Skip to content

build: multi-stage scratch Docker image + Go 1.26 + ci-templates migration#189

Open
michaelbeutler wants to merge 2 commits into
mainfrom
build/scratch-docker-ci-templates
Open

build: multi-stage scratch Docker image + Go 1.26 + ci-templates migration#189
michaelbeutler wants to merge 2 commits into
mainfrom
build/scratch-docker-ci-templates

Conversation

@michaelbeutler
Copy link
Copy Markdown
Contributor

@michaelbeutler michaelbeutler commented May 26, 2026

Summary

Reworks the Docker image, bumps Go to 1.26, introduces the ENTRYPOINT pattern, and migrates CI to the shared truvami/ci-templates@v1 reusable workflows — the same shape as truvami/gateway#96, adapted for this pure-Go CLI.

Docker image rework

The old build/buildx.Dockerfile + build/buildx-alpine.Dockerfile pair only copied a prebuilt binary into a full golang:1.23 (~800 MB) base. Replaced with a single root Dockerfile:

  • Multi-stage → scratch: an alpine stage sources only CA certs, tzdata and a non-root passwd/group entry (uid/gid 65532); the final image is FROM scratch.
  • ENTRYPOINT ["/usr/bin/decoder"] (was CMD), non-root, EXPOSE 8080 (HTTP API + /metrics). Absolute path because scratch has no PATH.
  • Multi-arch (linux/amd64 + linux/arm64): unlike gateway (cgo/musl → amd64-only), decoder is pure CGO_ENABLED=0, so the static binary runs on scratch and a single multi-arch manifest is trivial.
  • Binary is supplied by GoReleaser per-platform: COPY $TARGETPLATFORM/decoder.

Verified locally: the built scratch image runs (docker run … --version → exit 0) at 19.9 MB.

GoReleaser

  • dockers:dockers_v2: (ghcr.io/truvami/decoder, single multi-arch manifest).
  • Moving tags (latest/{major}/{major.minor}) gated to stable releases — an RC can never move them; {{ .Tag }}/{{ .Version }} always apply.
  • docker_digest: — digests file for published images.
  • docker_signs: — keyless cosign (OIDC) signing.
  • sboms: — SBOM for the binary; dockers_v2.sbom: "true" for the image.
  • Modernized the deprecated archives.formatformats, added -trimpath.

CI migration (truvami/ci-templates@v1)

File Change Backed by
ci.yml Rewritten quality-gates.yml + go-ci.yml (Go 1.26, runs check-json-tags/check-metrics in lint)
release.yml Rewritten go-release.yml (auto-detects RC vs stable; installs cosign + syft; QEMU for the multi-arch image)
release-candidate.yml Deleted folded into release.yml
codecov.yml Deleted Codecov upload dropped (go-ci uploads coverage as an artifact)

Notes:

  • go-ci.yml already runs check-json-tags + check-metrics automatically, so no extra-make-targets needed.
  • goreleaser-snapshot: false (matches gateway): the snapshot job isn't provisioned with the syft/cosign the dockers_v2 SBOM + keyless signing need — the Release workflow is. PR correctness is covered by lint + test.
  • private-modules: false (public repo); no AWS secrets needed (the AWS solver test t.Skips and the example test recovers/skips).

Go 1.26

go.mod bumped to 1.26.0; go mod tidy only changed the directive. govulncheck's only called vulnerabilities are Go stdlib, fixed by the 1.26.x toolchain — so no dependency bumps were required (unlike gateway#96).

⚠️ Branch protection & tag changes

  • Required-status-check names change: update repo settings to Quality gates / …, Go CI / Lint, Go CI / Test (Go 1.26.x).
  • Dropped image tags: :alpine, :latest-alpine, *-arm64 suffix tags, the golang-base variants. latest / {tag} / {version} / {major} / {major.minor} remain (arm64 now via the multi-arch manifest, not a -arm64 tag).

Validation done locally

  • goreleaser check ✅ and goreleaser release --snapshot builds both arches ✅
  • go build ./... ✅, go test ./... ✅ on Go 1.26
  • gofmt, go vet, make check-json-tags, make check-metrics, yamllint
  • go mod tidy → only the go 1.26.0 directive changes
  • detect-secrets baseline regenerated with the exact quality-gates command (before == after)

Test plan

  • CI green (Quality gates + Go CI)
  • Tag a vX.Y.Z-rcN → pre-release image to GHCR, signed, with digests/SBOM
  • Tag a vX.Y.Z → stable release (moving tags applied)
  • cosign verify the pushed image
  • Update branch-protection required checks

@michaelbeutler
build: rework docker image to multi-stage scratch via goreleaser dock…
30bb2a9 
…ers_v2

- Replace the prebuilt-binary build/buildx*.Dockerfile pair with a single root
  Dockerfile: an Alpine stage sources CA certs/tzdata/passwd, the final image is
  FROM scratch with the binary as ENTRYPOINT (non-root, EXPOSE 8080).
- Migrate .goreleaser.yaml from dockers: to dockers_v2: (single multi-arch
  amd64+arm64 manifest), gate moving tags (latest/major/minor) to stable
  releases, add docker_digest, keyless docker_signs (cosign) and binary SBOMs.
- Modernize deprecated archives.format -> formats and add -trimpath.
- Bump the go directive to 1.26.0 (CGO_ENABLED=0, fully static, runs on scratch).
- Update README docker examples for the ENTRYPOINT image.
@michaelbeutler
ci: migrate workflows to truvami/ci-templates@v1
8fe5268 
- ci.yml -> quality-gates.yml + go-ci.yml (Go 1.26, runs check-json-tags/
  check-metrics in lint; goreleaser-snapshot off since syft/cosign live in the
  release workflow, matching truvami/gateway#96).
- release.yml -> go-release.yml (single workflow auto-detecting RC vs stable,
  installs cosign + syft, sets up QEMU for the multi-arch image).
- Delete release-candidate.yml (folded into release.yml) and codecov.yml
  (Codecov upload dropped; go-ci uploads coverage as an artifact).
- Regenerate .secrets.baseline: record the benign 'secrets: inherit' keyword
  matches in the new workflows plus the build-artifact exclude pattern, so the
  quality-gates detect-secrets rescan matches the committed baseline.
Copilot AI review requested due to automatic review settings May 26, 2026 21:42
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 26, 2026

Warning

Review limit reached

@michaelbeutler, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 4 minutes and 8 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7a2995fb-c473-4c43-afca-5ba1206bf847

📥 Commits

Reviewing files that changed from the base of the PR and between 73522cb and 8fe5268.

📒 Files selected for processing (11)
  • .github/workflows/ci.yml
  • .github/workflows/release-candidate.yml
  • .github/workflows/release.yml
  • .goreleaser.yaml
  • .secrets.baseline
  • Dockerfile
  • README.md
  • build/buildx-alpine.Dockerfile
  • build/buildx.Dockerfile
  • codecov.yml
  • go.mod
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch build/scratch-docker-ci-templates

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR modernizes the project’s build/release pipeline by switching to a minimal multi-stage scratch Docker image, bumping the Go toolchain to 1.26, and migrating CI/release automation to truvami/ci-templates@v1 reusable workflows. It also updates GoReleaser to publish a single multi-arch image (with signing/SBOM/digests support).

Changes:

  • Replace prior buildx Dockerfiles with a root multi-stage scratch Dockerfile using an ENTRYPOINT and non-root user.
  • Update GoReleaser config to dockers_v2 multi-arch publishing plus signing/SBOM/digests outputs.
  • Migrate GitHub Actions workflows to truvami/ci-templates@v1 and bump Go to 1.26.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
README.md Updates Docker usage examples to reflect ENTRYPOINT behavior.
go.mod Bumps the module Go version directive to 1.26.0.
Dockerfile Introduces a multi-stage scratch runtime image with CA certs/tzdata and non-root user.
.goreleaser.yaml Migrates to dockers_v2 and adds image signing/SBOM/digest generation configuration.
.github/workflows/ci.yml Replaces bespoke CI with quality-gates.yml + go-ci.yml reusable workflows.
.github/workflows/release.yml Replaces bespoke release logic with go-release.yml reusable workflow.
.github/workflows/release-candidate.yml Deletes RC-specific workflow (folded into unified release workflow).
build/buildx.Dockerfile Deletes legacy Docker build file.
build/buildx-alpine.Dockerfile Deletes legacy Alpine Docker build file.
codecov.yml Removes Codecov configuration (coverage upload dropped).
.secrets.baseline Regenerates detect-secrets baseline and adds exclude regex for reproducibility.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Dockerfile
Comment on lines +31 to +35
# Files a networked, time-aware, non-root CLI needs (scratch ships none):
# - CA certificates: outbound TLS (AWS IoT Wireless, LoRa Cloud, self-update, ...)
# - tzdata: timezone-aware time handling
# - passwd/group: so USER nonroot resolves to a real uid/gid
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
Comment thread Dockerfile
ARG TARGETPLATFORM
COPY ${TARGETPLATFORM}/decoder /usr/bin/decoder

USER nonroot:nonroot
Comment thread README.md

# Run the Docker container
docker run -it ghcr.io/truvami/decoder decoder --help
# Run the Docker container (the image ENTRYPOINT is `decoder`)
Comment thread .goreleaser.yaml

# Write a digests file with the digests of all published images/manifests.
# https://goreleaser.com/customization/package/docker_digests/
docker_digest:
Comment thread .github/workflows/release.yml
# cosign + syft (for dockers_v2 signing/SBOM) and publishes to GHCR.
uses: truvami/ci-templates/.github/workflows/go-release.yml@v1
with:
go-version: '1.26'
Comment thread .github/workflows/ci.yml
Comment on lines +23 to +34
go-ci:
name: Go CI
uses: truvami/ci-templates/.github/workflows/go-ci.yml@v1
with:
# No `make generate` target / no go:generate directives in this repo.
code-generation: false
# Off (matches truvami/gateway#96): the snapshot job isn't provisioned with
# the syft/cosign that the dockers_v2 SBOM + keyless signing config needs —
# the Release workflow (go-release.yml) is. PR correctness is covered by
# lint + test, and `make check-json-tags` / `make check-metrics` run in lint.
goreleaser-snapshot: false
secrets: inherit
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@michaelbeutler