fix: publish distroless Docker image with GoReleaser v2 #716
Siddhant-K-code wants to merge 1 commit into
Walkthrough: Switches the Docker base image from
Changes: Distroless Multi-Platform Docker Migration
Pull request overview
This PR updates the release pipeline to publish a multi-platform Docker image based on a distroless (static, nonroot) base so that CA certificates are present at runtime, fixing TLS failures when the CLI runs in Docker and connects to HTTPS endpoints.
Changes:
- Switch `.goreleaser.Dockerfile` from `scratch` to distroless static nonroot and adjust the binary copy path.
- Replace per-arch `dockers` + `docker_manifests` with a single multi-platform `dockers_v2` configuration in GoReleaser v2.
- Update the GitHub Actions workflow logic that extracts/publishes the released image digest from GoReleaser artifacts, and document the CA cert behavior in the README.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Documents the Docker image’s multi-platform nature and CA certificate availability. |
| .goreleaser.yaml | Migrates Docker publishing configuration to dockers_v2 for multi-platform builds. |
| .goreleaser.Dockerfile | Moves the runtime base image to distroless static nonroot and updates how the binary is copied in. |
| .github/workflows/main.yaml | Adjusts digest extraction to match dockers_v2 “Docker Image” artifacts for provenance/verification steps. |
| docker pull openfga/cli; docker run -it openfga/cli | ||
| ``` | ||
|
|
||
| The Docker image is multi-platform and includes CA certificates, so CLI commands can connect to HTTPS OpenFGA endpoints without mounting a certificate bundle. |
| - latest | ||
| - "{{ .Tag }}" | ||
| - "v{{ .Version }}" | ||
| - "v{{ .Major }}" |
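Review bot: the tag list publishes both `{{ .Tag }}` and `v{{ .Version }}`; GoReleaser's `.Version` is the tag with a leading `v` stripped, so if release tags are already v-prefixed these two entries render to the same tag and one is redundant. `latest` and `v{{ .Major }}` are moving tags, so the README line about the image would be a good place to point users who need a reproducible pull at the published digest instead.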
| image=$(echo "$artifact" | jq -r '.path | split(":")[0]') | ||
| digest=$(echo "$artifact" | jq -r '.extra.Digest') |
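Review bot: neither extracted value is validated before use. On the `digest=` line, `jq -r '.extra.Digest'` prints the literal string `null` when an artifact has no `Digest` field, and on the `image=` line `split(":")[0]` cuts at the first colon, so a reference whose registry host carries a port (`host:5000/repo:tag`) is reduced to the host. Since this digest feeds the provenance/verification steps, fail the step unless the digest matches `sha256:` followed by 64 hex characters, and strip only the trailing `:tag` component from the path.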
SoulPancake
left a comment
dockers_v2 is currently still experimental.
There will be a stable release with the goreleaser v3 launch, so we probably shouldn't use it right now.
https://github.com/openfga/cli/pull/634/changes#r2828917491
Summary
- `scratch` to distroless static nonroot so CA certificates are present for HTTPS endpoints.
- `dockers` + `docker_manifests` with `dockers_v2`, keeping buildx provenance enabled instead of disabling it.
- `dockers_v2` Docker Image artifacts.

Docs

Validation
- `PATH=/tmp/go1.26.4/bin:$PATH make build`
- `PATH=/tmp/go1.26.4/bin:$PATH go test ./...`
- `PATH=/tmp/go1.26.4/bin:$PATH make test-unit`
- `PATH=/tmp/syft-bin:/tmp/go1.26.4/bin:$PATH /tmp/goreleaser-bin/goreleaser release --clean --config .goreleaser.yaml --snapshot --skip sign,publish,announce,docker`
- `dockers_v2` pipeline validation with a fake Docker shim: `/tmp/goreleaser-bin/goreleaser release --clean --config .goreleaser.yaml --snapshot --skip sign,publish,announce,archive,nfpm,homebrew,aur,sbom`

Reviewer with Docker can additionally run:
`goreleaser release --clean --config .goreleaser.yaml --snapshot --skip sign,publish,announce`.

Fixes #639
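The failure mode this PR addresses, as an added example (not code from openfga/cli or from this PR): a Go check that an unpacked image root filesystem holds a CA bundle at one of the paths Go's `crypto/x509` probes on Linux, and that a non-root user can read it. `FindCABundle` and the `cacheck` name are hypothetical, and the Debian-style bundle path for the distroless image is an assumption.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"log"
	"os"
	"path/filepath"
)

// Bundle files Go's crypto/x509 probes on Linux when SSL_CERT_FILE is unset.
var linuxCertFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt", "/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/ca-bundle.pem", "/etc/pki/tls/cacert.pem",
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/ssl/cert.pem",
}

// FindCABundle (hypothetical helper) returns the first probed bundle under root that is
// world-readable and holds a CERTIFICATE PEM block. It does not validate the certificates.
func FindCABundle(root string) (string, error) {
	for _, p := range linuxCertFiles {
		full := filepath.Join(root, p)
		info, err := os.Stat(full)
		if err != nil {
			continue // not present in this image
		}
		if info.Mode().Perm()&0o004 == 0 {
			return "", fmt.Errorf("%s is not world-readable; a nonroot user cannot load it", p)
		}
		data, _ := os.ReadFile(full) // unreadable or directory: data stays empty, path is skipped
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type == "CERTIFICATE" {
				return p, nil
			}
		}
	}
	return "", fmt.Errorf("no CA bundle under %s; HTTPS calls would fail certificate verification", root)
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: cacheck <unpacked-rootfs>")
	}
	bundle, err := FindCABundle(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("CA bundle:", bundle)
}
```

Run it against the exported filesystem of a built image as a release gate; an empty `scratch` root fails, and a root with a readable bundle passes.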