- Pin actions/checkout to commit SHA (v4.2.2) to prevent tag mutation attacks
- Remove branch filters so CI runs on push to all branches, not just main
- Lint stage: golangci/golangci-lint:v1.64.8 (sha256-pinned)
  Runs make fmt-check and make lint for fast feedback
- Build stage: golang:1.24-bookworm (sha256-pinned, matches go.mod 1.24.0)
  COPY --from=lint forces BuildKit to run lint stage
  Runs make test, then make build
- Runtime stage: debian:bookworm-slim (sha256-pinned)
- All base images updated from ancient versions to current
- Removed vendoring/source tarball (per CLAUDE.md: avoid vendoring)
- Add fmt-check target for gofmt format verification without modifying files
- Add hooks target to install pre-commit git hook
- Update check target to include fmt-check (check: fmt-check lint test)
- Remove redundant gofmt check from lint target (now in fmt-check)
- Add .PHONY declarations for all phony targets
- Update tools target to use go install
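Added example, not part of the commit above: a small POSIX shell audit that checks the two pinning rules the commit applies (actions pinned to a full commit SHA, base images pinned by sha256 digest). The workflow, Dockerfile and hex values below are constructed placeholders, not the project's files.

```shell
#!/bin/sh
# Added example (not from the original commit): audit a GitHub Actions workflow
# and a multi-stage Dockerfile for references not pinned to an immutable id.
# Sample inputs are constructed below; the hex values are placeholders.
set -eu
# Every `uses:` must end in a 40-hex commit SHA ("# vX.Y.Z" comment allowed);
# local (./) and docker:// actions have no commit SHA to pin, so skip them.
check_actions_pinned() {
  file=$1; bad=0
  refs=$(sed -nE 's/^[[:space:]-]*uses:[[:space:]]*"?([^" #]+).*/\1/p' "$file")
  for ref in $refs; do
    case "$ref" in ./*|docker://*) continue ;; esac
    printf '%s' "$ref" | grep -Eq '@[0-9a-f]{40}$' && continue
    echo "unpinned action: $ref"; bad=1
  done
  return $bad
}
# Every FROM must carry @sha256:<64 hex>; `scratch` and earlier stage names
# (FROM build AS test) are not registry images and are skipped.
check_images_pinned() {
  file=$1; bad=0
  stages=$(sed -nE 's/^FROM .*[[:space:]][Aa][Ss][[:space:]]+([^[:space:]]+).*/\1/p' "$file")
  imgs=$(sed -nE 's/^FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?([^[:space:]]+).*/\2/p' "$file")
  for img in $imgs; do
    [ "$img" = scratch ] && continue
    for s in $stages; do [ "$img" = "$s" ] && continue 2; done
    printf '%s' "$img" | grep -Eq '@sha256:[0-9a-f]{64}$' && continue
    echo "unpinned image: $img"; bad=1
  done
  return $bad
}
# Constructed samples: one pinned and one tag-only reference in each file.
WORK=$(mktemp -d)
SHA=0123456789abcdef0123456789abcdef01234567                          # placeholder
DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # placeholder
cat >"$WORK/ci.yml" <<EOF
      - uses: actions/checkout@$SHA # v4.2.2
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local
EOF
cat >"$WORK/Dockerfile" <<EOF
FROM golangci/golangci-lint:v1.64.8@sha256:$DIGEST AS lint
FROM golang:1.24-bookworm AS build
COPY --from=lint /usr/bin/golangci-lint /usr/local/bin/
FROM build AS test
FROM debian:bookworm-slim@sha256:$DIGEST
EOF
status=0
check_actions_pinned "$WORK/ci.yml" || status=1
check_images_pinned "$WORK/Dockerfile" || status=1
echo "audit would exit with status $status"
```

Point both functions at a real .github/workflows/*.yml and Dockerfile and wire the exit status into the check target to fail CI on any tag-only reference.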