{"id":50814184,"url":"https://github.com/sholdee/drydock","last_synced_at":"2026-06-13T08:01:30.468Z","repository":{"id":360501019,"uuid":"1250438436","full_name":"sholdee/drydock","owner":"sholdee","description":"Fast Argo CD GitOps render, diff, test, and diagnostics without a cluster or Argo CD server.","archived":false,"fork":false,"pushed_at":"2026-06-10T18:34:19.000Z","size":2456,"stargazers_count":9,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-10T20:08:27.656Z","etag":null,"topics":["argocd","cicd","gitops","golang","helm","kubernetes","kustomize"],"latest_commit_sha":null,"homepage":"https://sholdee.github.io/drydock/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sholdee.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-26T16:21:55.000Z","updated_at":"2026-06-10T18:20:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sholdee/drydock","commit_stats":null,"previous_names":["sholdee/drydock"],"tags_count":21,"template":false,"template_full_name":null,"purl":"pkg:github/sholdee/drydock","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholdee%2Fdrydock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholdee%2Fdrydock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholdee%2Fdrydock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholdee%2Fdrydock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sholdee","download_url":"https://codeload.github.com/sholdee/drydock/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholdee%2Fdrydock/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34276504,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argocd","cicd","gitops","golang","helm","kubernetes","kustomize"],"created_at":"2026-06-13T08:01:24.333Z","updated_at":"2026-06-13T08:01:29.468Z","avatar_url":"https://github.com/sholdee.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/logo/drydock-display.svg\" alt=\"drydock\" width=\"480\"\u003e\n\u003c/p\u003e\n\n# drydock\n\nInspect your Argo CD fleet without getting wet\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/sholdee/drydock)](https://goreportcard.com/report/github.com/sholdee/drydock)\n[![CI](https://github.com/sholdee/drydock/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/sholdee/drydock/actions/workflows/ci.yml)\n[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)\n[![Go Version](https://img.shields.io/github/go-mod/go-version/sholdee/drydock)](go.mod)\n\n`drydock` is a fast, single static Go binary and embeddable library for\nruntime-offline Argo CD desired-state analysis. It discovers, renders, tests,\ndiffs, and diagnoses GitOps Applications without requiring a live Argo CD\ninstance or Kubernetes cluster.\n\nIt is built for operators who want quick, deterministic feedback before a\nchange reaches the cluster. Pull request diffing is a key workflow, but\nthe same native engine also supports render validation, image inventory,\nrepository diagnostics, cache inspection, and Go API embedding.\n\nDefault commands use native Go renderers and do not shell out to `kubectl`,\n`argocd`, Helm CLI, Kustomize CLI, or repo-server wrappers. Runtime-offline\ndoes not mean network-disconnected: declared Git, HTTP Helm, OCI Helm, and\nremote Kustomize sources may still be fetched into explicit drydock caches\nunless `--offline` is set.\n\n**Full documentation:** [sholdee.github.io/drydock](https://sholdee.github.io/drydock/).\n\n## Pull Request Review\n\nThe PR action posts a markdown summary and links a standalone Full Rendered\nDiff View so Argo CD/GitOps reviewers can inspect rendered Kubernetes resources\nbefore merge.\n\n[Open an example Full Rendered Diff View](https://sholdee.github.io/drydock/examples/full-rendered-diff-view.html)\n\n## Install\n\nInstall the latest Linux/macOS release with Homebrew:\n\n```bash\nbrew install sholdee/tap/drydock\n```\n\nHomebrew installs shell completions automatically.\n\nFor GitOps repository and CI pinning, use `mise` with the GitHub backend:\n\n```toml\n[tools]\n\"github:sholdee/drydock[exe=drydock]\" = \"vX.Y.Z\"\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eInstall Script\u003c/summary\u003e\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/sholdee/drydock/main/scripts/install-drydock.sh -o install-drydock.sh\nbash install-drydock.sh --yes\n```\n\nThe script verifies release checksums, verifies Sigstore bundles when\navailable, installs the `drydock` binary, and attempts shell completion\ninstallation. Pin a release with `--version vX.Y.Z`.\n\nPipe form:\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/sholdee/drydock/main/scripts/install-drydock.sh | bash -s -- --yes\n```\n\nPinned pipe form:\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/sholdee/drydock/main/scripts/install-drydock.sh | bash -s -- --version vX.Y.Z --yes\n```\n\nUse `--no-completions` when completions should be installed manually.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eGitHub Actions\u003c/summary\u003e\n\nWorkflows that install a released binary can use the setup action:\n\n```yaml\n- uses: sholdee/drydock/setup-action@main\n  with:\n    version: vX.Y.Z\n```\n\nFor pull request validation, the PR action wraps render tests, manifest diffs,\nimage diff reports, source caches, artifacts, and sticky PR comments:\n\n```yaml\nname: drydock\n\non:\n  pull_request:\n    branches: [main]\n\npermissions:\n  contents: read\n  pull-requests: write\n\njobs:\n  drydock:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: sholdee/drydock/pr-action@main\n        with:\n          version: vX.Y.Z\n```\n\nThe setup action accepts `latest`, `vX.Y.Z`, or bare `X.Y.Z` and verifies the\nselected archive with the release checksum manifest by default.\n\nSee the [GitHub Actions reference](https://sholdee.github.io/drydock/workflows/github-actions/)\nfor full action inputs, GitHub App token support, cache behavior, comments,\nartifacts, and outputs.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eDownload A Binary\u003c/summary\u003e\n\nDownload Linux and macOS `amd64` or `arm64` archives from the\n[latest release](https://github.com/sholdee/drydock/releases/latest). Verify\nthe archive with `checksums.txt` before installing the `drydock` binary.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eDocker / GHCR\u003c/summary\u003e\n\nRelease containers are published to GHCR for Linux `amd64` and `arm64`:\n\n```bash\ndocker run --rm -v \"$PWD:/workspace:ro\" ghcr.io/sholdee/drydock:latest test apps --path /workspace\n```\n\nFor repeatable automation, pin `ghcr.io/sholdee/drydock:vX.Y.Z`.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eGo Install\u003c/summary\u003e\n\nBuild from source with Go:\n\n```bash\ngo install github.com/sholdee/drydock/cmd/drydock@latest\n```\n\n\u003c/details\u003e\n\nManual binary installs can generate shell completions with:\n\n```bash\ndrydock completion zsh\ndrydock completion bash\ndrydock completion fish\n```\n\n## Quick Start\n\nRun drydock from the root of an Argo CD GitOps repository.\n\nList discovered Applications:\n\n```bash\ndrydock get apps --path .\n```\n\nTest every discovered Application without printing rendered manifests:\n\n```bash\ndrydock test apps --path .\n```\n\nExample text output:\n\n```text\nPASS renovate\nPASS cert-manager\nFAIL argocd/broken Application argocd/broken source[0] path=\"...\" ...\n```\n\nCompare a pull request checkout against a baseline tree:\n\n```bash\ngit worktree add ../baseline main\ndrydock diff apps --path . --path-orig ../baseline\n```\n\nDiff commands use changed-only selection by default. Use\n`--changed-only=false` when you want to render and compare every discovered\nApplication. Use repeatable `--changed-only-include` and\n`--changed-only-ignore` globs when CI should ignore known non-GitOps paths\nbefore changed-only ownership is evaluated.\n\nYou can also compare against committed Git refs without creating a baseline\nworktree:\n\n```bash\ndrydock diff apps --path . --ref-orig main\ndrydock diff apps --repo . --ref feature --ref-orig main\n```\n\nInspect image changes in a machine-readable form:\n\n```bash\ndrydock diff images --path . --path-orig ../baseline -o json\n```\n\nFor CI jobs that have already populated drydock's source caches, require a\ncache-only run:\n\n```bash\ndrydock test apps --path . --offline\ndrydock diff apps --path . --path-orig ../baseline --offline\n```\n\n## Common Workflows\n\n| Goal | Command |\n| --- | --- |\n| List Applications | `drydock get apps --path .` |\n| List rendered image references | `drydock get images --path . -o name` |\n| Render all Applications | `drydock build apps --path .` |\n| Render one Application | `drydock build app renovate --path .` |\n| Test renderability | `drydock test apps --path .` |\n| Diff rendered manifests | `drydock diff apps --path . --path-orig ../baseline` |\n| Diff one Application | `drydock diff app renovate --path . --path-orig ../baseline` |\n| Diff rendered image references | `drydock diff images --path . --path-orig ../baseline -o json` |\n| Inspect repository diagnostics | `drydock diag --path .` |\n| Inspect redacted settings | `drydock diag --path . --settings -o json` |\n| Inspect cache roots | `drydock cache path` |\n| List cache entries | `drydock cache list -o json` |\n\n`drydock \u003ccommand\u003e --help` lists command-specific flags. See\nthe [docs reference](https://sholdee.github.io/drydock/reference/) for the\noperator guide index.\n\n## What It Supports\n\ndrydock covers the common Argo CD GitOps repository shapes operators need to\ninspect locally and in CI:\n\n- **Application discovery:** committed Applications, supported ApplicationSets,\n  rendered app-of-apps/bootstrap children, explicit Kustomize discovery\n  entrypoints, AppProjects, and settings objects.\n- **Rendering:** directory, Kustomize, Helm, Jsonnet, single-source and\n  multi-source Applications, Kustomize Helm charts, remote Helm charts, and\n  remote Kustomize sources.\n- **Source acquisition:** declared Git, HTTP Helm, OCI Helm, and remote\n  Kustomize inputs through explicit drydock caches, plus `--repo-map` for\n  adjacent local checkouts.\n- **Diffs and images:** desired-vs-desired manifest and image diffs,\n  changed-only selection, default noisy-field filtering, and structured or\n  markdown output.\n- **Plugins:** native safe Kustomize compatibility, `avp-compat` placeholder\n  redaction, native policy overrides, static `plugin-policy init` and\n  `plugin-policy doctor` onboarding, trusted exec/container policy with\n  `--enable-plugins`, and policy bootstrap entrypoints.\n- **Diagnostics:** render status, custom health Lua validation, redacted\n  settings/repository/AppProject checks, source acquisition diagnostics, and\n  cache lifecycle commands.\n\nSee the [compatibility overview](https://sholdee.github.io/drydock/compatibility/)\nfor the support matrix and links to detailed reference docs.\n\n## Offline Runtime Model\n\ndrydock performs desired-vs-desired analysis. It renders Kubernetes manifests\nfrom repository inputs, explicit mappings, and drydock caches. Diff commands\ncompare a current snapshot to a baseline snapshot.\n\nDefault commands do not ask a live Kubernetes cluster or Argo CD server what is\ncurrently running. They also do not reproduce runtime behavior such as API\ndefaulting, admission mutation, server-side diff, live health aggregation,\nmanaged-fields ownership, or full RBAC authorization.\n\nThis boundary is intentional: normal workflows stay fast, deterministic, and\nsafe for local use and CI. Source acquisition may still fetch declared Git,\nHelm, OCI, or remote Kustomize inputs unless `--offline` is set.\n\nSee [Runtime Offline](https://sholdee.github.io/drydock/concepts/runtime-offline/)\nand [Argo CD Render Parity](https://sholdee.github.io/drydock/concepts/argocd-render-parity/)\nfor the design model and validation strategy.\n\n## How It Works\n\n```mermaid\nflowchart TD\n  current[Current tree]\n  baseline[Baseline tree]\n\n  current --\u003e discover\n  baseline --\u003e discover\n\n  discover[Discover static and rendered Argo CD fleet objects]\n  discover --\u003e plan[Plan sources, resolve repo maps, use caches]\n  plan --\u003e render[Render desired manifests with Go libraries]\n  render --\u003e normalize[Apply Argo-aware filters and diff normalization]\n  normalize --\u003e outputs[Test statuses, manifest diffs, image diffs, diagnostics]\n```\n\nThe render path imports Argo CD API types and selected reusable helpers, but\ndrydock owns offline orchestration. See\n[How It Works](https://sholdee.github.io/drydock/concepts/how-it-works/) and\n[Argo CD Render Parity](https://sholdee.github.io/drydock/concepts/argocd-render-parity/)\nfor the architecture and validation model.\n\n## Go API\n\nEmbedding callers can use `github.com/sholdee/drydock/pkg/drydock` to list,\nrender, and diff Applications without shelling out:\n\n```go\nresult, err := drydock.Render(ctx, drydock.Config{Path: \".\"})\n```\n\n`drydock.NewClient` accepts public Git, chart, and remote-resource acquirer\ninterfaces, plus a public config management plugin renderer hook. Embedders can\nuse those interfaces for tests, offline fixtures, and custom source handling.\nWhen one selected Application fails, the result still includes successful\nmanifests, diagnostics, and per-Application statuses from the partial build.\n\n## Community\n\ndrydock is inspired by [Flate](https://github.com/home-operations/flate), a\nFlux resource inflator, and the home-operations community.\n\nJoin the home-operations Discord at \u003chttps://discord.gg/home-operations\u003e.\n\n## Documentation\n\n- [Documentation site](https://sholdee.github.io/drydock/): curated operator\n  docs and full reference pages.\n- [Getting started](https://sholdee.github.io/drydock/getting-started/):\n  first local discovery, render test, and comparison commands.\n- [GitHub Actions](https://sholdee.github.io/drydock/workflows/github-actions/):\n  setup action, PR action, comments, artifacts, and caches.\n- [Local diffs](https://sholdee.github.io/drydock/workflows/local-diffs/):\n  terminal manifest and image diff workflows.\n- [Compatibility](https://sholdee.github.io/drydock/compatibility/): supported\n  Argo CD behavior and intentional runtime boundaries.\n- [Runtime Offline](https://sholdee.github.io/drydock/concepts/runtime-offline/):\n  what drydock does without live Argo CD or Kubernetes.\n- [Argo CD Render Parity](https://sholdee.github.io/drydock/concepts/argocd-render-parity/):\n  how covered render semantics are validated against real Argo CD.\n- [Plugin policy](https://sholdee.github.io/drydock/plugin-policy/):\n  onboarding commands, trusted policy engines, schema, CMP compatibility,\n  bootstrap discovery, and command security.\n- [Source acquisition](https://sholdee.github.io/drydock/concepts/source-acquisition/):\n  Git, Helm, remote Kustomize, cache, and auth behavior.\n- [Reference](https://sholdee.github.io/drydock/reference/): operator guide\n  index.\n\n## License\n\nApache-2.0. See [`LICENSE`](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsholdee%2Fdrydock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsholdee%2Fdrydock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsholdee%2Fdrydock/lists"}