9 changes: 9 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -37,6 +37,15 @@ jobs:
version: latest
install-only: true

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

- name: Login do docker.io
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Install dependencies
run: npm ci

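Review bot: the step name on the `- name: Login do docker.io` line has a typo and should read `Login to docker.io`, since this name is what appears in the job log and in any required-check listing. Both new steps are pinned to full commit SHAs with a trailing version comment, which is the right way to pin third-party actions; keep the comment in sync with the SHA whenever the pin is bumped, because the comment is what a human reads during review. Since the login step runs unconditionally inside the job, also confirm that this workflow (`release.yml`) is only triggered on release tags, so `secrets.DOCKERHUB_TOKEN` is never handed to a pull-request run.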
46 changes: 45 additions & 1 deletion .goreleaser.yaml
Expand Up @@ -33,4 +33,48 @@ changelog:
disable: true

release:



dockers_v2:
- id: commitlint-scope
images:
- 'thumbrise/commitlint-scope'
dockerfile: publish/buildx.Dockerfile
platforms:
- linux/amd64
- linux/arm64
tags:
- 'latest'
- '{{ .Tag }}'
- 'v{{ .Major }}.{{ .Minor }}'
labels:
# https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
'org.opencontainers.image.title': '{{.ProjectName}}'
'org.opencontainers.image.description': 'Linter that checks if declared commit scopes match the changed files'
'org.opencontainers.image.source': '{{.GitURL}}'
'org.opencontainers.image.url': '{{.GitURL}}'
'org.opencontainers.image.documentation': '{{.GitURL}}'
'org.opencontainers.image.created': '{{.Date}}'
'org.opencontainers.image.revision': '{{.FullCommit}}'
'org.opencontainers.image.version': '{{.Version}}'
- id: commitlint-scope-alpine
images:
- 'thumbrise/commitlint-scope'
dockerfile: publish/buildx-alpine.Dockerfile
platforms:
- linux/amd64
- linux/arm64
tags:
- 'latest-alpine'
- '{{ .Tag }}-alpine'
- 'v{{ .Major }}.{{ .Minor }}-alpine'
labels:
# https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
'org.opencontainers.image.title': '{{.ProjectName}}'
'org.opencontainers.image.description': 'Linter that checks if declared commit scopes match the changed files'
'org.opencontainers.image.source': '{{.GitURL}}'
'org.opencontainers.image.url': '{{.GitURL}}'
'org.opencontainers.image.documentation': '{{.GitURL}}'
'org.opencontainers.image.created': '{{.Date}}'
'org.opencontainers.image.revision': '{{.FullCommit}}'
'org.opencontainers.image.version': '{{.Version}}'
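Review bot: the two `labels:` blocks under `dockers_v2` are identical, copied verbatim between the `commitlint-scope` and `commitlint-scope-alpine` entries; a YAML anchor on the first (`labels: &oci_labels`) reused on the second (`labels: *oci_labels`) would keep them from drifting apart on the next edit. Both entries also move the `latest` / `latest-alpine` tags on every release, so a prerelease tag would overwrite `latest` for consumers who do not pin a version; consider skipping the push, or at least the `latest` tag, for prereleases. Minor: `org.opencontainers.image.url` and `org.opencontainers.image.documentation` both point at `{{.GitURL}}`, which is only right if the repository page is the intended documentation.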
15 changes: 15 additions & 0 deletions publish/buildx-alpine.Dockerfile
@@ -0,0 +1,15 @@
# syntax=docker/dockerfile:1.4
FROM golang:1.26-alpine

ARG TARGETPLATFORM

ENV GOROOT /usr/local/go

ENV GOTOOLCHAIN auto

RUN apk --no-cache add gcc musl-dev git mercurial

RUN git config --global --add safe.directory '*'

COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
CMD ["commitlint-scope"]
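Review bot: `ENV GOROOT /usr/local/go` and `ENV GOTOOLCHAIN auto` use the legacy whitespace-separated `ENV` form; with the `# syntax=docker/dockerfile:1.4` frontend the `ENV KEY=value` form is the documented one. Neither variable is needed here: nothing in this file compiles Go, the binary is prebuilt and copied in by `COPY $TARGETPLATFORM/commitlint-scope /usr/bin/`, so `golang:1.26-alpine` is a build image being used as a runtime image. Before trimming it to plain `alpine`, or accepting the suggestion below that removes `git`, check whether `commitlint-scope` shells out to `git` at runtime: the image description says it compares declared commit scopes against changed files, and the `safe.directory '*'` line suggests it is expected to run against a mounted repository owned by a different uid. If git is required, keep the `git` package, drop `gcc`, `musl-dev` and `mercurial`, and replace the wildcard with a `safe.directory` value scoped to the expected workspace mount path.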
Comment on lines +10 to +15
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Trim unnecessary packages and run as non-root in runtime image.

This image executes a prebuilt binary; keeping compilers/VCS tools plus root runtime user is avoidable exposure.

Suggested patch
-RUN apk --no-cache add gcc musl-dev git mercurial
-
-RUN git config --global --add safe.directory '*'
+RUN adduser -D appuser
@@
 COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
+USER appuser
 CMD ["commitlint-scope"]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@publish/buildx-alpine.Dockerfile` around lines 10-15: the runtime Dockerfile currently installs compilers and VCS tools (gcc, musl-dev, git, mercurial) and runs as root; instead, remove those packages from the final image and ensure the prebuilt binary is copied from a builder stage (leave COPY $TARGETPLATFORM/commitlint-scope /usr/bin/ and CMD ["commitlint-scope"] intact), then create a non-root user (e.g., user/group creation and chown of /usr/bin/commitlint-scope) and add a USER instruction so the container runs as that unprivileged account at runtime.

13 changes: 13 additions & 0 deletions publish/buildx.Dockerfile
@@ -0,0 +1,13 @@
# syntax=docker/dockerfile:1.4
FROM golang:1.26

ARG TARGETPLATFORM

ENV GOROOT /usr/local/go

ENV GOTOOLCHAIN auto

RUN git config --global --add safe.directory '*'

COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
CMD ["commitlint-scope"]
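Review bot: the same remarks as for the alpine variant apply, and more so: `golang:1.26` is the Debian-based full toolchain image, so this runtime image ships a compiler it never uses, and `ENV GOROOT /usr/local/go` / `ENV GOTOOLCHAIN auto` are again the legacy `ENV` form and unnecessary for a prebuilt binary. Note also that this Dockerfile installs nothing, so `git` is present only because the base image happens to ship it; if `commitlint-scope` needs git at runtime, that dependency should be declared explicitly rather than inherited from the base image's package set, otherwise a later switch to a slimmer base silently breaks the tool.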
Comment on lines +10 to +13
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden runtime image: drop root and remove wildcard git trust.

Running as root and trusting all git directories broadens blast radius unnecessarily for a runtime image.

Suggested patch
-FROM golang:1.26
+FROM golang:1.26
@@
-RUN git config --global --add safe.directory '*'
-
-COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
+RUN adduser --disabled-password --gecos "" appuser
+COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
+USER appuser
 CMD ["commitlint-scope"]
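Review bot: the `-FROM golang:1.26` / `+FROM golang:1.26` pair at the top of this suggested patch is a no-op (both lines are identical) and should be dropped from the suggestion so it does not read as a base-image change. The rest of the hunk removes the `safe.directory '*'` line without saying whether the binary needs git access at runtime; if it does, a scoped `safe.directory` value is still needed, as the prompt text below notes, or git will refuse to read a repository owned by another uid once the process runs as `appuser`.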
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@publish/buildx.Dockerfile` around lines 10-13: remove the global wildcard git trust and stop running as root: delete the RUN git config --global --add safe.directory '*' line, add a non-root user (e.g., create a user/group with addgroup/adduser or useradd), copy the commitlint-scope binary into /usr/bin/ then chown it to that non-root user (reference COPY $TARGETPLATFORM/commitlint-scope /usr/bin/ and the commitlint-scope binary), and switch execution to that user with USER <username> before the CMD ["commitlint-scope"]; if git access is required at runtime, set a single explicit safe.directory value instead of '*' or configure trust outside the runtime image.
