7 changed files with 7 additions and 9 deletions
--- a/2
+++ b/2
@ -12,6 +12,4 @@ FROM scratch
 COPY --from=builder /checker-dane /checker-dane
 USER 65534:65534
 EXPOSE 8080
-HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-  CMD ["/checker-dane", "-healthcheck"]
 ENTRYPOINT ["/checker-dane"]
--- a/checker/collect_test.go
+++ b/checker/collect_test.go
@ -216,7 +216,7 @@ func TestCollect_DeterministicOutput(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
-		// Compare only Targets: CollectedAt is a wall-clock timestamp.
+		// Compare only Targets — CollectedAt is a wall-clock timestamp.
 		b, _ := json.Marshal(out.(*DANEData).Targets)
 		if i > 0 && string(b) != string(prev) {
 			t.Errorf("non-deterministic targets:\n%s\nvs\n%s", prev, b)
--- a/checker/match_test.go
+++ b/checker/match_test.go
@ -295,7 +295,7 @@ func TestSummarizeMatches(t *testing.T) {
 func TestSummarizeMatches_BadFirstSlotDoesNotAbort(t *testing.T) {
 	t.Parallel()
 	// An undecodable Full record at slot 0 shouldn't prevent later valid
-	// records from matching: regression test for the per-slot continue.
+	// records from matching — regression test for the per-slot continue.
 	leaf := fakeCert([]byte("leaf"), []byte("spki"))
 	probe := &tls.TLSProbe{Chain: []tls.CertInfo{leaf}}
 	bad := TargetResult{Records: []TLSARecord{
--- a/checker/report.go
+++ b/checker/report.go
@ -194,7 +194,7 @@ func proposedTLSA(t TargetResult, p *tls.TLSProbe) string {
 		tmpl.Selector = r.Selector
 		tmpl.MatchingType = r.MatchingType
 		// Suggesting Full (matching type 0) inline as a zone fragment is
-		// not useful: collapse to SHA-256 of the same selector, which is
+		// not useful — collapse to SHA-256 of the same selector, which is
 		// what operators publish in practice.
 		if tmpl.MatchingType == MatchingFull {
 			tmpl.MatchingType = MatchingSHA256
--- a/checker/rules_records.go
+++ b/checker/rules_records.go
@ -66,7 +66,7 @@ func (r *hasRecordsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter
 // evaluating were fetched over a DNSSEC-validated path. Without DNSSEC,
 // DANE is a downgrade primitive: an on-path attacker can forge TLSA
 // answers and any "match" the rest of the rules report is meaningless.
-// The rule only emits when the collector recorded a validation status:
+// The rule only emits when the collector recorded a validation status —
 // in managed mode the records come from the user's authoritative zone
 // config and DNSSEC posture is checked by a different checker.
 type dnssecValidatedRule struct{}
--- a/go.mod
+++ b/go.mod
@ -3,7 +3,7 @@ module git.happydns.org/checker-dane
 go 1.25.0

 require (
-	git.happydns.org/checker-sdk-go v1.5.0
+	git.happydns.org/checker-sdk-go v1.4.0
 	git.happydns.org/checker-tls v0.6.1
 	github.com/miekg/dns v1.1.72
 )
--- a/go.sum
+++ b/go.sum
@ -1,5 +1,5 @@
-git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
-git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-sdk-go v1.4.0 h1:sO8EnF3suhNgYLRsbmCZWJOymH/oNMrOUqj3FEzJArs=
+git.happydns.org/checker-sdk-go v1.4.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
 git.happydns.org/checker-tls v0.6.1 h1:YJp9Q+1aJZ6wATyUZbRh67ZtERN6Mp4Sje8ld2dNFuo=
 git.happydns.org/checker-tls v0.6.1/go.mod h1:9tpnxg0iOwS+7If64DRG1jqYonUAgxOBuxwfF5mVkL4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=