From b1e2fe296588d67077fb0f976c82c0f6a3e6bd35 Mon Sep 17 00:00:00 2001 From: Thomas Petersen Date: Sat, 27 Jun 2026 06:44:11 -0400 Subject: [PATCH] fix(relay): include hook tools in runtime image Co-authored-by: Thomas Petersen Signed-off-by: Thomas Petersen --- Dockerfile | 2 ++ crates/buzz-relay/src/api/git/hook.rs | 29 +++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/Dockerfile b/Dockerfile index 07c0c5bf8..df8f29214 100644 --- a/Dockerfile +++ b/Dockerfile @@ -77,7 +77,9 @@ LABEL org.opencontainers.image.title="Buzz" \ RUN apt-get update \ && apt-get install -y --no-install-recommends \ ca-certificates \ + curl \ git \ + openssl \ && rm -rf /var/lib/apt/lists/* \ && groupadd --system --gid 1000 buzz \ && useradd --system --uid 1000 --gid 1000 --home-dir /var/lib/buzz \ diff --git a/crates/buzz-relay/src/api/git/hook.rs b/crates/buzz-relay/src/api/git/hook.rs index 8b0136661..9c9087dd5 100644 --- a/crates/buzz-relay/src/api/git/hook.rs +++ b/crates/buzz-relay/src/api/git/hook.rs @@ -174,3 +174,32 @@ pub async fn install_hook(repo_path: &Path) -> anyhow::Result<()> { info!(repo = %repo_path.display(), "pre-receive hook installed"); Ok(()) } + +#[cfg(test)] +mod tests { + use super::PRE_RECEIVE_HOOK; + + #[test] + fn runtime_image_installs_pre_receive_hook_tools() { + let dockerfile = include_str!("../../../../../Dockerfile"); + let runtime_stage = dockerfile + .split("FROM debian:${DEBIAN_VERSION}-slim AS runtime") + .nth(1) + .expect("Dockerfile should have a runtime stage"); + let runtime_setup = runtime_stage + .split("COPY --from=builder") + .next() + .expect("runtime stage should copy built artifacts after package setup"); + + for tool in ["curl", "openssl"] { + assert!( + PRE_RECEIVE_HOOK.contains(tool), + "test setup expected the pre-receive hook to invoke {tool}" + ); + assert!( + runtime_setup.contains(&format!("\n {tool} \\")), + "relay runtime image must install {tool}; the git pre-receive hook uses it and fails closed without it" + ); + } + } +}