pomerium / pomerium / 24363719188
52%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 691
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 45.443% (+0.008%) from 45.435%
24363719188

push

github

web-flow 
docker: standardize pomerium debug image contract (#6261)

## Summary

Standardize `pomerium/pomerium:debug*` around the release debug
Dockerfiles so the published debug images and the local debug build path
use the same contract.

This PR:
- switches the published debug images to a `debian:bookworm-slim`
toolbox image
- includes a baseline troubleshooting stack: `bash`, `ca-certificates`,
`curl`, `dnsutils`, `iproute2`, `iputils-ping`, `jq`, `lsof`,
`netcat-openbsd`, `openssl`, `procps`, `strace`, `traceroute`
- keeps `apt-get` available in the root debug image
- removes the separate root-level `Dockerfile.debug` and
`scripts/debug-entrypoint.sh`
- adds `make docker-debug` so local debug builds go through
`.github/Dockerfile-release-debug`
- publishes `pomerium/pomerium:debug-main` from the main-branch workflow

Non-goals in this PR:
- no runtime image base change
- no `dlv` in the published debug images

## Related issues

-
https://linear.app/pomerium/issue/ENG-3884/docker-make-published-debug-images-consistent-and-ship-a-baseline
- https://github.com/pomerium/pomerium/issues/6188
- https://github.com/pomerium/pomerium/issues/6256

## Validation

- PASS: `make build`
- PASS: `make test`
- PASS: `make lint`
- PASS: `goreleaser check --config .github/goreleaser.yaml`
- PASS: `./scripts/check-docker-images`
- PASS: `actionlint .github/workflows/docker-main.yaml`
- PASS: OrbStack local build and runtime verification for `make
docker-debug`
- PASS: OrbStack local build and runtime verification for release-style
root and nonroot debug images
- PASS: OrbStack local build and runtime verification for simulated
`debug-main` `linux/amd64` and `linux/arm64` images
- PASS: OrbStack runtime sanity check that the runtime image does not
expose `/bin/sh`

## AI assistance

Codex drafted the implementation and validation flow. Claude was used as
a review pass to challenge scope and workflow details. I manually
restacked the branch onto `main`, resolved the `Makefil... (continued)

35109 of 77259 relevant lines covered (45.44%)

114.69 hits per line

Coverage Regressions

Lines Coverage File
13
87.75
 -6.37% config/config_source.go
9
80.34
 0.0% pkg/ssh/manager.go
2
48.28
 0.0% internal/databroker/server_clustered_follower.go
2
90.91
 0.0% pkg/fanout/receive.go
2
83.51
 -0.43% pkg/ssh/auth.go
1
75.41
 0.0% pkg/storage/postgres/registry.go
Jobs
ID Job ID Ran Files Coverage
1 24363719188.1 691
45.44
 GitHub Action Run
Source Files on build 24363719188