ac3a8a7c43
quality: MSRV, tarpaulin config, proptest for parsers ( #84 )
...
* fix: proxy dedup, multi-registry GC, TOCTOU and credential hygiene
- Deduplicate proxy_fetch/proxy_fetch_text into generic proxy_fetch_core
with response extractor closure (removes ~50 lines of copy-paste)
- GC now scans all registry prefixes, not just docker/
- Add tracing::warn to fire-and-forget cache writes in docker proxy
- Mark S3 credentials as skip_serializing to prevent accidental leaks
- Remove TOCTOU race in LocalStorage get/delete (redundant exists check)
* chore: clean up root directory structure
- Move Dockerfile.astra and Dockerfile.redos to deploy/ (niche builds
should not clutter the project root)
- Harden .gitignore to exclude session files, working notes, and
internal review scripts
* refactor(metrics): replace 13 atomic fields with CounterMap
Per-registry download/upload counters were 13 individual AtomicU64
fields, each duplicated across new(), with_persistence(), save(),
record_download(), record_upload(), and get_registry_* (6 touch points
per counter). Adding a new registry required changes in 6+ places.
Now uses CounterMap (HashMap<String, AtomicU64>) for per-registry
counters. Adding a new registry = one entry in REGISTRIES const.
Added Go registry to REGISTRIES, gaining go metrics for free.
* quality: add MSRV, tarpaulin config, proptest for parsers
- Set rust-version = 1.75 in workspace Cargo.toml (MSRV policy)
- Add tarpaulin.toml: llvm engine, fail-under=25, json+html output
- Add coverage/ to .gitignore
- Update CI to use tarpaulin.toml instead of inline flags
- Add proptest dev-dependency and property tests:
- validation.rs: 16 tests (never-panics + invariants for all 4 validators)
- pypi.rs: 5 tests (extract_filename never-panics + format assertions)
* test: add unit tests for 14 modules, coverage 21% → 30%
Add 149 new tests across auth, backup, gc, metrics, mirror parsers,
docker (manifest detection, session cleanup, metadata serde),
docker_auth (token cache), maven, npm, pypi (normalize, rewrite, extract),
raw (content-type guessing), request_id, and s3 (URI encoding).
Update tarpaulin.toml: raise fail-under to 30, exclude UI/main from
coverage reporting as they require integration tests.
* bench: add criterion benchmarks for validation and manifest parsing
Add parsing benchmark suite with 14 benchmarks covering:
- Storage key, Docker name, digest, and reference validation
- Docker manifest media type detection (v2, OCI index, minimal, invalid)
Run with: cargo bench --package nora-registry --bench parsing
* test: add 48 integration tests via tower oneshot
Add integration tests for all HTTP handlers:
- health (3), raw (7), cargo (4), maven (4), request_id (2)
- pypi (5), npm (5), docker (12), auth (6)
Create test_helpers.rs with TestContext pattern.
Add tower and http-body-util dev-dependencies.
Update tarpaulin fail-under 30 to 40.
Coverage: 29.5% to 43.3% (2089/4825 lines)
* fix: clean clippy warnings in tests, fix flaky audit test
Add #[allow(clippy::unwrap_used)] to 18 test modules.
Fix 3 additional clippy lints: writeln_empty_string, needless_update,
unnecessary_get_then_check.
Fix flaky audit test: replace single sleep(50ms) with retry loop (max 1s).
Prefix unused token variable with underscore.
cargo clippy --all-targets = 0 warnings (was 245 errors)
2026-04-05 10:01:50 +03:00
6ad710ff32
ci: add security scanning and SBOM to release pipeline
...
- ci.yml: add security job (gitleaks, cargo-audit, cargo-deny, trivy fs)
- release.yml: restructure into build-binary + build-docker matrix + release
- build binary once on self-hosted, reuse across all Docker builds
- trivy image scan per matrix variant, results to GitHub Security tab
- SBOM generation in SPDX and CycloneDX formats attached to release
- deny.toml: cargo-deny policy (allowed licenses, banned openssl, crates.io only)
- Dockerfile: remove Rust build stage, use pre-built binary
- Dockerfile.astra, Dockerfile.redos: FROM scratch for Russian certified OS support
2026-02-23 11:37:27 +00:00
