Test nginx docker ports #1926

Closed
alxndrsn wants to merge 21 commits into getodk:master from alxndrsn:test-nginx-docker-ports
@alxndrsn
Contributor

Closes #

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

alxndrsn and others added 21 commits April 18, 2026 08:08
Previously called `disallow-all`; rename to `backend-strict` to better reflect its usage rather than current implementation details.
Switch from Content-Security-Policy-Report-Only to Content-Security-Policy.
Switch from Content-Security-Policy-Report-Only to Content-Security-Policy.
It looks like the checkout code from the `test-images` job was copy/pasted elsewhere.

Simplifying this config should speed up git checkout in affected jobs.
Fixes: expected docker context is increased due to WF merge
The `DB_SSL` env var was made illegal in getodk#1647.

The check was then moved from runtime to build time in getodk#1671.

Checking at build-time allows for faster failure and clearer feedback to sysadmins who are upgrading, and previously depended on this env var.  However, the downside is that if container images are pre-built centrally, this check will be skipped.

With this commit, the check will move to container startup.  However, it will now be skipped if the container is started with a non-standard CMD/command/COMMAND.
Switch all headers from `Content-Security-Policy-Report-Only` to `Content-Security-Policy`.
Restrict TCP ports to the local machine.  This will prevent exposing these dev services on the local network or wider.
@alxndrsn alxndrsn closed this May 31, 2026
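
The localhost-only port restriction described in the last commit message above, as an added example that is not code from this pull request: a checker that reports any published port not pinned to a loopback address. It assumes the ports are declared with Docker Compose `ports:` entries; the service names and port values in the sample are constructed.

```python
import ipaddress
from typing import Optional

def host_ip(mapping) -> Optional[str]:
    """Host IP of one Compose `ports:` entry, or None when no IP is given."""
    if isinstance(mapping, dict):                 # long syntax: host_ip / published / target
        return mapping.get("host_ip")
    spec = str(mapping).strip().split("/", 1)[0]  # drop a "/tcp" or "/udp" suffix
    if spec.startswith("["):                      # bracketed IPv6, e.g. [::1]:6000:6000
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    # IP:HOST_PORT:CONTAINER_PORT has three fields; fewer means no IP was given
    return parts[0] if len(parts) == 3 else None

def is_loopback_only(mapping) -> bool:
    """True only when the entry names a loopback host address."""
    ip = host_ip(mapping)
    if not ip:
        return False  # no host IP: by default Docker publishes on all interfaces
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # unparseable host part: treat as exposed

def audit(services: dict) -> list:
    """Return (service, mapping) pairs that are not restricted to the local machine."""
    return [(name, m)
            for name, svc in services.items()
            for m in svc.get("ports", [])
            if not is_loopback_only(m)]

# Constructed sample: the `services:` section of a dev compose file, already parsed
# into a dict (for example with a YAML loader). Names and ports are illustrative.
SAMPLE = {
    "db":      {"ports": ["5432:5432"]},
    "mail":    {"ports": ["127.0.0.1:8025:8025", "0.0.0.0:1025:1025/tcp"]},
    "metrics": {"ports": [9090, "[::1]:9100:9100"]},
    "cache":   {"ports": [{"host_ip": "127.0.0.1", "published": 6379, "target": 6379}]},
}

if __name__ == "__main__":
    for service, mapping in audit(SAMPLE):
        print(f"{service}: {mapping!r} is reachable from other hosts")
```
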
3 participants