feat(ver-check): add timeout flag to prevent hanging on unresponsive binaries #289
Open
rawlingsj wants to merge 1 commit into chainguard-dev:main from
…binaries

When checking binaries that don't support version flags (like livenessprobe), ver-check would hang indefinitely waiting for the command to complete.

This adds a --timeout flag (default: 5 seconds) that limits how long each version command can run.

The implementation:
- Uses the `timeout` command when available (Linux)
- Falls back to a shell-based timeout using background processes (macOS)
- Returns exit code 124 on timeout (matching `timeout` convention)
- During auto-detection, skips to the next flag on timeout
- With explicit flags, fails with a clear timeout error message

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
smoser (Contributor) reviewed Jan 30, 2026 and left a comment:
Do you want to change the pipeline also (in pipelines/) to let the caller set -timeout?
| shift | ||
| if command -v timeout >/dev/null 2>&1; then | ||
| timeout "$secs" "$@" 2>&1 | ||
| return $? |
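Review bot: `timeout "$secs" "$@" 2>&1` only delivers SIGTERM at the deadline, so a binary that ignores or blocks TERM still hangs ver-check, which is the case this change exists to prevent. Consider `timeout -k 2 "$secs" "$@" 2>&1` so that a SIGKILL follows the TERM. With GNU timeout the exit status is then 137 rather than 124 when the KILL was needed, so the caller's timeout check has to accept both values.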
Contributor
It's fine to check to see if this is available, but is there any reason not to add a dependency on coreutils to the package?
| version_flag="auto" | ||
| match_type="contains" | ||
| VERBOSE=false | ||
| timeout_secs=5 |
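Review bot: `timeout_secs=5` only sets the default; unless it is validated elsewhere, the value supplied through `--timeout` should be checked to be a positive integer before it reaches `timeout`. With GNU timeout a duration of 0 disables the limit, which brings back the indefinite hang, and a non-numeric value makes `timeout` itself fail with exit status 125, which auto-detection could mistake for a version flag that simply did not work.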
Contributor
I think you might as well bump this up to 10 or 30. The only thing you want it to catch is "command will never return", not "command is just slow or system is heavily loaded, but it would have returned correctly in 15 seconds".
| timeout "$secs" "$@" 2>&1 | ||
| return $? | ||
| fi | ||
| # Fallback for systems without timeout command (e.g., macOS) |
Contributor
Are you actually running this on non-linux somewhere?
Summary
- `--timeout=SECONDS` flag (default: 5s) to prevent ver-check from hanging indefinitely when binaries don't respond to version flags
- `timeout` command on Linux, shell-based fallback on macOS)
- `--version-flag`, a timeout results in a clear failure message

Fixes
Discovered in this presubmit https://github.com/chainguard-dev/stereo/pull/14158
There is no version command, the process is started and therefore hangs.
Test plan
- `--help` shows new `--timeout` option
- git) - passes as expected

🤖 Generated with Claude Code
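
The shell-based fallback and the skip-on-timeout auto-detection that the commit message describes, as an added example that is not code from this pull request. The function names, the list of flags tried and the one-second grace period before SIGKILL are assumptions.

```shell
#!/bin/sh
# Added illustration, not the PR's code; function names and the flag list are assumptions.

# Enforce a deadline with background processes only (the path without timeout(1)).
fallback_timeout() {
    ft_secs=$1; shift
    ft_flag=$(mktemp) || return 125      # the watchdog records here that it fired
    "$@" 2>&1 &                          # in a script, background jobs read /dev/null
    ft_cmd=$!
    (   # Watchdog; its output goes to /dev/null so a leftover sleep never
        # keeps the caller's stdout pipe open.
        sleep "$ft_secs"
        echo fired > "$ft_flag"
        kill -TERM "$ft_cmd" || exit 0   # command already gone
        sleep 1                          # grace period for binaries ignoring TERM
        kill -KILL "$ft_cmd"
    ) >/dev/null 2>&1 &
    ft_dog=$!
    ft_rc=0
    wait "$ft_cmd" 2>/dev/null || ft_rc=$?
    kill "$ft_dog" 2>/dev/null || true   # cancel the watchdog if it is still pending
    wait "$ft_dog" 2>/dev/null || true
    if [ -s "$ft_flag" ]; then ft_rc=124; fi   # deadline hit: same code as timeout(1)
    rm -f "$ft_flag"
    return "$ft_rc"
}

# Auto-detection: a flag that times out is skipped, the first flag that exits 0 wins.
detect_version() {
    dv_bin=$1; dv_secs=$2
    for dv_flag in --version -v version; do
        dv_rc=0
        dv_out=$(fallback_timeout "$dv_secs" "$dv_bin" "$dv_flag") || dv_rc=$?
        [ "$dv_rc" -eq 124 ] && continue           # hung on this flag, try the next
        if [ "$dv_rc" -eq 0 ]; then printf '%s\n' "$dv_out"; return 0; fi
    done
    return 1
}
```

Only the direct child is signalled, so a binary that forks helpers can leave them running and holding the output pipe after the deadline.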