## Summary
Splits the Dockerfile into separate lint and build stages to provide faster CI feedback on formatting and lint issues.
### Changes
**Dockerfile:**
- **Lint stage** (`golangci/golangci-lint:v2.10.1`, pinned by sha256): Runs `make fmt-check` and `make lint` using the official golangci-lint image which has the linter pre-installed. No more downloading golangci-lint on every build.
- **Build stage** (`golang:1.25-alpine`, pinned by sha256): Runs `make test` and `make build`. Same alpine image as before.
- **Runtime stage**: Unchanged.
**Makefile:**
- Added `fmt-check` target for standalone gofmt checking.
- Refactored `check` target to use `fmt-check`, `lint`, `test` as dependencies instead of inline commands. Still works identically for local use.
### Benefits
- Lint failures surface immediately without waiting for golangci-lint download
- Uses official pre-built golangci-lint image instead of manual binary download
- Cleaner separation of concerns between lint and build stages
- `make check` still runs everything sequentially for local development
closes #151
Co-authored-by: clawbot <clawbot@eeqj.de>
Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #152
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
go install fails in alpine Docker builder because the linker (ld) is not
available. Download the official pre-built binary with SHA256 verification
instead. Supports both amd64 and arm64 architectures.
Fixes#126
Docker does not support inline comments on FROM lines. Move the
human-readable image tag comments to their own line above each FROM.
Fixes broken docker build on PR #126 and main.
- Pin Docker base images to sha256 digests (golang, alpine)
- Pin go install commands to commit SHAs (not version tags)
- golangci-lint: 5d1e709b7be35cb2025444e19de266b056b7b7ee (v2.10.1)
- goimports: 009367f5c17a8d4c45a961a3a509277190a9a6f0 (v0.42.0)
- CI workflow was already correctly pinned to commit SHAs
All references now use cryptographic identity, eliminating RCE risk
from mutable tags.
- Generate random 32-byte session secret if not set via env var
- Persist to $UPAAS_DATA_DIR/session.key for container restarts
- Load existing secret from file on subsequent startups
- Change container data directory to /var/lib/upaas
