From e76b1cbcb520a56529f60e9f1e00675c3192dd47 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Mon, 2 Mar 2026 02:13:08 -0800
Subject: [PATCH 1/2] fix: split Dockerfile with pinned images and add CI workflow

- Pin golangci-lint to v1.64.8 by sha256 digest
- Pin golang to 1.22.12 by sha256 digest
- Lint stage runs make fmt-check + make lint
- Test stage runs make test with dependency on lint stage
- Remove redundant final stage (library has no binary)
- Add fmt-check, check, hooks targets to Makefile
- Add .gitea/workflows/check.yml for CI

closes https://git.eeqj.de/sneak/simplelog/issues/9
---
 .gitea/workflows/check.yml | 13 ++++++++++
 Dockerfile | 53 ++++++++++++--------------------------
 Makefile | 17 +++++++++---
 3 files changed, 44 insertions(+), 39 deletions(-)
 create mode 100644 .gitea/workflows/check.yml

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
new file mode 100644
index 0000000..ec317c3
--- /dev/null
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,13 @@
+name: check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: docker build .
diff --git a/Dockerfile b/Dockerfile
index d67989a..8d4123b 100644
--- a/Dockerfile
+++ b/Dockerfile
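Review bot: The `- run: docker build .` step relies on the default progress output, which in a non-TTY CI log folds each BuildKit step into a truncated tail, so a failing `make lint` or `make test` inside the build leaves little in the job log. The Makefile in this series already defines `docker: docker build --progress plain .`, so `- run: docker build --progress plain .` (or `make docker`, if make is present on the runner) keeps the invocation consistent and the output complete. The workflow also has no `permissions:` block, so the job token gets the runner's default scope; a top-level `permissions: { contents: read }` is the least-privilege setting for a build-only job, provided this Gitea version honours the key.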
@@ -1,39 +1,20 @@
-# First stage: Use the golangci-lint image to run the linter
-FROM golangci/golangci-lint:latest as lint
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Lint stage: format check + golangci-lint
+# golangci-lint v1.64.8 (2025-02-18)
+FROM golangci/golangci-lint@sha256:2987913e27f4eca9c8a39129d2c7bc1e74fbcf77f181e01cea607be437aa5cb8 AS lint
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
+RUN make fmt-check
+RUN make lint
 
-# Run golangci-lint
-RUN golangci-lint run
-
-RUN sh -c 'test -z "$(gofmt -l .)"'
-
-# Second stage: Use the official Golang image to run tests
-FROM golang:1.22 as test
-
-# Set the Current Working Directory inside the container
-WORKDIR /app
-
-# Copy the go.mod file and the rest of the application code
-COPY go.mod ./
+# Test stage: run full test suite
+# golang 1.22.12 (2025-02-04)
+FROM golang@sha256:1cf6c45ba39db9fd6db16922041d074a63c935556a05c5ccb62d181034df7f02 AS test
+# Depend on lint stage so both stages always run
+COPY --from=lint /src/go.sum /dev/null
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
-
-# Run tests
-RUN go test -v ./...
-
-# Final stage: Combine the linting and testing stages
-FROM golang:1.22 as final
-
-# Ensure that the linting stage succeeded
-WORKDIR /app
-COPY --from=lint /app .
-COPY --from=test /app .
-
-# Set the final CMD to something minimal since we only needed to verify lint and tests during build
-CMD ["echo", "Build and tests passed successfully!"]
-
+RUN make test
diff --git a/Makefile b/Makefile
index 6ef9919..951120e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
-.PHONY: test
+.PHONY: test fmt fmt-check lint check docker hooks
 
-default: test
+default: check
 
 test:
 	@go test -v ./...
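Review bot: `COPY --from=lint /src/go.sum /dev/null` in the test stage is used as an ordering edge, but the destination is a path inside the image filesystem, not the host device node: the base layer most likely has no device there, so this creates a regular file named `/dev/null` in the test stage's layer (masked at container runtime, but a surprising artifact that image scanners may flag). A throwaway path states the intent without the side effect: `COPY --from=lint /src/go.sum /tmp/lint-passed`. Separately, both `FROM` lines pin by bare digest; the `image:tag@sha256:…` form (for example `FROM golangci/golangci-lint:v1.64.8@sha256:<same digest> AS lint`) keeps identical reproducibility while leaving the version machine-readable for digest-update tooling, so the version comment above each `FROM` cannot silently drift from the digest it describes.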
@@ -9,9 +9,20 @@ fmt:
 	goimports -l -w .
 	golangci-lint run --fix
 
+fmt-check:
+	@test -z "$$(gofmt -l .)" || { echo "gofmt would reformat:"; gofmt -l .; exit 1; }
+
 lint:
 	golangci-lint run
-	sh -c 'test -z "$$(gofmt -l .)"'
+
+check: fmt-check lint test
 
 docker:
 	docker build --progress plain .
+
+hooks:
+	@echo "Installing git hooks..."
+	@mkdir -p .git/hooks
+	@printf '#!/bin/sh\nmake check\n' > .git/hooks/pre-commit
+	@chmod +x .git/hooks/pre-commit
+	@echo "Pre-commit hook installed."
--
2.49.1

From 4ccd3b6bb1fffec5aef5eb8442de83926100c050 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Mon, 2 Mar 2026 12:05:39 -0800
Subject: [PATCH 2/2] ci: pin checkout action by SHA, run on all branches

- Pin actions/checkout to full SHA (v4.2.2) to prevent mutable tag RCE
- Remove branch filter so CI runs on push to every branch, not just main
---
 .gitea/workflows/check.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
index ec317c3..eafafa8 100644
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -2,12 +2,11 @@ name: check
 
 on:
   push:
-    branches: [main]
   pull_request:
 
 jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: docker build .
--
2.49.1
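Review bot: The new `hooks` target hard-codes `.git/hooks`, which is wrong whenever `.git` is a file (a `git worktree` checkout or a submodule) or `core.hooksPath` is set: `mkdir -p .git/hooks` then either fails or writes a hook into a directory git never consults. `git rev-parse --git-path hooks` returns the directory git will actually use in all of those cases. The target also overwrites an existing `pre-commit` hook without asking; a guard before the `printf` such as `test ! -e "$$hooks_dir/pre-commit" || { echo "pre-commit hook already exists, not overwriting"; exit 1; }` avoids clobbering a developer's own hook. The rewrite below keeps the target name and messages and chains the steps in one shell so the resolved path is shared.
```makefile
hooks:
	@echo "Installing git hooks..."
	@hooks_dir="$$(git rev-parse --git-path hooks)" \
	  && mkdir -p "$$hooks_dir" \
	  && { test ! -e "$$hooks_dir/pre-commit" || { echo "pre-commit hook already exists, not overwriting"; exit 1; }; } \
	  && printf '#!/bin/sh\nmake check\n' > "$$hooks_dir/pre-commit" \
	  && chmod +x "$$hooks_dir/pre-commit"
	# … unchanged: final "Pre-commit hook installed." echo …
```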
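Review bot: With `branches: [main]` removed, `push:` and `pull_request:` both fire for a pull request opened from a branch in this repository, so each push to such a branch runs `docker build .` twice. If that is intended (push for every in-repo branch, pull_request for forks), a comment above `on:` such as `# push: every in-repo branch; pull_request: forks` records the choice; otherwise one of the two triggers can go. `runs-on: ubuntu-latest` is itself a floating label; how it resolves is a property of the act_runner configuration and not visible here, so it is worth confirming it maps to a runner image the team controls rather than an auto-updating one.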