Four defects from the rc.1 dress rehearsal:
- Dockerfile pinned golang:1.26-alpine3.23 at a 1.26.3 digest while
go.mod requires 1.26.4; golang images set GOTOOLCHAIN=local, so the
build hard-fails. Pin 1.26.4-alpine3.23 explicitly.
- changelog.disable swallowed --release-notes (the flag is consumed by
the changelog pipe), publishing empty release bodies. Re-enable.
- Remove the Gitea-side GitHub relay step: redundant with
.github/workflows/mirror-release.yml, which runs on GitHub Actions
with the built-in token and copies the canonical Gitea assets.
- mirror-release.yml: jq '.body // empty' treats "" as truthy so the
notes fallback never fired; use select(). Mark rc tags --prerelease.
1. Kuma import now maps push monitor tokens (generates crypto/rand
token) and paused state (Active=false → Paused=true). Previously
push monitors imported with empty token sat DOWN forever, and
paused Kuma monitors came in unpaused and started alerting.
2. Dockerfile adds HEALTHCHECK against /api/health on port 8080.
Container orchestrators can now detect unhealthy instances.
3. migrate-secrets sets the encryptor before loading alerts, so
already-encrypted settings are decrypted correctly on second run
instead of failing with a JSON unmarshal error.
4. docker-compose.yml adds container hardening: read_only filesystem,
cap_drop ALL, no-new-privileges, tmpfs for /tmp.
Un-neuter grype CVE gate (was || echo, now fails on critical).
Add .grype.yaml with ignore for CVE-2026-41589 (wish SCP —
unreachable, we only import wish/bubbletea).
Pin: grype v0.114.0, git-cliff v2.13.1, govulncheck v1.1.4.
Tag `latest` only on tag push, not workflow_dispatch.
Build path ./cmd/uptop (survives a main.go split).
Add dist/ and uptop to .dockerignore.
BREAKING: Container now runs as UID 1000 (uptop) instead of root.
Existing volumes with root-owned files need migration:
docker run --rm -v <volume>:/data alpine chown -R 1000:1000 /data
- Add uptop user (UID/GID 1000) with entrypoint writability check
- Enable SBOM and provenance attestations for Docker Scout compliance
- Prune dangling images and build cache after release builds
- Add module + build cache to CI (was only caching go-build, not go/pkg/mod)
- Declare explicit Alpine container instead of relying on runner image
- Drop redundant go vet (already in golangci-lint)
- Add govulncheck job for dependency CVE scanning
- Add GoReleaser config for Gitea-native binary releases + checksums
- Replace .github/workflows/docker.yml with .gitea/workflows/release.yml
- Docker multiarch (amd64+arm64) via buildx in release workflow
- Dockerfile: add --mount=type=cache for mod/build, add -trimpath
Supports `goupkeep version`, `--version`, and `-v`. Prints version,
commit hash, and build date when injected via ldflags. Shows "dev"
for local builds. Dockerfile updated with ARGs for version injection.
lerko
