audit: idempotency, hardening, and consistency improvements

[atngit2]

Summary

This PR applies the findings from a thorough audit of the repository's workflow, Dockerfile, and README. All changes are non-breaking and backward-compatible — no logic was altered, only hardened or clarified.

---

Changes

.github/workflows/build-caddy.yml

• Step 3 — GHCR pre-auth comment expanded: The inline docker login ghcr.io before docker manifest inspect already existed in the repo but lacked a clear explanation. Added a detailed comment documenting why it must happen here (before Step 5's conditional login-action) — prevents a race condition on first runs and when the package is private.
• Step 3 — Fingerprint diff loop hardened: The CHANGE_SUMMARY diff loop now guards against unequal part counts between the new and published fingerprints (e.g., if a new plugin is ever added to the fingerprint schema). Previously, iterating with ${#NEW_PARTS[@]} only would silently skip MISSING entries in the old fingerprint. Now uses MAX_IDX across both arrays and emits a schema-change notice.
• Step 7 — Module name mapping documented: Added a comment block above the smoke test step mapping each module identifier (as emitted by caddy list-modules) to its upstream repo, making future verification unambiguous.
• Step 9 — DockerHub floating-tag rationale expanded: The comment explaining why major/minor tags are omitted from DockerHub now explicitly states that DockerHub tag immutability is an opt-in paid feature (not enabled on atnplex) and documents the user-safety rationale.
• Step 11 — GNU coreutils dependency documented: Added a step-level comment noting that date -d 'next monday' is GNU-only and will break if the runner OS changes from ubuntu-latest. Documents the mitigation path.

docker/caddy/Dockerfile

• Builder stage comment expanded: Replaced the brief IMPORTANT comment with a full explanation of why the ARG default and FROM tag must be kept in sync manually (Docker ARGs declared before the first FROM are not in scope inside build stages, so the FROM tag cannot reference the ARG).
• Docker group GID comment expanded: The getent group docker guard already existed; added a detailed comment explaining the GID-mismatch risk it protects against and directing users to the --group-add workaround in the README.
• Healthcheck rationale documented: Added a comment explaining why caddy environ is used instead of an HTTP probe against the admin API (port 2019), and provides the alternative HTTP probe command for users who prefer it.

README.md

• Tag Strategy table updated: Added a Registry column to make it unambiguous which tags land where. Added the missing 2.11.2 patch-level row. Added a callout block explaining the GHCR-only floating tag policy and directing production users to digest pinning.
• Repository Setup — Step 5 added: Added an explicit checklist item for filling in the GitHub repository About section (description, website URL, topics) since this cannot be automated by the workflow.

---

Manual follow-up required

• Set the repository About section (cannot be done via workflow or API without admin scope):

  • Description: Hardened multi-arch custom Caddy image with docker-proxy, Cloudflare DNS/IP, cache-handler, transform-encoder, and caddy-security modules
  • Website: https://hub.docker.com/r/atnplex/caddy
  • Topics: caddy, docker, reverse-proxy, cloudflare, homelab, xcaddy, github-actions

  Do this via the ⚙️ gear icon next to About on the repo homepage.

---

What was reviewed and found to be correct (no changes needed)

• cosign and docker-scout SHA-256 pinning — both binaries are already verified via pinned SHA-256 in COSIGN_SHA256 / SCOUT_SHA256 env vars with sha256sum -c checks in the install step. ✅
• bws CLI SHA-256 pinning — already pinned and verified. ✅
• Renovate automerge scope — .github/renovate.json correctly scopes automerge to patch/minor only; major version bumps require manual review. ✅
• git pull --rebase before push in Step 12 — already present. ✅
• [skip ci] commit tag with concurrency group — the cancel-in-progress: true concurrency group prevents concurrent runs; [skip ci] prevents the metadata commit from re-triggering the workflow. Combination is correct. ✅
• Cleanup Step 14 || true guards — docker stop/rm/rmi all use || true; orphaned containers cannot accumulate across failed runs. ✅
• xcaddy plugin version pinning — ARGs are injected from the workflow fingerprint step via --build-arg and consumed via ${REF:+@${REF}} bash expansion. Fully deterministic when workflow supplies values. ✅

Summary by CodeRabbit

• Documentation

  • Clarified tag distribution: floating major/minor tags on GHCR only; immutable patch/release tags published to both GHCR and DockerHub
  • Added repository setup step for GitHub metadata
  • Updated Dockerfile docs for healthcheck behavior and group handling guidance

• Improvements

  • Strengthened CI image publishing and fingerprint verification for more reliable releases
  • Adjusted Docker group handling to reduce GID conflicts during image builds

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4e55a55f-5d89-40d0-bfef-c4239a68d961

📥 Commits

Reviewing files that changed from the base of the PR and between 860670c and a11b21f.

📒 Files selected for processing (1)

• .github/workflows/build-caddy.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/build-caddy.yml

---

📝 Walkthrough

Walkthrough

Updated GitHub Actions workflow adjusts GHCR authentication timing and improves fingerprint diffing/reporting logic; README refines tag-to-registry mapping and immutability guidance; Dockerfile tweaks user/group creation to check for an existing docker group and updates healthcheck documentation.

Changes

Cohort / File(s)	Summary
Build Workflow \.github/workflows/build-caddy\.yml	Switch HEAD resolution to main for certain repos; pre-authenticate to GHCR before docker manifest inspect; enhance fingerprint diff generation (schema-change detection, MISSING defaults, per-part comparisons); expand smoke-test comments; add GNU coreutils note; remove trailing blank line.
Documentation README\.md	Revise Tag Strategy: map each tag type to registries (GHCR vs DockerHub), mark DockerHub as receiving only immutable tags, document reproducible tags and repository "About" setup step.
Container Configuration docker/caddy/Dockerfile	Clarify CADDY_VERSION synchronization between ARG and builder image reference; change user/group creation to conditionally check/create docker group and add caddy user to it; rewrite healthcheck guidance to prefer caddy environ with optional alternatives.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Runner as GitHub Runner
  participant GHCR as GHCR
  participant DockerHub as DockerHub
  participant Manifest as docker manifest inspect
  Runner->>GHCR: Pre-authenticate (GITHUB_TOKEN) before manifest inspect
  Runner->>Manifest: docker manifest inspect GHCR/DockerHub image
  Manifest-->>Runner: manifest metadata or error
  Runner->>Runner: Compute build fingerprint (HEAD from main, parts with MISSING defaults)
  alt fingerprint mismatch
    Runner->>Runner: Emit schema-change / per-part diffs
  end
  alt should_build == 'true'
    Runner->>DockerHub: Push images/tags (per tag strategy)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 With tokens early and fingerprints neat,
I hop through manifests on nimble feet.
Tags find their homes, immutable and clear,
Docker groups checked — no GID fear.
A tiny carrot of CI cheer! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: audit findings leading to idempotency, hardening, and consistency improvements across workflows, Dockerfile, and documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch audit/idempotency-and-consistency

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the documentation and Dockerfile comments to clarify tag strategies, registry distributions, and build-time configurations. Specifically, it refines the 'Tag Strategy' table in the README to distinguish between GHCR and DockerHub availability and adds instructions for repository metadata. In the Dockerfile, it expands on the reasoning for the health check and group management. Feedback was provided regarding a technical inaccuracy in the Dockerfile comments concerning ARG scoping and a contradiction in the README regarding the 'latest' tag's availability on DockerHub.

[gemini-code-assist]

The comment incorrectly states that the FROM tag cannot reference the ARG directly. In Docker, ARGs declared before the first FROM are specifically designed to be used in FROM instructions, as demonstrated on line 12. The need for manual synchronization is due to the hardcoded SHA digest being tied to a specific version, not a scoping limitation of the tag itself.

# The FROM tag references the ARG below; both must be updated with the SHA.
# Note that ARGs before the first FROM are not in scope inside build stages.

[gemini-code-assist]

This note contradicts the Tag Strategy table, which shows the latest tag being pushed to both GHCR and DockerHub. To maintain consistency, the note should clarify that latest is an exception to the immutability policy on DockerHub.

Suggested change

	> DockerHub receives only immutable tags (patch version, date-stamped, and SHA)
	> to prevent silent overwrites for users who may have pinned these tags in
	> compose files expecting stability.
	> DockerHub receives only immutable tags (patch version, date-stamped, and SHA)
	> and the latest floating tag. Major/minor floating tags (2, 2.11) are
	> excluded from DockerHub to prevent silent overwrites for users.

[Copilot]

Pull request overview

This PR applies audit-driven hardening and consistency updates across the build workflow, Docker image build, and README—primarily by expanding/clarifying rationale comments and documenting tag and module verification behavior.

Changes:

• Hardened the workflow fingerprint comparison and expanded documentation for authentication, tag strategy, and runner assumptions.
• Expanded Dockerfile documentation around version/digest coupling, docker group GID handling, and the healthcheck rationale.
• Updated README tag strategy documentation and added a one-time repo setup checklist item for the GitHub “About” section.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/build-caddy.yml	Improves fingerprint diff robustness and expands rationale comments for GHCR auth, module mapping, tag policy, and GNU date dependency.
docker/caddy/Dockerfile	Adds detailed commentary around version/digest management, docker group GID handling, and healthcheck approach.
README.md	Clarifies tag distribution across registries and adds a repo setup step for populating GitHub “About” metadata.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Stage 1 header comment is internally inconsistent with the Dockerfile behavior: the FROM line does reference ${CADDY_VERSION}, and global ARGs declared before the first FROM are in scope for FROM substitution. If the real constraint is the pinned digest (and/or needing to re-declare ARG after FROM to use it in later instructions), please adjust the wording so it accurately describes Docker’s ARG scoping and why the digest/tag must be updated together.

Suggested change

	# IMPORTANT: The ARG default below AND the tag in the FROM line must
	# always be kept in sync. When upgrading Caddy, update BOTH the ARG
	# default AND the image tag (and its SHA digest) together in one commit.
	# The FROM tag cannot reference the ARG directly because ARGs declared
	# before the first FROM are not in scope inside the build stage.
	# Renovate keeps the SHA digest up to date automatically; the tag and
	# ARG default must be updated manually (or via a Renovate customManager).
	# IMPORTANT: The ARG default below, the tag in the FROM line, and the
	# pinned SHA digest must always describe the same Caddy version. The
	# global ARG CADDY_VERSION is in scope for the FROM instruction and is
	# used in `caddy:${CADDY_VERSION}-builder@sha256:...`.
	# When upgrading Caddy, update ALL of the following together in one commit:
	# 1) the CADDY_VERSION ARG default,
	# 2) the tag portion of the FROM image reference, and
	# 3) the SHA256 digest.
	# Renovate keeps the SHA digest up to date automatically; the tag and ARG
	# default must be updated manually (or via a Renovate customManager).

[Copilot]

The table says the patch-level semver tag (e.g. 2.11.2) is pushed to DockerHub, but the workflow currently only pushes latest, ${version}-${date}, and sha-${short_sha} to DockerHub (no plain ${version} tag). Either add the ${version} DockerHub tag in the workflow, or update this row to reflect the actual published tags.

Suggested change

	| `2.11.2` | GHCR · DockerHub | Patch-level version pin |
	| `2.11.2-2026.03.28` | GHCR · DockerHub | Version + build date for fully reproducible deployments |
	| `sha-abc1234` | GHCR · DockerHub | Git SHA of the Dockerfile at build time |
	> **Note:** Floating major/minor tags (`2`, `2.11`) are only pushed to GHCR.
	> DockerHub receives only immutable tags (patch version, date-stamped, and SHA)
	| `2.11.2` | GHCR only | Patch-level version pin |
	| `2.11.2-2026.03.28` | GHCR · DockerHub | Version + build date for fully reproducible deployments |
	| `sha-abc1234` | GHCR · DockerHub | Git SHA of the Dockerfile at build time |
	> **Note:** Floating major/minor tags (`2`, `2.11`) and patch-level tags (`2.11.2`) are only pushed to GHCR.
	> DockerHub receives only immutable tags (date-stamped and SHA-based)

[Copilot]

This note says DockerHub receives immutable tags including the patch version, but the workflow tag list doesn’t currently publish the plain ${version}/patch tag to DockerHub. Please adjust the note (and/or the workflow) so DockerHub tag policy is described accurately.

Suggested change

	| `2.11.2` | GHCR · DockerHub | Patch-level version pin |
	| `2.11.2-2026.03.28` | GHCR · DockerHub | Version + build date for fully reproducible deployments |
	| `sha-abc1234` | GHCR · DockerHub | Git SHA of the Dockerfile at build time |
	> **Note:** Floating major/minor tags (`2`, `2.11`) are only pushed to GHCR.
	> DockerHub receives only immutable tags (patch version, date-stamped, and SHA)
	| `2.11.2` | GHCR only | Patch-level version pin (GHCR-only; not published to DockerHub) |
	| `2.11.2-2026.03.28` | GHCR · DockerHub | Version + build date for fully reproducible deployments |
	| `sha-abc1234` | GHCR · DockerHub | Git SHA of the Dockerfile at build time |
	> **Note:** Floating major/minor tags (`2`, `2.11`) and patch tags (for example, `2.11.2`)
	> are only pushed to GHCR. DockerHub receives only immutable tags (date-stamped and SHA)

[Copilot]

Comment says the diff will "compare only the parts that are present in both fingerprints", but the implementation compares up to MAX_IDX and uses MISSING for absent entries (i.e., it compares the union and explicitly reports missing parts). Consider updating the comment to match the current behavior to avoid confusion during future audits.

Suggested change

	# Human-readable diff — compare only the parts that are present
	# in both fingerprints; guard against unequal part counts (e.g.,
	# if a new plugin is added to the fingerprint schema).
	# Human-readable diff — compare all indexed parts from both
	# fingerprints (up to MAX_IDX), marking missing entries as
	# MISSING; this guards against unequal part counts (e.g., when
	# the fingerprint schema changes or a new plugin is added).

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/build-caddy.yml (1)

240-241: Inconsistent variable expansion style is minor but worth noting.

Line 240 uses NEW="${NEW_PARTS[$i]:-MISSING}" while line 241 uses OLD="${OLD_PARTS[$i]:-MISSING}". Both are functionally correct, but line 242 then uses "${NEW}" with braces while both could use the same style consistently.

This is purely a style nit and doesn't affect functionality.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-caddy.yml around lines 240 - 241, The code uses
inconsistent variable expansion/quoting styles for NEW and OLD
(NEW="${NEW_PARTS[$i]:-MISSING}" vs OLD="${OLD_PARTS[$i]:-MISSING}" and later
"${NEW}"), so standardize them for readability; update the assignments and
subsequent uses to the same style (e.g., either always use brace form
NEW="${NEW_PARTS[$i]:-MISSING}" and OLD="${OLD_PARTS[$i]:-MISSING}" and refer to
"${NEW}" / "${OLD}", or drop braces consistently) ensuring you reference the
variables NEW, OLD, NEW_PARTS and OLD_PARTS in the same style throughout.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Line 121: Update the README to resolve the inconsistency about the `latest`
tag: change the table row and the explanatory note that currently states
"DockerHub receives only immutable tags" so it explicitly says DockerHub is
intentionally pushed both the mutable `latest` tag (floating) and immutable,
version-pinned tags, while omitting semver-floating tags like `2` and `2.11`;
locate and edit the `latest` table entry and the sentence containing "DockerHub
receives only immutable tags" to state this behavior clearly and mention
`latest`, `2`, and `2.11` by name.

---

Nitpick comments:
In @.github/workflows/build-caddy.yml:
- Around line 240-241: The code uses inconsistent variable expansion/quoting
styles for NEW and OLD (NEW="${NEW_PARTS[$i]:-MISSING}" vs
OLD="${OLD_PARTS[$i]:-MISSING}" and later "${NEW}"), so standardize them for
readability; update the assignments and subsequent uses to the same style (e.g.,
either always use brace form NEW="${NEW_PARTS[$i]:-MISSING}" and
OLD="${OLD_PARTS[$i]:-MISSING}" and refer to "${NEW}" / "${OLD}", or drop braces
consistently) ensuring you reference the variables NEW, OLD, NEW_PARTS and
OLD_PARTS in the same style throughout.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 37d224f8-9876-490c-9f61-8cdfbb3efeea

📥 Commits

Reviewing files that changed from the base of the PR and between 33306d2 and 860670c.

📒 Files selected for processing (3)

• .github/workflows/build-caddy.yml
• README.md
• docker/caddy/Dockerfile

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Minor documentation inconsistency: latest tag classification.

The note on lines 127-130 states "DockerHub receives only immutable tags" to prevent silent overwrites, yet line 121 shows latest is pushed to both registries. The latest tag is by definition a floating/mutable tag that gets overwritten on every build.

Consider clarifying that DockerHub receives latest (which users understand is mutable) plus immutable version-pinned tags, but intentionally omits the semver floating tags (2, 2.11) which users might mistakenly assume are stable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 121, Update the README to resolve the inconsistency about
the `latest` tag: change the table row and the explanatory note that currently
states "DockerHub receives only immutable tags" so it explicitly says DockerHub
is intentionally pushed both the mutable `latest` tag (floating) and immutable,
version-pinned tags, while omitting semver-floating tags like `2` and `2.11`;
locate and edit the `latest` table entry and the sentence containing "DockerHub
receives only immutable tags" to state this behavior clearly and mention
`latest`, `2`, and `2.11` by name.