts_omit_netstack builds.
-#
-# invertGSOChecksum is a gVisor/GSO helper that inverts a transport-layer
-# checksum before/after SNAT when gVisor hands us a segment with a partial
-# checksum (NeedsCsum=true). It is only meaningful when netstack (gVisor) is
-# compiled in (HasNetstack=true).
-#
-# The function correctly guards its body with:
-#   if !buildfeatures.HasNetstack { panic("unreachable") }
-#
-# When built with ts_omit_netstack, HasNetstack is a const false, so that guard
-# evaluates to `if true { panic(...) }` — the function always panics.
-#
-# The problem: invertGSOChecksum is called unconditionally from injectedRead()
-# (twice, around pc.snat()), even for the res.data path where res.packet==nil
-# and gso is a zero-value netstack_GSO (NeedsCsum=false). The HasNetstack
-# guard in the res.packet branch does NOT protect these calls.
-#
-# As a result, any code path that injects an outbound packet via InjectOutbound()
-# — which happens when enabling exit-node use (Tailscale sends TSMP messages
-# and synthesizes packets through the TUN injection path) — hits injectedRead
-# with res.data!=nil, calls invertGSOChecksum, and crashes with:
-#   panic: unreachable
-#   tailscale.com/net/tstun.invertGSOChecksum(...)
-#   tailscale.com/net/tstun.(*Wrapper).injectedRead(...)  wrap.go:1077
-#
-# Fix: replace the `panic("unreachable")` with a `return` in invertGSOChecksum.
-# When HasNetstack=false (ts_omit_netstack), a zero-value netstack_GSO always
-# has NeedsCsum=false, so the function is correctly a no-op anyway. This matches
-# what the function would do if the rest of its body ran: NeedsCsum=false → return.
-#
-# The sed expression targets the function precisely: it matches the three-line
-# sequence that opens invertGSOChecksum's HasNetstack guard, and replaces only
-# the panic line with return. The pattern is stable across minor reformats
-# because it anchors on the literal function comment and the specific panic string.
-#
-# See tailscale/tailscale issue for context (no upstream fix as of v1.98.5):
-# panic happens when using exit-node via a ts_omit_netstack build.
-RUN sed -i \
-    -e '/func invertGSOChecksum/,/^}/ s/\t\tpanic("unreachable")/\t\treturn/' \
-    net/tstun/wrap.go
-
 # Build a minimal combined binary (tailscale CLI + tailscaled daemon in one file).
 #
 # Tag strategy — ALLOWLIST, not blocklist: