sneak/secret

ci: add Gitea Actions workflow for make check #21

Open

clawbot wants to merge 13 commits from ci/make-check into main

Author	SHA1	Message	Date
clawbot	efa8647166	fix: use make build instead of inline go build in Dockerfile All checks were successful check / check (push) Successful in 59s Details REPO_POLICIES requires using Makefile targets instead of invoking tools directly. Replace inline go build with make build.	2026-03-17 02:26:35 -07:00
clawbot	044ad92feb	fix: add darwin build constraints to Objective-C source files All checks were successful check / check (push) Successful in 22s Details Add //go:build darwin to secure_enclave.m and secure_enclave.h so Go ignores them on non-darwin platforms. Without this, the lint stage fails on Linux with 'Objective-C source files not allowed when not using cgo or SWIG' because the !darwin stub (macse_stub.go) doesn't use CGO.	2026-03-14 17:54:41 -07:00
clawbot	386baaea70	fix: include .golangci.yml in Docker build context	2026-03-14 17:54:41 -07:00
clawbot	8edc629dd6	fix: add fmt-check to make check prerequisites REPO_POLICIES requires make check prereqs to include test, lint, and fmt-check.	2026-03-14 17:54:41 -07:00
clawbot	59839309b3	fix: use digest-only FROM syntax (no tags) Remove tags from FROM lines — use image@sha256:digest only, matching the upaas pattern. tag@sha256 syntax is invalid.	2026-03-14 17:54:41 -07:00
clawbot	66a390d685	fix: pin all Docker base images by SHA256 digest Pin all three FROM lines with SHA256 digests per REPO_POLICIES.md: - golangci/golangci-lint:v2.1.6@sha256:568ee1c1... - golang:1.24-alpine@sha256:8bee1901... - alpine:3.23@sha256:25109184... (was alpine:latest) Also replaced mutable 'alpine:latest' tag with 'alpine:3.23'.	2026-03-14 17:54:41 -07:00
clawbot	7b84aa345f	refactor: use official golangci-lint image for lint stage Restructure Dockerfile to match upaas/dnswatcher pattern: - Separate lint stage using golangci/golangci-lint:v2.1.6 image - Builder stage for tests and compilation (no lint dependency) - Add fmt-check Makefile target - Decouple test from lint in Makefile (lint runs in its own stage) - Run gofmt on all files - docker build verified passing locally	2026-03-14 17:54:41 -07:00
clawbot	a8ce1ff7c8	fix: use correct checkout SHA and simplify CI workflow The previous checkout SHA was invalid, causing immediate CI failure. Use the known-good actions/checkout v4.2.2 SHA. Simplify trigger to on: [push] to match other repos. Keep --ulimit memlock=-1:-1 for 10MB secret tests that need mlock.	2026-03-14 17:54:41 -07:00
user	afa4f799da	fix: resolve CI failures in docker build - Install golangci-lint v2 via binary download instead of go install (avoids Go 1.25 requirement of golangci-lint v2.10+) - Add darwin build tags to tests that depend on macOS keychain: derivation_index_test.go, pgpunlock_test.go, validation (keychain tests) - Move generateRandomString to helpers_darwin.go (only called from darwin-only keychainunlocker.go) - Fix unchecked error returns flagged by errcheck linter - Add gnupg to builder stage for PGP-related tests - Use --ulimit memlock=-1:-1 in CI for memguard large secret tests - Add //nolint:unused for intentionally kept but currently unused test helpers	2026-03-14 17:54:41 -07:00
user	9ada080821	ci: encapsulate checks in Dockerfile, simplify CI to docker build Per new policy: CI actions simply run 'docker build .'. The Dockerfile now installs golangci-lint and runs 'make check' early in the build process, so a successful docker build implies all checks pass. - Dockerfile: add golangci-lint install and 'make check' before final build - CI workflow: simplify to just 'docker build .' (no Go setup needed) - Makefile targets unchanged	2026-03-14 17:54:41 -07:00
clawbot	25febccec1	security: pin all go install refs to commit SHAs	2026-03-14 17:54:41 -07:00
user	b68e1eb3d1	security: pin CI actions to commit SHAs	2026-03-14 17:54:41 -07:00
user	cbca2e59c5	ci: add Gitea Actions workflow for make check	2026-03-14 17:54:41 -07:00