ci: harden release pipeline + swap to pure-Go SQLite #104

Merged
lerko merged 2 commits from ci/test-gated-release into main 2026-06-11 17:21:12 +00:00

Summary

Phase 2 of the review-findings backlog — release engineering arc. Both changes must land before next CalVer tag.

Commit 1 — pipeline hardening:

  • Un-neuter grype CVE gate (was || echo, now fails on critical)
  • .grype.yaml ignore for CVE-2026-41589 (wish SCP — unreachable, we only import wish/bubbletea)
  • Pin: grype v0.114.0, git-cliff v2.13.1, govulncheck v1.1.4
  • latest Docker tag only on tag push, not workflow_dispatch
  • Build path ./cmd/uptop (survives main.go split)
  • .dockerignore adds dist/ and uptop
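The first bullet is the security-relevant change in this commit: a scanner step that ends in `|| echo` can never fail, so the CVE gate existed only on paper. The script below is an added example, not code from the uptop repository or its workflow files. It replaces grype with a stub (`fake_grype`) so it runs offline; the stub honours grype's real `--fail-on <severity>` flag, and the `GRYPE_IGNORE` variable is a stand-in for the `.grype.yaml` ignore rule, not a grype option. The findings list is constructed (the second CVE is a placeholder, and the versions are made up); only CVE-2026-41589 and the wish import path come from the PR.

```shell
#!/bin/sh
# Added example (not from the uptop repo): why `grype ... || echo` is no gate,
# and what the hardened step looks like. grype is replaced by fake_grype so
# the script runs offline; GRYPE_IGNORE models the .grype.yaml ignore entry.

# Constructed findings, one per line: package version cve severity.
# Versions are made up; the second CVE is a placeholder, not a real advisory.
FINDINGS='github.com/charmbracelet/wish vX.Y.Z CVE-2026-41589 Critical
example.org/placeholder vA.B.C CVE-0000-PLACEHOLDER Medium'

# Map a grype severity label to a rank so --fail-on can be compared.
sev_rank() {
  case "$1" in
    [Cc]ritical) echo 4 ;;
    [Hh]igh)     echo 3 ;;
    [Mm]edium)   echo 2 ;;
    [Ll]ow)      echo 1 ;;
    *)           echo 0 ;;
  esac
}

# Stub scanner: prints findings, skips CVEs listed in GRYPE_IGNORE, and exits 1
# when any remaining finding is at or above the --fail-on threshold.
fake_grype() {
  threshold=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --fail-on) threshold=$(sev_rank "$2"); shift ;;
    esac
    shift
  done
  rc=0
  while read -r pkg ver cve sev; do
    [ -n "$pkg" ] || continue
    case " ${GRYPE_IGNORE:-} " in
      *" $cve "*) echo "ignored   $cve  $pkg $ver"; continue ;;
    esac
    echo "$sev  $cve  $pkg $ver"
    if [ "$threshold" -gt 0 ] && [ "$(sev_rank "$sev")" -ge "$threshold" ]; then
      rc=1
    fi
  done <<EOF
$FINDINGS
EOF
  return "$rc"
}

# Before the PR: `|| echo` turns every non-zero scanner exit into a success,
# so a Critical finding still leaves the job green.
weak_gate() {
  fake_grype --fail-on critical || echo "grype found issues (masked by || echo)"
}

# After the PR: the scanner's exit status is the step's exit status.
hard_gate() {
  fake_grype --fail-on critical
}

# Demo: both gates against the same findings, then with the ignore applied.
if weak_gate >/dev/null; then echo "weak gate:          green despite a Critical finding"; fi
if hard_gate >/dev/null; then echo "hard gate:          green"; else echo "hard gate:          red, build stops"; fi
GRYPE_IGNORE="CVE-2026-41589"
if hard_gate >/dev/null; then echo "hard gate + ignore: green, only a Medium finding remains"; fi
GRYPE_IGNORE=""
```

The same contrast applies verbatim in a workflow step: with `|| echo` the step's exit code is `echo`'s, so a red scan is indistinguishable from a clean one; dropping the fallback makes the scanner's `--fail-on` threshold the thing that actually stops the release. The ignore run shows why the `.grype.yaml` entry for the unreachable wish SCP CVE is needed once the gate is real: without it the hardened gate would block every build until that finding is suppressed or fixed.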

Commit 2 — modernc.org/sqlite swap:

  • Pure-Go SQLite driver, CGO_ENABLED=0, no C compiler needed
  • Statically linked binaries (verified with file)
  • GoReleaser: 6 OS/arch targets (linux/darwin/windows × amd64/arm64)
  • Windows archives ship as .zip
  • Dockerfile drops gcc/musl-dev
  • Homebrew cask block removed (was skip_upload:true dead config)
  • CI test job keeps gcc for race detector (-race still needs CGO)

Verification

  • CGO_ENABLED=0 go build → static ELF binary
  • CGO_ENABLED=0 go test → all packages pass
  • CGO_ENABLED=1 go test -race → all packages pass
  • golangci-lint → 0 issues

Post-merge

Branch protection already configured (required status checks, ff-only, no direct push).
Next step: smoke test, tag, verify all three install paths (docker pull, binary, go install).

lerko added 2 commits 2026-06-11 17:16:11 +00:00
Un-neuter grype CVE gate (was || echo, now fails on critical).
Add .grype.yaml with ignore for CVE-2026-41589 (wish SCP —
unreachable, we only import wish/bubbletea).

Pin: grype v0.114.0, git-cliff v2.13.1, govulncheck v1.1.4.
Tag `latest` only on tag push, not workflow_dispatch.
Build path ./cmd/uptop (survives a main.go split).
Add dist/ and uptop to .dockerignore.
refactor(store): swap mattn/go-sqlite3 for modernc.org/sqlite
CI / test (pull_request) Successful in 2m0s
CI / lint (pull_request) Successful in 1m22s
CI / vulncheck (pull_request) Successful in 56s
61c28fac62
Pure-Go SQLite driver — no CGO, no C compiler. Enables:
- static binaries (verified: `file` shows statically linked)
- cross-compile to linux/arm64, darwin/amd64+arm64, windows/amd64+arm64
- goreleaser now builds 6 OS/arch targets + windows .zip
- Dockerfile drops gcc/musl-dev, sets CGO_ENABLED=0
- release-binaries drops gcc/musl-dev

Driver name changes sqlite3 → sqlite, DSN pragmas use
_pragma=name(value) format. All tests pass CGO=0 and CGO=1 -race.

Homebrew cask block removed (was skip_upload:true dead config).
lerko merged commit 61c28fac62 into main 2026-06-11 17:21:12 +00:00
lerko deleted branch ci/test-gated-release 2026-06-11 17:21:12 +00:00

Reference: lerkolabs/uptop#104