chore: update all go builds to 1.25.1 (#164)

* chore: update all go builds to 1.25.1

This brings the Dockerfile and `go.mod` up-to-date
with the `stable` designation we use in our GHA
workflows.

This change also includes some Docker hygiene updates
with the includion of `.dockerignore` and a `README.md`
with clear instructions on building and running the image.

Finally, a basic CI workflow is added for the Dockerfile
to ensure it receives better maintenance/attention moving
forward.

Signed-off-by: Travis Truman <trumant@gmail.com>

* feat: adopt app-specific user in container image

Signed-off-by: Travis Truman <trumant@gmail.com>

* fix(ci): secure checkout action usage

Signed-off-by: Travis Truman <trumant@gmail.com>

* chore(ci): update golangci-lint version

* chore(ci): pin docker actions to ref

Signed-off-by: Travis Truman <trumant@gmail.com>

---------

Signed-off-by: Travis Truman <trumant@gmail.com>

Author: trumant

.dockerignore

@@ -1 +1,9 @@
 config.yml
+evaluation_results
+.github
+.goreleaser.yml
+.gitignore
+example-config.yml
+github-repo
+*.png
+*.md

.github/workflows/docker-ci.yml

@@ -0,0 +1,30 @@
+name: Docker CI
+
+on:
+  push:
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+  pull_request:
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - name: Set up buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      - name: Build container image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false

.github/workflows/lint.yaml

@@ -24,4 +24,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
         with:
-          version: v2.1
+          version: v2.5.0

Dockerfile

@@ -1,27 +1,30 @@
-FROM alpine:3.21 AS core
+FROM alpine:3.22 AS core
 RUN apk add --no-cache wget tar unzip
 
 WORKDIR /app
-ARG VERSION=0.7.0
+ARG VERSION=0.9.1
 ARG PLATFORM=Linux_x86_64  # Change this based on your target system
 
 RUN wget https://github.com/privateerproj/privateer/releases/download/v${VERSION}/privateer_${PLATFORM}.tar.gz
 RUN tar -xzf privateer_${PLATFORM}.tar.gz
 
-FROM golang:1.23.4-alpine3.21 AS plugin
+FROM golang:1.25.1-alpine3.22 AS plugin
 RUN apk add --no-cache make git
 WORKDIR /plugin
 COPY . .
 RUN make binary
 
-FROM golang:1.23.4-alpine3.21
-RUN apk add --no-cache make git && \
-    mkdir -p /.privateer/bin
+FROM golang:1.25.1-alpine3.22
+RUN addgroup -g 1001 -S appgroup && adduser -u 1001 -S appuser -G appgroup
+
+RUN mkdir -p /.privateer/bin && chown -R appuser:appgroup /.privateer
 WORKDIR /.privateer/bin
+USER appuser
+
 COPY --from=core /app/privateer .
 COPY --from=plugin /plugin/github-repo .
 COPY --from=plugin /plugin/container-entrypoint.sh .
 
 # The config file must be provided at run time.
-# example: docker run -v /path/to/config.yml:/.privateer/bin/config.yml privateer-image
+# example: docker run -v /path/to/config.yml:/.privateer/config.yml privateer-image
 CMD ["./container-entrypoint.sh"]

README.md

@@ -12,6 +12,17 @@ Currently 39 control requirements across OSPS Baselines levels 1-3 are covered,
 
 Level 2 and Level 3 requirements are undergoing current development and may be less rigorously tested.
 
+## Docker Usage
+
+```sh
+# build the image
+docker build . -t local
+docker run \
+  --mount type=bind,source=./config.yml,destination=/.privateer/config.yml \
+  --mount type=bind,source=./evaluation_results,destination=/.privateer/bin/evaluation_results \
+  local
+```
+
 ## GitHub Actions Usage
 
 We've pushed an image to docker hub for use in GitHub Actions.

go.mod

@@ -1,6 +1,6 @@
 module github.com/revanite-io/pvtr-github-repo // Replace this globally with your module name
 
-go 1.24.4
+go 1.25.1
 
 require (
 	github.com/goccy/go-yaml v1.18.0