sneak/gohttpserver
1
0
Fork 0
Code Issues 5 Pull Requests 1 Actions Releases Wiki Activity

Split Dockerfile: pre-built golangci-lint stage for faster CI #26

Merged
sneak merged 4 commits from fix/issue-22-dockerfile-split into main 2026-03-02 21:11:18 +01:00
Conversation 2 Commits 4 Files Changed 3 +54 -39
clawbot commented 2026-03-02 11:09:38 +01:00
Collaborator
Copy Link

Closes #22

Changes

Makefile

  • Added fmt-check target: checks gofmt formatting without modifying files
  • Added hooks target: installs pre-commit git hook
  • Updated check target: now runs fmt-check lint test
  • Removed redundant gofmt check from lint target (now in fmt-check)
  • Added .PHONY declarations for all phony targets
  • Updated tools target to use go install

Dockerfile

  • Lint stage: Uses pre-built golangci/golangci-lint:v1.64.8 (sha256-pinned)
    • Runs make fmt-check and make lint for fast feedback
  • Build stage: Uses golang:1.24-bookworm (sha256-pinned, matches go.mod 1.24.0)
    • COPY --from=lint forces BuildKit to actually run the lint stage
    • Runs make test then make build
  • Runtime stage: Uses debian:bookworm-slim (sha256-pinned)
  • All base images updated from ancient/unpinned versions to current sha256-pinned images
  • Removed vendoring/source tarball per CLAUDE.md policy

CI

  • Added .gitea/workflows/check.yml: runs docker build . on push to main and PRs

Image Versions

Stage Image Digest
lint golangci/golangci-lint:v1.64.8 sha256:2987913e...5cb8
build golang:1.24-bookworm sha256:1a6d4452...77ac
runtime debian:bookworm-slim sha256:74d56e39...4421

Verification

docker build . passes locally — all stages (lint, test, build) execute correctly.

Closes [#22](https://git.eeqj.de/sneak/gohttpserver/issues/22) ## Changes ### Makefile - Added `fmt-check` target: checks gofmt formatting without modifying files - Added `hooks` target: installs pre-commit git hook - Updated `check` target: now runs `fmt-check lint test` - Removed redundant gofmt check from `lint` target (now in `fmt-check`) - Added `.PHONY` declarations for all phony targets - Updated `tools` target to use `go install` ### Dockerfile - **Lint stage**: Uses pre-built `golangci/golangci-lint:v1.64.8` (sha256-pinned) - Runs `make fmt-check` and `make lint` for fast feedback - **Build stage**: Uses `golang:1.24-bookworm` (sha256-pinned, matches go.mod 1.24.0) - `COPY --from=lint` forces BuildKit to actually run the lint stage - Runs `make test` then `make build` - **Runtime stage**: Uses `debian:bookworm-slim` (sha256-pinned) - All base images updated from ancient/unpinned versions to current sha256-pinned images - Removed vendoring/source tarball per CLAUDE.md policy ### CI - Added `.gitea/workflows/check.yml`: runs `docker build .` on push to main and PRs ## Image Versions | Stage | Image | Digest | |-------|-------|--------| | lint | golangci/golangci-lint:v1.64.8 | sha256:2987913e...5cb8 | | build | golang:1.24-bookworm | sha256:1a6d4452...77ac | | runtime | debian:bookworm-slim | sha256:74d56e39...4421 | ## Verification `docker build .` passes locally — all stages (lint, test, build) execute correctly. <!-- session: agent:sdlc-manager:subagent:bcf4d5ff-f487-4dcb-aa85-1c0e039bbb3b -->
clawbot added 3 commits 2026-03-02 11:09:38 +01:00 
- Add fmt-check target for gofmt format verification without modifying files
- Add hooks target to install pre-commit git hook
- Update check target to include fmt-check (check: fmt-check lint test)
- Remove redundant gofmt check from lint target (now in fmt-check)
- Add .PHONY declarations for all phony targets
- Update tools target to use go install
- Lint stage: golangci/golangci-lint:v1.64.8 (sha256-pinned)
  Runs make fmt-check and make lint for fast feedback
- Build stage: golang:1.24-bookworm (sha256-pinned, matches go.mod 1.24.0)
  COPY --from=lint forces BuildKit to run lint stage
  Runs make test, then make build
- Runtime stage: debian:bookworm-slim (sha256-pinned)
- All base images updated from ancient versions to current
- Removed vendoring/source tarball (per CLAUDE.md: avoid vendoring)
Runs docker build . on push to main and pull requests.
clawbot added the
bot
needs-review
 labels 2026-03-02 11:09:51 +01:00
clawbot reviewed 2026-03-02 11:21:21 +01:00
clawbot left a comment
Author
Collaborator
Copy Link

Review: PASS

All requirements from issue #22 verified:

Check Status
All images sha256-pinned with version+date comments
COPY --from=lint BuildKit dependency exists
.golangci.yml not modified
No test weakening
Go version matches go.mod (1.24)
fmt-check Makefile target added
hooks Makefile target added
CI workflow (.gitea/workflows/check.yml) added
check target updated to fmt-check lint test
docker build . passes

Details

Dockerfile — Clean three-stage split:

  • Lint stage: Uses pre-built golangci/golangci-lint:v1.64.8 (sha256-pinned, dated 2025-03-17). Runs fmt-check and lint for fast feedback.
  • Build stage: Uses golang:1.24-bookworm (sha256-pinned). COPY --from=lint /src/go.sum /dev/null correctly forces BuildKit to execute the lint stage. Runs test then build.
  • Runtime stage: Uses debian:bookworm-slim (sha256-pinned). Minimal — just the binary, CA certs, and proper ENV syntax.

Makefilefmt-check correctly uses gofmt -l without modification. lint no longer duplicates the gofmt check. hooks installs a pre-commit hook. .PHONY declarations added. tools modernized to go install.

CI — Simple docker build . on push to main and PRs. Correct.

Good cleanup: removed vendoring/source tarball, updated ENV syntax, removed stale go get commands.

docker build . verified locally — all stages pass (lint, test, build).

## Review: PASS ✅ All requirements from [issue #22](https://git.eeqj.de/sneak/gohttpserver/issues/22) verified: | Check | Status | |-------|--------| | All images sha256-pinned with version+date comments | ✅ | | `COPY --from=lint` BuildKit dependency exists | ✅ | | `.golangci.yml` not modified | ✅ | | No test weakening | ✅ | | Go version matches go.mod (1.24) | ✅ | | `fmt-check` Makefile target added | ✅ | | `hooks` Makefile target added | ✅ | | CI workflow (`.gitea/workflows/check.yml`) added | ✅ | | `check` target updated to `fmt-check lint test` | ✅ | | `docker build .` passes | ✅ | ### Details **Dockerfile** — Clean three-stage split: - **Lint stage**: Uses pre-built `golangci/golangci-lint:v1.64.8` (sha256-pinned, dated 2025-03-17). Runs `fmt-check` and `lint` for fast feedback. - **Build stage**: Uses `golang:1.24-bookworm` (sha256-pinned). `COPY --from=lint /src/go.sum /dev/null` correctly forces BuildKit to execute the lint stage. Runs `test` then `build`. - **Runtime stage**: Uses `debian:bookworm-slim` (sha256-pinned). Minimal — just the binary, CA certs, and proper ENV syntax. **Makefile** — `fmt-check` correctly uses `gofmt -l` without modification. `lint` no longer duplicates the gofmt check. `hooks` installs a pre-commit hook. `.PHONY` declarations added. `tools` modernized to `go install`. **CI** — Simple `docker build .` on push to main and PRs. Correct. Good cleanup: removed vendoring/source tarball, updated ENV syntax, removed stale `go get` commands. `docker build .` verified locally — all stages pass (lint, test, build). <!-- session: agent:sdlc-manager:subagent:222a4d77-c817-4737-997d-fc30b84d7644 -->
clawbot added
merge-ready
 and removed
needs-review
bot
 labels 2026-03-02 11:21:45 +01:00
sneak was assigned by clawbot 2026-03-02 11:22:00 +01:00
sneak commented 2026-03-02 21:06:09 +01:00
Owner
Copy Link

@clawbot REWORK. checks should run on all branches, not just main, and the actions/checkout image is not pinned by hash like is required.

@clawbot REWORK. checks should run on all branches, not just main, and the `actions/checkout` image is not pinned by hash like is required.
sneak added
bot
 and removed
merge-ready
 labels 2026-03-02 21:06:16 +01:00
clawbot added 1 commit 2026-03-02 21:08:03 +01:00 
- Pin actions/checkout to commit SHA (v4.2.2) to prevent tag mutation attacks
- Remove branch filters so CI runs on push to all branches, not just main
clawbot commented 2026-03-02 21:08:29 +01:00
Author
Collaborator
Copy Link

Rework complete — CI workflow fixes applied:

  1. Pinned actions/checkout by commit SHA (11bd71901bbe5b1630ceea73d27597364c9af683, v4.2.2) — tags are mutable and an RCE vector
  2. Removed branch filters on push/pull_request triggers — CI now runs on all branches, not just main

docker build . passes locally

Only .gitea/workflows/check.yml was modified.

**Rework complete** — CI workflow fixes applied: 1. **Pinned `actions/checkout` by commit SHA** (`11bd71901bbe5b1630ceea73d27597364c9af683`, v4.2.2) — tags are mutable and an RCE vector 2. **Removed branch filters** on push/pull_request triggers — CI now runs on all branches, not just `main` `docker build .` passes locally ✅ Only `.gitea/workflows/check.yml` was modified. <!-- session: agent:sdlc-manager:subagent:2ba892e8-d97a-466d-aded-749d9e676ffc -->
clawbot added the
needs-review
 label 2026-03-02 21:08:41 +01:00
sneak merged commit 4482529f6a into main 2026-03-02 21:11:18 +01:00
sneak deleted branch fix/issue-22-dockerfile-split 2026-03-02 21:11:18 +01:00
clawbot removed the
needs-review
 label 2026-03-02 21:11:35 +01:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bot

   
merge-ready

   
needs-review
No Label
bot
merge-ready
needs-review
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
sneak
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/gohttpserver#26
No description provided.
Delete Branch "fix/issue-22-dockerfile-split"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?