refactor: use pinned golangci-lint Docker image for linting (#55)

Closes [issue #50](#50) ## Summary Refactors the Dockerfile to use a separate lint stage with a pinned golangci-lint Docker image, following the pattern used by [sneak/pixa](https://git.eeqj.de/sneak/pixa). This replaces the previous approach of installing golangci-lint via curl in the builder stage. ## Changes ### Dockerfile - **New `lint` stage** using `golangci/golangci-lint:v2.11.3` (Debian-based, pinned by sha256 digest) as a separate build stage - **Builder stage** depends on lint via `COPY --from=lint /src/go.sum /dev/null` — build won't proceed unless linting passes - **Go bumped** from 1.24 to 1.26.1 (`golang:1.26.1-bookworm`, pinned by sha256) - **golangci-lint bumped** from v1.64.8 to v2.11.3 - All three Docker images (golangci-lint, golang, alpine) pinned by sha256 digest - Debian-based golangci-lint image used (not Alpine) because mattn/go-sqlite3 CGO does not compile on musl (off64_t) ### Linter Config (.golangci.yml) - Migrated from v1 to v2 format (`version: "2"` added) - Removed linters no longer available in v2: `gofmt` (handled by `make fmt-check`), `gosimple` (merged into `staticcheck`), `typecheck` (always-on in v2) - Same set of linters enabled — no rules weakened ### Code Fixes (all lint issues from v2 upgrade) - Added package comments to all packages - Added doc comments to all exported types, functions, and methods - Fixed unchecked errors flagged by `errcheck` (sqlDB.Close, os.Setenv in tests, resp.Body.Close, fmt.Fprint) - Fixed unused parameters flagged by `revive` (renamed to `_`) - Fixed `gosec` G120 warnings: added `http.MaxBytesReader` before `r.ParseForm()` calls - Fixed `staticcheck` QF1012: replaced `WriteString(fmt.Sprintf(...))` with `fmt.Fprintf` - Fixed `staticcheck` QF1003: converted if/else chain to tagged switch - Renamed `DeliveryTask` → `Task` to avoid package stutter (`delivery.Task` instead of `delivery.DeliveryTask`) - Renamed shadowed builtin `max` parameter to `upperBound` in `cryptoRandInt` - Used `t.Setenv` instead of `os.Setenv` in tests (auto-restores) ### README.md - Updated version requirements: Go 1.26+, golangci-lint v2.11+ - Updated Dockerfile description in project structure ## Verification `docker build .` passes cleanly — formatting check, linting, all tests, and build all succeed. Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #55 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-25 02:16:38 +01:00
parent d771fe14df
commit afe88c601a
59 changed files with 7792 additions and 4282 deletions
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@@ -1,90 +1,147 @@
-package middleware
+package middleware_test

 import (
+	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"

 	"github.com/stretchr/testify/assert"
 	"sneak.berlin/go/webhooker/internal/config"
+	"sneak.berlin/go/webhooker/internal/middleware"
 )

 func TestLoginRateLimit_AllowsGET(t *testing.T) {
 	t.Parallel()
+
 	m, _ := testMiddleware(t, config.EnvironmentDev)

 	var callCount int
-	handler := m.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		callCount++
-		w.WriteHeader(http.StatusOK)
-	}))
+
+	handler := m.LoginRateLimit()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			callCount++
+
+			w.WriteHeader(http.StatusOK)
+		},
+	))

 	// GET requests should never be rate-limited
-	for i := 0; i < 20; i++ {
-		req := httptest.NewRequest(http.MethodGet, "/pages/login", nil)
+	for i := range 20 {
+		req := httptest.NewRequestWithContext(
+			context.Background(),
+			http.MethodGet, "/pages/login", nil,
+		)
 		req.RemoteAddr = "192.168.1.1:12345"
+
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
-		assert.Equal(t, http.StatusOK, w.Code, "GET request %d should pass", i)
+
+		assert.Equal(
+			t, http.StatusOK, w.Code,
+			"GET request %d should pass", i,
+		)
 	}
+
 	assert.Equal(t, 20, callCount)
 }

 func TestLoginRateLimit_LimitsPOST(t *testing.T) {
 	t.Parallel()
+
 	m, _ := testMiddleware(t, config.EnvironmentDev)

 	var callCount int
-	handler := m.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		callCount++
-		w.WriteHeader(http.StatusOK)
-	}))
+
+	handler := m.LoginRateLimit()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			callCount++
+
+			w.WriteHeader(http.StatusOK)
+		},
+	))

 	// First loginRateLimit POST requests should succeed
-	for i := 0; i < loginRateLimit; i++ {
-		req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	for i := range middleware.LoginRateLimitConst {
+		req := httptest.NewRequestWithContext(
+			context.Background(),
+			http.MethodPost, "/pages/login", nil,
+		)
 		req.RemoteAddr = "10.0.0.1:12345"
+
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
-		assert.Equal(t, http.StatusOK, w.Code, "POST request %d should pass", i)
+
+		assert.Equal(
+			t, http.StatusOK, w.Code,
+			"POST request %d should pass", i,
+		)
 	}

 	// Next POST should be rate-limited
-	req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost, "/pages/login", nil,
+	)
 	req.RemoteAddr = "10.0.0.1:12345"
+
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
-	assert.Equal(t, http.StatusTooManyRequests, w.Code, "POST after limit should be 429")
-	assert.Equal(t, loginRateLimit, callCount)
+
+	assert.Equal(
+		t, http.StatusTooManyRequests, w.Code,
+		"POST after limit should be 429",
+	)
+	assert.Equal(t, middleware.LoginRateLimitConst, callCount)
 }

 func TestLoginRateLimit_IndependentPerIP(t *testing.T) {
 	t.Parallel()
+
 	m, _ := testMiddleware(t, config.EnvironmentDev)

-	handler := m.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
+	handler := m.LoginRateLimit()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		},
+	))

 	// Exhaust limit for IP1
-	for i := 0; i < loginRateLimit; i++ {
-		req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	for range middleware.LoginRateLimitConst {
+		req := httptest.NewRequestWithContext(
+			context.Background(),
+			http.MethodPost, "/pages/login", nil,
+		)
 		req.RemoteAddr = "1.2.3.4:12345"
+
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
 	}

 	// IP1 should be rate-limited
-	req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost, "/pages/login", nil,
+	)
 	req.RemoteAddr = "1.2.3.4:12345"
+
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
+
 	assert.Equal(t, http.StatusTooManyRequests, w.Code)

 	// IP2 should still be allowed
-	req2 := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	req2 := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost, "/pages/login", nil,
+	)
 	req2.RemoteAddr = "5.6.7.8:12345"
+
 	w2 := httptest.NewRecorder()
 	handler.ServeHTTP(w2, req2)
-	assert.Equal(t, http.StatusOK, w2.Code, "different IP should not be affected")
+
+	assert.Equal(
+		t, http.StatusOK, w2.Code,
+		"different IP should not be affected",
+	)
 }