mirror of
https://github.com/tiennm99/miti99bot.git
synced 2026-06-08 12:13:59 +00:00
9a3108a1c4
Phase 1+2 of the 2026-05-09 review remediation plan:
- Go-version alignment (Dockerfile/go.mod) + 4 nil-deref guards + CI
docker-build step (Phase 1, c89aa1c carried over).
- Env allowlist: secretEnvKeys denylist replaced; modules opt-in via
RequiredEnv. Future API keys do not auto-leak.
- Visibility enforcement: dispatcher gates Private/Protected commands
via BOT_OWNER_ID / ADMIN_USER_IDS; non-permitted callers are silently
denied.
- Panic recovery in webhook handler; logs runtime/debug.Stack and
returns 200 to prevent Telegram retry storm.
- Cron timeout reduced 5m -> 60s.
- MaxBytesError handled separately from generic decode errors so 413
from MaxBytesReader is not shadowed by a 400.
- Emoji clue HTML-escaped defensively in loldle-emoji renderer.
- Tests added for dispatcher Auth.Permits + webhook panic recovery.
18 lines
337 B
Docker
FROM golang:1.25-alpine AS builder
WORKDIR /src

COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build \
    -ldflags="-s -w" \
    -o /out/server \
    ./cmd/server

FROM gcr.io/distroless/static:nonroot
COPY --from=builder /out/server /server
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/server"]
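
The commit message above describes two webhook behaviours: a 413 from MaxBytesReader that must not be shadowed by a generic 400, and panic recovery that logs the stack and still answers 200. The Go code below is an added example of both, not code from the miti99bot repository; the names webhook, post and maxBody, the 1 KiB cap and the sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
	"strings"
)

const maxBody = 1 << 10 // assumed 1 KiB cap for this example, not the project's value

// webhook is a hypothetical handler: size-capped JSON decode plus panic recovery.
func webhook(process func(map[string]any)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("panic in webhook: %v\n%s", rec, debug.Stack())
				w.WriteHeader(http.StatusOK) // 200 so the sender does not retry
			}
		}()
		var update map[string]any
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		if err := json.NewDecoder(r.Body).Decode(&update); err != nil {
			var tooBig *http.MaxBytesError
			code := http.StatusBadRequest // generic decode failure
			if errors.As(err, &tooBig) {
				code = http.StatusRequestEntityTooLarge // keep 413 from becoming 400
			}
			http.Error(w, http.StatusText(code), code)
			return
		}
		process(update) // implicit 200 when this returns normally
	}
}

// post sends a constructed body through the handler and returns the status code.
func post(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body)))
	return rec.Code
}

func main() {
	h := webhook(func(u map[string]any) { _ = u["text"].(string) }) // panics when "text" is missing
	log.Println(post(h, `{"text":"hi"}`), post(h, `{bad`), post(h, `"`+strings.Repeat("x", maxBody)+`"`), post(h, `{}`))
}
```

The errors.As check has to run before the fallback status is written; a handler that treats every decode error the same way reports an oversized body as malformed JSON.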