refactor: use official golangci-lint image for lint stage

Restructure Dockerfile to match upaas/dnswatcher pattern:
- Separate lint stage using golangci/golangci-lint:v2.1.6 image
- Builder stage for tests and compilation (no lint dependency)
- Add fmt-check Makefile target
- Decouple test from lint in Makefile (lint runs in its own stage)
- Run gofmt on all files
- docker build verified passing locally

Dockerfile

@@ -1,57 +1,44 @@
-# Build stage
+# Lint stage — fast feedback on formatting and lint issues
-FROM golang:1.24-alpine AS builder
+# golangci/golangci-lint:v2.1.6
+FROM golangci/golangci-lint:v2.1.6 AS lint
 
-# Install build dependencies
+WORKDIR /src
-RUN apk add --no-cache \
-    gcc \
-    musl-dev \
-    make \
-    git \
-    gnupg
-
-# Set working directory
-WORKDIR /build
-
-# Copy go mod files
 COPY go.mod go.sum ./
-
-# Download dependencies
 RUN go mod download
 
-# Copy source code
 COPY . .
 
-# Install golangci-lint for checks (binary install to avoid Go version constraints)
+RUN make fmt-check
-RUN wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.1.6
+RUN make lint
 
-# Run all checks (lint, vet, test, build)
+# Build stage — tests and compilation
-RUN make check
+FROM golang:1.24-alpine AS builder
 
-# Build the final binary with version info
+# Force BuildKit to run the lint stage
-RUN CGO_ENABLED=1 go build -v -o secret cmd/secret/main.go
+COPY --from=lint /src/go.sum /dev/null
+
+RUN apk add --no-cache gcc musl-dev make git gnupg
+
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+RUN make test
+RUN CGO_ENABLED=1 go build -v -ldflags "-X 'git.eeqj.de/sneak/secret/internal/cli.Version=0.1.0' -X 'git.eeqj.de/sneak/secret/internal/cli.GitCommit=$(git rev-parse HEAD)'" -o secret cmd/secret/main.go
 
 # Runtime stage
 FROM alpine:latest
 
-# Install runtime dependencies
+RUN apk add --no-cache ca-certificates gnupg
-RUN apk add --no-cache \
-    ca-certificates \
-    gnupg
 
-# Create non-root user
 RUN adduser -D -s /bin/sh secret
 
-# Copy binary from builder
 COPY --from=builder /build/secret /usr/local/bin/secret
-
-# Ensure binary is executable
 RUN chmod +x /usr/local/bin/secret
 
-# Switch to non-root user
 USER secret
-
-# Set working directory
 WORKDIR /home/secret
 
-# Set entrypoint
 ENTRYPOINT ["secret"]

Makefile

@@ -17,7 +17,7 @@ build: ./secret
 vet:
 	go vet ./...
 
-test: lint vet
+test: vet
 	go test ./... || go test -v ./...
 
 fmt:
@@ -26,7 +26,7 @@ fmt:
 lint:
 	golangci-lint run --timeout 5m
 
-check: build test
+check: build lint test
 
 # Build Docker container
 docker:
@@ -42,3 +42,6 @@ clean:
 
 install: ./secret
 	cp ./secret $(HOME)/bin/secret
+
+fmt-check:
+	@test -z "$$(gofmt -l .)" || (echo "Files need formatting:" && gofmt -l . && exit 1)

internal/cli/info.go

@@ -1,10 +1,10 @@
 package cli
 
 import (
-	"log"
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"path/filepath"
 	"runtime"
 	"strings"

internal/cli/init.go

@@ -1,8 +1,8 @@
 package cli
 
 import (
-	"log"
 	"fmt"
+	"log"
 	"log/slog"
 	"os"
 	"path/filepath"

internal/cli/integration_test.go

@@ -2285,6 +2285,7 @@ func verifyFileExists(t *testing.T, path string) {
 }
 
 // verifyFileNotExists checks if a file does not exist at the given path
+//
 //nolint:unused // kept for future use
 func verifyFileNotExists(t *testing.T, path string) {
 	t.Helper()

internal/cli/secrets.go

@@ -1,10 +1,10 @@
 package cli
 
 import (
-	"log"
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"path/filepath"
 	"strings"
 

internal/cli/unlockers.go

@@ -1,9 +1,9 @@
 package cli
 
 import (
-	"log"
 	"encoding/json"
 	"fmt"
+	"log"
 	"os"
 	"os/exec"
 	"path/filepath"

internal/cli/vault.go

@@ -1,9 +1,9 @@
 package cli
 
 import (
-	"log"
 	"encoding/json"
 	"fmt"
+	"log"
 	"os"
 	"path/filepath"
 	"strings"

internal/cli/version.go

@@ -1,8 +1,8 @@
 package cli
 
 import (
-	"log"
 	"fmt"
+	"log"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"

internal/secret/derivation_index_test.go

@@ -26,12 +26,12 @@ type realVault struct {
 func (v *realVault) GetDirectory() (string, error) {
 	return filepath.Join(v.stateDir, "vaults.d", v.name), nil
 }
-func (v *realVault) GetName() string        { return v.name }
+func (v *realVault) GetName() string         { return v.name }
 func (v *realVault) GetFilesystem() afero.Fs { return v.fs }
 
 // Unused by getLongTermPrivateKey — these satisfy VaultInterface.
 func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
-func (v *realVault) GetCurrentUnlocker() (Unlocker, error)               { panic("not used") }
+func (v *realVault) GetCurrentUnlocker() (Unlocker, error)                { panic("not used") }
 func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
 	panic("not used")
 }

internal/secret/secret_test.go

@@ -284,11 +284,11 @@ func TestSecretNameValidation(t *testing.T) {
 		{"valid/path/name", true},
 		{"123valid", true},
 		{"", false},
-		{"Valid-Upper-Name", true},                             // uppercase allowed
+		{"Valid-Upper-Name", true}, // uppercase allowed
-		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},  // real-world uppercase key ID
+		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true}, // real-world uppercase key ID
-		{"MixedCase/Path/Name", true},                          // mixed case with path
+		{"MixedCase/Path/Name", true},                         // mixed case with path
-		{"invalid name", false}, // space not allowed
+		{"invalid name", false},                               // space not allowed
-		{"invalid@name", false}, // @ not allowed
+		{"invalid@name", false},                               // @ not allowed
 	}
 
 	for _, test := range tests {

internal/secret/validation_test.go

@@ -154,4 +154,3 @@ func TestValidateGPGKeyID(t *testing.T) {
 		})
 	}
 }
-