feat: install-script SHA-256 verification + Spring Boot starter integration tests #166
Merged
…ration tests

Two post-release-housekeeping items folded into one PR.

install.sh / install.ps1: SHA-256 verification of release artifacts. After PR #164 added a checksums.txt asset to every GitHub Release, the install scripts were still downloading JARs without checking integrity. Now both scripts:

1. Try to fetch checksums.txt from the release. If the release pre-dates 1.3.0, the file is missing; that case is handled by a clear "skipping integrity check" warning so old versions keep installing.
2. After each JAR download (argus-agent.jar, argus-cli.jar), compute the local SHA-256 (via sha256sum / shasum / Get-FileHash) and compare against the entry for the corresponding original filename in checksums.txt. On mismatch the partial download is deleted and the installer aborts non-zero.

Spring Boot starter: real-context integration test alongside the existing pure unit tests (ArgusAutoConfigurationTest / ArgusPropertiesTest). The new ArgusAutoConfigurationIntegrationTest uses Spring Boot Test's ApplicationContextRunner to:

- Verify @ConfigurationProperties binding from synthetic property sources covering buffer-size, server.port, gc.enabled, profiling.interval-ms, contention.threshold-ms, and the nested metrics.* tree.
- Verify argus.enabled=false short-circuits the entire auto-configuration (no ArgusProperties / AgentConfig beans created).
- Verify the matchIfMissing=true default activates the auto-configuration when argus.enabled is unset.

To avoid the JFR / ArgusServer startup side effects, the binding test loads only @EnableConfigurationProperties(ArgusProperties.class) rather than the full ArgusAutoConfiguration.

This addresses the P2 follow-up identified in the v1.2.0 audit (#158).

Build verified: ./gradlew :argus-spring-boot-starter:test → BUILD SUCCESSFUL.

Signed-off-by: rlaope <piyrw9754@gmail.com>
Summary

Two post-release-housekeeping items folded into one PR.

install.sh / install.ps1: SHA-256 verification

PR #164 added a checksums.txt asset to every GitHub Release, but the install scripts were still downloading JARs without integrity checks. Now both scripts:

1. Try to fetch checksums.txt from the release. If the release pre-dates 1.3.0 the file is missing; that case is handled with a clear "skipping integrity check" warning so legacy versions keep installing.
2. After each JAR download, compute the local SHA-256 (via sha256sum / shasum / Get-FileHash) and compare against the entry for the corresponding original filename in checksums.txt. On mismatch the partial download is deleted and the installer aborts non-zero.

Spring Boot starter: real Spring-context integration tests

argus-spring-boot-starter previously only had pure-unit tests. New ArgusAutoConfigurationIntegrationTest uses Spring Boot Test's ApplicationContextRunner to assert:

- @ConfigurationProperties binding from synthetic property sources (buffer-size, server.port, gc.enabled, profiling.interval-ms, contention.threshold-ms, nested metrics.*).
- argus.enabled=false short-circuits the entire auto-configuration (no ArgusProperties / AgentConfig beans created).
- matchIfMissing=true default activates the auto-config when argus.enabled is unset.

To avoid JFR / ArgusServer startup side effects, the binding test loads only @EnableConfigurationProperties(ArgusProperties.class) rather than the full ArgusAutoConfiguration. This addresses the P2 follow-up identified in the v1.2.0 audit (#158).

Verification

- bash -n install.sh → syntax OK
- ./gradlew :argus-spring-boot-starter:test → BUILD SUCCESSFUL (3 new tests pass alongside existing 2)

Notes

The ApplicationContextRunner test approach was deliberately chosen over @SpringBootTest. The latter would require disabling the JFR streaming engine and the Argus server bean (which spawn threads on context refresh), and the existing @ConditionalOnProperty wiring at the bean level would need extending. ApplicationContextRunner gives the same Spring-binding coverage without that scope creep.
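
Added example, not part of the PR and not the project's install.sh: a POSIX shell sketch of the verification flow the description outlines (skip with a warning when checksums.txt is absent, delete the download and fail on mismatch). The function names, the return code 2 for "skipped", the placeholder filename argus-agent-X.Y.Z.jar and the choice to fail closed when checksums.txt has no entry for the file are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from install.sh.

# Print the lowercase hex SHA-256 of $1 with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    else
        return 127
    fi
}

# verify_artifact FILE ORIGINAL_NAME CHECKSUMS_FILE
#   0 = digest matches; 2 = no checksums file (check skipped, file kept);
#   1 = entry missing or digest mismatch (file deleted).
verify_artifact() {
    file=$1; name=$2; sums=$3
    if [ ! -s "$sums" ]; then
        echo "warning: checksums.txt not available; skipping integrity check" >&2
        return 2
    fi
    # Exact match on the filename column; a substring grep could pick the
    # wrong line. A leading "*" (binary-mode marker) is stripped.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
        if (f == n) { print tolower($1); exit } }' "$sums")
    actual=$(sha256_of "$file") || actual=""
    # Assumption of this example: a missing entry fails closed.
    if [ -z "$expected" ] || [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "error: SHA-256 check failed for $name" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# Constructed sample data: a stand-in "JAR" and a matching checksums.txt.
demo_dir=$(mktemp -d)
printf 'constructed jar bytes\n' > "$demo_dir/argus-agent.jar"
printf '%s  argus-agent-X.Y.Z.jar\n' "$(sha256_of "$demo_dir/argus-agent.jar")" \
    > "$demo_dir/checksums.txt"
verify_artifact "$demo_dir/argus-agent.jar" argus-agent-X.Y.Z.jar \
    "$demo_dir/checksums.txt" && echo "verified"
```

Because checksums.txt is fetched from the same release as the JARs, a check of this kind catches corrupted or truncated downloads; it does not by itself authenticate the publisher.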