From 3e48b46e3d07ebb36008db5c7c15a0eedf81aaa1 Mon Sep 17 00:00:00 2001 From: clawbot Date: Mon, 2 Mar 2026 02:09:07 -0800 Subject: [PATCH 1/4] Makefile: add fmt-check, hooks targets; update check prereqs - Add fmt-check target for gofmt format verification without modifying files - Add hooks target to install pre-commit git hook - Update check target to include fmt-check (check: fmt-check lint test) - Remove redundant gofmt check from lint target (now in fmt-check) - Add .PHONY declarations for all phony targets - Update tools target to use go install --- Makefile | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index 104c122..e3c7982 100644 --- a/Makefile +++ b/Makefile @@ -11,22 +11,30 @@ default: clean debug commit: fmt lint git commit -a -# get golangci-lint with: -# go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.31.0 -# get gofumports with: -# go get mvdan.cc/gofumpt/gofumports +# get gofumpt with: +# go install mvdan.cc/gofumpt@latest fmt: gofumpt -l -w . golangci-lint run --fix +fmt-check: + @test -z "$$(gofmt -l .)" || { echo "gofmt found unformatted files:"; gofmt -l .; exit 1; } + lint: golangci-lint run - sh -c 'test -z "$$(gofmt -l .)"' test: go test ./... -check: lint test +check: fmt-check lint test + +build: ./$(FN)d + +hooks: + @mkdir -p .git/hooks + @printf '#!/bin/sh\nmake fmt-check lint\n' > .git/hooks/pre-commit + @chmod +x .git/hooks/pre-commit + @echo "Pre-commit hook installed." debug: ./$(FN)d DEBUG=1 GOTRACEBACK=all ./$(FN)d @@ -48,5 +56,6 @@ docker: go build -o ../../$(FN)d $(GOFLAGS) . tools: - go get -v github.com/golangci/golangci-lint/cmd/golangci-lint@v1.31.0 - go get -v mvdan.cc/gofumpt/gofumports + go install mvdan.cc/gofumpt@latest + +.PHONY: default commit fmt fmt-check lint test check build hooks debug debugger run clean docker tools -- 2.45.2 From e6d75ed57fdc3dc6af76d47d28d427d4c1e9515b Mon Sep 17 00:00:00 2001 
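Review bot: The new `hooks` target writes to a hard-coded `.git/hooks`, which silently clobbers any pre-commit hook a developer already has installed and is the wrong path in a git worktree or submodule, where `.git` is a file and `mkdir -p .git/hooks` fails with "Not a directory". Resolve the directory through git and refuse to overwrite, e.g. `hooks_dir=$$(git rev-parse --git-path hooks); test ! -e "$$hooks_dir/pre-commit" || { echo "pre-commit hook already exists"; exit 1; }` ahead of the `printf`, and write to `"$$hooks_dir/pre-commit"`. Note also that the generated hook runs `make fmt-check lint` against the working tree rather than the staged index, so a commit can pass with unformatted staged content or fail because of unrelated unstaged edits; that deserves a comment on the target such as `# NOTE: the hook checks the working tree, not the index`.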
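Review bot: `tools` now installs only `gofumpt@latest`, yet `lint` and `fmt` still invoke `golangci-lint`, so a fresh checkout running `make tools && make check` fails on the missing binary, and `@latest` makes the toolchain unreproducible and a supply-chain exposure (whatever the module proxy serves that day, with no pin to audit). Install both tools at fixed versions, e.g. `go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.8` to match the lint image pinned in the Dockerfile, and `go install mvdan.cc/gofumpt@<tag>` instead of `@latest`; if the project prefers the golangci-lint install script over `go install`, the version pin still applies. The `.PHONY` list references `debugger`, `run`, `clean` and `docker` targets whose definitions are outside this hunk.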
From: clawbot Date: Mon, 2 Mar 2026 02:09:14 -0800 Subject: [PATCH 2/4] Dockerfile: split into lint/build/runtime stages with pinned images - Lint stage: golangci/golangci-lint:v1.64.8 (sha256-pinned) Runs make fmt-check and make lint for fast feedback - Build stage: golang:1.24-bookworm (sha256-pinned, matches go.mod 1.24.0) COPY --from=lint forces BuildKit to run lint stage Runs make test, then make build - Runtime stage: debian:bookworm-slim (sha256-pinned) - All base images updated from ancient versions to current - Removed vendoring/source tarball (per CLAUDE.md: avoid vendoring) --- Dockerfile | 56 ++++++++++++++++++++++++------------------------------ 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/Dockerfile b/Dockerfile index e887df1..b871d4d 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,41 +1,35 @@
-## lint image
-FROM golangci/golangci-lint:v1.50.1
-
-RUN mkdir -p /build
-WORKDIR /build
-COPY ./ ./
-RUN golangci-lint run
-
-## build image:
-FROM golang:1.19.3-bullseye AS builder
-
-RUN apt update && apt install -y make bzip2
-
-RUN mkdir -p /build
-WORKDIR /build
-
-COPY go.mod .
-COPY go.sum .
+# Lint stage — fast feedback
+# golangci/golangci-lint:v1.64.8 (2025-03-17)
+FROM golangci/golangci-lint@sha256:2987913e27f4eca9c8a39129d2c7bc1e74fbcf77f181e01cea607be437aa5cb8 AS lint
+WORKDIR /src
+COPY go.mod go.sum ./
 RUN go mod download
+COPY . .
+RUN make fmt-check
+RUN make lint
-COPY ./ ./
-#RUN make lint
-RUN make httpd && mv ./httpd /httpd
-RUN go mod vendor
-RUN tar -c . | bzip2 > /src.tbz2
+# Build stage
+# golang:1.24-bookworm (Go 1.24)
+FROM golang@sha256:1a6d4452c65dea36aac2e2d606b01b4a029ec90cc1ae53890540ce6173ea77ac AS builder
+# Force BuildKit to run the lint stage
+COPY --from=lint /src/go.sum /dev/null
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN make test
+RUN make build && cp ./httpd /httpd
-## output image:
-FROM debian:bullseye-slim AS final
+# Runtime stage
+# debian:bookworm-slim (2025-03)
+FROM debian@sha256:74d56e3931e0d5a1dd51f8c8a2466d21de84a271cd3b5a733b803aa91abf4421 AS final
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /httpd /app/httpd
-COPY --from=builder /src.tbz2 /usr/local/src/src.tbz2
-
 WORKDIR /app
-ENV HOME /app
-
-ENV PORT 8080
-ENV DBURL none
+ENV HOME=/app
+ENV PORT=8080
+ENV DBURL=none
 EXPOSE 8080
-- 2.45.2
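Review bot: The runtime stage still runs as root — no `USER` follows the `COPY --from=builder /httpd /app/httpd` line and the `debian` base defaults to uid 0 — so any code-execution bug in `httpd` lands with full root inside the container; the old file had the same gap, but this commit rewrites the stage and is the place to close it. Create a dedicated user and drop to it before `EXPOSE`, e.g. `RUN useradd --system --uid 10001 --home /app --no-create-home app`, `COPY --from=builder --chown=app:app /httpd /app/httpd`, `USER app` (8080 is an unprivileged port, so no extra capability is needed; if `httpd` writes under `/app`, chown that directory too). Two smaller points: keep the tag beside the digest (`FROM debian:bookworm-slim@sha256:…`) so the pin is readable without relying on the comment above it, and `COPY --from=lint /src/go.sum /dev/null` presumably creates a file at that path in the builder snapshot rather than discarding the copy — harmless since `/dev` is mounted fresh at runtime, but a comment such as `# dummy copy; only its dependency on the lint stage matters` would spare the next reader a double-take. The hunk ends at `EXPOSE 8080` with no `ENTRYPOINT`/`CMD` visible, so the image's entrypoint appears to be set outside this file.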
diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml new file mode 100644 index 0000000..3761dcb --- /dev/null +++ b/.gitea/workflows/check.yml @@ -0,0 +1,14 @@ +name: check + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - run: docker build . -- 2.45.2 From 51035a2fe2d7007e78b2b6ec0458a93fed820731 Mon Sep 17 00:00:00 2001 From: clawbot Date: Mon, 2 Mar 2026 12:07:00 -0800 Subject: [PATCH 4/4] ci: pin checkout action by SHA, run on all branches - Pin actions/checkout to commit SHA (v4.2.2) to prevent tag mutation attacks - Remove branch filters so CI runs on push to all branches, not just main --- .gitea/workflows/check.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml index 3761dcb..eafafa8 100644 --- a/.gitea/workflows/check.yml +++ b/.gitea/workflows/check.yml @@ -2,13 +2,11 @@ name: check on: push: - branches: [main] pull_request: - branches: [main] jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: docker build . -- 2.45.2
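Review bot: With both branch filters removed, a push to any branch that also has an open pull request fires the workflow twice per push — once for `push` and once for `pull_request` — so each Docker build now runs in duplicate. If the goal is feedback on every branch, a `push`-only trigger already covers same-repo branches (keep `pull_request` only if fork PRs must build), or a `concurrency` group keyed on `github.ref` with `cancel-in-progress: true` can cancel the duplicate, provided the Gitea runner in use honours `concurrency`, which I cannot confirm from here. The job also declares no `permissions:` block, so the workflow token keeps its default scope; `permissions: contents: read` is a cheap reduction where the runner supports it, since checkout plus `docker build .` needs nothing more. The SHA pin with the trailing `# v4.2.2` comment is the right shape.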