
dunglas / mercure / 25044174714
84%
master: 93%

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 28 Apr 2026 09:11AM UTC
Jobs 1
Files 23
Run time 1min
28 Apr 2026 09:09AM UTC coverage: 83.886%. Remained the same
25044174714

push

github

web-flow
feat(examples/chat): bump deps + harden chart security context (#1227)

* feat(examples/chat): bump deps + harden chart security context

Refresh the demo chat to current Python and Flask versions, ship a
hardened chart that runs as non-root on a read-only rootfs, and add a
Gateway API HTTPRoute alongside the Ingress.

Image:
- Replace tiangolo/meinheld-gunicorn (last upstream activity 2020,
  meinheld itself unmaintained) with python:3.13-slim and plain
  gunicorn. Multi-stage so runtime carries only the wheels.
- Adds a nonroot user (UID 65532) and USER 65532:65532 in the runtime
  layer so the image is non-root by default.
- Default port 8080 (gunicorn --bind=0.0.0.0:8080).

Dependencies:
- Flask >=1.1.2 -> ~=3.0.
- PyJWT  >=1.7.1 -> ~=2.10. (jwt.encode signature is unchanged for our
  call sites; main.py needs no modification.)
- uritemplate >=3.0.1 -> ~=4.1.
- gunicorn >=20.0.4 -> ~=23.0.

Chart (0.2.0):
- podSecurityContext: runAsNonRoot, UID/GID 65532, seccompProfile
  RuntimeDefault.
- container securityContext: drop ALL caps, readOnlyRootFilesystem,
  allowPrivilegeEscalation: false.
- Default resources follow the SRE rule for production clusters: requests
  + memory limit only, no CPU limit (CFS quota throttling causes probe
  timeouts even with idle CPU on managed cluster setups).
- Probes split into TCP startup + TCP liveness + HTTP readiness with
  timeoutSeconds 5, replacing the bare 1s default httpGet probes.
- automountServiceAccountToken: false (the app makes no Kubernetes API
  calls).
- containerPort 8080 to match the binary's new default; service still
  exposes 80 by default.
- Empty-dir /tmp volume baked into defaults so gunicorn worker
  heartbeats keep working under readOnlyRootFilesystem.
- New NetworkPolicy template: ingress only from the configured ingress
  controller namespace, egress to DNS plus everything outside the
  cluster CIDR (the app calls the public Mercure hub).
- New HTTPRoute (gateway.networking.k8s.io/v1) tem... (continued)

1744 of 2079 relevant lines covered (83.89%)

49.82 hits per line

Jobs
ID Job ID Ran Files Coverage
1 0 - 25044174714.1 28 Apr 2026 09:11AM UTC 23
83.89
  • 48180c1d on github