The lint stage only needs golangci-lint (built into base image) and
gofmt for fmt-check. Neither make fmt-check nor make lint uses the
goimports binary directly. Removing it makes the lint stage faster,
which is the whole point of the multi-stage split.
goimports is only used by 'make fmt' which is a local developer
tool, not run during Docker builds.
- Add dedicated lint stage using golangci/golangci-lint:v2.10.1 image
(pinned by sha256 digest) for fast formatting and lint checks
- Keep build stage with golang:1.25-alpine for tests and compilation
- Remove manual golangci-lint download/install from builder stage
- Add fmt-check Makefile target for standalone format checking
- Refactor check target to use fmt-check, lint, test dependencies
The lint stage uses the official golangci-lint image which has the
linter pre-installed, eliminating the need to download it on every
build. Lint failures now surface immediately without waiting for
the download step.
closes #151
go install fails in alpine Docker builder because the linker (ld) is not
available. Download the official pre-built binary with SHA256 verification
instead. Supports both amd64 and arm64 architectures.
Fixes #126
Docker does not support inline comments on FROM lines. Move the
human-readable image tag comments to their own line above each FROM.
Fixes broken docker build on PR #126 and main.
- Pin Docker base images to sha256 digests (golang, alpine)
- Pin go install commands to commit SHAs (not version tags)
- golangci-lint: 5d1e709b7be35cb2025444e19de266b056b7b7ee (v2.10.1)
- goimports: 009367f5c17a8d4c45a961a3a509277190a9a6f0 (v0.42.0)
- CI workflow was already correctly pinned to commit SHAs
All references now use cryptographic identity, eliminating RCE risk
from mutable tags.
- Generate random 32-byte session secret if not set via env var
- Persist to $UPAAS_DATA_DIR/session.key for container restarts
- Load existing secret from file on subsequent startups
- Change container data directory to /var/lib/upaas
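
The session-secret handling described in the last commit message, sketched in Go as an added example (not the project's own code). The `SESSION_SECRET` variable name, the hex encoding and the 0600 file mode are assumptions, and the data directory is assumed to exist.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// LoadOrCreateSessionSecret: env value wins, then dataDir/session.key, else generate and persist.
func LoadOrCreateSessionSecret(envValue, dataDir string) (string, error) {
	if envValue != "" {
		return envValue, nil
	}
	path := filepath.Join(dataDir, "session.key")
	data, err := os.ReadFile(path)
	if err == nil { // later startups: reuse the persisted key, rejecting a truncated or edited file
		if raw, decErr := hex.DecodeString(string(data)); decErr != nil || len(raw) != 32 {
			return "", fmt.Errorf("%s: malformed session key", path)
		}
		return string(data), nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return "", err // e.g. permission denied: fail rather than silently rotate the key
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	// Assumption: hex encoding and mode 0600. O_EXCL refuses to overwrite a key created concurrently.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	secret := hex.EncodeToString(buf)
	if _, err := f.WriteString(secret); err != nil {
		return "", err
	}
	return secret, nil
}

func main() {
	// SESSION_SECRET is a hypothetical variable name; the data directory must already exist.
	s, err := LoadOrCreateSessionSecret(os.Getenv("SESSION_SECRET"), os.Getenv("UPAAS_DATA_DIR"))
	fmt.Println("secret length:", len(s), "error:", err)
}
```

Failing on an unreadable or malformed key file, rather than generating a fresh one, keeps a permissions mistake from silently invalidating every existing session.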