Main

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: "/"
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "go.mod:"
+    assignees:
+      - willnorris
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: ".github:"
+    assignees:
+      - willnorris

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,38 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 1 * * 6" # run weekly on Saturdays
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@4c3e5362829f0b0bb62ff5f6c938d7f95574c306 #v2.21.1
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@4c3e5362829f0b0bb62ff5f6c938d7f95574c306 #v2.21.1
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@4c3e5362829f0b0bb62ff5f6c938d7f95574c306 #v2.21.1

.github/workflows/docker.yml

@@ -0,0 +1,67 @@
+name: Docker
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*"]
+  pull_request:
+    # Run the workflow on pull_request events to ensure we can still build the image.
+    # We only publish the image on push events (see if statements in steps below).
+    branches: ["main"]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        if: github.event_name == 'push'
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          context: .
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+
+      # Sign the Docker image
+      - name: Install cosign
+        if: github.event_name == 'push'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+      - name: Sign the published Docker image
+        if: github.event_name == 'push'
+        env:
+          COSIGN_YES: "true"
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

.github/workflows/linter.yml

@@ -0,0 +1,23 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "**"
+name: linter
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version: stable
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd #v7.0.0
+        with:
+          version: v2.1.2

.github/workflows/tests.yml

@@ -1,4 +1,10 @@
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "**"
 name: tests
 env:
   GO111MODULE: on
@@ -7,56 +13,39 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.12.x, 1.13.x]
+        go-version:
+          # support the two most recent major go versions
+          - stable
+          - oldstable
         platform: [ubuntu-latest]
+        include:
+          # minimum go version that works. This is not necessarily supported in
+          # any way, and will be bumped up without notice as needed.  But it at
+          # least lets us know what go version should work.
+          - go-version: 1.21
+            platform: ubuntu-latest
+
+          # include windows, but only with the latest Go version, since there
+          # is very little in the library that is platform specific
+          - go-version: stable
+            platform: windows-latest
+
+          # only update test coverage stats with most recent go version on linux
+          - go-version: stable
+            platform: ubuntu-latest
+            update-coverage: true
     runs-on: ${{ matrix.platform }}
 
     steps:
-    - uses: actions/setup-go@v1
-      with:
-        go-version: ${{ matrix.go-version }}
-    - uses: actions/checkout@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Cache go modules
-      uses: actions/cache@preview
-      with:
-        path: ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version: ${{ matrix.go-version }}
 
-    - name: Run go fmt
-      run: diff -u <(echo -n) <(gofmt -d -s .)
+      - name: Run go test
+        run: go test -v -race -coverprofile coverage.txt -covermode atomic ./...
 
-    - name: Run go vet
-      run: go vet ./...
-
-    - name: Run go test
-      run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
-
-    - name: Upload coverage to Codecov
-      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-      run: bash <(curl -s https://codecov.io/bash)
-
-  # On Windows, just run the local tests.  Don't bother with checking gofmt, go
-  # vet, or uploading results to Codecov
-  test-windows:
-    strategy:
-      matrix:
-        go-version: [1.12.x, 1.13.x]
-        platform: [windows-latest]
-    runs-on: ${{ matrix.platform }}
-    steps:
-    - uses: actions/setup-go@v1
-      with:
-        go-version: ${{ matrix.go-version }}
-    - uses: actions/checkout@v1
-    - name: Cache go modules
-      uses: actions/cache@preview
-      with:
-        path: ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**\go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
-    - run: go test ./...
+      - name: Upload coverage to Codecov
+        if: ${{ matrix.update-coverage }}
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2

.golangci.yml

@@ -0,0 +1,31 @@
+version: "2"
+linters:
+  enable:
+    - dogsled
+    - dupl
+    - errorlint
+    - gosec
+    - misspell
+    - nakedret
+    - unconvert
+    - unparam
+    - whitespace
+
+  # TODO: fix issues and reenable these checks
+  disable:
+    - errcheck
+    - gosec
+    - staticcheck
+
+  exclusions:
+    rules:
+      # Some cache implementations use md5 hashes for cached filenames. There is
+      # a slight risk of cache poisoning if an attacker could construct a URL
+      # with the same hash, but the URL would also need to be allowed by the
+      # proxy's security settings (host allowlist, URL signature, etc). Changing
+      # these to a more secure hash algorithm would result in 100% cache misses
+      # when users upgrade. For now, just leave these alone.
+      - path: internal/.*cache
+        linters:
+          - gosec
+        text: G(401|501)

Dockerfile

@@ -1,27 +1,23 @@
-FROM golang:1.12 as build
-MAINTAINER Will Norris <will@willnorris.com>
+# syntax=docker/dockerfile:1.4
+FROM --platform=$BUILDPLATFORM cgr.dev/chainguard/wolfi-base as build
+LABEL maintainer="Will Norris <will@willnorris.com>"
 
-RUN useradd -u 1001 go
+RUN apk update && apk add build-base git openssh go-1.21
 
 WORKDIR /app
-
 COPY go.mod go.sum ./
-COPY third_party/envy/go.mod ./third_party/envy/
 RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux go build -v ./cmd/imageproxy
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -v ./cmd/imageproxy
 
-FROM scratch
+FROM cgr.dev/chainguard/static:latest
 
-COPY --from=build /etc/passwd /etc/passwd
-COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /app/imageproxy /app/imageproxy
 
-USER go
-
 CMD ["-addr", "0.0.0.0:8080"]
 ENTRYPOINT ["/app/imageproxy"]