From a5b4c2af0da37f81e23eaaa2fd1f2d62a038abbf Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@noreply.git.eeqj.de>
Date: Mon, 2 Mar 2026 00:03:04 -0800
Subject: [PATCH] feat: split Dockerfile into dedicated lint stage

Pin all images by sha256 digest and restructure for the standard
split-stage pattern.

- Lint stage: golangci/golangci-lint:v1.64.8 pinned by sha256
- Test stage: golang:1.22 pinned by sha256, depends on lint via COPY
- Final stage: golang:1.22 pinned by sha256
- COPY --from=lint forces BuildKit to execute the lint stage
---
 Dockerfile | 46 +++++++++++++++++-----------------------------
 1 file changed, 17 insertions(+), 29 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d67989a..9d74310 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,39 +1,27 @@
-# First stage: Use the golangci-lint image to run the linter
-FROM golangci/golangci-lint:latest as lint
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Lint stage — fast feedback on formatting and lint issues
+# golangci/golangci-lint:v1.64.8
+FROM golangci/golangci-lint@sha256:2987913e27f4eca9c8a39129d2c7bc1e74fbcf77f181e01cea607be437aa5cb8 AS lint
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
-
-# Run golangci-lint
 RUN golangci-lint run
-
 RUN sh -c 'test -z "$(gofmt -l .)"'
 
-# Second stage: Use the official Golang image to run tests
-FROM golang:1.22 as test
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Test stage — run tests
+# golang:1.22
+FROM golang@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02 AS test
+WORKDIR /src
+# Force BuildKit to run the lint stage by creating a stage dependency
+COPY --from=lint /src/go.sum /dev/null
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
-
-# Run tests
 RUN go test -v ./...
 
 # Final stage: Combine the linting and testing stages
-FROM golang:1.22 as final
-
-# Ensure that the linting stage succeeded
+# golang:1.22
+FROM golang@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02 AS final
 WORKDIR /app
-COPY --from=lint /app .
-COPY --from=test /app .
-
-# Set the final CMD to something minimal since we only needed to verify lint and tests during build
+COPY --from=test /src/go.mod ./
 CMD ["echo", "Build and tests passed successfully!"]
-
-- 
2.49.1