chore: Modernize CI pipeline, update dependencies, and fortify build process#62
Open
dmirtillo wants to merge 27 commits intogorcon:masterfrom
Open
chore: Modernize CI pipeline, update dependencies, and fortify build process#62dmirtillo wants to merge 27 commits intogorcon:masterfrom
dmirtillo wants to merge 27 commits intogorcon:masterfrom
Conversation
This commit introduces automated dependency updates via Dependabot and adds validation steps to the Docker build workflow to prevent broken or vulnerable images from being pushed. Changes include: - Add Dependabot configuration for Go modules, GitHub Actions, and Docker. - Update Docker base image to Go 1.21 to align with go.mod. - Add Dockerfile linting (hadolint) to CI. - Add a runtime smoke test (`docker run --help`) to CI. - Add vulnerability scanning (Trivy) to CI. - Add OpenSpec specifications and configurations.
This commit updates the CI pipeline and local build scripts to use GitHub Container Registry (ghcr.io) instead of Docker Hub. Key changes: - Update build.yml to authenticate via GITHUB_TOKEN for GHCR. - Add packages: write permissions to the Docker release job. - Update image tags to ghcr.io/dmirtillo/rcon-cli in workflow and Makefile. - Update Docker CI validation specifications to include GHCR scenario. - Archive the switch-to-ghcr change artifacts.
This commit aligns local Make targets with the GitHub Actions pipeline and modernizes the Go runtime to 1.26. Key changes: - Bump Go version to 1.26 across go.mod, Dockerfile, and GitHub Actions. - Add local Makefile targets (deps, test, build) matching CI steps. - Upgrade golangci-lint to v2.10.1 locally and in GitHub Actions (v9). - Clean up deprecated linters and fix resulting errcheck warnings. - Update upstream Go dependencies. - Add CONTRIBUTING.md to document the standardized build and CI process. - Archive build-alignment OpenSpec change.
This commit splits the monolithic 'build' job in GitHub Actions into standalone 'lint', 'test', and 'build' jobs that run in parallel. It also ensures that the 'docker-release' job only executes after all upstream Go CI jobs have passed. Key changes: - Split monolithic 'build' job into 'lint', 'test', and 'build' in build.yml. - Enable parallel execution for independent CI tasks. - Add 'needs: [lint, test, build]' to the 'docker-release' job. - Update Docker CI validation specifications to reflect the new dependency. - Archive the 'refactor-ci-pipeline' OpenSpec change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Hello! 👋
I've been using
rcon-cliand noticed a few areas in the build, distribution, and CI/CD pipeline that could be modernized to improve developer experience, increase build speed, and fortify the security of the released Docker images.This PR bundles those improvements into a cohesive update that aligns local development with a robust, automated CI pipeline, culminating in a fully automated, multi-platform release process powered by GoReleaser.
🛠 What changed
1. Automated Release Pipeline (GoReleaser)
scripts/local/compile.shbash script with an industry-standard.goreleaser.yamlconfiguration.amd64,386, andarm64), generatingtar.gz/ziparchives, and computing SHA256 checksums whenever a newv*git tag is pushed.2. Fortified Multi-Arch Docker Pipeline & GHCR Migration
ghcr.io).dockers_v2(usingdocker buildxandQEMU) to natively build and publish multi-arch Docker images (linux/amd64andlinux/arm64).hadolintto statically analyze the Dockerfile.load: true).docker run /rcon --help) to ensure the binary boots correctly in the Alpine runner.trivysecurity scan to check forCRITICALorHIGHvulnerabilities.3.23and addedapk upgradeduring the build to automatically patch critical OS-level vulnerabilities (e.g., CVE-2026-22184 inzlib).3. CI Pipeline Refactoring (GitHub Actions)
buildjob inbuild.ymlinto distinct, granular jobs (lint,test, andbuild). This allows linting and testing to run concurrently, speeding up the feedback loop.releasejob now explicitlyneeds: [lint, test, build, docker-ci]. Previously, it ran independently, meaning a broken commit could theoretically still trigger a published Docker image.deps,test,build, andlinttargets to theMakefileso developers can run the exact same checks locally that run in CI. Added aCONTRIBUTING.mdguide to document this workflow.4. Go Toolchain & Dependency Modernization
1.26acrossgo.modand.github/workflows/build.yml.golangci-lintv2.10.1 and configured the GitHub Action (golangci-lint-action@v9) to useinstall-mode: go-installto ensure strict compatibility with Go 1.26. Cleaned up deprecated linter rules and fixed discovered issues..github/dependabot.ymlconfiguration to automatically track and update Go modules, GitHub Actions, and Docker base images weekly.🧪 How it was tested
make test.golangci-lintpasses cleanly without warnings viamake lint.v0.11.0). It correctly ran jobs in parallel, validated the Docker image, published the multi-arch images to GHCR, and created the GitHub Release with the cross-compiled binaries.Let me know if you'd like any adjustments to the approach or if you'd prefer me to split any of these changes into separate PRs. Thank you for the great project!