fix: resolve host.docker.internal DNS failure on Linux CI and suppress GitGuardian false positives

mridang · claude · mridang · commit 5c7014a82c05 · 2026-04-12T15:14:48.000+07:00
Add --add-host=host.docker.internal:host-gateway to the runtime
container via withExtraHost() so that host.docker.internal resolves
on GitHub Actions Ubuntu runners (Docker Desktop injects this
automatically on macOS/Windows but not on Linux).

Add .gitguardian.yaml to ignore the self-signed test TLS certificates
in src/spec/resources/generated/*/certs/ — these are intentionally
committed mock-server certs with no real-world trust or access.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.gitguardian.yaml b/.gitguardian.yaml
@@ -0,0 +1,6 @@
+version: 2
+# Test TLS certificates committed intentionally for integration test use.
+# These are self-signed certs generated for WireMock/Prism mock servers and
+# carry no real-world trust or access. They are not production secrets.
+ignore-paths:
+  - src/spec/resources/generated/*/certs/
diff --git a/src/spec/java/io/github/mridang/codegen/spec/AbstractIntegrationSpec.java b/src/spec/java/io/github/mridang/codegen/spec/AbstractIntegrationSpec.java
@@ -66,6 +66,7 @@ protected ExecResult executeInRuntimeContainer(String[] commands) {
             .withFileSystemBind(
                 tempOutputDir.toAbsolutePath().toString(), "/app", BindMode.READ_WRITE)
             .withFileSystemBind("/var/run/docker.sock", "/var/run/docker.sock", BindMode.READ_WRITE)
+            .withExtraHost("host.docker.internal", "host-gateway")
             .withEnv("TESTCONTAINERS_HOST_OVERRIDE", "host.docker.internal")
             .withEnv("TC_HOST", "host.docker.internal")
             .withEnv("DOCKER_HOST", "unix:///var/run/docker.sock")
