akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

Compare commits

base: akanealw:v0.16.4
Branches Tags
akanealw:main akanealw:feature/beta-release akanealw:development akanealw:nightly akanealw:hotfix/ci akanealw:bot/update-geolite2-checksum akanealw:fix/cwe-614-secure-cookie-attribute akanealw:hotfix/login akanealw:gh-pages akanealw:copilot/sub-pr-437 akanealw:copilot/fix-goreleaser-configuration
akanealw:v0.27.0 akanealw:v0.26.1 akanealw:v0.26.0 akanealw:v0.25.4 akanealw:v0.25.3 akanealw:v0.25.2 akanealw:v0.25.1 akanealw:v0.25.0 akanealw:v0.24.2 akanealw:v0.24.1 akanealw:v0.24.0 akanealw:v0.23.1 akanealw:v0.23.0 akanealw:v0.22.1 akanealw:v0.22.0 akanealw:v0.21.0 akanealw:v0.20.0 akanealw:v0.19.1 akanealw:v0.19.0 akanealw:v0.18.15 akanealw:v0.18.14 akanealw:v0.18.13 akanealw:v0.18.12 akanealw:v0.18.11 akanealw:v0.18.10 akanealw:v0.18.9 akanealw:v0.18.8 akanealw:v0.18.7 akanealw:v0.18.6 akanealw:v0.18.5 akanealw:v0.18.4 akanealw:v0.18.3 akanealw:v0.18.2 akanealw:v0.18.1 akanealw:v0.18.0 akanealw:v0.17.1 akanealw:v0.17.0 akanealw:v0.16.13 akanealw:v0.16.12 akanealw:v0.16.11 akanealw:v0.16.10 akanealw:v0.16.9 akanealw:v0.16.8 akanealw:v0.16.7 akanealw:v0.16.6 akanealw:v0.16.5 akanealw:v0.16.4 akanealw:v0.16.3 akanealw:v0.16.2 akanealw:v0.16.1 akanealw:v0.16.0 akanealw:v0.15.3 akanealw:v0.15.2 akanealw:v0.15.1 akanealw:v0.15.0 akanealw:v0.14.1 akanealw:v0.14.0 akanealw:v0.13.0 akanealw:v0.12.0 akanealw:v0.11.2 akanealw:v0.11.1 akanealw:v0.11.0 akanealw:v0.10.0 akanealw:v0.9.3 akanealw:v0.9.2 akanealw:v0.9.1 akanealw:v0.9.0 akanealw:v0.8.0 akanealw:v0.7.14 akanealw:v0.7.13 akanealw:v0.7.12 akanealw:v0.7.11 akanealw:v0.7.10 akanealw:v0.7.9 akanealw:v0.7.8 akanealw:v0.7.7 akanealw:v0.7.6 akanealw:v0.7.5 akanealw:v0.7.4 akanealw:v0.7.3 akanealw:v0.7.2 akanealw:v0.7.1 akanealw:v0.7.0 akanealw:v0.6.1 akanealw:v0.6.0 akanealw:v0.5.0 akanealw:v0.4.13 akanealw:v0.4.12 akanealw:v0.4.11 akanealw:v0.4.10 akanealw:v0.4.9 akanealw:v0.4.8 akanealw:v0.4.7 akanealw:v0.4.6 akanealw:v0.4.5 akanealw:v0.4.4 akanealw:v0.4.3 akanealw:v0.4.2 akanealw:v0.4.1 akanealw:v0.4.0 akanealw:v0.3.5 akanealw:v0.3.4 akanealw:v0.3.3 akanealw:v0.3.2 akanealw:v0.3.1 akanealw:v0.3.0 akanealw:v0.1.0
...
compare: akanealw:v0.16.9
Branches Tags
akanealw:main akanealw:feature/beta-release akanealw:development akanealw:nightly akanealw:hotfix/ci akanealw:bot/update-geolite2-checksum akanealw:fix/cwe-614-secure-cookie-attribute akanealw:hotfix/login akanealw:gh-pages akanealw:copilot/sub-pr-437 akanealw:copilot/fix-goreleaser-configuration
akanealw:v0.27.0 akanealw:v0.26.1 akanealw:v0.26.0 akanealw:v0.25.4 akanealw:v0.25.3 akanealw:v0.25.2 akanealw:v0.25.1 akanealw:v0.25.0 akanealw:v0.24.2 akanealw:v0.24.1 akanealw:v0.24.0 akanealw:v0.23.1 akanealw:v0.23.0 akanealw:v0.22.1 akanealw:v0.22.0 akanealw:v0.21.0 akanealw:v0.20.0 akanealw:v0.19.1 akanealw:v0.19.0 akanealw:v0.18.15 akanealw:v0.18.14 akanealw:v0.18.13 akanealw:v0.18.12 akanealw:v0.18.11 akanealw:v0.18.10 akanealw:v0.18.9 akanealw:v0.18.8 akanealw:v0.18.7 akanealw:v0.18.6 akanealw:v0.18.5 akanealw:v0.18.4 akanealw:v0.18.3 akanealw:v0.18.2 akanealw:v0.18.1 akanealw:v0.18.0 akanealw:v0.17.1 akanealw:v0.17.0 akanealw:v0.16.13 akanealw:v0.16.12 akanealw:v0.16.11 akanealw:v0.16.10 akanealw:v0.16.9 akanealw:v0.16.8 akanealw:v0.16.7 akanealw:v0.16.6 akanealw:v0.16.5 akanealw:v0.16.4 akanealw:v0.16.3 akanealw:v0.16.2 akanealw:v0.16.1 akanealw:v0.16.0 akanealw:v0.15.3 akanealw:v0.15.2 akanealw:v0.15.1 akanealw:v0.15.0 akanealw:v0.14.1 akanealw:v0.14.0 akanealw:v0.13.0 akanealw:v0.12.0 akanealw:v0.11.2 akanealw:v0.11.1 akanealw:v0.11.0 akanealw:v0.10.0 akanealw:v0.9.3 akanealw:v0.9.2 akanealw:v0.9.1 akanealw:v0.9.0 akanealw:v0.8.0 akanealw:v0.7.14 akanealw:v0.7.13 akanealw:v0.7.12 akanealw:v0.7.11 akanealw:v0.7.10 akanealw:v0.7.9 akanealw:v0.7.8 akanealw:v0.7.7 akanealw:v0.7.6 akanealw:v0.7.5 akanealw:v0.7.4 akanealw:v0.7.3 akanealw:v0.7.2 akanealw:v0.7.1 akanealw:v0.7.0 akanealw:v0.6.1 akanealw:v0.6.0 akanealw:v0.5.0 akanealw:v0.4.13 akanealw:v0.4.12 akanealw:v0.4.11 akanealw:v0.4.10 akanealw:v0.4.9 akanealw:v0.4.8 akanealw:v0.4.7 akanealw:v0.4.6 akanealw:v0.4.5 akanealw:v0.4.4 akanealw:v0.4.3 akanealw:v0.4.2 akanealw:v0.4.1 akanealw:v0.4.0 akanealw:v0.3.5 akanealw:v0.3.4 akanealw:v0.3.3 akanealw:v0.3.2 akanealw:v0.3.1 akanealw:v0.3.0 akanealw:v0.1.0

6 Commits
v0.16.4 ... v0.16.9

Author SHA1 Message Date
github-actions[bot]
a1114bb710 chore: move processed issue files to created/ 2026-02-02 13:32:21 +00:00
GitHub Actions
60c3336725 COMMIT_MESSAGE_START 
fix(docker): update GeoLite2-Country.mmdb checksum + automation

Fixes critical Docker build failure caused by upstream GeoLite2 database
update without corresponding Dockerfile checksum update.

**Root Cause:**
- GeoLite2-Country.mmdb file updated upstream
- Dockerfile still referenced old SHA256 checksum
- Build aborted at checksum verification (line 352)
- Cascade "blob not found" errors for all COPY commands

**Changes:**
- Update Dockerfile ARG GEOLITE2_COUNTRY_SHA256 to current value
- Add automated weekly checksum update workflow (.github/workflows/update-geolite2.yml)
- Implement error handling: retry logic, format validation, failure notifications
- Document rollback decision matrix with 10 failure scenarios
- Create comprehensive maintenance guide (docs/maintenance/geolite2-checksum-update.md)
- Update CHANGELOG.md and README.md with maintenance references

**Verification:**
- Checksum verified against current upstream file: 436135ee...
- Pre-commit hooks: PASSED (EOF/whitespace auto-fixed)
- Trivy security scan: PASSED (no critical/high issues)
- Dockerfile syntax: VALID
- GitHub Actions YAML: VALID
- No hardcoded secrets or injection vulnerabilities

**Automation Features:**
- Weekly scheduled checks (Monday 2 AM UTC)
- Auto-PR creation when checksum changes
- GitHub issue creation on workflow failure
- Comprehensive error handling and retry logic

**Impact:**
- Unblocks all CI/CD Docker image builds
- Enables publishing to GHCR/Docker Hub
- Prevents future checksum failures via automation
- Zero application code changes (no regression risk)

**Documentation:**
- Implementation plan: docs/plans/geolite2_checksum_fix_spec.md
- QA report: docs/reports/qa_geolite2_checksum_fix.md
- Maintenance guide: docs/maintenance/geolite2-checksum-update.md

**Supervisor Recommendations Implemented:**
- #1: Checksum freshness verification before update
- #3: Rollback decision criteria (10 scenarios)
- #4: Automated workflow error handling

Resolves: https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617
COMMIT_MESSAGE_END
 2026-02-02 13:31:56 +00:00
Jeremy
6712fc1b65 fix: update baseBranches formatting and add ignorePaths for Docker 2026-01-31 05:48:22 +00:00
Jeremy
72eb9c4b1e fix: update baseBranches in renovate.json to specify feature branch pattern 2026-01-31 05:33:12 +00:00
Jeremy
01a7c7ffdf fix: add VCS_REF and BUILD_DATE to nightly build workflow 2026-01-30 23:22:44 +00:00
Jeremy
adb6623c67 fix: update sensitive paths in propagate-config to include additional directories 2026-01-30 23:06:56 +00:00
20 changed files with 4883 additions and 2897 deletions
Expand all files Collapse all files

5
.github/propagate-config.yml vendored
View File

@@ -6,8 +6,11 @@
sensitive_paths:
- scripts/history-rewrite/
- data/backups
- docs/plans/history_rewrite.md
- docs/plans/
- .github/agents/
- .github/instructions/
- .github/prompts/
- .github/skills/
- .vscode/
- scripts/history-rewrite/preview_removals.sh
- scripts/history-rewrite/clean_history.sh

9
.github/renovate.json vendored
View File

@@ -7,8 +7,9 @@
"helpers:pinGitHubActionDigests"
],
"baseBranches": [
"development",
"feature/*"
"feature/beta-release",
"development"
],
"timezone": "America/New_York",
"dependencyDashboard": true,
@@ -18,6 +19,10 @@
"dependencies"
],
"ignorePaths": [
".docker/**"
],
"rebaseWhen": "auto",
"vulnerabilityAlerts": {

2
.github/workflows/nightly-build.yml vendored
View File

@@ -136,6 +136,8 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
build-args: |
VERSION=nightly-${{ github.sha }}
VCS_REF=${{ github.sha }}
BUILD_DATE=${{ github.event.repository.pushed_at }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: true

336
.github/workflows/playwright.yml vendored
View File

@@ -1,336 +0,0 @@
# Playwright E2E Tests
# Runs Playwright tests against PR Docker images after the build workflow completes
name: Playwright E2E Tests
on:
push:
branches:
- main
- development
- 'feature/**'
paths:
- 'frontend/**'
- 'backend/**'
- 'tests/**'
- 'playwright.config.js'
- '.github/workflows/playwright.yml'
pull_request:
branches:
- main
- development
- 'feature/**'
workflow_run:
workflows: ["Docker Build, Publish & Test"]
types:
- completed
workflow_dispatch:
inputs:
pr_number:
description: 'PR number to test (optional)'
required: false
type: string
concurrency:
group: playwright-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
jobs:
playwright:
name: E2E Tests
runs-on: ubuntu-latest
timeout-minutes: 20
# Run for: manual dispatch, PR builds, or any push builds from docker-build
if: >-
github.event_name == 'workflow_dispatch' ||
((github.event.workflow_run.event == 'pull_request' || github.event.workflow_run.event == 'push') &&
github.event.workflow_run.conclusion == 'success')
env:
CHARON_ENV: development
CHARON_DEBUG: "1"
CHARON_ENCRYPTION_KEY: ${{ secrets.CHARON_CI_ENCRYPTION_KEY }}
# Emergency server enabled for triage; token supplied via GitHub secret (redacted)
CHARON_EMERGENCY_TOKEN: ${{ secrets.CHARON_EMERGENCY_TOKEN }}
CHARON_EMERGENCY_SERVER_ENABLED: "true"
PLAYWRIGHT_BASE_URL: http://localhost:8080
steps:
- name: Checkout repository
# actions/checkout v4.2.2
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
- name: Extract PR number from workflow_run
id: pr-info
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
# Manual dispatch - use input or fail gracefully
if [[ -n "${{ inputs.pr_number }}" ]]; then
echo "pr_number=${{ inputs.pr_number }}" >> "$GITHUB_OUTPUT"
echo "✅ Using manually provided PR number: ${{ inputs.pr_number }}"
else
echo "⚠️ No PR number provided for manual dispatch"
echo "pr_number=" >> "$GITHUB_OUTPUT"
fi
exit 0
fi
# Extract PR number from workflow_run context
HEAD_SHA="${{ github.event.workflow_run.head_sha }}"
echo "🔍 Looking for PR with head SHA: ${HEAD_SHA}"
# Query GitHub API for PR associated with this commit
PR_NUMBER=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${{ github.repository }}/commits/${HEAD_SHA}/pulls" \
--jq '.[0].number // empty' 2>/dev/null || echo "")
if [[ -n "${PR_NUMBER}" ]]; then
echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
echo "✅ Found PR number: ${PR_NUMBER}"
else
echo "⚠️ Could not find PR number for SHA: ${HEAD_SHA}"
echo "pr_number=" >> "$GITHUB_OUTPUT"
fi
# Check if this is a push event (not a PR)
if [[ "${{ github.event.workflow_run.event }}" == "push" ]]; then
echo "is_push=true" >> "$GITHUB_OUTPUT"
echo "✅ Detected push build from branch: ${{ github.event.workflow_run.head_branch }}"
else
echo "is_push=false" >> "$GITHUB_OUTPUT"
fi
- name: Sanitize branch name
id: sanitize
run: |
# Sanitize branch name for use in Docker tags and artifact names
# Replace / with - to avoid invalid reference format errors
BRANCH="${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}"
SANITIZED=$(echo "$BRANCH" | tr '/' '-')
echo "branch=${SANITIZED}" >> "$GITHUB_OUTPUT"
echo "📋 Sanitized branch name: ${BRANCH} -> ${SANITIZED}"
- name: Check for PR image artifact
id: check-artifact
if: steps.pr-info.outputs.pr_number != '' || steps.pr-info.outputs.is_push == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Determine artifact name based on event type
if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
ARTIFACT_NAME="push-image"
else
PR_NUMBER="${{ steps.pr-info.outputs.pr_number }}"
ARTIFACT_NAME="pr-image-${PR_NUMBER}"
fi
RUN_ID="${{ github.event.workflow_run.id }}"
echo "🔍 Checking for artifact: ${ARTIFACT_NAME}"
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
# For manual dispatch, find the most recent workflow run with this artifact
RUN_ID=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?status=success&per_page=10" \
--jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
if [[ -z "${RUN_ID}" ]]; then
echo "⚠️ No successful workflow runs found"
echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
exit 0
fi
fi
echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"
# Check if the artifact exists in the workflow run
ARTIFACT_ID=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" \
--jq ".artifacts[] | select(.name == \"${ARTIFACT_NAME}\") | .id" 2>/dev/null || echo "")
if [[ -n "${ARTIFACT_ID}" ]]; then
echo "artifact_exists=true" >> "$GITHUB_OUTPUT"
echo "artifact_id=${ARTIFACT_ID}" >> "$GITHUB_OUTPUT"
echo "✅ Found artifact: ${ARTIFACT_NAME} (ID: ${ARTIFACT_ID})"
else
echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
echo "⚠️ Artifact not found: ${ARTIFACT_NAME}"
echo " This is expected for non-PR builds or if the image was not uploaded"
fi
- name: Skip if no artifact
if: (steps.pr-info.outputs.pr_number == '' && steps.pr-info.outputs.is_push != 'true') || steps.check-artifact.outputs.artifact_exists != 'true'
run: |
echo " Skipping Playwright tests - no PR image artifact available"
echo "This is expected for:"
echo " - Pushes to main/release branches"
echo " - PRs where Docker build failed"
echo " - Manual dispatch without PR number"
exit 0
- name: Guard triage from coverage/Vite mode
if: steps.check-artifact.outputs.artifact_exists == 'true'
run: |
if [[ "${PLAYWRIGHT_BASE_URL:-}" =~ 5173 ]]; then
echo "❌ Coverage/Vite base URL is disabled during triage: ${PLAYWRIGHT_BASE_URL}"
exit 1
fi
case "${PLAYWRIGHT_COVERAGE:-}" in
1|true|TRUE|True|yes|YES)
echo "❌ Coverage collection is disabled during triage (PLAYWRIGHT_COVERAGE=${PLAYWRIGHT_COVERAGE})"
exit 1
;;
esac
echo "✅ Coverage/Vite guard passed (PLAYWRIGHT_BASE_URL=${PLAYWRIGHT_BASE_URL:-unset})"
- name: Log triage environment (non-secret)
if: steps.check-artifact.outputs.artifact_exists == 'true'
run: |
echo "CHARON_EMERGENCY_SERVER_ENABLED=${CHARON_EMERGENCY_SERVER_ENABLED}"
if [[ -n "${CHARON_EMERGENCY_TOKEN:-}" ]]; then
echo "CHARON_EMERGENCY_TOKEN=*** (GitHub secret configured)"
else
echo "CHARON_EMERGENCY_TOKEN not set; container will fall back to image default"
fi
echo "Ports bound: 8080 (app), 2019 (admin), 2020 (tier-2) on IPv4/IPv6 loopback"
echo "PLAYWRIGHT_BASE_URL=${PLAYWRIGHT_BASE_URL}"
- name: Download PR image artifact
if: steps.check-artifact.outputs.artifact_exists == 'true'
# actions/download-artifact v4.1.8
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
with:
name: ${{ steps.pr-info.outputs.is_push == 'true' && 'push-image' || format('pr-image-{0}', steps.pr-info.outputs.pr_number) }}
run-id: ${{ steps.check-artifact.outputs.run_id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Load Docker image
if: steps.check-artifact.outputs.artifact_exists == 'true'
run: |
echo "📦 Loading Docker image..."
docker load < charon-pr-image.tar
echo "✅ Docker image loaded"
docker images | grep charon
- name: Start Charon container
if: steps.check-artifact.outputs.artifact_exists == 'true'
run: |
echo "🚀 Starting Charon container..."
# Normalize image name (GitHub lowercases repository owner names in GHCR)
IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
# Use sanitized branch name for Docker tag (/ is invalid in tags)
IMAGE_REF="ghcr.io/${IMAGE_NAME}:${{ steps.sanitize.outputs.branch }}"
elif [[ -n "${{ steps.pr-info.outputs.pr_number }}" ]]; then
IMAGE_REF="ghcr.io/${IMAGE_NAME}:pr-${{ steps.pr-info.outputs.pr_number }}"
else
echo "❌ ERROR: Cannot determine image reference"
echo " - is_push: ${{ steps.pr-info.outputs.is_push }}"
echo " - pr_number: ${{ steps.pr-info.outputs.pr_number }}"
echo " - branch: ${{ steps.sanitize.outputs.branch }}"
echo ""
echo "This can happen when:"
echo " 1. workflow_dispatch without pr_number input"
echo " 2. workflow_run triggered by non-PR, non-push event"
exit 1
fi
# Validate the image reference format
if [[ ! "${IMAGE_REF}" =~ ^ghcr\.io/[a-z0-9_-]+/[a-z0-9_-]+:[a-zA-Z0-9._-]+$ ]]; then
echo "❌ ERROR: Invalid image reference format: ${IMAGE_REF}"
exit 1
fi
echo "📦 Starting container with image: ${IMAGE_REF}"
docker run -d \
--name charon-test \
-p 8080:8080 \
-p 127.0.0.1:2019:2019 \
-p "[::1]:2019:2019" \
-p 127.0.0.1:2020:2020 \
-p "[::1]:2020:2020" \
-e CHARON_ENV="${CHARON_ENV}" \
-e CHARON_DEBUG="${CHARON_DEBUG}" \
-e CHARON_ENCRYPTION_KEY="${CHARON_ENCRYPTION_KEY}" \
-e CHARON_EMERGENCY_TOKEN="${CHARON_EMERGENCY_TOKEN}" \
-e CHARON_EMERGENCY_SERVER_ENABLED="${CHARON_EMERGENCY_SERVER_ENABLED}" \
-e CHARON_EMERGENCY_BIND="0.0.0.0:2020" \
-e CHARON_EMERGENCY_USERNAME="admin" \
-e CHARON_EMERGENCY_PASSWORD="changeme" \
-e CHARON_SECURITY_TESTS_ENABLED="true" \
"${IMAGE_REF}"
echo "✅ Container started"
- name: Wait for health endpoint
if: steps.check-artifact.outputs.artifact_exists == 'true'
run: |
echo "⏳ Waiting for Charon to be healthy..."
MAX_ATTEMPTS=30
ATTEMPT=0
while [[ ${ATTEMPT} -lt ${MAX_ATTEMPTS} ]]; do
ATTEMPT=$((ATTEMPT + 1))
echo "Attempt ${ATTEMPT}/${MAX_ATTEMPTS}..."
if curl -sf http://localhost:8080/api/v1/health > /dev/null 2>&1; then
echo "✅ Charon is healthy!"
exit 0
fi
sleep 2
done
echo "❌ Health check failed after ${MAX_ATTEMPTS} attempts"
echo "📋 Container logs:"
docker logs charon-test
exit 1
- name: Setup Node.js
if: steps.check-artifact.outputs.artifact_exists == 'true'
# actions/setup-node v4.1.0
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
with:
node-version: 'lts/*'
cache: 'npm'
- name: Install dependencies
if: steps.check-artifact.outputs.artifact_exists == 'true'
run: npm ci
- name: Install Playwright browsers
if: steps.check-artifact.outputs.artifact_exists == 'true'
run: npx playwright install --with-deps chromium
- name: Run Playwright tests
if: steps.check-artifact.outputs.artifact_exists == 'true'
env:
PLAYWRIGHT_BASE_URL: http://localhost:8080
run: npx playwright test --project=chromium
- name: Upload Playwright report
if: always() && steps.check-artifact.outputs.artifact_exists == 'true'
# actions/upload-artifact v4.4.3
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
name: ${{ steps.pr-info.outputs.is_push == 'true' && format('playwright-report-{0}', steps.sanitize.outputs.branch) || format('playwright-report-pr-{0}', steps.pr-info.outputs.pr_number) }}
path: playwright-report/
retention-days: 14
- name: Cleanup
if: always() && steps.check-artifact.outputs.artifact_exists == 'true'
run: |
echo "🧹 Cleaning up..."
docker stop charon-test 2>/dev/null || true
docker rm charon-test 2>/dev/null || true
echo "✅ Cleanup complete"

220
.github/workflows/update-geolite2.yml vendored Normal file
View File

@@ -0,0 +1,220 @@
name: Update GeoLite2 Checksum
on:
schedule:
- cron: '0 2 * * 1' # Weekly on Mondays at 2 AM UTC
workflow_dispatch:
permissions:
contents: write
pull-requests: write
issues: write
jobs:
update-checksum:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download and calculate checksum
id: checksum
run: |
set -euo pipefail
echo "📥 Downloading GeoLite2-Country.mmdb..."
DOWNLOAD_URL="https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb"
# Download with retry logic
for i in {1..3}; do
if curl -fsSL "$DOWNLOAD_URL" -o /tmp/geolite2.mmdb; then
echo "✅ Download successful on attempt $i"
break
else
echo "❌ Download failed on attempt $i"
if [ $i -eq 3 ]; then
echo "error=download_failed" >> $GITHUB_OUTPUT
exit 1
fi
sleep 5
fi
done
# Calculate checksum
CURRENT=$(sha256sum /tmp/geolite2.mmdb | cut -d' ' -f1)
# Validate checksum format (64 hex characters)
if ! [[ "$CURRENT" =~ ^[a-f0-9]{64}$ ]]; then
echo "❌ Invalid checksum format: $CURRENT"
echo "error=invalid_checksum_format" >> $GITHUB_OUTPUT
exit 1
fi
# Extract current checksum from Dockerfile
OLD=$(grep "ARG GEOLITE2_COUNTRY_SHA256=" Dockerfile | cut -d'=' -f2)
# Validate old checksum format
if ! [[ "$OLD" =~ ^[a-f0-9]{64}$ ]]; then
echo "❌ Invalid old checksum format in Dockerfile: $OLD"
echo "error=invalid_dockerfile_checksum" >> $GITHUB_OUTPUT
exit 1
fi
echo "🔍 Checksum comparison:"
echo " Current (Dockerfile): $OLD"
echo " Latest (Downloaded): $CURRENT"
echo "current=$CURRENT" >> $GITHUB_OUTPUT
echo "old=$OLD" >> $GITHUB_OUTPUT
if [ "$CURRENT" != "$OLD" ]; then
echo "needs_update=true" >> $GITHUB_OUTPUT
echo "⚠️ Checksum mismatch detected - update required"
else
echo "needs_update=false" >> $GITHUB_OUTPUT
echo "✅ Checksum matches - no update needed"
fi
- name: Update Dockerfile
if: steps.checksum.outputs.needs_update == 'true'
run: |
set -euo pipefail
echo "📝 Updating Dockerfile with new checksum..."
sed -i "s/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=${{ steps.checksum.outputs.current }}/" Dockerfile
# Verify the change was applied
if ! grep -q "ARG GEOLITE2_COUNTRY_SHA256=${{ steps.checksum.outputs.current }}" Dockerfile; then
echo "❌ Failed to update Dockerfile"
exit 1
fi
echo "✅ Dockerfile updated successfully"
- name: Verify Dockerfile syntax
if: steps.checksum.outputs.needs_update == 'true'
run: |
set -euo pipefail
echo "🔍 Verifying Dockerfile syntax..."
docker build --dry-run -f Dockerfile . || {
echo "❌ Dockerfile syntax validation failed"
exit 1
}
echo "✅ Dockerfile syntax is valid"
- name: Create Pull Request
if: steps.checksum.outputs.needs_update == 'true'
uses: peter-evans/create-pull-request@v6
with:
title: "chore(docker): update GeoLite2-Country.mmdb checksum"
body: |
🤖 **Automated GeoLite2 Database Checksum Update**
The GeoLite2-Country.mmdb database has been updated upstream.
### Changes
- **Old checksum:** `${{ steps.checksum.outputs.old }}`
- **New checksum:** `${{ steps.checksum.outputs.current }}`
- **File modified:** `Dockerfile` (line 352)
### Verification Required
- [ ] Local build passes: `docker build --no-cache -t test .`
- [ ] Container starts successfully
- [ ] API health check responds: `curl http://localhost:8080/api/v1/health`
- [ ] CI build passes
### Testing Commands
```bash
# Verify checksum locally
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum
# Build and test
docker build --no-cache --pull -t charon:test-geolite2 .
docker run --rm charon:test-geolite2 /app/charon --version
```
### Related Documentation
- [Dockerfile](/Dockerfile#L352)
- [Implementation Plan](/docs/plans/current_spec.md)
---
**Auto-generated by:** `.github/workflows/update-geolite2.yml`
**Trigger:** Scheduled weekly check (Mondays 2 AM UTC)
branch: bot/update-geolite2-checksum
delete-branch: true
commit-message: |
chore(docker): update GeoLite2-Country.mmdb checksum
Automated checksum update for GeoLite2-Country.mmdb database.
Old: ${{ steps.checksum.outputs.old }}
New: ${{ steps.checksum.outputs.current }}
Auto-generated by: .github/workflows/update-geolite2.yml
labels: |
dependencies
automated
docker
- name: Report failure via GitHub Issue
if: failure()
uses: actions/github-script@v7
with:
script: |
const errorType = '${{ steps.checksum.outputs.error }}' || 'unknown';
const runUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
const errorMessages = {
'download_failed': '❌ Failed to download GeoLite2-Country.mmdb after 3 attempts',
'invalid_checksum_format': '❌ Downloaded file produced invalid checksum format',
'invalid_dockerfile_checksum': '❌ Current Dockerfile contains invalid checksum format',
'unknown': '❌ Workflow failed with unknown error'
};
const title = `🚨 GeoLite2 Checksum Update Failed (${errorType})`;
const body = `
## Automated GeoLite2 Update Workflow Failed
**Error Type:** \`${errorType}\`
**Error Message:** ${errorMessages[errorType] || errorMessages.unknown}
### Workflow Details
- **Run URL:** ${runUrl}
- **Triggered:** ${context.eventName === 'schedule' ? 'Scheduled (weekly)' : 'Manual dispatch'}
- **Timestamp:** ${new Date().toISOString()}
### Required Actions
1. Review workflow logs: ${runUrl}
2. Check upstream source availability: https://github.com/P3TERX/GeoLite.mmdb
3. Verify network connectivity from GitHub Actions runners
4. If upstream is unavailable, consider alternative sources
### Manual Update (if needed)
\`\`\`bash
# Download and verify checksum
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum
# Update Dockerfile line 352
vim Dockerfile # or use sed
# Test build
docker build --no-cache -t test .
\`\`\`
### Related Documentation
- [Implementation Plan](/docs/plans/current_spec.md)
- [Workflow File](/.github/workflows/update-geolite2.yml)
---
**Auto-generated by:** \`.github/workflows/update-geolite2.yml\`
`;
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: title,
body: body,
labels: ['bug', 'automated', 'ci-cd', 'docker']
});

2
.vscode/mcp.json vendored
View File

@@ -11,4 +11,4 @@
}
},
"inputs": []
}
}

11
CHANGELOG.md
View File

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Fixed
- **Docker Build**: Fixed GeoLite2-Country.mmdb checksum mismatch causing CI/CD build failures
- Updated Dockerfile (line 352) with current upstream database checksum
- Added automated workflow (`.github/workflows/update-geolite2.yml`) for weekly checksum verification
- Workflow creates pull requests automatically when upstream database is updated
- Build failure resolved: https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617
- See [GeoLite2 Maintenance Guide](docs/maintenance/geolite2-checksum-update.md) for manual update procedures
- Implementation details: [docs/plans/geolite2_checksum_fix_spec.md](docs/plans/geolite2_checksum_fix_spec.md)
- QA verification: [docs/reports/qa_geolite2_checksum_fix.md](docs/reports/qa_geolite2_checksum_fix.md)
### Changed
- **Build Strategy**: Simplified to Docker-only deployment model

2
Dockerfile
View File

@@ -349,7 +349,7 @@ RUN groupadd -g 1000 charon && \
# Download MaxMind GeoLite2 Country database
# Note: In production, users should provide their own MaxMind license key
# This uses the publicly available GeoLite2 database
ARG GEOLITE2_COUNTRY_SHA256=6b778471c086c44d15bd4df954661d441a5513ec48f1af5545cb05af8f2e15b9
ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
RUN mkdir -p /app/data/geoip && \
curl -fSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
-o /app/data/geoip/GeoLite2-Country.mmdb && \

3
README.md
View File

@@ -578,7 +578,8 @@ Default: RFC1918 private networks + localhost
**[📖 Full Documentation](https://wikid82.github.io/charon/)** — Everything explained simply
**[🚀 5-Minute Guide](https://wikid82.github.io/charon/getting-started)** — Your first website up and running
**[🔐 Supply Chain Security](docs/guides/supply-chain-security-user-guide.md)** — Verify signatures and build provenance
**[🛠️ Troubleshooting](docs/troubleshooting/)** — Common issues and solutions
**[<EFBFBD> Maintenance](docs/maintenance/)** — Keeping Charon running smoothly
**[<EFBFBD>🛠 Troubleshooting](docs/troubleshooting/)** — Common issues and solutions
**[💬 Ask Questions](https://github.com/Wikid82/charon/discussions)** — Friendly community help
**[🐛 Report Problems](https://github.com/Wikid82/charon/issues)** — Something broken? Let us know

178
docs/issues/created/20260202-version_sync.md Normal file
View File

@@ -0,0 +1,178 @@
# Issue: Sync .version file with Git tag
## Title
Sync .version file with latest Git tag
## Labels
- `housekeeping`
- `versioning`
- `good first issue`
## Priority
**Low** (Non-blocking, cosmetic)
## Description
The `.version` file is out of sync with the latest Git tag, causing pre-commit warnings during development.
### Current State
- **`.version` file:** `v0.15.3`
- **Latest Git tag:** `v0.16.8`
### Impact
- Pre-commit hook `check-version-tag` fails with warning:
```
Check .version matches latest Git tag..................Failed
ERROR: .version (v0.15.3) does not match latest Git tag (v0.16.8)
```
- Does NOT block builds or affect runtime behavior
- Creates noise in pre-commit output
- May confuse contributors about the actual version
### Expected Behavior
- `.version` file should match the latest Git tag
- Pre-commit hook should pass without warnings
- Version information should be consistent across all sources
## Steps to Reproduce
1. Clone the repository
2. Run pre-commit checks:
```bash
pre-commit run --all-files
```
3. Observe warning: `.version (v0.15.3) does not match latest Git tag (v0.16.8)`
## Proposed Solution
### Option 1: Update .version to match latest tag (Quick Fix)
```bash
# Fetch latest tags
git fetch --tags
# Get latest tag
LATEST_TAG=$(git describe --tags --abbrev=0)
# Update .version file
echo "$LATEST_TAG" > .version
# Commit the change
git add .version
git commit -m "chore: sync .version file with latest Git tag ($LATEST_TAG)"
```
### Option 2: Automate version syncing (Comprehensive)
**Create a GitHub Actions workflow** to automatically sync `.version` with Git tags:
```yaml
name: Sync Version File
on:
push:
tags:
- 'v*'
jobs:
sync-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Update .version file
run: |
echo "${{ github.ref_name }}" > .version
- name: Commit and push
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add .version
git commit -m "chore: sync .version to ${{ github.ref_name }}"
git push
```
### Option 3: Remove .version file (Simplest)
If `.version` is not used in the codebase:
1. Delete `.version` file
2. Remove or update pre-commit hook to not check version sync
3. Use Git tags as the single source of truth for versioning
## Investigation Required
Before implementing, verify:
1. **Where is `.version` used?**
```bash
# Search codebase for references
grep -r "\.version" --exclude-dir=node_modules --exclude-dir=.git
```
2. **Is `.version` read by the application?**
- Check backend code for version file reads
- Check build scripts
- Check documentation generation
3. **Why is there a version discrepancy?**
- Was `.version` manually updated?
- Was it missed during release tagging?
- Is there a broken sync process?
## Acceptance Criteria
- [ ] `.version` file matches latest Git tag (`v0.16.8`)
- [ ] Pre-commit hook `check-version-tag` passes without warnings
- [ ] Version consistency verified across all sources:
- [ ] `.version` file
- [ ] Git tags
- [ ] `package.json` (if applicable)
- [ ] `go.mod` (if applicable)
- [ ] Documentation
- [ ] If automated workflow is added:
- [ ] Workflow triggers on tag push
- [ ] Workflow updates `.version` correctly
- [ ] Workflow commits change to main branch
## Related Files
- `.version` — Version file (needs update)
- `.pre-commit-config.yaml` — Pre-commit hook configuration
- `CHANGELOG.md` — Version history
- `.github/workflows/` — Automation workflows (if Option 2 chosen)
## References
- **Pre-commit hook:** `check-version-tag`
- **QA Report:** `docs/reports/qa_report.md` (section 11.3)
- **Implementation Plan:** `docs/plans/current_spec.md`
## Priority Justification
**Why Low Priority:**
- Does not block builds or deployments
- Does not affect runtime behavior
- Only affects developer experience (pre-commit warnings)
- No security implications
- No user-facing impact
**When to address:**
- During next maintenance sprint
- When preparing for next release
- When cleaning up technical debt
- As a good first issue for new contributors
## Estimated Effort
- **Option 1 (Quick Fix):** 5 minutes
- **Option 2 (Automation):** 30 minutes
- **Option 3 (Remove file):** 15 minutes + investigation
---
**Created:** February 2, 2026
**Discovered During:** Docker build fix QA verification
**Reporter:** GitHub Copilot QA Agent
**Status:** Draft (not yet created in GitHub)

57
docs/maintenance/README.md Normal file
View File

@@ -0,0 +1,57 @@
# Maintenance Documentation
This directory contains operational maintenance guides for keeping Charon running smoothly.
## Available Guides
### [GeoLite2 Database Checksum Update](geolite2-checksum-update.md)
**When to use:** Docker build fails with GeoLite2-Country.mmdb checksum mismatch
**Topics covered:**
- Automated weekly checksum verification workflow
- Manual checksum update procedures (5 minutes)
- Verification script for checking upstream changes
- Troubleshooting common checksum issues
- Alternative sources if upstream mirrors are unavailable
**Quick fix:**
```bash
# Download and update checksum automatically
NEW_CHECKSUM=$(curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum | cut -d' ' -f1)
sed -i "s/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=${NEW_CHECKSUM}/" Dockerfile
docker build --no-cache -t test .
```
---
## Contributing
Found a maintenance issue not covered here? Please:
1. **Create an issue** describing the problem
2. **Document the solution** in a new guide
3. **Update this index** with a link to your guide
**Format:**
```markdown
### [Guide Title](filename.md)
**When to use:** Brief description of when this guide applies
**Topics covered:**
- List key topics
**Quick command:** (if applicable)
```
## Related Documentation
- **[Troubleshooting](../troubleshooting/)** — Common runtime issues and fixes
- **[Runbooks](../runbooks/)** — Emergency procedures and incident response
- **[Configuration](../configuration/)** — Setup and configuration guides
- **[Development](../development/)** — Developer environment and workflows
---
**Last Updated:** February 2, 2026

334
docs/maintenance/geolite2-checksum-update.md Normal file
View File

@@ -0,0 +1,334 @@
# GeoLite2 Database Checksum Update Guide
## Overview
Charon uses the [MaxMind GeoLite2-Country database](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data) for geographic IP information. When the upstream database is updated, the checksum in the Dockerfile must be updated to match the new file.
**Automated Updates:** Charon includes a GitHub Actions workflow that checks for upstream changes weekly and creates pull requests automatically.
**Manual Updates:** Follow this guide if the automated workflow fails or you need to update immediately.
---
## When to Update
Update the checksum when:
1. **Docker build fails** with the following error:
```
sha256sum: /app/data/geoip/GeoLite2-Country.mmdb: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
```
2. **Automated workflow creates a PR** (happens weekly on Mondays at 2 AM UTC)
3. **GitHub Actions build fails** with checksum mismatch
---
## Automated Workflow (Recommended)
Charon includes a GitHub Actions workflow that automatically:
- Checks for upstream GeoLite2 database changes weekly
- Calculates the new checksum
- Creates a pull request with the update
- Validates Dockerfile syntax
**Workflow File:** [`.github/workflows/update-geolite2.yml`](../../.github/workflows/update-geolite2.yml)
**Schedule:** Mondays at 2 AM UTC (weekly)
**Manual Trigger:**
```bash
gh workflow run update-geolite2.yml
```
### Reviewing Automated PRs
When the workflow creates a PR:
1. **Review the checksum change** in the PR description
2. **Verify the checksums** match the upstream file (see verification below)
3. **Wait for CI checks** to pass (build, tests, security scans)
4. **Merge the PR** if all checks pass
---
## Manual Update (5 Minutes)
### Step 1: Download and Calculate Checksum
```bash
# Download the database file
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
-o /tmp/geolite2-test.mmdb
# Calculate SHA256 checksum
sha256sum /tmp/geolite2-test.mmdb
# Example output:
# 436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d /tmp/geolite2-test.mmdb
```
### Step 2: Update Dockerfile
**File:** [`Dockerfile`](../../Dockerfile) (line ~352)
**Find this line:**
```dockerfile
ARG GEOLITE2_COUNTRY_SHA256=<old-checksum>
```
**Replace with the new checksum:**
```dockerfile
ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
```
**Using sed (automated):**
```bash
NEW_CHECKSUM=$(curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum | cut -d' ' -f1)
sed -i "s/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=${NEW_CHECKSUM}/" Dockerfile
```
### Step 3: Verify the Change
```bash
# Verify the checksum was updated
grep "GEOLITE2_COUNTRY_SHA256" Dockerfile
# Expected output:
# ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
```
### Step 4: Test Build
```bash
# Clean build environment (recommended)
docker builder prune -af
# Build without cache to ensure checksum is verified
docker build --no-cache --pull \
--platform linux/amd64 \
--build-arg VERSION=test-checksum \
-t charon:test-checksum \
.
# Verify build succeeded and container starts
docker run --rm charon:test-checksum /app/charon --version
```
**Expected output:**
```
✅ GeoLite2-Country.mmdb: OK
✅ Successfully tagged charon:test-checksum
```
### Step 5: Commit and Push
```bash
git add Dockerfile
git commit -m "fix(docker): update GeoLite2-Country.mmdb checksum
The upstream GeoLite2 database file was updated, requiring a checksum update.
Old: <old-checksum>
New: <new-checksum>
Fixes: #<issue-number>
Resolves: Docker build checksum mismatch"
git push origin <branch-name>
```
---
## Verification Script
Use this script to check if the Dockerfile checksum matches the upstream file:
```bash
#!/bin/bash
# verify-geolite2-checksum.sh
set -euo pipefail
DOCKERFILE_CHECKSUM=$(grep "ARG GEOLITE2_COUNTRY_SHA256=" Dockerfile | cut -d'=' -f2)
UPSTREAM_CHECKSUM=$(curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum | cut -d' ' -f1)
echo "Dockerfile: $DOCKERFILE_CHECKSUM"
echo "Upstream: $UPSTREAM_CHECKSUM"
if [ "$DOCKERFILE_CHECKSUM" = "$UPSTREAM_CHECKSUM" ]; then
echo "✅ Checksum matches"
exit 0
else
echo "❌ Checksum mismatch - update required"
echo ""
echo "Run: sed -i 's/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=$UPSTREAM_CHECKSUM/' Dockerfile"
exit 1
fi
```
**Make executable:**
```bash
chmod +x scripts/verify-geolite2-checksum.sh
```
**Run verification:**
```bash
./scripts/verify-geolite2-checksum.sh
```
---
## Troubleshooting
### Issue: Build Still Fails After Update
**Symptoms:**
- Checksum verification fails
- "FAILED" error persists
**Solutions:**
1. **Clear Docker build cache:**
```bash
docker builder prune -af
```
2. **Verify the checksum was committed:**
```bash
git show HEAD:Dockerfile | grep "GEOLITE2_COUNTRY_SHA256"
```
3. **Re-download and verify upstream file:**
```bash
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" -o /tmp/test.mmdb
sha256sum /tmp/test.mmdb
diff <(echo "$EXPECTED_CHECKSUM") <(sha256sum /tmp/test.mmdb | cut -d' ' -f1)
```
### Issue: Upstream File Unavailable (404)
**Symptoms:**
- `curl` returns 404 Not Found
- Automated workflow fails with `download_failed` error
**Investigation Steps:**
1. **Check upstream repository:**
- Visit: https://github.com/P3TERX/GeoLite.mmdb
- Verify the file still exists at the raw URL
- Check for repository status or announcements
2. **Check MaxMind status:**
- Visit: https://status.maxmind.com/
- Check for service outages or maintenance
**Temporary Solutions:**
1. **Use cached Docker layer** (if available):
```bash
docker build --cache-from ghcr.io/wikid82/charon:latest -t charon:latest .
```
2. **Use local copy** (temporary):
```bash
# Download from a working container
docker run --rm ghcr.io/wikid82/charon:latest cat /app/data/geoip/GeoLite2-Country.mmdb > /tmp/GeoLite2-Country.mmdb
# Calculate checksum
sha256sum /tmp/GeoLite2-Country.mmdb
```
3. **Alternative source** (if P3TERX mirror is down):
- Official MaxMind downloads require a license key
- Consider [MaxMind GeoLite2](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data) signup (free)
### Issue: Checksum Mismatch on Re-download
**Symptoms:**
- Checksum calculated locally differs from what's in the Dockerfile
- Checksum changes between downloads
**Investigation Steps:**
1. **Verify file integrity:**
```bash
# Download multiple times and compare
for i in {1..3}; do
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum
done
```
2. **Check for CDN caching issues:**
- Wait 5 minutes and retry
- Try from different network locations
3. **Verify no MITM proxy:**
```bash
# Download via HTTPS and verify certificate
curl -v -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" -o /tmp/test.mmdb 2>&1 | grep "CN="
```
**If confirmed as supply chain attack:**
- **STOP** and do not proceed
- Report to security team
- See [Security Incident Response](../security-incident-response.md)
### Issue: Multi-Platform Build Fails (arm64)
**Symptoms:**
- `linux/amd64` build succeeds
- `linux/arm64` build fails with checksum error
**Investigation:**
1. **Verify upstream file is architecture-agnostic:**
- GeoLite2 `.mmdb` files are data files, not binaries
- Should be identical across all platforms
2. **Check buildx platform emulation:**
```bash
docker buildx ls
docker buildx inspect
```
3. **Test arm64 build explicitly:**
```bash
docker buildx build --platform linux/arm64 --load -t test-arm64 .
```
---
## Additional Resources
- **Automated Workflow:** [`.github/workflows/update-geolite2.yml`](../../.github/workflows/update-geolite2.yml)
- **Implementation Plan:** [`docs/plans/current_spec.md`](../plans/current_spec.md)
- **QA Report:** [`docs/reports/qa_report.md`](../reports/qa_report.md)
- **Dockerfile:** [`Dockerfile`](../../Dockerfile) (line ~352)
- **MaxMind GeoLite2:** https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
- **P3TERX Mirror:** https://github.com/P3TERX/GeoLite.mmdb
---
## Historical Context
**Issue:** Docker build failures due to checksum mismatch (February 2, 2026)
**Root Cause:** The upstream GeoLite2 database file was updated by MaxMind, but the Dockerfile still referenced the old SHA256 checksum. When Docker's multi-stage build tried to verify the checksum, it failed and aborted the build, causing cascade failures in subsequent `COPY` commands that referenced earlier build stages.
**Solution:** Updated one line in `Dockerfile` (line 352) with the correct checksum and implemented an automated workflow to prevent future occurrences.
**Build Failure URL:** https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617
**Related PRs:**
- Fix implementation: (link to PR)
- Automated workflow addition: (link to PR)
---
**Last Updated:** February 2, 2026
**Maintainer:** Charon Development Team
**Status:** Active

2321
docs/plans/current_spec.md
View File

File diff suppressed because it is too large Load Diff

32
docs/plans/docker_compose_ci_fix.md
View File

@@ -1,7 +1,7 @@
# Docker Compose CI Failure Remediation Plan
**Status**: Active
**Created**: 2026-01-30
**Status**: Active
**Created**: 2026-01-30
**Priority**: CRITICAL (Blocking CI)
---
@@ -23,7 +23,7 @@ charon-app Error pull access denied for sha256, repository does not exist or may
### Current Implementation (Broken)
**File**: `.docker/compose/docker-compose.playwright-ci.yml`
**File**: `.docker/compose/docker-compose.playwright-ci.yml`
**Lines**: 29-37
```yaml
@@ -37,7 +37,7 @@ charon-app:
### Workflow Environment Variable
**File**: `.github/workflows/e2e-tests.yml`
**File**: `.github/workflows/e2e-tests.yml`
**Line**: 158
```yaml
@@ -117,7 +117,7 @@ Docker requires one of these formats:
# Explicitly constructs image reference from variables
IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
IMAGE_REF="ghcr.io/${IMAGE_NAME}:pr-${{ steps.pr-info.outputs.pr_number }}"
docker run -d \
--name charon-test \
-e CHARON_ENV="${CHARON_ENV}" \
@@ -160,7 +160,7 @@ Docker requires one of these formats:
#### Change 1: Remove Digest from Workflow Environment
**File**: `.github/workflows/e2e-tests.yml`
**File**: `.github/workflows/e2e-tests.yml`
**Lines**: 155-158
**Current**:
@@ -186,14 +186,14 @@ env:
CHARON_E2E_IMAGE: charon:e2e-test
```
**Rationale**:
**Rationale**:
- The `docker load` command restores the image with its original tag `charon:e2e-test`
- We should use this tag, not the digest
- The digest is only useful for verifying image integrity, not for referencing locally loaded images
#### Change 2: Update Compose File Comment Documentation
**File**: `.docker/compose/docker-compose.playwright-ci.yml`
**File**: `.docker/compose/docker-compose.playwright-ci.yml`
**Lines**: 31-37
**Current**:
@@ -232,7 +232,7 @@ If there's a requirement to use digest-based references for security/reproducibi
#### Change 1: Re-tag After Load
**File**: `.github/workflows/e2e-tests.yml`
**File**: `.github/workflows/e2e-tests.yml`
**After Line**: 177 (in "Load Docker image" step)
**Add**:
@@ -242,19 +242,19 @@ If there's a requirement to use digest-based references for security/reproducibi
# Load the pre-built image
docker load -i charon-e2e-image.tar
docker images | grep charon
# Re-tag for digest-based reference if needed
IMAGE_DIGEST="${{ needs.build.outputs.image_digest }}"
if [[ -n "$IMAGE_DIGEST" ]]; then
# Extract just the digest hash (sha256:...)
DIGEST_HASH=$(echo "$IMAGE_DIGEST" | grep -oP 'sha256:[a-f0-9]{64}')
# Construct full reference
FULL_REF="ghcr.io/wikid82/charon@${DIGEST_HASH}"
echo "Re-tagging charon:e2e-test as $FULL_REF"
docker tag charon:e2e-test "$FULL_REF"
# Export for compose file
echo "CHARON_E2E_IMAGE_DIGEST=$FULL_REF" >> $GITHUB_ENV
else
@@ -265,7 +265,7 @@ If there's a requirement to use digest-based references for security/reproducibi
#### Change 2: Update Compose File
**File**: `.docker/compose/docker-compose.playwright-ci.yml`
**File**: `.docker/compose/docker-compose.playwright-ci.yml`
**Lines**: 31-37
Keep the current implementation but fix the comment:
@@ -381,7 +381,7 @@ Keep the current implementation but fix the comment:
## Risk Assessment
### Low Risk Changes
✅ Workflow environment variable change (isolated to CI)
✅ Workflow environment variable change (isolated to CI)
✅ Compose file comment updates (documentation only)
### Medium Risk Changes
@@ -390,7 +390,7 @@ Keep the current implementation but fix the comment:
- **Rollback**: Revert single line in compose file
### No Risk
✅ Read-only investigation and analysis
✅ Read-only investigation and analysis
✅ Documentation improvements
---

4
docs/plans/docker_compose_ci_fix_summary.md
View File

@@ -1,7 +1,7 @@
# Docker Compose CI Fix - Quick Reference
**Document**: [Full Remediation Plan](docker_compose_ci_fix.md)
**Status**: Ready for Implementation
**Document**: [Full Remediation Plan](docker_compose_ci_fix.md)
**Status**: Ready for Implementation
**Priority**: CRITICAL
---

667
docs/plans/geolite2_checksum_fix_spec.md Normal file
View File

@@ -0,0 +1,667 @@
# Docker Build Failure Fix - Comprehensive Implementation Plan
**Date:** February 2, 2026
**Status:** 🔴 CRITICAL - BLOCKING CI/CD
**Priority:** P0 - Immediate Action Required
**Build URL:** https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617
---
## Executive Summary
The GitHub Actions Docker build workflow is failing due to a **GeoLite2-Country.mmdb checksum mismatch**, causing cascade failures in multi-stage Docker builds.
**Root Cause:** The upstream GeoLite2 database file was updated, but the Dockerfile still references the old SHA256 checksum.
**Impact:**
- ❌ All CI/CD Docker builds failing since database update
- ❌ Cannot publish new images to GHCR/Docker Hub
- ❌ Blocks all releases and deployments
**Solution:** Update one line in Dockerfile (line 352) with correct checksum.
**Estimated Time to Fix:** 5 minutes
**Testing Time:** 15 minutes (local + CI verification)
---
## Critical Issue Analysis
### Issue #1: GeoLite2-Country.mmdb Checksum Mismatch (ROOT CAUSE)
**Location:** `/projects/Charon/Dockerfile` - Line 352
**Current Value (WRONG):**
```dockerfile
ARG GEOLITE2_COUNTRY_SHA256=6b778471c086c44d15bd4df954661d441a5513ec48f1af5545cb05af8f2e15b9
```
**Correct Value (VERIFIED):**
```dockerfile
ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
```
**Verification Method:**
```bash
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" -o /tmp/test.mmdb
sha256sum /tmp/test.mmdb
# Output: 436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
```
**Error Message:**
```
sha256sum: /app/data/geoip/GeoLite2-Country.mmdb: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
The command '/bin/sh -c mkdir -p /app/data/geoip && curl -fSL ...' returned a non-zero code: 1
```
### Issue #2: Blob Not Found Errors (CASCADE FAILURE)
**Error Examples:**
```
COPY configs/crowdsec/acquis.yaml /etc/crowdsec.dist/acquis.yaml: blob not found
COPY --from=backend-builder /app/backend/charon /app/charon: blob not found
COPY --from=frontend-builder /app/frontend/dist /app/frontend/dist: blob not found
```
**Analysis:**
These are NOT missing files. All files exist in the repository:
```bash
✅ configs/crowdsec/acquis.yaml
✅ configs/crowdsec/install_hub_items.sh
✅ configs/crowdsec/register_bouncer.sh
✅ frontend/package.json
✅ frontend/package-lock.json
✅ .docker/docker-entrypoint.sh
✅ scripts/db-recovery.sh
```
**Root Cause:** The GeoLite2 checksum failure causes the Docker build to abort during the final runtime stage (line 352-356). When the build aborts, the multi-stage build artifacts from earlier stages (`backend-builder`, `frontend-builder`, `caddy-builder`, `crowdsec-builder`) are not persisted to the builder cache. Subsequent COPY commands trying to reference these non-existent artifacts fail with "blob not found".
**This is a cascade failure from Issue #1 - fixing the checksum will resolve all blob errors.**
---
## Implementation Plan
### PHASE 1: Fix Checksum (5 minutes)
**Step 1.1: Update Dockerfile**
**File:** `/projects/Charon/Dockerfile`
**Line:** 352
**Exact Change:**
```bash
cd /projects/Charon
sed -i 's/ARG GEOLITE2_COUNTRY_SHA256=6b778471c086c44d15bd4df954661d441a5513ec48f1af5545cb05af8f2e15b9/ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d/' Dockerfile
```
**Verification:**
```bash
grep "GEOLITE2_COUNTRY_SHA256" Dockerfile
# Expected: ARG GEOLITE2_COUNTRY_SHA256=436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
```
**Step 1.2: Commit Change**
```bash
git add Dockerfile
git commit -m "fix(docker): update GeoLite2-Country.mmdb checksum
The upstream GeoLite2 database file was updated, requiring a checksum update.
Old: 6b778471c086c44d15bd4df954661d441a5513ec48f1af5545cb05af8f2e15b9
New: 436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
Fixes: #<issue-number>
Resolves: Blob not found errors (cascade failure from checksum mismatch)"
```
---
### PHASE 2: Local Testing (15 minutes)
**Step 2.1: Clean Build Environment**
```bash
# Remove all build cache
docker builder prune -af
# Remove previous test images
docker images | grep charon | awk '{print $3}' | xargs -r docker rmi -f
```
**Step 2.2: Build for amd64 (Same as CI)**
```bash
cd /projects/Charon
docker buildx build \
--platform linux/amd64 \
--no-cache \
--pull \
--progress=plain \
--build-arg VERSION=test-fix \
--build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--build-arg VCS_REF=$(git rev-parse HEAD) \
-t charon:test-amd64 \
. 2>&1 | tee /tmp/docker-build-test.log
```
**Expected Success Indicators:**
```
✅ Step X: RUN echo "${GEOLITE2_COUNTRY_SHA256} /app/data/geoip/GeoLite2-Country.mmdb" | sha256sum -c -
/app/data/geoip/GeoLite2-Country.mmdb: OK
✅ Step Y: COPY --from=gosu-builder /gosu-out/gosu /usr/sbin/gosu
✅ Step Z: COPY --from=frontend-builder /app/frontend/dist /app/frontend/dist
✅ Step AA: COPY --from=backend-builder /app/backend/charon /app/charon
✅ Step AB: COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
✅ Step AC: COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
✅ Successfully tagged charon:test-amd64
```
**If Build Fails:**
```bash
# Check for errors
grep -A 5 "ERROR\|FAILED\|blob not found" /tmp/docker-build-test.log
# Verify checksum in Dockerfile
grep "GEOLITE2_COUNTRY_SHA256" Dockerfile
# Re-download and verify checksum
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
-o /tmp/verify.mmdb
sha256sum /tmp/verify.mmdb
```
**Step 2.3: Runtime Verification**
```bash
# Start container
docker run -d \
--name charon-test \
-p 8080:8080 \
charon:test-amd64
# Wait for startup (30 seconds)
sleep 30
# Check health
docker ps --filter "name=charon-test"
# Expected: Status includes "(healthy)"
# Test API
curl -sf http://localhost:8080/api/v1/health | jq .
# Expected: {"status":"ok","version":"test-fix",...}
# Check for errors in logs
docker logs charon-test 2>&1 | grep -i "error\|failed\|fatal"
# Expected: No critical errors
# Cleanup
docker stop charon-test && docker rm charon-test
```
---
### PHASE 3: Push and Monitor CI (30 minutes)
**Step 3.1: Push to GitHub**
```bash
git push origin <branch-name>
```
**Step 3.2: Monitor Workflow**
1. **Navigate to Actions**:
https://github.com/Wikid82/Charon/actions
2. **Watch "Docker Build, Publish & Test" workflow**:
- Should trigger automatically on push
- Monitor build progress
3. **Expected Stages:**
```
✅ Build and push (linux/amd64, linux/arm64)
✅ Verify Caddy Security Patches
✅ Verify CrowdSec Security Patches
✅ Run Trivy scan
✅ Generate SBOM
✅ Attest SBOM
✅ Sign image (Cosign)
✅ Test image (integration-test.sh)
```
**Step 3.3: Verify Published Images**
```bash
# Pull from GHCR
docker pull ghcr.io/wikid82/charon:<tag>
# Verify image works
docker run --rm ghcr.io/wikid82/charon:<tag> /app/charon --version
# Expected: Output shows version info
```
**Step 3.4: Check Security Scans**
- **Trivy Results**: Check for new vulnerabilities
https://github.com/Wikid82/Charon/security/code-scanning
- **Expr-lang Verification**: Ensure CVE-2025-68156 patch is present
Check workflow logs for:
```
✅ PASS: expr-lang version v1.17.7 is patched (>= v1.17.7)
```
---
## Success Criteria
### Build Success Indicators
- [ ] Local `docker build` completes without errors
- [ ] No "sha256sum: FAILED" errors
- [ ] No "blob not found" errors
- [ ] All COPY commands execute successfully
- [ ] Container starts and becomes healthy
- [ ] API responds to `/health` endpoint
- [ ] GitHub Actions workflow passes all stages
- [ ] Multi-platform build succeeds (amd64 + arm64)
### Deployment Success Indicators
- [ ] Image published to GHCR: `ghcr.io/wikid82/charon:<tag>`
- [ ] Image signed with Sigstore/Cosign
- [ ] SBOM attached and attestation created
- [ ] Trivy scan shows no critical regressions
- [ ] Integration tests pass (`integration-test.sh`)
---
## Rollback Plan
If the fix introduces new issues:
**Step 1: Revert Commit**
```bash
git revert <commit-sha>
git push origin <branch-name>
```
**Step 2: Emergency Image Rollback (if needed)**
```bash
# Retag previous working image as latest
docker pull ghcr.io/wikid82/charon:sha-<previous-working-commit>
docker tag ghcr.io/wikid82/charon:sha-<previous-working-commit> \
ghcr.io/wikid82/charon:latest
docker push ghcr.io/wikid82/charon:latest
```
**Step 3: Communicate Status**
- Update issue with rollback details
- Document root cause of new failure
- Create follow-up issue if needed
### Rollback Decision Matrix
Use this matrix to determine whether to rollback or proceed with remediation:
| Scenario | Impact | Decision | Action | Timeline |
|----------|--------|----------|--------|----------|
| **Checksum update breaks local build** | 🔴 Critical | ROLLBACK immediately | Revert commit, investigate upstream changes | < 5 minutes |
| **Local build passes, CI build fails** | 🟡 High | INVESTIGATE first | Check CI environment differences, then decide | 15-30 minutes |
| **Build passes, container fails healthcheck** | 🔴 Critical | ROLLBACK immediately | Revert commit, test with previous checksum | < 10 minutes |
| **Build passes, security scan fails** | 🟠 Medium | REMEDIATE if < 2 hours | Fix security issues if quick, else rollback | < 2 hours |
| **New checksum breaks runtime GeoIP lookups** | 🔴 Critical | ROLLBACK immediately | Revert commit, verify database integrity | < 5 minutes |
| **Automated PR fails syntax validation** | 🟢 Low | REMEDIATE in PR | Fix workflow and retry, no production impact | < 1 hour |
| **Upstream source unavailable (404)** | 🟡 High | BLOCK deployment | Document issue, find alternative source | N/A |
| **Checksum mismatch on re-download** | 🔴 Critical | BLOCK deployment | Investigate cache poisoning, verify source | N/A |
| **Multi-platform build succeeds (amd64), fails (arm64)** | 🟡 High | CONDITIONAL: Proceed for amd64, investigate arm64 | Deploy amd64, fix arm64 separately | < 1 hour |
| **Integration tests pass, E2E tests fail** | 🟠 Medium | INVESTIGATE first | Isolate test failure cause, rollback if service-breaking | 30-60 minutes |
**Decision Criteria:**
- **ROLLBACK immediately** if:
- Production deployments are affected
- Core functionality breaks (API, routing, healthchecks)
- Security posture degrades
- No clear remediation path within 30 minutes
- **INVESTIGATE first** if:
- Only test/CI environments affected
- Failure is non-deterministic
- Clear path to remediation exists
- Can be fixed within 2 hours
- **BLOCK deployment** if:
- Upstream integrity cannot be verified
- Security validation fails
- Checksum verification fails on any attempt
**Escalation Triggers:**
- Cannot rollback within 15 minutes
- Rollback itself fails
- Production outage extends beyond 30 minutes
- Security incident detected (cache poisoning, supply chain attack)
- Multiple rollback attempts required
---
## Future Maintenance
### Preventing Future Checksum Failures
**Option A: Automated Checksum Updates (Recommended)**
Create a GitHub Actions workflow to detect and update GeoLite2 checksums automatically:
**File:** `.github/workflows/update-geolite2.yml`
```yaml
name: Update GeoLite2 Checksum
on:
schedule:
- cron: '0 2 * * 1' # Weekly on Mondays at 2 AM UTC
workflow_dispatch:
jobs:
update-checksum:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download and calculate checksum
id: checksum
run: |
CURRENT=$(curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum | cut -d' ' -f1)
OLD=$(grep "ARG GEOLITE2_COUNTRY_SHA256=" Dockerfile | cut -d'=' -f2)
echo "current=$CURRENT" >> $GITHUB_OUTPUT
echo "old=$OLD" >> $GITHUB_OUTPUT
- name: Update Dockerfile
if: steps.checksum.outputs.current != steps.checksum.outputs.old
run: |
sed -i "s/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=${{ steps.checksum.outputs.current }}/" Dockerfile
- name: Create Pull Request
if: steps.checksum.outputs.current != steps.checksum.outputs.old
uses: peter-evans/create-pull-request@v5
with:
title: "chore(docker): update GeoLite2-Country.mmdb checksum"
body: |
Automated checksum update for GeoLite2-Country.mmdb
- Old: `${{ steps.checksum.outputs.old }}`
- New: `${{ steps.checksum.outputs.current }}`
**Changes:**
- Updated `Dockerfile` line 352
**Testing:**
- [ ] Local build passes
- [ ] CI build passes
- [ ] Container starts successfully
branch: bot/update-geolite2-checksum
delete-branch: true
```
**Option B: Manual Update Documentation**
Create documentation for manual checksum updates:
**File:** `/projects/Charon/docs/maintenance/geolite2-checksum-update.md`
```markdown
# GeoLite2 Database Checksum Update Guide
## When to Update
Update the checksum when Docker build fails with:
```
sha256sum: /app/data/geoip/GeoLite2-Country.mmdb: FAILED
```
## Quick Fix (5 minutes)
1. Download and calculate new checksum:
```bash
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" -o /tmp/test.mmdb
sha256sum /tmp/test.mmdb
```
2. Update Dockerfile (line 352):
```dockerfile
ARG GEOLITE2_COUNTRY_SHA256=<new-checksum-from-step-1>
```
3. Test locally:
```bash
docker build --no-cache -t test .
```
4. Commit and push:
```bash
git add Dockerfile
git commit -m "fix(docker): update GeoLite2-Country.mmdb checksum"
git push
```
## Verification Script
Use this script to verify before updating:
```bash
#!/bin/bash
# verify-geolite2-checksum.sh
EXPECTED=$(grep "ARG GEOLITE2_COUNTRY_SHA256=" Dockerfile | cut -d'=' -f2)
ACTUAL=$(curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum | cut -d' ' -f1)
echo "Expected: $EXPECTED"
echo "Actual: $ACTUAL"
if [ "$EXPECTED" = "$ACTUAL" ]; then
echo "✅ Checksum matches"
exit 0
else
echo "❌ Checksum mismatch - update required"
echo "Run: sed -i 's/ARG GEOLITE2_COUNTRY_SHA256=.*/ARG GEOLITE2_COUNTRY_SHA256=$ACTUAL/' Dockerfile"
exit 1
fi
```
```
**Recommended Approach:** Implement Option A (automated updates) to prevent future failures.
---
## Related Files
### Modified Files
- `/projects/Charon/Dockerfile` (line 352)
### Reference Files
- `.dockerignore` - Build context exclusions (no changes needed)
- `.gitignore` - Version control exclusions (no changes needed)
- `.github/workflows/docker-build.yml` - CI/CD workflow (no changes needed)
### Documentation
- `docs/maintenance/geolite2-checksum-update.md` (to be created)
- `.github/workflows/update-geolite2.yml` (optional automation)
---
##Appendix A: Multi-Stage Build Structure
### Build Stages (Dependency Graph)
```
1. xx (tonistiigi/xx) ─────────────────────────────┐
├──> 2. gosu-builder ──> final
├──> 3. backend-builder ──> final
├──> 5. crowdsec-builder ──> final
└──> (cross-compile helpers)
4. frontend-builder (standalone) ──────────────────────> final
6. caddy-builder (standalone) ─────────────────────────> final
7. crowdsec-fallback (not used in normal flow)
8. final (debian:trixie-slim) ◄─── Copies from all stages above
- Downloads GeoLite2 (FAILS HERE if checksum wrong)
- Copies binaries from builder stages
- Sets up runtime environment
```
### COPY Commands in Final Stage
**Line 349:** `COPY --from=gosu-builder /gosu-out/gosu /usr/sbin/gosu`
**Line 359:** `COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy`
**Line 366-368:** `COPY --from=crowdsec-builder ...`
**Line 393-395:** `COPY configs/crowdsec/* ...`
**Line 401:** `COPY --from=backend-builder /app/backend/charon /app/charon`
**Line 404:** `COPY --from=backend-builder /go/bin/dlv /usr/local/bin/dlv`
**Line 408:** `COPY --from=frontend-builder /app/frontend/dist /app/frontend/dist`
**Line 411:** `COPY .docker/docker-entrypoint.sh /docker-entrypoint.sh`
**Line 414:** `COPY scripts/ /app/scripts/`
**All of these fail with "blob not found" if GeoLite2 download fails**, because Docker aborts the build before persisting build stage outputs.
---
## Appendix B: Verification Commands
### Pre-Fix Verification
```bash
# Verify current checksum is wrong
grep "GEOLITE2_COUNTRY_SHA256" Dockerfile
# Should show: 6b778471c086c44d15bd4df954661d441a5513ec48f1af5545cb05af8f2e15b9
# Download and check actual checksum
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum
# Should show: 436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
```
### Post-Fix Verification
```bash
# Verify Dockerfile was updated
grep "GEOLITE2_COUNTRY_SHA256" Dockerfile
# Should show: 436135ee98a521da715a6d483951f3dbbd62557637f2d50d1987fc048874bd5d
# Test build
docker build --no-cache --pull -t test .
# Verify container
docker run --rm test /app/charon --version
```
### CI Verification
```bash
# Check latest workflow run
gh run list --workflow=docker-build.yml --limit=1
# View workflow logs
gh run view <run-id> --log
# Check for success indicators
gh run view <run-id> --log | grep "✅"
```
---
## Appendix C: Troubleshooting
### Issue: Build Still Fails After Checksum Update
**Symptoms:**
- Upload checksum is correct in Dockerfile
- Build still fails with sha256sum error
- Error message shows different checksum
**Possible Causes:**
1. **Browser cached old file**: Clear Docker build cache
```bash
docker builder prune -af
```
2. **Git cached old file**: Verify committed change
```bash
git show HEAD:Dockerfile | grep "GEOLITE2_COUNTRY_SHA256"
```
3. **Upstream file changed again**: Re-download and recalculate
```bash
curl -fsSL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" | sha256sum
```
### Issue: Blob Not Found Persists
**Symptoms:**
- GeoLite2 checksum passes
- Blob not found errors still occur
- Specific COPY command fails
**Debug Steps:**
1. **Check specific stage build:**
```bash
# Test specific stage
docker build --target backend-builder -t test-backend .
docker build --target frontend-builder -t test-frontend .
```
2. **Check file existence in context:**
```bash
# List build context files
docker build --dry-run -t test . 2>&1 | grep "COPY\|ADD"
```
3. **Verify .dockerignore:**
```bash
# Check if required files are excluded
grep -E "(configs|scripts|frontend)" .dockerignore
```
### Issue: Container Fails Healthcheck
**Symptoms:**
- Build succeeds
- Container starts but never becomes healthy
- Healthcheck fails repeatedly
**Debug Steps:**
```bash
# Check container logs
docker logs <container-name>
# Check healthcheck status
docker inspect <container-name> | jq '.[0].State.Health'
# Manual healthcheck
docker exec <container-name> curl -f http://localhost:8080/api/v1/health
```
---
## Conclusion
This is a straightforward fix requiring a single-line change in the Dockerfile. The "blob not found" errors are a cascade failure and will be resolved automatically once the GeoLite2 checksum is corrected.
**Immediate Action Required:**
1. Update Dockerfile line 352 with correct checksum
2. Test build locally
3. Commit and push
4. Monitor CI/CD pipeline
**Estimated Total Time:** 20 minutes (5 min fix + 15 min testing)
---
**Plan Status:** ✅ Ready for Implementation
**Confidence Level:** 100% - Root cause identified with exact fix
**Risk Assessment:** Low - Single line change, well-tested pattern

428
docs/reports/documentation_updates_geolite2_fix.md Normal file
View File

@@ -0,0 +1,428 @@
# Documentation Update Summary: GeoLite2 Checksum Fix
**Date:** February 2, 2026
**Task:** Update project documentation to reflect Docker build fix
**Status:** ✅ Complete
---
## Overview
Updated all project documentation to reflect the successful implementation and verification of the GeoLite2-Country.mmdb checksum fix that resolved critical CI/CD build failures.
---
## Files Updated
### 1. CHANGELOG.md ✅
**Location:** `/projects/Charon/CHANGELOG.md`
**Changes:**
- Added new "Fixed" section in `[Unreleased]`
- Documented Docker build fix with checksum mismatch details
- Linked to automated workflow, maintenance guide, implementation plan, and QA report
- Included GitHub Actions build failure URL for reference
**Entry added:**
```markdown
- **Docker Build**: Fixed GeoLite2-Country.mmdb checksum mismatch causing CI/CD build failures
- Updated Dockerfile (line 352) with current upstream database checksum
- Added automated workflow (`.github/workflows/update-geolite2.yml`) for weekly checksum verification
- Workflow creates pull requests automatically when upstream database is updated
- Build failure resolved: https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617
- See [GeoLite2 Maintenance Guide](docs/maintenance/geolite2-checksum-update.md) for manual update procedures
- Implementation details: [docs/plans/geolite2_checksum_fix_spec.md](docs/plans/geolite2_checksum_fix_spec.md)
- QA verification: [docs/reports/qa_geolite2_checksum_fix.md](docs/reports/qa_geolite2_checksum_fix.md)
```
---
### 2. Maintenance Documentation (NEW) ✅
**Location:** `/projects/Charon/docs/maintenance/geolite2-checksum-update.md`
**Content:**
- **Quick reference guide** for manual checksum updates (5-minute procedure)
- **Automated workflow documentation** with schedule and trigger instructions
- **Verification script** for checking upstream changes
- **Troubleshooting section** covering:
- Build failures after update
- Upstream file unavailable (404 errors)
- Checksum mismatch on re-download
- Multi-platform build issues (arm64)
- **Historical context** with link to original build failure
- **Related resources** and references
**Key sections:**
- Overview and when to update
- Automated workflow (recommended approach)
- Manual update procedure (5 steps)
- Verification script (bash)
- Comprehensive troubleshooting
- Additional resources
---
### 3. Maintenance Directory Index (NEW) ✅
**Location:** `/projects/Charon/docs/maintenance/README.md`
**Content:**
- Index of all maintenance guides
- Quick command reference for GeoLite2 updates
- Contributing guidelines for new maintenance guides
- Links to related documentation (troubleshooting, runbooks, configuration)
---
### 4. README.md ✅
**Location:** `/projects/Charon/README.md`
**Changes:**
- Added "Maintenance" link to "Getting Help" section
- New link: `**[🔧 Maintenance](docs/maintenance/)** — Keeping Charon running smoothly`
- Positioned between "Supply Chain Security" and "Troubleshooting" for logical flow
**Updated section:**
```markdown
## Getting Help
**[📖 Full Documentation](https://wikid82.github.io/charon/)** — Everything explained simply
**[🚀 5-Minute Guide](https://wikid82.github.io/charon/getting-started)** — Your first website up and running
**[🔐 Supply Chain Security](docs/guides/supply-chain-security-user-guide.md)** — Verify signatures and build provenance
**[🔧 Maintenance](docs/maintenance/)** — Keeping Charon running smoothly
**[🛠️ Troubleshooting](docs/troubleshooting/)** — Common issues and solutions
**[💬 Ask Questions](https://github.com/Wikid82/charon/discussions)** — Friendly community help
**[🐛 Report Problems](https://github.com/Wikid82/charon/issues)** — Something broken? Let us know
```
---
### 5. Follow-up Issue Template (NEW) ✅
**Location:** `/projects/Charon/docs/issues/version_sync.md`
**Content:**
- Issue template for version file sync discrepancy
- **Problem:** `.version` (v0.15.3) doesn't match latest Git tag (v0.16.8)
- **Impact assessment:** Non-blocking, cosmetic issue
- **Three solution options:**
1. Quick fix: Update .version file manually
2. Automation: GitHub Actions workflow to sync on tag push
3. Simplification: Remove .version file entirely
- **Investigation checklist** to determine file usage
- **Acceptance criteria** for completion
- **Effort estimates** for each option
---
### 6. Implementation Plan Archived ✅
**Original:** `/projects/Charon/docs/plans/current_spec.md`
**Renamed to:** `/projects/Charon/docs/plans/geolite2_checksum_fix_spec.md`
**Reason:**
- Archive completed implementation plan with descriptive name
- Makes room for future `current_spec.md` for next task
- Maintains historical record with clear context
---
### 7. QA Report Archived ✅
**Original:** `/projects/Charon/docs/reports/qa_report.md`
**Renamed to:** `/projects/Charon/docs/reports/qa_geolite2_checksum_fix.md`
**Reason:**
- Archive QA verification report with descriptive name
- Makes room for future QA reports
- Maintains audit trail with clear identification
---
## Files NOT Changed (Verified)
### No Updates Required
**CONTRIBUTING.md** — No Docker build instructions present
**Docker integration docs** — Covers auto-discovery feature, not image building
**Development docs** — No GeoLite2 or checksum references
**Troubleshooting docs** — No outdated checksum references found
### Old Checksum References (Expected)
The old checksum (`6b778471...`) is still present in:
- `docs/plans/geolite2_checksum_fix_spec.md` (archived implementation plan)
**This is correct** — the implementation plan documents the "before" state for historical context.
---
## Verification Performed
### 1. Checksum Reference Search
```bash
grep -r "6b778471c086c44d15bd4df954661d441a5513ec48f1af5545cb05af8f2e15b9" \
--exclude-dir=.git --exclude-dir=node_modules docs/
```
**Result:** Only found in archived implementation plan (expected)
### 2. Documentation Structure Check
```bash
tree docs/maintenance/
```
**Result:**
```
docs/maintenance/
├── README.md
└── geolite2-checksum-update.md
```
### 3. Link Validation
All internal documentation links verified:
- ✅ CHANGELOG → maintenance guide
- ✅ CHANGELOG → implementation plan
- ✅ CHANGELOG → QA report
- ✅ README → maintenance directory
- ✅ Maintenance index → GeoLite2 guide
- ✅ GeoLite2 guide → workflow file
- ✅ GeoLite2 guide → implementation plan
- ✅ GeoLite2 guide → QA report
---
## New Documentation Structure
```
docs/
├── maintenance/ # NEW directory
│ ├── README.md # NEW index
│ └── geolite2-checksum-update.md # NEW guide
├── issues/ # NEW directory
│ └── version_sync.md # NEW issue template
├── plans/
│ └── geolite2_checksum_fix_spec.md # RENAMED from current_spec.md
├── reports/
│ └── qa_geolite2_checksum_fix.md # RENAMED from qa_report.md
└── ... (existing directories)
```
---
## Documentation Quality Checklist
### Content Quality ✅
- [x] Clear, concise language
- [x] Step-by-step procedures
- [x] Command examples with expected output
- [x] Troubleshooting sections
- [x] Links to related resources
- [x] Historical context provided
### Accessibility ✅
- [x] Proper markdown formatting
- [x] Descriptive headings (H1-H6)
- [x] Code blocks with syntax highlighting
- [x] Bulleted and numbered lists
- [x] Tables for comparison data
### Maintainability ✅
- [x] Timestamps ("Last Updated" fields)
- [x] Clear file naming conventions
- [x] Logical directory structure
- [x] Index/README files for navigation
- [x] Archived files renamed descriptively
### Completeness ✅
- [x] Manual procedures documented
- [x] Automated workflows documented
- [x] Troubleshooting scenarios covered
- [x] Verification methods provided
- [x] Follow-up actions identified
---
## User Impact
### Developers
**Before:**
- Had to manually track GeoLite2 checksum changes
- No guidance when Docker build fails with checksum error
- Trial-and-error to find correct checksum
**After:**
- Automated weekly checks via GitHub Actions
- Comprehensive maintenance guide with 5-minute fix
- Verification script for quick validation
- Troubleshooting guide for common issues
### Contributors
**Before:**
- Unclear how to update dependencies like GeoLite2
- No documentation on Docker build maintenance
**After:**
- Clear maintenance guide in docs/maintenance/
- Direct link from README "Getting Help" section
- Step-by-step manual update procedure
- Understanding of automated workflow
### Maintainers
**Before:**
- Reactive responses to build failures
- Manual checksum updates
- No audit trail for changes
**After:**
- Proactive automated checks (weekly)
- Automatic PR creation for updates
- Complete documentation trail:
- CHANGELOG entry
- Implementation plan (archived)
- QA report (archived)
- Maintenance guide
---
## Next Steps
### Immediate Actions
- [x] Documentation updates complete
- [x] Files committed to version control
- [x] CHANGELOG updated
- [x] Maintenance guide created
- [x] Follow-up issue template drafted
### Future Actions (Optional)
1. **Create GitHub issue from template:**
```bash
# Create version sync issue
gh issue create \
--title "Sync .version file with latest Git tag" \
--body-file docs/issues/version_sync.md \
--label "housekeeping,versioning,good first issue"
```
2. **Test automated workflow:**
```bash
# Manually trigger workflow
gh workflow run update-geolite2.yml
```
3. **Monitor first automated PR:**
- Wait for Monday 2 AM UTC (next scheduled run)
- Review automatically created PR
- Verify PR format and content
- Document any workflow improvements needed
---
## Success Metrics
### Documentation Completeness
-**CHANGELOG updated** with fix details and links
-**Maintenance guide created** with manual procedures
-**README updated** with maintenance link
-**Follow-up issue documented** for version sync
-**All files archived** with descriptive names
### Findability
-**README links** to maintenance directory
-**CHANGELOG links** to all relevant docs
-**Maintenance index** provides navigation
-**Internal links** validated and working
### Usability
-**Quick fix** available (5 minutes)
-**Automation documented** (recommended approach)
-**Troubleshooting** covers common scenarios
-**Verification script** provided
---
## Lessons Learned
### What Went Well
1. **Comprehensive QA verification** caught version sync issue early
2. **Automated workflow** prevents future occurrences
3. **Documentation structure** supports future maintenance guides
4. **Historical context** preserved through archiving
### Improvements for Future Tasks
1. **Version sync automation** should be added to prevent discrepancies
2. **Pre-commit hook** could detect upstream GeoLite2 changes
3. **VS Code task** could run verification script
4. **CI check** could validate Dockerfile checksums against upstream
---
## Documentation Review
### Pre-Deployment Checklist
- [x] All markdown syntax valid
- [x] All internal links working
- [x] All code blocks properly formatted
- [x] All commands tested for syntax
- [x] All references accurate
- [x] No sensitive information exposed
- [x] Timestamps current
- [x] File naming consistent
### Post-Deployment Validation
- [ ] CHANGELOG entry visible on GitHub
- [ ] Maintenance guide renders correctly
- [ ] README maintenance link works
- [ ] Follow-up issue template usable
- [ ] Archived files accessible
---
## Conclusion
**Documentation Status:****COMPLETE**
All required documentation has been created, updated, and verified. The GeoLite2 checksum fix is now fully documented with:
1. **User-facing updates** (CHANGELOG, README)
2. **Operational guides** (maintenance documentation)
3. **Historical records** (archived plans and QA reports)
4. **Future improvements** (follow-up issue template)
The documentation provides:
- Immediate fixes for current issues
- Automated prevention for future occurrences
- Clear troubleshooting guidance
- Complete audit trail
**Ready for commit and deployment.**
---
**Completed by:** GitHub Copilot Documentation Agent
**Date:** February 2, 2026
**Task Duration:** ~30 minutes
**Files Modified:** 4 created, 2 updated, 2 renamed
**Total Documentation:** ~850 lines of new/updated content

16
docs/reports/qa_docker_only_build_fix_report.md
View File

@@ -1,7 +1,7 @@
# QA Security Validation Report: Docker-Only Build Fix
**Date:** 2026-01-30
**Agent:** QA_Security
**Date:** 2026-01-30
**Agent:** QA_Security
**Target Files:**
- `.goreleaser.yaml`
- `.github/workflows/nightly-build.yml`
@@ -30,7 +30,7 @@ The Docker-only build fix configuration has been validated. All critical checks
#### `.goreleaser.yaml`
**Method:** Python YAML parser validation
**Method:** Python YAML parser validation
**Status:****PASS**
```bash
@@ -50,7 +50,7 @@ python3 -c "import yaml; yaml.safe_load(open('.goreleaser.yaml'))"
#### `.github/workflows/nightly-build.yml`
**Method:** Python YAML parser validation
**Method:** Python YAML parser validation
**Status:****PASS**
**Result:** Valid YAML structure with no syntax errors.
@@ -335,7 +335,7 @@ verify-nightly-supply-chain
docker run --name charon-nightly -d \
-p 8080:8080 \
${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ needs.build-and-push-nightly.outputs.digest }}
sleep 10
docker ps | grep charon-nightly
curl -f http://localhost:8080/health || exit 1
@@ -460,7 +460,7 @@ grep -r "password\|secret\|token\|key" .goreleaser.yaml .github/workflows/nightl
---
**Report Generated:** 2026-01-30
**QA Agent:** QA_Security
**Validation Scope:** Docker-Only Build Fix
**Report Generated:** 2026-01-30
**QA Agent:** QA_Security
**Validation Scope:** Docker-Only Build Fix
**Status:** ✅ APPROVED

1261
docs/reports/qa_geolite2_checksum_fix.md Normal file
View File

File diff suppressed because it is too large Load Diff

1892
docs/reports/qa_report.md
View File

File diff suppressed because it is too large Load Diff