Stop-ship gates. All must pass before release.
- Digest binding: signed digest == pulled manifest digest (verify + recv --verify)
- Verify-before-materialize: temp file, fsync, atomic rename; no final output on failure
- Tag discovery primary; referrers only for bundle/receipt
- Clock skew +/-5 min for --since
- Tag grammar: [A-Za-z0-9_.-], max 128, start with [A-Za-z0-9_]
- Empty config descriptor canonical
- Chunk format: tar with chunk_.bin
- Bundle attached with tag AND referrers
- Resume via HEAD (skip upload if blob exists)
- Dedup by message id (unordered tag listing)
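The digest-binding and verify-before-materialize gates above, sketched in Go as an added example (not dockercomms' own code). The function name `materializeVerified`, the `sha256:<hex>` digest form and the temp-file name pattern are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// materializeVerified (hypothetical name) streams src into a temp file beside dst and
// renames it into place only if its SHA-256 equals wantDigest; on failure dst is untouched.
func materializeVerified(dst string, src io.Reader, wantDigest string) (err error) {
	tmp, err := os.CreateTemp(filepath.Dir(dst), ".recv-*.tmp")
	if err != nil {
		return err
	}
	defer func() {
		if err != nil { // any failure: drop the temp file, never leave final output
			_ = tmp.Close()
			_ = os.Remove(tmp.Name())
		}
	}()
	h := sha256.New()
	if _, err = io.Copy(io.MultiWriter(tmp, h), src); err != nil {
		return err
	}
	if got := "sha256:" + hex.EncodeToString(h.Sum(nil)); got != wantDigest {
		return fmt.Errorf("digest mismatch: got %s, want %s", got, wantDigest)
	}
	if err = tmp.Sync(); err != nil { // fsync before the rename makes the file visible
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), dst) // atomic on POSIX within one filesystem
}

func main() { // constructed sample: one matching payload, one tampered payload
	dir, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(dir)
	sum := sha256.Sum256([]byte("hello"))
	want := "sha256:" + hex.EncodeToString(sum[:])
	fmt.Println(materializeVerified(filepath.Join(dir, "ok.bin"), strings.NewReader("hello"), want))
	fmt.Println(materializeVerified(filepath.Join(dir, "bad.bin"), strings.NewReader("tampered"), want))
}
```
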
golangci-lint run ./...
Must be clean with errcheck enabled.
go test ./...
go test -race ./...
make coverage-gate
Enforces per-package thresholds: pkg/crypto >= 66%, pkg/transfer >= 36%, pkg/oci >= 54%.
Document at least one end-to-end run:
- send a file to a registry
- recv the file
- verify the digest
# GHCR round-trip (requires DOCKERCOMMS_IT_GHCR_REPO, DOCKERCOMMS_IT_RECIPIENT)
DOCKERCOMMS_IT_GHCR_REPO=ghcr.io/user/repo DOCKERCOMMS_IT_RECIPIENT=alice@example.com go test -tags=integration ./test/integration/...
# Docker Hub tag listing (requires DOCKERCOMMS_IT_DH_REPO)
DOCKERCOMMS_IT_DH_REPO=docker.io/user/repo go test -tags=integration ./test/integration/...
1GB file round-trip: manual only; create a 1GB file and run send/recv/verify. Document in release notes.
make build
./dockercomms version
./dockercomms send --help