Add CI/CD pipeline

Update rules section
2026-05-10 19:26:44 +08:00 · 2026-04-30 08:49:15 +07:00
3 changed files with 223 additions and 18 deletions
--- a/.drone-manifest.yml
+++ b/.drone-manifest.yml
@ -0,0 +1,22 @@
 image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
  - {{this}}
 {{/each}}
 {{/if}}
 manifests:
  - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
    platform:
      architecture: amd64
      os: linux
  - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
    platform:
      architecture: arm64
      os: linux
      variant: v8
  - image: happydomain/checker-resolver-propagation:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
    platform:
      architecture: arm
      os: linux
      variant: v7
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,187 @@
 ---
 kind: pipeline
 type: docker
 name: build-amd64
 platform:
  os: linux
  arch: amd64
 steps:
  - name: checker build
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
      CGO_ENABLED: 0
    when:
      event:
        exclude:
          - tag
  - name: checker build tag
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_SEMVER}"
      CGO_ENABLED: 0
    when:
      event:
        - tag
  - name: publish on Docker Hub
    image: plugins/docker
    settings:
      repo: happydomain/checker-resolver-propagation
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        exclude:
          - tag
  - name: publish on Docker Hub (tag)
    image: plugins/docker
    settings:
      repo: happydomain/checker-resolver-propagation
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_SEMVER}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        - tag
 trigger:
  branch:
    exclude:
      - renovate/*
  event:
    - cron
    - push
    - tag
 ---
 kind: pipeline
 type: docker
 name: build-arm64
 platform:
  os: linux
  arch: arm64
 steps:
  - name: checker build
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
      CGO_ENABLED: 0
    when:
      event:
        exclude:
          - tag
  - name: checker build tag
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_SEMVER}"
      CGO_ENABLED: 0
    when:
      event:
        - tag
  - name: publish on Docker Hub
    image: plugins/docker
    settings:
      repo: happydomain/checker-resolver-propagation
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        exclude:
          - tag
  - name: publish on Docker Hub (tag)
    image: plugins/docker
    settings:
      repo: happydomain/checker-resolver-propagation
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_SEMVER}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        - tag
 trigger:
  event:
    - cron
    - push
    - tag
 ---
 kind: pipeline
 name: docker-manifest
 platform:
  os: linux
  arch: arm64
 steps:
  - name: publish on Docker Hub
    image: plugins/manifest
    settings:
      auto_tag: true
      ignore_missing: true
      spec: .drone-manifest.yml
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
 trigger:
  branch:
    exclude:
      - renovate/*
  event:
    - cron
    - push
    - tag
 depends_on:
  - build-amd64
  - build-arm64
--- a/README.md
+++ b/README.md
@ -82,24 +82,20 @@ apex / NS configuration).
 ## Rules
-Each rule emits a finding code. Severity can be affected by the options above.
+| Code                                         | Description                                                                                                       | Severity            |
-
+|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
-| Code                          | Default severity | Condition |
+| `resolver_propagation.selection`             | Checks that the current option set selects at least one public resolver.                                          | CRITICAL            |
-|-------------------------------|------------------|-----------|
+| `resolver_propagation.reachable`             | Checks that at least one selected resolver answered a query.                                                      | CRITICAL            |
-| `rprop_no_resolvers`          | critical         | The current option set selects no resolver from the catalog. |
+| `resolver_propagation.latency`               | Flags resolvers that are unreachable or whose average response time exceeds the configured threshold.             | WARNING             |
-| `rprop_all_resolvers_down`    | critical         | Every selected resolver failed to answer (likely no DNS connectivity from the checker host). |
+| `resolver_propagation.filtered_hit`          | Reports filtered resolvers returning a different answer than the consensus (typical blocklist behaviour).         | INFO                |
-| `rprop_resolver_unreachable`  | warning          | An individual resolver failed to answer within the run budget. |
+| `resolver_propagation.consensus`             | Checks that public resolvers agree on a single answer for each probed RRset.                                      | WARNING             |
-| `rprop_resolver_high_latency` | info             | A resolver's average response time exceeds `latencyThresholdMs`. |
+| `resolver_propagation.matches_authoritative` | Checks that the public consensus matches the answer served by the zone's authoritative nameservers.               | CRITICAL            |
-| `rprop_resolver_filtered_hit` | info             | A filtered resolver returned a different answer than the consensus (typical blocklist behaviour). Only when `includeFiltered` is enabled. |
+| `resolver_propagation.nxdomain`              | Flags RRsets for which some resolvers return NXDOMAIN while others return NOERROR.                                | CRITICAL            |
-| `rprop_partial_propagation`   | warning          | Public resolvers disagree on the answer for a probed RRset. |
+| `resolver_propagation.servfail`              | Flags RRsets for which any resolver returns SERVFAIL (usually DNSSEC or reachability failure).                    | CRITICAL            |
-| `rprop_answer_drift`          | critical         | The public consensus differs from the answer served by the zone's authoritative nameservers. |
+| `resolver_propagation.regional_split`        | Flags regions in which every resolver agrees on an answer that differs from the global consensus.                 | WARNING             |
-| `rprop_unexpected_nxdomain`   | critical         | Some resolvers return NXDOMAIN while others return NOERROR for the same RRset. |
+| `resolver_propagation.serial_drift`          | Flags disagreement on the SOA serial across unfiltered resolvers.                                                 | WARNING             |
-| `rprop_unexpected_servfail`   | critical         | A resolver returns SERVFAIL (usually a DNSSEC or reachability failure). |
+| `resolver_propagation.stale_cache`           | Flags resolvers still serving an SOA serial below the one saved by happyDomain.                                   | INFO                |
-| `rprop_regional_split`        | warning          | Every resolver of a region agrees on an answer that differs from the global consensus. |
+| `resolver_propagation.dnssec`                | Checks that validating resolvers successfully validate the zone's DNSSEC chain.                                   | CRITICAL            |
 | `rprop_serial_drift`          | warning          | Unfiltered resolvers disagree on the SOA serial. |
 | `rprop_stale_cache`           | info             | A resolver still serves an SOA serial below the one last observed by happyDomain. |
 | `rprop_dnssec_failure`        | critical         | A validating resolver fails to validate the zone's DNSSEC chain (returns SERVFAIL with AD/CD semantics). |
 | `rprop_dnssec_not_validated`  | info             | A validating resolver answered without setting AD on a signed zone. |
 ## License
Author	SHA1	Message	Date
Pierre-Olivier Mercier	30cc586f34	Add CI/CD pipeline All checks were successful continuous-integration/drone/push Build is passing Details	2026-05-10 19:26:44 +08:00
Pierre-Olivier Mercier	46d4bb2b49	Update rules section	2026-04-30 08:49:15 +07:00