fix: split Dockerfile with pinned images and add CI workflow #14

Merged
sneak merged 2 commits from fix/issue-9-dockerfile-split into main 2026-03-02 21:06:53 +01:00
Collaborator

Summary

Rewrites the Dockerfile to use sha256-pinned images and proper multi-stage build structure. Adds missing Makefile targets and a Gitea CI workflow.

Changes

Dockerfile

  • Lint stage: golangci/golangci-lint v1.64.8 pinned by sha256 — runs make fmt-check + make lint
  • Test stage: golang 1.22.12 pinned by sha256 — runs make test with dependency on lint stage
  • Removed redundant final stage (this is a library with no binary to build)
  • Both images pinned by digest with version+date comments

Makefile

  • Added fmt-check target: verifies gofmt compliance without modifying files
  • Added check target: runs fmt-check, lint, test in sequence
  • Added hooks target: installs a pre-commit hook that runs make check
  • Separated gofmt check from lint target (was previously bundled)
  • Changed default target from test to check

CI

  • Added .gitea/workflows/check.yml: runs docker build . on push to main and on PRs

Verification

docker build --progress plain . passes — all stages complete successfully.

closes #9

clawbot added 1 commit 2026-03-02 11:13:40 +01:00
- Pin golangci-lint to v1.64.8 by sha256 digest
- Pin golang to 1.22.12 by sha256 digest
- Lint stage runs make fmt-check + make lint
- Test stage runs make test with dependency on lint stage
- Remove redundant final stage (library has no binary)
- Add fmt-check, check, hooks targets to Makefile
- Add .gitea/workflows/check.yml for CI

closes #9
clawbot added the bot, needs-review labels 2026-03-02 11:13:55 +01:00
Author
Collaborator

Closing — split Dockerfile work was cancelled. All related issues are closed.

clawbot closed this pull request 2026-03-02 11:15:29 +01:00
clawbot reopened this pull request 2026-03-02 11:21:38 +01:00
clawbot added merge-ready and removed needs-review, bot labels 2026-03-02 11:23:51 +01:00
sneak was assigned by clawbot 2026-03-02 11:24:01 +01:00
clawbot closed this pull request 2026-03-02 11:24:17 +01:00
Author
Collaborator

Review: PASS

Reviewed PR #14 closing issue #9.

Checklist

| Requirement | Status |
|---|---|
| Lint stage sha256-pinned | ✅ golangci/golangci-lint@sha256:2987913e... |
| Test stage sha256-pinned | ✅ golang@sha256:1cf6c45b... |
| COPY --from=lint dependency | ✅ COPY --from=lint /src/go.sum /dev/null ensures lint runs before tests |
| Makefile fmt-check target | ✅ Clean gofmt check with proper error output |
| Makefile check prereqs | ✅ check: fmt-check lint test (correct order) |
| Makefile hooks target | ✅ Installs pre-commit hook running make check |
| .golangci.yml unmodified | ✅ No .golangci.yml exists (unchanged) |
| No test weakening | ✅ Zero changes to test files |
| Library-only (no binary) | ✅ Dockerfile proves checks pass, no final binary stage |
| CI workflow | ✅ .gitea/workflows/check.yml runs docker build . on push/PR |
| docker build . | ✅ All stages pass: fmt-check, lint, tests |

Summary

Clean single-commit PR. The Dockerfile is rewritten from scratch with:

  • Two-stage build (lint → test), both sha256-pinned
  • Proper go mod download caching layer in each stage
  • Stage dependency via COPY --from=lint to ensure both stages always execute
  • No final image (library has no binary — build just validates)

Makefile additions are correct and complete. CI workflow is minimal and appropriate.

Branch is already up-to-date with main (no rebase needed). Labelled merge-ready, assigned to @sneak.

sneak reopened this pull request 2026-03-02 21:02:19 +01:00
Owner

@clawbot please fix this branch. it's not in line with our repo policies - images need to be cryptographically pinned otherwise it's RCE as image tags are mutable. also the CI should run on push on every branch, not just main.

Owner

in this case the image i am referring to is the CI runner image in the CI config. the dockerfile looks ok

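As an added example that is not code from the simplelog repository: a small POSIX shell gate that applies the policy the owner states above, and that the review checklist and Dockerfile change list exercise (base images pinned by sha256 digest, the CI checkout action pinned by a full commit SHA, CI on every branch), to constructed Dockerfile and workflow snippets. The digests and SHAs in the samples are all-zero placeholders, and the function names are my own.

```shell
# Added example, not from the simplelog repo: gate for the pinning rules raised
# in this thread. Assumes POSIX sh, awk, sed -E and grep -E.

# Constructed Dockerfile: a digest-pinned stage (placeholder digest), a stage on
# a mutable tag, the COPY --from stage dependency, and a stage built FROM a stage.
SAMPLE_DOCKERFILE='FROM golangci/golangci-lint:v1.64.8@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS lint
FROM golang:1.22.12 AS test
COPY --from=lint /src/go.sum /dev/null
FROM test AS verify'

# Constructed workflow: checkout on a placeholder SHA, setup-go on a mutable
# tag, and a branches: filter that keeps CI off feature branches.
SAMPLE_WORKFLOW='on:
  push:
    branches: [main]
jobs:
  check:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: actions/setup-go@v5'

# Print FROM images not pinned by @sha256:<64 hex>; FROM <earlier stage> is skipped (reuses a layer, pulls nothing).
unpinned_images() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" {
            img = ""; for (i = 2; i <= NF; i++) if ($i !~ /^--/) { img = $i; break }
            for (i = 2; i < NF; i++) if (toupper($i) == "AS") stages[$(i + 1)] = 1
            if (img != "" && !(img in stages)) print img
        }' | grep -vE '@sha256:[0-9a-f]{64}$' || true
}

# Print "uses:" references whose ref is not a full 40-hex commit SHA.
unpinned_actions() {
    printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' \
        | grep -vE '@[0-9a-f]{40}$' || true
}

# Return 0 when the workflow has no push branch filter, 1 when it does.
runs_on_every_branch() {
    ! printf '%s\n' "$1" | grep -qE '^[[:space:]]*branches:'
}

# Combined gate: prints each violation and returns 1 if any rule is broken.
policy_check() {
    status=0
    for img in $(unpinned_images "$1"); do echo "unpinned image: $img"; status=1; done
    for act in $(unpinned_actions "$2"); do echo "unpinned action: $act"; status=1; done
    runs_on_every_branch "$2" || { echo "push branch filter present"; status=1; }
    return $status
}
```

Run against the samples it reports the mutable golang tag, the unpinned setup-go action and the branch filter; the same gate can be wired into the check target so a regression like the one fixed here fails the build.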
clawbot added 1 commit 2026-03-02 21:06:09 +01:00
- Pin actions/checkout to full SHA (v4.2.2) to prevent mutable tag RCE
- Remove branch filter so CI runs on push to every branch, not just main
Author
Collaborator

Rework Complete

Addressed both review items:

  1. Pinned actions/checkout by SHA: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2) instead of mutable @v4 tag, eliminating the RCE vector.
  2. CI now runs on push to all branches — removed branches: [main] filter so every push triggers the workflow.

docker build . passes locally (fmt-check ✅, lint ✅, tests ✅).

clawbot added bot, needs-review and removed merge-ready labels 2026-03-02 21:06:41 +01:00
sneak merged commit 4abd40d8e2 into main 2026-03-02 21:06:53 +01:00
sneak deleted branch fix/issue-9-dockerfile-split 2026-03-02 21:06:53 +01:00
Reference: sneak/simplelog#14