stacklok / toolhive / 26828008342
66%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 747
Run time 4min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.848% (-0.06%) from 65.905%
26828008342

push

github

web-flow 
Add upgrade apply for the CLI and API (#5411)

* Add Applier for upgrading workloads in place

Detecting an available upgrade is only useful if users can apply it
while keeping their configuration. Add the apply path that the CLI and
API will drive.

Add upgrade.Applier: it reloads the workload's saved config, re-runs the
check on fresh state (so a stale result can never drive an apply),
resolves the candidate from the registry, and rebuilds the run config
preserving the full user configuration — auth, authz, audit, telemetry,
tools filters, volumes, secrets, ports, permission profile, and more —
changing only the image, merged env/secrets, and re-resolved registry
URLs. New required env vars surface through the injected validator.

Crucially, the candidate image is verified and pulled (and the policy
gate runs) before the destructive stop/delete/start, so a missing or
unverifiable image leaves the running workload untouched — there is no
rollback once UpdateWorkload begins. Verification uses the same path as
thv run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Add upgrade apply for the CLI and API

With the Applier in place, expose it to users. This lets CLI users and
API clients apply an upgrade while preserving their configuration,
instead of manually re-running a workload with a new image.

Add a thv upgrade apply <name> command. It runs the check, shows the
candidate image, new env vars, and any permission/transport/network
posture drift, then prompts for confirmation. --dry-run reports the plan
without applying; --env/--secret supply values for newly required
variables; --yes (or a non-interactive shell) skips the prompt and fails
loudly on missing required values; --image-verification mirrors thv run.

Add POST /api/v1beta/workloads/{name}/upgrade, delegating to the same
Applier so all clients share one apply path. The API path is always
non-interactive (detached validator) and sources image verification from
server... (continued)

84 of 187 new or added lines in 3 files covered. (44.92%)

18 existing lines in 4 files now uncovered.

66371 of 100794 relevant lines covered (65.85%)

62.14 hits per line

Uncovered Changes

Lines Coverage File
80
19.55
 4.9% cmd/thv/app/upgrade.go
14
20.26
 -0.76% pkg/api/v1/workloads.go
9
73.53
 7.49% pkg/api/v1/workloads_upgrade.go

Coverage Regressions

Lines Coverage File
6
20.11
 -3.45% pkg/client/manager.go
6
76.15
 -5.5% pkg/secrets/keyring/keyctl_linux.go
3
70.0
 -3.33% pkg/state/local.go
3
77.66
 -0.76% pkg/transport/proxy/httpsse/http_proxy.go
Jobs
ID Job ID Ran Files Coverage
1 26828008342.1 747
65.85
 GitHub Action Run
Source Files on build 26828008342