• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

umputun / ralphex / 29566174422
84%
master: 84%

Build:
Build:
LAST BUILD BRANCH: fix-oauth-token-persistence
DEFAULT BRANCH: master
Ran 17 Jul 2026 08:22AM UTC
Jobs 1
Files 55
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

17 Jul 2026 08:21AM UTC coverage: 83.783% (+0.04%) from 83.74%
29566174422

push

github

umputun
fix: harden OAuth credential bind mounts and keep older wrappers working

Follow-up fixes to the credential write-through mounts, from a multi-agent review.

Mount emission (scripts/ralphex-dk.sh):
- use --mount type=bind rather than -v for the two credential files. A missing -v source makes
  docker create a DIRECTORY at the target, corrupting the credential path; --mount fails the
  container start instead, so the is_file() guard can no longer be raced.
- CSV-quote the source: --mount parses as CSV, so a comma in the resolved path (reachable via
  $HOME or CLAUDE_CONFIG_DIR) split the field and docker rejected the spec. -v tolerated it.
- no SELinux option on these specs: docker's --mount has no relabel option at all (podman's
  relabel= has no docker equivalent; z/Z are -v only). The parent ~/.claude and ~/.codex are
  -v mounted with :z and docker's z relabel walks the source tree, so the bound inodes are
  already labeled.

Container init (scripts/internal/init-docker.sh):
- keep copying the credential files when the wrapper supplies no bind mount. The init script
  ships in the image but the wrapper updates through a separate channel (--update-script vs
  docker pull), so "new image + old wrapper" is a supported combination that otherwise left
  the container with no credentials at all. seed_claude_home/seed_codex_home probe the target
  before copying — docker establishes mounts before the entrypoint, and the fallback creates
  the file itself, so the probe cannot be deferred until after the copy.
- gate the chown on the same probe: a bind-mounted file must not be chowned (it would mutate
  the host file's metadata), but a fallback copy lands root:app 0600 and needs the full
  chown -R to be writable by app.
- anchor the chown exclusions with -path; ! -name matched at any depth.

Tests and docs:
- cover both wrapper generations in init-docker_test.sh and wire the harness into CI — it had
  no references anywhere and never ran. Ownership is not ... (continued)

7796 of 9305 relevant lines covered (83.78%)

225.97 hits per line

Coverage Regressions

Lines Coverage ∆ File
2
90.75
-0.68% pkg/web/session_manager.go
Jobs
ID Job ID Ran Files Coverage
1 29566174422.1 17 Jul 2026 08:22AM UTC 55
83.78
GitHub Action Run
Source Files on build 29566174422
  • Tree
  • List 55
  • Changed 2
  • Source Changed 0
  • Coverage Changed 2
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • ebe685a5 on github
  • Prev Build on fix-oauth-token-persistence (#29561552992)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc