GitHub Actions workflow
Some important changes to GitHub Actions workflows:
golangci-lint and its builder (golangci-lint-action v8.0.0)
The Go extension for Visual Studio Code supports golangci-lint albeit through the “Go” debug console. An advantage of accessing it in Visual Studio Code is that recommendations hyperlink to the code.
I’ve added golangci-lint to most of my repos’ GitHub Actions workflows. Belatedly, I realized it should run before, not in parallel with, e.g. the container builder.
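golangci-lint:
  name: lint
  runs-on: ubuntu-latest
  steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Setup
      uses: actions/setup-go@v5
      with:
        go-version: stable
    # Rewrite GitHub HTTPS URLs so that git (and therefore go) authenticates with the token
    - run: |
        git config \
          --global \
          url."https://${{ secrets.TOKEN }}@github.com/".insteadOf \
          "https://github.com/"
    - name: golangci-lint
      uses: golangci/golangci-lint-action@v8
      with:
        version: v2.1.0
      env:
        # The github context has no "org" property (it would evaluate to an empty string);
        # GOPRIVATE expects a module path prefix such as github.com/{owner|org}
        GOPRIVATE: github.com/${{ github.repository_owner }}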
Because I use private Go repos, the job needs a way to access the private repos. In the container builder step, I have:
steps:
  - name: login
    uses: docker/login-action@v3
    with:
      registry: ghcr.io
      username: ${{ github.repository_owner }}
      password: ${{ secrets.TOKEN }}
Where TOKEN is defined in the repo’s “Actions secrets and variables” (https://github.com/{owner|org}/{repo}/settings/secrets/actions) and is a GitHub token with repository pull permission.
So, the golangci-lint job uses a similar pattern to configure git to access repos using this token.
Docker build secrets
I won’t replicate the documentation, and this doesn’t work locally (!), but:
steps:
  - name: docker-build-push
    id: docker-build-push
    uses: docker/build-push-action@v6
    with:
      context: .
      file: ./Dockerfile
      build-args: |
        VERSION=${{ env.VERSION }}
        COMMIT=${{ github.sha }}
      secrets: |
        "token=${{ secrets.TOKEN }}"
      tags: ${{ matrix.image }}:${{ github.sha }}
      push: true
Using the secrets property in a similar way to build-args, but NOTE the secret is called token.
Dockerfile:
RUN --mount=type=secret,id=token,env=TOKEN \
    git config \
      --global \
      url."https://${TOKEN}@github.com/".insteadOf \
      "https://github.com/"

# Define GOPRIVATE for this environment to circumvent Go Module proxy
ENV GOPRIVATE="github.com/brabantcourt"

RUN go mod download
Notice that this mirrors what the GitHub Actions workflow’s golangci-lint job uses.
This works for GitHub Actions workflows which is what I primarily need but I’m unable to get it to work with Podman (5.4.1). I think the version of Podman I’m using just doesn’t (yet) support type=env.
export TOKEN="..."

{binary} build \
  --tag=deleteme \
  --secret=id=token,type=env,env=TOKEN \
  --build-arg=VERSION="foo" \
  --build-arg=COMMIT="bar" \
  --file=${PWD}/Dockerfile \
  ${PWD}
NOTE The environment variable must be exported; if not
With Docker, the above succeeds.
With Podman, it fails:
secret should have syntax id=id[,target=path,required=bool,mode=uint,uid=uint,gid=uint
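
A variant of the Dockerfile step above that does not use the `env=` mount option, which is absent from the option list in Podman's error message, and instead reads the secret from its default file mount at `/run/secrets/token`. It is an added example, not the author's Dockerfile: the base image tag, `WORKDIR` and `COPY` lines are assumptions, and the URL rewrite is passed through git's `GIT_CONFIG_*` environment variables (git 2.31 or later) so the token exists only for the duration of `go mod download` and is not written to `~/.gitconfig` in the image layer.

```dockerfile
# Assumed base image and layout; adjust to the real build stage.
FROM docker.io/library/golang:1.24 AS build
WORKDIR /src
COPY go.mod go.sum ./

# Define GOPRIVATE for this environment to circumvent Go Module proxy
ENV GOPRIVATE="github.com/brabantcourt"

# Form from the page, for comparison. `git config --global` stores the
# rewritten URL, token included, in the build user's ~/.gitconfig, and that
# file is part of the layer this RUN produces:
#
#   RUN --mount=type=secret,id=token,env=TOKEN \
#       git config --global \
#         url."https://${TOKEN}@github.com/".insteadOf "https://github.com/"
#   RUN go mod download

# File-mounted secret: only id= is needed, and id is in the option list that
# Podman's error message prints. Without target=, the secret is mounted at
# /run/secrets/<id> for this RUN only.
#
# GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n inject the same
# url.<base>.insteadOf rule into git's configuration through the environment
# of this one command, so nothing is persisted to disk.
RUN --mount=type=secret,id=token \
    GIT_CONFIG_COUNT=1 \
    GIT_CONFIG_KEY_0="url.https://$(cat /run/secrets/token)@github.com/.insteadOf" \
    GIT_CONFIG_VALUE_0="https://github.com/" \
    go mod download
```

The secret is still supplied by the `--secret=id=token,...` flag (or the workflow's `secrets:` property) shown above; whether Podman 5.4.1 accepts the `type=env,env=TOKEN` form of that flag is assumed here, not confirmed by the page.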