fix: use make build instead of inline go build in Dockerfile

REPO_POLICIES requires using Makefile targets instead of invoking tools directly. Replace inline go build with make build.
fix: add darwin build constraints to Objective-C source files
2026-03-17 02:26:35 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00 · 2026-03-14 17:54:41 -07:00
14 changed files with 244 additions and 212 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -17,5 +17,4 @@ coverage.out
 .claude/

 # Local settings
-.golangci.yml
 .claude/settings.local.json
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,9 @@
+name: check
+on: [push]
+jobs:
+    check:
+        runs-on: ubuntu-latest
+        steps:
+            # actions/checkout v4.2.2, 2026-02-28
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+            - run: docker build --ulimit memlock=-1:-1 .
--- a/60
+++ b/60
@@ -1,50 +1,46 @@
-# Build stage
-FROM golang:1.24-alpine AS builder
+# Lint stage — fast feedback on formatting and lint issues
+# golangci/golangci-lint v2.1.6 (2026-03-10)
+FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint

-# Install build dependencies
-RUN apk add --no-cache \
-    gcc \
-    musl-dev \
-    make \
-    git
-
-# Set working directory
-WORKDIR /build
-
-# Copy go mod files
+WORKDIR /src
 COPY go.mod go.sum ./
-
-# Download dependencies
 RUN go mod download

-# Copy source code
 COPY . .

-# Build the binary
-RUN CGO_ENABLED=1 go build -v -o secret cmd/secret/main.go
+RUN make fmt-check
+RUN make lint
+
+# Build stage — tests and compilation
+# golang 1.24.13-alpine (2026-03-10)
+FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
+
+# Force BuildKit to run the lint stage
+COPY --from=lint /src/go.sum /dev/null
+
+RUN apk add --no-cache gcc musl-dev make git gnupg
+
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+RUN make test
+RUN make build

 # Runtime stage
-FROM alpine:latest
+# alpine 3.23 (2026-03-10)
+FROM alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659

-# Install runtime dependencies
-RUN apk add --no-cache \
-    ca-certificates \
-    gnupg
+RUN apk add --no-cache ca-certificates gnupg

-# Create non-root user
 RUN adduser -D -s /bin/sh secret

-# Copy binary from builder
 COPY --from=builder /build/secret /usr/local/bin/secret
-
-# Ensure binary is executable
 RUN chmod +x /usr/local/bin/secret

-# Switch to non-root user
 USER secret
-
-# Set working directory
 WORKDIR /home/secret

-# Set entrypoint
-ENTRYPOINT ["secret"]
+ENTRYPOINT ["secret"]
--- a/7
+++ b/7
@@ -17,7 +17,7 @@ build: ./secret
 vet:
 	go vet ./...

-test: lint vet
+test: vet
 	go test ./... || go test -v ./...

 fmt:
@@ -26,7 +26,7 @@ fmt:
 lint:
 	golangci-lint run --timeout 5m

-check: build test
+check: build lint test fmt-check

 # Build Docker container
 docker:
@@ -42,3 +42,6 @@ clean:

 install: ./secret
 	cp ./secret $(HOME)/bin/secret
+
+fmt-check:
+	@test -z "$$(gofmt -l .)" || (echo "Files need formatting:" && gofmt -l . && exit 1)
--- a/internal/cli/integration_test.go
+++ b/internal/cli/integration_test.go
@@ -48,7 +48,7 @@ func TestMain(m *testing.M) {
 	code := m.Run()

 	// Clean up the binary
-	os.Remove(filepath.Join(projectRoot, "secret"))
+	_ = os.Remove(filepath.Join(projectRoot, "secret"))

 	os.Exit(code)
 }
@@ -450,10 +450,10 @@ func test02ListVaults(t *testing.T, runSecret func(...string) (string, error)) {

 func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (string, error)) {
 	// Set environment variables for vault creation
-	os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
-	os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
-	defer os.Unsetenv("SB_SECRET_MNEMONIC")
-	defer os.Unsetenv("SB_UNLOCK_PASSPHRASE")
+	_ = os.Setenv("SB_SECRET_MNEMONIC", testMnemonic)
+	_ = os.Setenv("SB_UNLOCK_PASSPHRASE", "test-passphrase")
+	defer func() { _ = os.Unsetenv("SB_SECRET_MNEMONIC") }()
+	defer func() { _ = os.Unsetenv("SB_UNLOCK_PASSPHRASE") }()

 	// Create work vault
 	output, err := runSecret("vault", "create", "work")
@@ -489,6 +489,7 @@ func test03CreateVault(t *testing.T, tempDir string, runSecret func(...string) (
 	assert.Contains(t, output, "work", "should list work vault")
 }

+//nolint:unused // TODO: re-enable when vault import is implemented
 func test04ImportMnemonic(t *testing.T, tempDir, testMnemonic, testPassphrase string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
 	// Import mnemonic into work vault
 	output, err := runSecretWithEnv(map[string]string{
@@ -1667,9 +1668,9 @@ func test19DisasterRecovery(t *testing.T, tempDir, secretPath, testMnemonic stri
 	assert.Equal(t, testSecretValue, strings.TrimSpace(toolOutput), "tool output should match original")

 	// Clean up temporary files
-	os.Remove(ltPrivKeyPath)
-	os.Remove(versionPrivKeyPath)
-	os.Remove(decryptedValuePath)
+	_ = os.Remove(ltPrivKeyPath)
+	_ = os.Remove(versionPrivKeyPath)
+	_ = os.Remove(decryptedValuePath)
 }

 func test20VersionTimestamps(t *testing.T, tempDir, secretPath, testMnemonic string, runSecretWithEnv func(map[string]string, ...string) (string, error)) {
@@ -1788,7 +1789,7 @@ func test23ErrorHandling(t *testing.T, tempDir, secretPath, testMnemonic string,

 	// Add secret without mnemonic or unlocker
 	unsetMnemonic := os.Getenv("SB_SECRET_MNEMONIC")
-	os.Unsetenv("SB_SECRET_MNEMONIC")
+	_ = os.Unsetenv("SB_SECRET_MNEMONIC")
 	cmd := exec.Command(secretPath, "add", "test/nomnemonic")
 	cmd.Env = []string{
 		fmt.Sprintf("SB_SECRET_STATE_DIR=%s", tempDir),
@@ -2128,7 +2129,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 						versionsPath := filepath.Join(secretPath, "versions")
 						if _, err := os.Stat(versionsPath); os.IsNotExist(err) {
 							// This is a malformed secret directory, remove it
-							os.RemoveAll(secretPath)
+							_ = os.RemoveAll(secretPath)
 						}
 					}
 				}
@@ -2178,7 +2179,7 @@ func test30BackupRestore(t *testing.T, tempDir, secretPath, testMnemonic string,
 	require.NoError(t, err, "restore vaults should succeed")

 	// Restore currentvault
-	os.Remove(currentVaultSrc)
+	_ = os.Remove(currentVaultSrc)
 	restoredData := readFile(t, currentVaultDst)
 	writeFile(t, currentVaultSrc, restoredData)

@@ -2284,6 +2285,8 @@ func verifyFileExists(t *testing.T, path string) {
 }

 // verifyFileNotExists checks if a file does not exist at the given path
+//
+//nolint:unused // kept for future use
 func verifyFileNotExists(t *testing.T, path string) {
 	t.Helper()
 	_, err := os.Stat(path)
--- a/internal/macse/secure_enclave.h
+++ b/internal/macse/secure_enclave.h
@@ -1,3 +1,5 @@
+//go:build darwin
+
 #ifndef SECURE_ENCLAVE_H
 #define SECURE_ENCLAVE_H

--- a/internal/macse/secure_enclave.m
+++ b/internal/macse/secure_enclave.m
@@ -1,3 +1,5 @@
+//go:build darwin
+
 #import <Foundation/Foundation.h>
 #import <Security/Security.h>
 #include "secure_enclave.h"
--- a/internal/secret/derivation_index_test.go
+++ b/internal/secret/derivation_index_test.go
@@ -1,3 +1,5 @@
+//go:build darwin
+
 package secret

 import (
--- a/internal/secret/helpers.go
+++ b/internal/secret/helpers.go
@@ -1,33 +1,11 @@
 package secret

 import (
-	"crypto/rand"
 	"fmt"
-	"math/big"
 	"os"
 	"path/filepath"
 )

-// generateRandomString generates a random string of the specified length using the given character set
-func generateRandomString(length int, charset string) (string, error) {
-	if length <= 0 {
-		return "", fmt.Errorf("length must be positive")
-	}
-
-	result := make([]byte, length)
-	charsetLen := big.NewInt(int64(len(charset)))
-
-	for i := range length {
-		randomIndex, err := rand.Int(rand.Reader, charsetLen)
-		if err != nil {
-			return "", fmt.Errorf("failed to generate random number: %w", err)
-		}
-		result[i] = charset[randomIndex.Int64()]
-	}
-
-	return string(result), nil
-}
-
 // DetermineStateDir determines the state directory based on environment variables and OS.
 // It returns an error if no usable directory can be determined.
 func DetermineStateDir(customConfigDir string) (string, error) {
--- a/internal/secret/helpers_darwin.go
+++ b/internal/secret/helpers_darwin.go
@@ -0,0 +1,29 @@
+//go:build darwin
+
+package secret
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math/big"
+)
+
+// generateRandomString generates a random string of the specified length using the given character set
+func generateRandomString(length int, charset string) (string, error) {
+	if length <= 0 {
+		return "", fmt.Errorf("length must be positive")
+	}
+
+	result := make([]byte, length)
+	charsetLen := big.NewInt(int64(len(charset)))
+
+	for i := range length {
+		randomIndex, err := rand.Int(rand.Reader, charsetLen)
+		if err != nil {
+			return "", fmt.Errorf("failed to generate random number: %w", err)
+		}
+		result[i] = charset[randomIndex.Int64()]
+	}
+
+	return string(result), nil
+}
--- a/internal/secret/passphrase_test.go
+++ b/internal/secret/passphrase_test.go
@@ -24,7 +24,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer os.RemoveAll(tempDir) // Clean up after test
+	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test

 	// Use the real filesystem
 	fs := afero.NewOsFs()
@@ -155,7 +155,7 @@ func TestPassphraseUnlockerWithRealFS(t *testing.T) {
 	})

 	// Unset the environment variable to test interactive prompt
-	os.Unsetenv(secret.EnvUnlockPassphrase)
+	_ = os.Unsetenv(secret.EnvUnlockPassphrase)

 	// Test getting identity from prompt (this would require mocking the prompt)
 	// For real integration tests, we'd need to provide a way to mock the passphrase input
--- a/internal/secret/pgpunlock_test.go
+++ b/internal/secret/pgpunlock_test.go
@@ -1,3 +1,5 @@
+//go:build darwin
+
 package secret_test

 import (
@@ -140,7 +142,7 @@ func TestPGPUnlockerWithRealFS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
 	}
-	defer os.RemoveAll(tempDir) // Clean up after test
+	defer func() { _ = os.RemoveAll(tempDir) }() // Clean up after test

 	// Create a temporary GNUPGHOME
 	gnupgHomeDir := filepath.Join(tempDir, "gnupg")
--- a/internal/secret/validation_darwin_test.go
+++ b/internal/secret/validation_darwin_test.go
@@ -0,0 +1,148 @@
+//go:build darwin
+
+package secret
+
+import (
+	"testing"
+)
+
+func TestValidateKeychainItemName(t *testing.T) {
+	tests := []struct {
+		name     string
+		itemName string
+		wantErr  bool
+	}{
+		// Valid cases
+		{
+			name:     "valid simple name",
+			itemName: "my-secret-key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid name with dots",
+			itemName: "com.example.app.key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid name with underscores",
+			itemName: "my_secret_key_123",
+			wantErr:  false,
+		},
+		{
+			name:     "valid alphanumeric",
+			itemName: "Secret123Key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid with hyphen at start",
+			itemName: "-my-key",
+			wantErr:  false,
+		},
+		{
+			name:     "valid with dot at start",
+			itemName: ".hidden-key",
+			wantErr:  false,
+		},
+
+		// Invalid cases
+		{
+			name:     "empty item name",
+			itemName: "",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with spaces",
+			itemName: "my secret key",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with semicolon",
+			itemName: "key;rm -rf /",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with pipe",
+			itemName: "key|cat /etc/passwd",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with backticks",
+			itemName: "key`whoami`",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with dollar sign",
+			itemName: "key$(whoami)",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with quotes",
+			itemName: "key\"name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with single quotes",
+			itemName: "key'name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with backslash",
+			itemName: "key\\name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with newline",
+			itemName: "key\nname",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with carriage return",
+			itemName: "key\rname",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with ampersand",
+			itemName: "key&echo test",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with redirect",
+			itemName: "key>/tmp/test",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with null byte",
+			itemName: "key\x00name",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with parentheses",
+			itemName: "key(test)",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with brackets",
+			itemName: "key[test]",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with asterisk",
+			itemName: "key*",
+			wantErr:  true,
+		},
+		{
+			name:     "item name with question mark",
+			itemName: "key?",
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateKeychainItemName(tt.itemName)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/internal/secret/validation_test.go
+++ b/internal/secret/validation_test.go
@@ -154,144 +154,3 @@ func TestValidateGPGKeyID(t *testing.T) {
 		})
 	}
 }
-
-func TestValidateKeychainItemName(t *testing.T) {
-	tests := []struct {
-		name     string
-		itemName string
-		wantErr  bool
-	}{
-		// Valid cases
-		{
-			name:     "valid simple name",
-			itemName: "my-secret-key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid name with dots",
-			itemName: "com.example.app.key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid name with underscores",
-			itemName: "my_secret_key_123",
-			wantErr:  false,
-		},
-		{
-			name:     "valid alphanumeric",
-			itemName: "Secret123Key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid with hyphen at start",
-			itemName: "-my-key",
-			wantErr:  false,
-		},
-		{
-			name:     "valid with dot at start",
-			itemName: ".hidden-key",
-			wantErr:  false,
-		},
-
-		// Invalid cases
-		{
-			name:     "empty item name",
-			itemName: "",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with spaces",
-			itemName: "my secret key",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with semicolon",
-			itemName: "key;rm -rf /",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with pipe",
-			itemName: "key|cat /etc/passwd",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with backticks",
-			itemName: "key`whoami`",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with dollar sign",
-			itemName: "key$(whoami)",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with quotes",
-			itemName: "key\"name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with single quotes",
-			itemName: "key'name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with backslash",
-			itemName: "key\\name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with newline",
-			itemName: "key\nname",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with carriage return",
-			itemName: "key\rname",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with ampersand",
-			itemName: "key&echo test",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with redirect",
-			itemName: "key>/tmp/test",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with null byte",
-			itemName: "key\x00name",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with parentheses",
-			itemName: "key(test)",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with brackets",
-			itemName: "key[test]",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with asterisk",
-			itemName: "key*",
-			wantErr:  true,
-		},
-		{
-			name:     "item name with question mark",
-			itemName: "key?",
-			wantErr:  true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := validateKeychainItemName(tt.itemName)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("validateKeychainItemName() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
Author	SHA1	Message	Date
clawbot	efa8647166	fix: use make build instead of inline go build in Dockerfile All checks were successful check / check (push) Successful in 59s Details REPO_POLICIES requires using Makefile targets instead of invoking tools directly. Replace inline go build with make build.	2026-03-17 02:26:35 -07:00
clawbot	044ad92feb	fix: add darwin build constraints to Objective-C source files All checks were successful check / check (push) Successful in 22s Details Add //go:build darwin to secure_enclave.m and secure_enclave.h so Go ignores them on non-darwin platforms. Without this, the lint stage fails on Linux with 'Objective-C source files not allowed when not using cgo or SWIG' because the !darwin stub (macse_stub.go) doesn't use CGO.	2026-03-14 17:54:41 -07:00
clawbot	386baaea70	fix: include .golangci.yml in Docker build context	2026-03-14 17:54:41 -07:00
clawbot	8edc629dd6	fix: add fmt-check to make check prerequisites REPO_POLICIES requires make check prereqs to include test, lint, and fmt-check.	2026-03-14 17:54:41 -07:00
clawbot	59839309b3	fix: use digest-only FROM syntax (no tags) Remove tags from FROM lines — use image@sha256:digest only, matching the upaas pattern. tag@sha256 syntax is invalid.	2026-03-14 17:54:41 -07:00
clawbot	66a390d685	fix: pin all Docker base images by SHA256 digest Pin all three FROM lines with SHA256 digests per REPO_POLICIES.md: - golangci/golangci-lint:v2.1.6@sha256:568ee1c1... - golang:1.24-alpine@sha256:8bee1901... - alpine:3.23@sha256:25109184... (was alpine:latest) Also replaced mutable 'alpine:latest' tag with 'alpine:3.23'.	2026-03-14 17:54:41 -07:00
clawbot	7b84aa345f	refactor: use official golangci-lint image for lint stage Restructure Dockerfile to match upaas/dnswatcher pattern: - Separate lint stage using golangci/golangci-lint:v2.1.6 image - Builder stage for tests and compilation (no lint dependency) - Add fmt-check Makefile target - Decouple test from lint in Makefile (lint runs in its own stage) - Run gofmt on all files - docker build verified passing locally	2026-03-14 17:54:41 -07:00
clawbot	a8ce1ff7c8	fix: use correct checkout SHA and simplify CI workflow The previous checkout SHA was invalid, causing immediate CI failure. Use the known-good actions/checkout v4.2.2 SHA. Simplify trigger to on: [push] to match other repos. Keep --ulimit memlock=-1:-1 for 10MB secret tests that need mlock.	2026-03-14 17:54:41 -07:00
user	afa4f799da	fix: resolve CI failures in docker build - Install golangci-lint v2 via binary download instead of go install (avoids Go 1.25 requirement of golangci-lint v2.10+) - Add darwin build tags to tests that depend on macOS keychain: derivation_index_test.go, pgpunlock_test.go, validation (keychain tests) - Move generateRandomString to helpers_darwin.go (only called from darwin-only keychainunlocker.go) - Fix unchecked error returns flagged by errcheck linter - Add gnupg to builder stage for PGP-related tests - Use --ulimit memlock=-1:-1 in CI for memguard large secret tests - Add //nolint:unused for intentionally kept but currently unused test helpers	2026-03-14 17:54:41 -07:00
user	9ada080821	ci: encapsulate checks in Dockerfile, simplify CI to docker build Per new policy: CI actions simply run 'docker build .'. The Dockerfile now installs golangci-lint and runs 'make check' early in the build process, so a successful docker build implies all checks pass. - Dockerfile: add golangci-lint install and 'make check' before final build - CI workflow: simplify to just 'docker build .' (no Go setup needed) - Makefile targets unchanged	2026-03-14 17:54:41 -07:00
clawbot	25febccec1	security: pin all go install refs to commit SHAs	2026-03-14 17:54:41 -07:00
user	b68e1eb3d1	security: pin CI actions to commit SHAs	2026-03-14 17:54:41 -07:00
user	cbca2e59c5	ci: add Gitea Actions workflow for make check	2026-03-14 17:54:41 -07:00