github CodesWhat/drydock v1.4.3

4 hours ago

What's Changed

Fixed

  • DNS resolution failures on Alpine (EAI_AGAIN) — Node.js 24 defaults to verbatim DNS ordering, which on Alpine's musl libc can cause getaddrinfo EAI_AGAIN errors when IPv6 records are returned first on dual-stack networks. Drydock now defaults to IPv4-first DNS ordering at startup, configurable via DD_DNS_MODE (ipv4first | ipv6first | verbatim, default: ipv4first). (#161)

Security

  • Scope CI secrets to dedicated environments — Repository secrets referenced by CI and release workflows are now scoped to ci and release GitHub environments, preventing unauthorized workflow access.
  • Make zizmor findings blocking — The zizmor GitHub Actions security scanner is now a blocking step in both CI and local pre-push hooks (previously advisory-only).

Documentation

  • DNS configuration page — New DNS configuration docs covering DD_DNS_MODE values and IPv6-only setup.
  • DNS troubleshooting FAQ — Added FAQ entry for diagnosing EAI_AGAIN errors.

Full Changelog: v1.4.2...v1.4.3

Verification

All container images are signed with Sigstore cosign (keyless). Verify with:

cosign verify \
  --certificate-identity-regexp="https://github.com/CodesWhat/drydock" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/codeswhat/drydock:1.4.3

Release artifact signatures can be verified similarly:

cosign verify-blob \
  --bundle drydock-v1.4.3.tar.gz.bundle \
  --certificate-identity-regexp="https://github.com/CodesWhat/drydock" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  drydock-v1.4.3.tar.gz
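An added example, not part of the drydock release notes or project code: cosign evaluates `--certificate-identity-regexp` as a Go (RE2) regular expression and accepts a match anywhere in the certificate identity, so the pattern used in both commands above also accepts identities that merely contain that string. The script compares it offline with an anchored pattern, using `grep -E` as a stand-in for the matcher. The sample identities, the workflow file name `release.yml` and the two non-project repositories are constructed assumptions.

```shell
#!/bin/sh
# Added example (not drydock project code): compare the published identity
# pattern with an anchored one. grep -E approximates cosign's RE2 matching here.

LOOSE='https://github.com/CodesWhat/drydock'      # pattern as published above
STRICT='^https://github\.com/CodesWhat/drydock/'  # anchored, dots escaped, stops at the repo boundary

# Constructed identities in the GitHub Actions form
#   https://github.com/OWNER/REPO/.github/workflows/FILE@REF
# release.yml and the second and third repositories are hypothetical.
PROJECT_ID='https://github.com/CodesWhat/drydock/.github/workflows/release.yml@refs/tags/v1.4.3'
PREFIX_ID='https://github.com/CodesWhat/drydock-example/.github/workflows/release.yml@refs/tags/v1.4.3'
OTHER_ID='https://github.com/example-org/example/.github/workflows/release.yml@refs/tags/v1.4.3'

# identity_matches PATTERN IDENTITY: exit 0 when the pattern accepts the identity
identity_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# count_accepted PATTERN: print how many of the three sample identities are accepted
count_accepted() {
  ca_n=0
  for ca_id in "$PROJECT_ID" "$PREFIX_ID" "$OTHER_ID"; do
    if identity_matches "$1" "$ca_id"; then ca_n=$((ca_n + 1)); fi
  done
  printf '%s\n' "$ca_n"
}

# report NAME PATTERN: print one accept/reject line per sample identity
report() {
  for rp_id in "$PROJECT_ID" "$PREFIX_ID" "$OTHER_ID"; do
    if identity_matches "$2" "$rp_id"; then
      printf '%-6s accept %s\n' "$1" "$rp_id"
    else
      printf '%-6s reject %s\n' "$1" "$rp_id"
    fi
  done
}

report LOOSE "$LOOSE"
report STRICT "$STRICT"
```

The anchored pattern can be passed to `--certificate-identity-regexp` in place of the published one. When the exact signing workflow and ref are known, cosign's `--certificate-identity` flag with the full identity string is tighter still.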
