- Install golangci-lint v2 via binary download instead of go install
  (avoids Go 1.25 requirement of golangci-lint v2.10+)
- Add darwin build tags to tests that depend on macOS keychain:
  derivation_index_test.go, pgpunlock_test.go, validation (keychain tests)
- Move generateRandomString to helpers_darwin.go (only called from
  darwin-only keychainunlocker.go)
- Fix unchecked error returns flagged by errcheck linter
- Add gnupg to builder stage for PGP-related tests
- Use --ulimit memlock=-1:-1 in CI for memguard large secret tests
- Add //nolint:unused for intentionally kept but currently unused test helpers

Per new policy: CI actions simply run 'docker build .'. The Dockerfile
now installs golangci-lint and runs 'make check' early in the build
process, so a successful docker build implies all checks pass.

- Dockerfile: add golangci-lint install and 'make check' before final build
- CI workflow: simplify to just 'docker build .' (no Go setup needed)
- Makefile targets unchanged
- Add DOCKER_HOST export to Makefile for remote Docker daemon
- Create multi-stage Dockerfile:
  - Build stage: golang:1.24-alpine with gcc, make, git
  - Runtime stage: alpine with ca-certificates, gnupg
  - Runs as non-root 'secret' user
- Add Makefile targets:
  - docker: build container as sneak/secret
  - docker-run: run container interactively
- Add .dockerignore to exclude build artifacts but keep .git
  for potential linker flags

Container includes GPG support for PGP unlockers and runs on Linux,
making it suitable for cross-platform testing and deployment.