From 4abd40d8e2d469e62961c2ec5f583f68633966a8 Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@noreply.example.org>
Date: Mon, 2 Mar 2026 21:06:53 +0100
Subject: [PATCH] fix: split Dockerfile with pinned images and add CI workflow
 (#14)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Rewrites the Dockerfile to use sha256-pinned images and proper multi-stage build structure. Adds missing Makefile targets and a Gitea CI workflow.

## Changes

### Dockerfile
- **Lint stage**: `golangci/golangci-lint` v1.64.8 pinned by sha256 — runs `make fmt-check` + `make lint`
- **Test stage**: `golang` 1.22.12 pinned by sha256 — runs `make test` with dependency on lint stage
- Removed redundant final stage (this is a library with no binary to build)
- Both images pinned by digest with version+date comments

### Makefile
- Added `fmt-check` target: verifies `gofmt` compliance without modifying files
- Added `check` target: runs `fmt-check`, `lint`, `test` in sequence
- Added `hooks` target: installs a pre-commit hook that runs `make check`
- Separated `gofmt` check from `lint` target (was previously bundled)
- Changed default target from `test` to `check`

### CI
- Added `.gitea/workflows/check.yml`: runs `docker build .` on push to main and on PRs

## Verification

`docker build --progress plain .` passes — all stages complete successfully.

closes https://git.eeqj.de/sneak/simplelog/issues/9

<!-- session: agent:sdlc-manager:subagent:fffa0a5a-5127-4489-a2e0-314c5eaaed68 -->

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: https://git.eeqj.de/sneak/simplelog/pulls/14
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
---
 .gitea/workflows/check.yml | 12 +++++++++
 Dockerfile                 | 53 ++++++++++++--------------------------
 Makefile                   | 17 +++++++++---
 3 files changed, 43 insertions(+), 39 deletions(-)
 create mode 100644 .gitea/workflows/check.yml

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
new file mode 100644
index 0000000..eafafa8
--- /dev/null
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,12 @@
+name: check
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: docker build .
diff --git a/Dockerfile b/Dockerfile
index d67989a..8d4123b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,39 +1,20 @@
-# First stage: Use the golangci-lint image to run the linter
-FROM golangci/golangci-lint:latest as lint
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Lint stage: format check + golangci-lint
+# golangci-lint v1.64.8 (2025-02-18)
+FROM golangci/golangci-lint@sha256:2987913e27f4eca9c8a39129d2c7bc1e74fbcf77f181e01cea607be437aa5cb8 AS lint
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
+RUN make fmt-check
+RUN make lint
 
-# Run golangci-lint
-RUN golangci-lint run
-
-RUN sh -c 'test -z "$(gofmt -l .)"'
-
-# Second stage: Use the official Golang image to run tests
-FROM golang:1.22 as test
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Test stage: run full test suite
+# golang 1.22.12 (2025-02-04)
+FROM golang@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02 AS test
+# Depend on lint stage so both stages always run
+COPY --from=lint /src/go.sum /dev/null
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
-
-# Run tests
-RUN go test -v ./...
-
-# Final stage: Combine the linting and testing stages
-FROM golang:1.22 as final
-
-# Ensure that the linting stage succeeded
-WORKDIR /app
-COPY --from=lint /app .
-COPY --from=test /app .
-
-# Set the final CMD to something minimal since we only needed to verify lint and tests during build
-CMD ["echo", "Build and tests passed successfully!"]
-
+RUN make test
diff --git a/Makefile b/Makefile
index 6ef9919..951120e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
-.PHONY: test
+.PHONY: test fmt fmt-check lint check docker hooks
 
-default: test
+default: check
 
 test:
 	@go test -v ./...
@@ -9,9 +9,20 @@ fmt:
 	goimports -l -w .
 	golangci-lint run --fix
 
+fmt-check:
+	@test -z "$$(gofmt -l .)" || { echo "gofmt would reformat:"; gofmt -l .; exit 1; }
+
 lint:
 	golangci-lint run
-	sh -c 'test -z "$$(gofmt -l .)"'
+
+check: fmt-check lint test
 
 docker:
 	docker build --progress plain .
+
+hooks:
+	@echo "Installing git hooks..."
+	@mkdir -p .git/hooks
+	@printf '#!/bin/sh\nmake check\n' > .git/hooks/pre-commit
+	@chmod +x .git/hooks/pre-commit
+	@echo "Pre-commit hook installed."