halostatue / dchook / 22598742236
68%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 4
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 68.182% (-24.9%) from 93.038%
22598742236

push

github

halostatue 
feat: Improved deployment tracking and security validation

This will be version 1.2.0.

### Security Enhancements

- Secret validation has been improved for both the listener and the
  notifier. The secret file _may_ be specified on the command-line via
  process substitution (`-s <(pass dchook.secret)`) or as a filename via
  the command-line or via `DCHOOK_SECRET_FILE`. When provided as a
  filename, the secret file must be a regular file (not a symbolic link)
  and may not be in `/etc/shadow`, `/etc/passwd`, `/proc`, `/sys`, or
  `/dev`.

  On the listener, the secret file must also be an absolute path.

- Applied comprehensive security and code quality audits.

### Listener (`dchook`)

- Compose files must not be symlinks, must be absolute paths, and must
  be regular files.

- The listener now maintains a buffer of the last ten deployments with a
  deployment ID, timestamp, and image pull and restart results, exit
  codes, output, and duration.

  When `Accept: application/json` is supplied to the deploy endpoint,
  the response is JSON with the `deployment_id` included. This will be
  the default behaviour with `dchook` 2.x.

  The deployment buffer can be obtained by map or as a list:

  - `GET /deploy/status/{id}`: Get specific deployment details
  - `GET /deploy/status`: List recent deployments (newest first)

  Both queries require HMAC authentication.

- Previously, the `listener` would fail early if Docker is unavailable,
  making it impossible to be aware of issues except through a gateway
  error response. This has been changed to check on startup and return
  503 on `POST /deploy` when Docker is unavailable.

  `/health` will also return a 503 if Docker is unavailable.

- Switched to structured logging (JSON format via `slog`).

- The listener now supports explicit specification of the Docker compose
  project via `DCHOOK_COMPOSE_PROJECT` or the `--project` option. This
  is required when a custom project name is used via the Docker Co... (continued)

101 of 177 new or added lines in 4 files covered. (57.06%)

2 existing lines in 1 file now uncovered.

180 of 264 relevant lines covered (68.18%)

8.46 hits per line

New Missed Lines in Diff

Lines Coverage File
3
93.83
 0.41% internal/dchook/ratelimit.go
8
84.0
 internal/dchook/version.go
65
0.0
 internal/dchook/secret.go

Uncovered Existing Lines

Lines Coverage File
2
91.18
 -1.51% internal/dchook/dchook.go
Jobs
ID Job ID Ran Files Coverage
1 22598742236.1 4
68.18
 GitHub Action Run
Source Files on build 22598742236