Deps Update and Logging Enhancements

.github/dependabot.yml

@@ -6,12 +6,25 @@ updates:
       interval: daily
     open-pull-requests-limit: 10
     target-branch: staging
-    reviewers:
+    assignees:
       - biodrone
+    labels:
+      - dependencies
+    commit-message:
+      prefix: chore 🤖
+      prefix-development: chore 🤖
+      include: scope
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+    target-branch: staging
     assignees:
       - biodrone
     labels:
       - dependencies
+      - github-actions
     commit-message:
       prefix: chore 🤖
       prefix-development: chore 🤖

.github/workflows/deploy_master.yml

@@ -104,14 +104,14 @@ jobs:
           image: dangeroustech/streamdl:${{ matrix.component }}_stable
           args: >-
             --severity-threshold=critical
-            --file=Dockerfile.${{ matrix.component }}
             --exclude-base-image-vulns
             --policy-path=.snyk
-            --prune-repeated-subdependencies
-            --package-manager=dockerfile
+            --app-vulns
+            --sarif
 
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v3
         continue-on-error: true
         with:
           sarif_file: snyk.sarif
+          category: ${{ matrix.component }}-master

.github/workflows/deploy_staging.yml

@@ -44,26 +44,28 @@ jobs:
           load: true
           tags: streamdl:${{ matrix.component }}_local
 
-      - name: Docker Scan
-        id: docker_scan
+      - name: Snyk Scan
+        id: snyk_scan
         uses: snyk/actions/docker@master
         continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: streamdl:${{ matrix.component }}_local
           args: >-
-            --severity-threshold=medium
-            --file=Dockerfile.${{ matrix.component }}
+            --severity-threshold=critical
             --exclude-base-image-vulns
             --policy-path=.snyk
+            --app-vulns
+            --sarif
 
       - name: Upload result to GitHub Code Scanning
         id: snyk_results_upload
         uses: github/codeql-action/upload-sarif@v3
         continue-on-error: true
         with:
           sarif_file: snyk.sarif
+          category: ${{ matrix.component }}-staging-${{ github.event_name }}
 
       - name: Dockerhub Push Staging
         id: dockerhub_staging_push

.github/workflows/update-actions.yml

@@ -0,0 +1,41 @@
+name: Validate GitHub Actions
+
+on:
+  schedule:
+    # Run weekly on Mondays at 9 AM UTC (Dependabot handles PRs daily, this validates)
+    - cron: 0 9 * * 1
+  workflow_dispatch: # Allow manual triggering
+  pull_request:
+    paths:
+      - .github/workflows/**
+
+permissions:
+  contents: read
+
+jobs:
+  validate-actions:
+    name: Validate Action Versions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check for pinned action versions
+        run: |
+          echo "Checking for actions using @master or @main tags..."
+          # Exclude snyk/actions/docker as it only has @master available
+          if grep -rh "uses:" .github/workflows/*.yml | grep -E "@master|@main" | grep -v "snyk/actions/docker"; then
+            echo "⚠️ Warning: Found actions using @master or @main tags"
+            echo "Consider pinning to specific versions for better security and reproducibility"
+            exit 1
+          else
+            echo "✅ All actions are using versioned tags (or approved exceptions)"
+          fi
+
+      - name: List all action versions
+        run: |
+          echo "## GitHub Actions in use:" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          grep -h "uses:" .github/workflows/*.yml | sort -u >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+

.gitignore

@@ -24,3 +24,4 @@ Dockerfile
 *.exe
 streamdl
 test/
+.dccache

.trunk/trunk.yaml

@@ -2,45 +2,46 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.11
+  version: 1.25.0
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
     - id: trunk
-      ref: v1.6.7
+      ref: v1.7.2
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
   enabled:
     - go@1.21.0
-    - node@18.20.5
+    - node@22.16.0
     - python@3.10.8
     - rust@1.82.0
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
   enabled:
+    - golangci-lint2@2.4.0
     - snyk@1.1295.0
     - actionlint@1.7.7
-    - bandit@1.8.3
+    - bandit@1.8.6
     - black@25.1.0
-    - checkov@3.2.386
+    - checkov@3.2.464
     - git-diff-check
     - gofmt@1.20.4
-    - golangci-lint@1.64.7
+    - golangci-lint@1.64.8
     - hadolint@2.12.1-beta
     - isort@6.0.1
-    - markdownlint@0.44.0
+    - markdownlint@0.45.0
     - nixpkgs-fmt@1.3.0
-    - osv-scanner@2.0.0
-    - prettier@3.5.3
-    - ruff@0.11.0
-    - shellcheck@0.10.0
+    - osv-scanner@2.2.1
+    - prettier@3.6.2
+    - ruff@0.12.10
+    - shellcheck@0.11.0
     - shfmt@3.6.0
-    - taplo@0.9.3
+    - taplo@0.10.0
     - terrascan@1.19.1
-    - trivy@0.60.0
-    - trufflehog@3.88.17
-    - yamllint@1.36.2
+    - trivy@0.65.0
+    - trufflehog@3.90.5
+    - yamllint@1.37.1
 actions:
   disabled:
     - trunk-announce

Dockerfile.client

@@ -1,17 +1,17 @@
-FROM mwader/static-ffmpeg:7.1.1 AS ffmpeg
+FROM mwader/static-ffmpeg:8.0 AS ffmpeg
 
 # Go Binary Builder
-FROM golang:1.24.1-alpine AS go-build
+FROM golang:1.25.3-alpine AS go-build
 WORKDIR /app
 COPY . .
 RUN go get -v && \
     go build -o streamdl
 
 # Golang Protobuf Client and Logic
-FROM golang:1.24.1-alpine AS client
+FROM golang:1.25.3-alpine AS client
 
-# Install su-exec for running as non-root
-RUN apk add --no-cache su-exec
+# Install su-exec and curl for running as non-root and health checks
+RUN apk add --no-cache su-exec==0.2-r3 curl=8.14.1-r2
 
 WORKDIR /app
 
@@ -25,5 +25,9 @@ COPY streamdl_client_entrypoint.sh /app/streamdl_client_entrypoint.sh
 # Make entrypoint scripts executable
 RUN chmod +x /app/entrypoint_client.sh /app/streamdl_client_entrypoint.sh
 
-# HEALTHCHECK --interval=60s --timeout=15s --start-period=5s --retries=3 CMD curl --fail http://streamdl-client:8080/health || exit 1
+# Add health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD curl --fail --max-time 5 --silent --output /dev/null http://localhost:8080/health || exit 1
+
+# Entrypoint script handles user creation and switching
 ENTRYPOINT ["/bin/sh", "/app/entrypoint_client.sh"]

Dockerfile.server

@@ -8,8 +8,8 @@ RUN which uv
 # Python Protobuf Server
 FROM python:3.13-slim-bookworm AS server
 
-# Install gosu for running as non-root
-RUN apt-get update && apt-get install -y gosu && rm -rf /var/lib/apt/lists/*
+# Install gosu and curl for running as non-root and health checks
+RUN apt-get update && apt-get install -y --no-install-recommends gosu=1.14-1+b10 curl=7.88.1-10+deb12u14 && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
@@ -25,5 +25,9 @@ COPY streamdl_server_entrypoint.sh /app/streamdl_server_entrypoint.sh
 RUN pip install --no-cache-dir uv==0.4.28 && uv sync && \
     chmod +x /app/entrypoint_server.sh /app/streamdl_server_entrypoint.sh
 
-# HEALTHCHECK --interval=60s --timeout=15s --start-period=5s --retries=3 CMD curl --fail http://streamdl-server:8080/health || exit 1
+# Add health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD curl --fail --max-time 5 http://localhost:8080/health || exit 1
+
+# Entrypoint script handles user creation and switching
 ENTRYPOINT ["/bin/sh", "/app/entrypoint_server.sh"]

README.md

@@ -43,7 +43,16 @@ Edit the Environment variables in `docker-compose.yml.example` to modify script
 
 Otherwise, just rename it to `docker-compose.yml` and run `docker compose up -d`.
 
-#### Directory Permissions
+#### Security Best Practices
+
+StreamDL containers follow Docker security best practices by running as a non-root user:
+
+- **Default User**: Containers create a `streamdl` user (UID 1000, GID 1000) at build time
+- **Runtime User Switching**: Supports dynamic UID/GID switching via `PUID`/`PGID` environment variables
+- **User Tools**: Uses `su-exec` (client) and `gosu` (server) for secure user switching
+- **Directory Permissions**: Working directories are created with proper ownership at build time
+
+##### Directory Permissions
 
 When using Docker, be aware of the following:
 
@@ -120,6 +129,45 @@ Some of these are also available as flags to the `streamdl` command, this is a #
 | `PUID`               | User ID that will own the files/directories created by the container (Docker only)                                | `1000`   |
 | `PGID`               | Group ID that will own the files/directories created by the container (Docker only)                               | `1000`   |
 
+### User ID and Group ID Configuration
+
+The `PUID` and `PGID` environment variables allow you to control what user and group ID the container runs as:
+
+- **Default Behavior**: If not specified, containers run as UID 1000, GID 1000
+- **Runtime Switching**: These values are applied at container startup, allowing you to match your host user's UID/GID
+- **Permission Matching**: Set these to match your host user's UID/GID to avoid permission issues with mounted volumes
+
+Example `.env` configuration:
+
+```bash
+PUID=1001
+PGID=1001
+```
+
+To find your current user's UID/GID on Linux/macOS:
+
+```bash
+id -u  # Shows your user ID
+id -g  # Shows your group ID
+```
+
+### FFmpeg Resilience Settings
+
+The following environment variables control FFmpeg's reconnection behavior for more resilient stream downloading:
+
+|| Variable | Description | Default |
+|| -------------------- | ----------------------------------------------------------------------------------------------------------------- | -------- |
+|| `FFMPEG_MAX_RETRIES` | Maximum number of FFmpeg retry attempts for transient failures | `5` |
+|| `FFMPEG_RETRY_BASE_DELAY_SECONDS` | Base delay in seconds between FFmpeg retry attempts | `5` |
+|| `FFMPEG_RECONNECT_DELAY_MAX` | Maximum delay in seconds for FFmpeg to wait before reconnecting | `30` |
+|| `FFMPEG_RW_TIMEOUT_US` | FFmpeg read/write timeout in microseconds (30,000,000 = 30 seconds) | `30000000` |
+|| `FFMPEG_RECONNECT_ON_NETWORK_ERROR` | Enable FFmpeg reconnection on network errors (1=enabled, 0=disabled) | `1` |
+|| `FFMPEG_RECONNECT_ON_HTTP_ERROR` | Enable FFmpeg reconnection on HTTP errors (1=enabled, 0=disabled) | `1` |
+|| `FFMPEG_HTTP_SEEKABLE` | Enable HTTP seeking for better resilience (1=enabled, 0=disabled) | `1` |
+|| `FFMPEG_HTTP_PERSISTENT` | Keep HTTP connections alive (1=enabled, 0=disabled) | `1` |
+
+These settings help prevent creating multiple small files when streams have temporary interruptions.
+
 ### Understanding UMASK
 
 UMASK (User Mask) is a system setting that controls the default permissions for newly created files and directories.

config_reader.go

@@ -4,12 +4,15 @@ import (
 	"os"
 
 	log "github.com/sirupsen/logrus"
+	yaml "gopkg.in/yaml.v3"
 )
 
+// fatalf allows tests to override fatal behavior. In production, it maps to log.Fatalf.
+var fatalf = log.Fatalf
+
 func check(e error) {
 	if e != nil {
-		log.Fatalf("%v", e)
-		panic(e)
+		fatalf("%v", e)
 	}
 }
 
@@ -18,3 +21,12 @@ func readConfig(loc string) []byte {
 	check(err)
 	return dat
 }
+
+// parseConfig unmarshals YAML bytes into []Config.
+func parseConfig(data []byte) ([]Config, error) {
+	var cfg []Config
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, err
+	}
+	return cfg, nil
+}

config_reader_test.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestReadConfig_ValidFile(t *testing.T) {
+	dir := t.TempDir()
+	cfg := filepath.Join(dir, "config.yml")
+	want := []byte("- site: test.example\n  channels: []\n")
+	if err := os.WriteFile(cfg, want, 0644); err != nil {
+		t.Fatalf("write cfg: %v", err)
+	}
+
+	got := readConfig(cfg)
+	if string(got) != string(want) {
+		t.Fatalf("config mismatch: got %q want %q", string(got), string(want))
+	}
+}
+
+func TestReadConfig_MissingFile_Fatal(t *testing.T) {
+	// Stub fatalf to avoid os.Exit; instead record message
+	var called bool
+	oldFatal := fatalf
+	fatalf = func(format string, args ...interface{}) {
+		called = true
+		// Do not exit in tests
+	}
+	t.Cleanup(func() { fatalf = oldFatal })
+
+	_ = readConfig("/path/does/not/exist.yml")
+	if !called {
+		t.Fatalf("expected fatalf to be called for missing file")
+	}
+}
+
+func TestParseConfig_MalformedYAML(t *testing.T) {
+	dir := t.TempDir()
+	cfg := filepath.Join(dir, "bad.yml")
+	// channels should be a sequence, not a scalar
+	bad := []byte("- site: test.example\n  channels: true\n")
+	if err := os.WriteFile(cfg, bad, 0644); err != nil {
+		t.Fatalf("write bad cfg: %v", err)
+	}
+
+	// Stub fatalf to no-op so readConfig won't exit on read
+	oldFatal := fatalf
+	fatalf = func(format string, args ...interface{}) {}
+	t.Cleanup(func() { fatalf = oldFatal })
+
+	if _, err := parseConfig(readConfig(cfg)); err == nil {
+		t.Fatalf("expected YAML unmarshal error for malformed config")
+	}
+}