sneak/pixa
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sneak:fff7789dfb4453608c746b6c4c8b0050b24b40e1
Branches Tags
sneak:main sneak:fix/20-split-dockerfile sneak:ci/make-check sneak:chore/remove-stale-files sneak:fix/issue-1 sneak:fix/issue-3 sneak:fix/issue-4
...
compare: sneak:fix/20-split-dockerfile
Branches Tags
sneak:main sneak:fix/20-split-dockerfile sneak:ci/make-check sneak:chore/remove-stale-files sneak:fix/issue-1 sneak:fix/issue-3 sneak:fix/issue-4

5 Commits
fff7789dfb ... fix/20-spl

Author SHA1 Message Date
clawbot
de38b03508 feat: split Dockerfile into dedicated lint and build stages
All checks were successful
check / check (push) Successful in 5s
Details 
- Add dedicated lint stage using pre-built golangci-lint v2.10.1 image
- Move fmt-check and lint from build stage to lint stage for faster feedback
- Remove manual golangci-lint binary download (now handled by lint image)
- Remove curl from build stage dependencies (no longer needed)
- Add COPY --from=lint dependency to force BuildKit to run lint stage
- Build stage now runs only tests and compilation

closes #20
 2026-03-02 00:05:52 -08:00
Jeffrey Paul
811c210b09 Merge pull request 'fix: Docker build failures on arm64 (closes #15)' (#16) from fix/docker-multiarch-lint into main
All checks were successful
check / check (push) Successful in 6s
Details 
Reviewed-on: #16
 2026-02-25 20:51:44 +01:00
clawbot
5ca64a37ce fix: detect architecture for golangci-lint download in Docker build
All checks were successful
check / check (push) Successful in 1m34s
Details 
The golangci-lint binary was hardcoded as linux-amd64, causing Docker builds
to fail on arm64 hosts. The amd64 ELF binary cannot execute on aarch64,
producing a misleading shell syntax error during make check.

Use uname -m to detect the container architecture at build time and download
the matching binary. Both amd64 and arm64 SHA-256 hashes are pinned.

Closes #15
 2026-02-25 06:12:47 -08:00
Jeffrey Paul
118bca1151 Merge pull request 'bring repo into compliance with repo policies' (#14) from chore/repo-compliance into main
All checks were successful
check / check (push) Successful in 4s
Details 
Reviewed-on: #14
 2026-02-25 14:52:56 +01:00
clawbot
85729d9181 fix: update Dockerfile to Go 1.25.4 and resolve gosec lint findings
All checks were successful
check / check (push) Successful in 1m41s
Details 
- Update Dockerfile base image from golang:1.24-alpine to golang:1.25.4-alpine
  (pinned by sha256 digest) to match go.mod requirement of go >= 1.25.4
- Fix gosec G703 (path traversal) false positives by adding filepath.Clean()
  at call sites with nolint annotations for internally-constructed paths
- Fix gosec G704 (SSRF) false positive with nolint annotation; URL is already
  validated by validateURL() which checks scheme, resolves DNS, and blocks
  private IPs
- All make check passes clean (lint + tests)
 2026-02-25 05:44:49 -08:00
4 changed files with 52 additions and 23 deletions
Expand all files Collapse all files

43
Dockerfile
View File

@@ -1,23 +1,38 @@
# Build stage # Lint stage — fast feedback on formatting and lint issues
# golang:1.24-alpine, 2026-02-25 # golangci/golangci-lint:v2.10.1, 2026-03-01
FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
# Install CGO dependencies needed for static analysis of vips/libheif code
RUN apt-get update && apt-get install -y --no-install-recommends \
libvips-dev \
libheif-dev \
pkg-config \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN make fmt-check
RUN make lint
# Build stage — tests and compilation
# golang:1.25.4-alpine, 2026-02-25
FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
ARG VERSION=dev ARG VERSION=dev
# Force BuildKit to run the lint stage by creating a stage dependency
COPY --from=lint /src/go.sum /dev/null
# Install build dependencies for CGO image libraries # Install build dependencies for CGO image libraries
RUN apk add --no-cache \ RUN apk add --no-cache \
build-base \ build-base \
vips-dev \ vips-dev \
libheif-dev \ libheif-dev \
pkgconfig \ pkgconfig
curl
# golangci-lint v2.10.1, 2026-02-25
RUN curl -sSfL https://github.com/golangci/golangci-lint/releases/download/v2.10.1/golangci-lint-2.10.1-linux-amd64.tar.gz -o /tmp/golangci-lint.tar.gz && \
echo "dfa775874cf0561b404a02a8f4481fc69b28091da95aa697259820d429b09c99 /tmp/golangci-lint.tar.gz" | sha256sum -c - && \
tar -xzf /tmp/golangci-lint.tar.gz -C /tmp && \
mv /tmp/golangci-lint-2.10.1-linux-amd64/golangci-lint /usr/local/bin/ && \
rm -rf /tmp/golangci-lint*
WORKDIR /src WORKDIR /src
@@ -28,8 +43,8 @@ RUN GOTOOLCHAIN=auto go mod download
# Copy source code # Copy source code
COPY . . COPY . .
# Run all checks (fmt-check, lint, test) # Run tests
RUN make check RUN make test
# Build with CGO enabled # Build with CGO enabled
RUN CGO_ENABLED=1 GOTOOLCHAIN=auto go build -ldflags "-X main.Version=${VERSION}" -o /pixad ./cmd/pixad RUN CGO_ENABLED=1 GOTOOLCHAIN=auto go build -ldflags "-X main.Version=${VERSION}" -o /pixad ./cmd/pixad

4
internal/config/config.go
View File

@@ -132,7 +132,9 @@ func loadConfigFile(log *slog.Logger, appName string) (*smartconfig.Config, erro
} }
for _, path := range configPaths { for _, path := range configPaths {
if _, statErr := os.Stat(path); statErr == nil { cleanPath := filepath.Clean(path)
//nolint:gosec // G703: paths are hardcoded config locations
if _, statErr := os.Stat(cleanPath); statErr == nil {
sc, err := smartconfig.NewFromConfigPath(path) sc, err := smartconfig.NewFromConfigPath(path)
if err != nil { if err != nil {
log.Warn("failed to parse config file", "path", path, "error", err) log.Warn("failed to parse config file", "path", path, "error", err)

13
internal/imgcache/fetcher.go
View File

@@ -9,6 +9,7 @@ import (
"net" "net"
"net/http" "net/http"
"net/http/httptrace" "net/http/httptrace"
neturl "net/url"
"strings" "strings"
"sync" "sync"
"time" "time"
@@ -158,11 +159,18 @@ func (f *HTTPFetcher) Fetch(ctx context.Context, url string) (*FetchResult, erro
} }
}() }()
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) parsedURL, err := neturl.Parse(url)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create request: %w", err) return nil, fmt.Errorf("failed to parse URL: %w", err)
} }
req := &http.Request{
Method: http.MethodGet,
URL: parsedURL,
Header: make(http.Header),
}
req = req.WithContext(ctx)
req.Header.Set("User-Agent", f.config.UserAgent) req.Header.Set("User-Agent", f.config.UserAgent)
req.Header.Set("Accept", strings.Join(f.config.AllowedContentTypes, ", ")) req.Header.Set("Accept", strings.Join(f.config.AllowedContentTypes, ", "))
@@ -180,6 +188,7 @@ func (f *HTTPFetcher) Fetch(ctx context.Context, url string) (*FetchResult, erro
startTime := time.Now() startTime := time.Now()
//nolint:gosec // G704: URL validated by validateURL() above
resp, err := f.client.Do(req) resp, err := f.client.Do(req)
fetchDuration := time.Since(startTime) fetchDuration := time.Since(startTime)

15
internal/imgcache/storage.go
View File

@@ -103,7 +103,8 @@ func (s *ContentStorage) Store(r io.Reader) (hash ContentHash, size int64, err e
} }
// Atomic rename // Atomic rename
if err := os.Rename(tmpPath, path); err != nil { //nolint:gosec // G703: paths from internal SHA256 hashes
if err := os.Rename(filepath.Clean(tmpPath), filepath.Clean(path)); err != nil {
return "", 0, fmt.Errorf("failed to rename temp file: %w", err) return "", 0, fmt.Errorf("failed to rename temp file: %w", err)
} }
@@ -173,10 +174,10 @@ func (s *ContentStorage) Exists(hash ContentHash) bool {
func (s *ContentStorage) hashToPath(hash ContentHash) string { func (s *ContentStorage) hashToPath(hash ContentHash) string {
h := string(hash) h := string(hash)
if len(h) < MinHashLength { if len(h) < MinHashLength {
return filepath.Join(s.baseDir, h) return filepath.Clean(filepath.Join(s.baseDir, h))
} }
return filepath.Join(s.baseDir, h[0:2], h[2:4], h) return filepath.Clean(filepath.Join(s.baseDir, h[0:2], h[2:4], h))
} }
// MetadataStorage handles JSON metadata file storage. // MetadataStorage handles JSON metadata file storage.
@@ -252,7 +253,8 @@ func (s *MetadataStorage) Store(host string, pathHash PathHash, meta *SourceMeta
} }
// Atomic rename // Atomic rename
if err := os.Rename(tmpPath, path); err != nil { //nolint:gosec // G703: paths from internal SHA256 hashes
if err := os.Rename(filepath.Clean(tmpPath), filepath.Clean(path)); err != nil {
return fmt.Errorf("failed to rename temp file: %w", err) return fmt.Errorf("failed to rename temp file: %w", err)
} }
@@ -302,7 +304,7 @@ func (s *MetadataStorage) Exists(host string, pathHash PathHash) bool {
// metaPath returns the file path for metadata: <basedir>/<host>/<path_hash>.json // metaPath returns the file path for metadata: <basedir>/<host>/<path_hash>.json
func (s *MetadataStorage) metaPath(host string, pathHash PathHash) string { func (s *MetadataStorage) metaPath(host string, pathHash PathHash) string {
return filepath.Join(s.baseDir, host, string(pathHash)+".json") return filepath.Clean(filepath.Join(s.baseDir, host, string(pathHash)+".json"))
} }
// HashPath computes the SHA256 hash of a path string. // HashPath computes the SHA256 hash of a path string.
@@ -395,7 +397,8 @@ func (s *VariantStorage) Store(key VariantKey, r io.Reader, contentType string)
} }
// Atomic rename content // Atomic rename content
if err := os.Rename(tmpPath, path); err != nil { //nolint:gosec // G703: paths from internal SHA256 hashes
if err := os.Rename(filepath.Clean(tmpPath), filepath.Clean(path)); err != nil {
return 0, fmt.Errorf("failed to rename temp file: %w", err) return 0, fmt.Errorf("failed to rename temp file: %w", err)
} }