Upgrade Go version from 1.24 to 1.25 #43

Merged: mliu33 merged 3 commits into main from claude/upgrade-go-1-25-4-EYnTA on Apr 7, 2026

mliu33 (Collaborator) commented Apr 1, 2026

Summary

This PR upgrades the project's Go version from 1.24 to 1.25 across all services and documentation.

Key Changes

  • Updated go.mod to Go 1.25.8 (from 1.24.7)
  • Updated all service Dockerfiles to use golang:1.25-alpine builder image
  • Updated CLAUDE.md documentation to reflect the new Go version requirement

Services Updated

  • auth-service
  • broadcast-worker
  • history-service
  • inbox-worker
  • message-gatekeeper
  • message-worker
  • notification-worker
  • room-service
  • room-worker
  • tools/nats-debug

Notes

This is a straightforward version bump that ensures consistency across the entire codebase and Docker build environments.

https://claude.ai/code/session_01U1Ef9k4KyQoEGCb6KqvuVC

Summary by CodeRabbit

  • Chores
    • Upgraded Go toolchain from 1.24 to 1.25 across the project and updated service container build images to use the newer compiler.
    • Bumped numerous internal dependencies (networking, database, observability, and testing libraries) to newer stable versions for improved stability, security, and compatibility; no functional behavior changes expected.

claude added 2 commits April 1, 2026 07:21
Update go.mod directive to 1.25.8 (latest stable 1.25.x), all service
Dockerfiles to golang:1.25-alpine, and CLAUDE.md project guidelines.

https://claude.ai/code/session_01U1Ef9k4KyQoEGCb6KqvuVC

Notable upgrades:
- gin v1.10.1 → v1.12.0
- nats.go v1.41.1 → v1.50.0
- mongo-driver/v2 v2.1.0 → v2.5.0
- otel v1.35.0 → v1.42.0
- grpc v1.71.0 → v1.79.3
- testify v1.10.0 → v1.11.1

https://claude.ai/code/session_01U1Ef9k4KyQoEGCb6KqvuVC

coderabbitai Bot commented Apr 1, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e9653ae5-26ae-4a3d-a6d8-4143d729b455

📥 Commits

Reviewing files that changed from the base of the PR and between 0b210e8 and 559a5bd.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • history-service/deploy/Dockerfile

📝 Walkthrough

Walkthrough

Go toolchain and related module versions upgraded from 1.24 → 1.25; numerous direct and indirect Go module dependencies updated in go.mod. Docker builder stage images across services/tools changed from golang:1.24-alpine to golang:1.25-alpine.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Docs & module file: CLAUDE.md, go.mod | Project Go version reference and go directive updated to 1.25; go.mod updates include direct bumps (e.g., github.com/gin-gonic/gin, NATS libs, testify, mongo-driver, golang.org/x/crypto) and wide set of indirect dependency upgrades; OpenTelemetry components moved to v1.43.0 series. |
| Service & tool Dockerfiles: auth-service/deploy/Dockerfile, broadcast-worker/deploy/Dockerfile, history-service/deploy/Dockerfile, inbox-worker/deploy/Dockerfile, message-gatekeeper/deploy/Dockerfile, message-worker/deploy/Dockerfile, notification-worker/deploy/Dockerfile, room-service/deploy/Dockerfile, room-worker/deploy/Dockerfile, tools/nats-debug/deploy/Dockerfile | Builder stage base image changed from golang:1.24-alpine → golang:1.25-alpine in all listed Dockerfiles; runtime images and build/entrypoint steps unchanged. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through code, a tiny furred scribe,
Bumped Go and crates to keep builds alive.
Builder images leapt to twenty-five,
Dependencies fresh so the tree can thrive.
🥕✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: upgrading Go from version 1.24 to 1.25 across the entire codebase, which is reflected consistently in the CLAUDE.md updates, go.mod directive, and all service Dockerfiles. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
room-service/deploy/Dockerfile (1)

9-12: ⚠️ Potential issue | 🟠 Major

Add non-root user to the final stage for runtime hardening.

The final stage runs the binary as root by default. Create a non-root user and set it with the USER directive before the ENTRYPOINT.

Example:

```dockerfile
FROM alpine:3.21
RUN apk add --no-cache ca-certificates && \
    addgroup -g 10001 appuser && \
    adduser -u 10001 -G appuser -s /sbin/nologin -D appuser
COPY --from=builder /room-service /room-service
USER appuser
ENTRYPOINT ["/room-service"]
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@room-service/deploy/Dockerfile` around lines 9 - 12, The final Dockerfile
runs the /room-service binary as root; add a non-root runtime user and switch to
it before ENTRYPOINT to harden the image: create a group and user (e.g., appuser
with UID/GID like 10001) using addgroup/adduser in the final stage, ensure
ownership/perms of /room-service are appropriate for that user, then set USER
appuser prior to ENTRYPOINT ["/room-service"] so the container no longer runs as
root.
message-gatekeeper/deploy/Dockerfile (1)

9-12: ⚠️ Potential issue | 🟠 Major

Add non-root user and USER directive to the runtime stage.

The container currently runs the binary as root. Create a dedicated non-root user (e.g., appuser) and add USER appuser before the ENTRYPOINT directive in the final stage.

Note: The builder uses golang:1.25-alpine but coding guidelines specify golang:1.24-alpine.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@message-gatekeeper/deploy/Dockerfile` around lines 9 - 12, The final runtime
stage runs the binary as root; create a dedicated non-root user (e.g., appuser)
in the final stage, chown the copied binary to that user and add USER appuser
before the ENTRYPOINT ["/message-gatekeeper"] so the container runs
unprivileged; also update the builder stage base image reference FROM
golang:1.25-alpine to FROM golang:1.24-alpine to match coding guidelines (ensure
any adjustments to file ownership are done in the final stage after COPY to
/message-gatekeeper).
room-worker/deploy/Dockerfile (1)

9-12: ⚠️ Potential issue | 🟠 Major

Runtime image runs as root and violates builder image version guideline.

The final stage lacks a USER directive, so the container runs as root. Add a non-root user and set it with USER before the ENTRYPOINT.

Additionally, the builder image should use golang:1.24-alpine instead of golang:1.25-alpine per coding guidelines.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@room-worker/deploy/Dockerfile` around lines 9 - 12, Update the Dockerfile to
use the approved builder base image and ensure the runtime does not run as root:
change the builder stage base image from golang:1.25-alpine to
golang:1.24-alpine, and in the final stage create a non-root user (e.g., add a
user/group and chown the binary) and set USER to that non-root user before the
ENTRYPOINT; ensure you still COPY --from=builder /room-worker /room-worker and
keep ENTRYPOINT ["/room-worker"] but run it as the new non-root user.
auth-service/deploy/Dockerfile (1)

9-12: ⚠️ Potential issue | 🟠 Major

Add USER directive for non-root execution and update builder Go version.

The final stage is missing a USER directive. Create a dedicated app user/group and add USER appuser before ENTRYPOINT to harden runtime security.

Additionally, the builder stage uses golang:1.25-alpine but the coding guidelines specify golang:1.24-alpine.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@auth-service/deploy/Dockerfile` around lines 9 - 12, Update the Dockerfile to
use the approved builder base and create a non-root runtime user: change the
builder stage image from golang:1.25-alpine to golang:1.24-alpine, and in the
final stage create a dedicated app group/user (e.g., addgroup -S appgroup &&
adduser -S -G appgroup appuser or equivalent) and switch to it by adding USER
appuser immediately before ENTRYPOINT ["/auth-service"] to ensure the service
does not run as root.
inbox-worker/deploy/Dockerfile (1)

13-19: ⚠️ Potential issue | 🟠 Major

Run the runtime stage as non-root and update Go builder version.

The final image runs as root (no USER), which is a security hardening gap. Additionally, the builder stage uses golang:1.25-alpine but should use golang:1.24-alpine per project guidelines.

Suggested fixes
-FROM golang:1.25-alpine AS builder
+FROM golang:1.24-alpine AS builder
 
 WORKDIR /app
 
 COPY go.mod go.sum ./
 RUN go mod download
 
 COPY pkg/ pkg/
 COPY inbox-worker/ inbox-worker/
 
 RUN CGO_ENABLED=0 go build -o /inbox-worker ./inbox-worker/
 
 FROM alpine:3.21
 
 RUN apk add --no-cache ca-certificates
+RUN addgroup -S app && adduser -S -G app app
 
 COPY --from=builder /inbox-worker /inbox-worker
+RUN chown app:app /inbox-worker
+USER app
 
 ENTRYPOINT ["/inbox-worker"]
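Review bot: The first two lines of this suggestion put the builder back on golang:1.24-alpine, which is older than the go 1.25.8 directive this PR sets in go.mod, so only the runtime-stage additions should be taken. In those, `RUN chown app:app /inbox-worker` hands the binary to the account that runs it; leaving the file root-owned (the COPY default) and adding only `USER app` keeps the service from being able to rewrite its own executable.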
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@inbox-worker/deploy/Dockerfile` around lines 13 - 19, The Dockerfile
currently produces a root-owned runtime image and the builder stage should use
golang:1.24-alpine instead of golang:1.25-alpine; update the builder stage base
image to golang:1.24-alpine and modify the final stage to create a non-root user
(e.g., addgroup/adduser or use adduser -D -g '' nonroot), chown the copied
binary (/inbox-worker) to that user, and add a USER nonroot line before
ENTRYPOINT so the container runs as that non-root user; ensure the binary
remains executable and the ENTRYPOINT ["/inbox-worker"] is preserved.
🧹 Nitpick comments (3)
broadcast-worker/deploy/Dockerfile (1)

13-19: Consider adding a non-root user.

Similar to other services, the Trivy static analysis flags the root user issue (DS-0002). While pre-existing, adding a non-root user would improve security.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@broadcast-worker/deploy/Dockerfile` around lines 13 - 19, Add a non-root user
in the Dockerfile: create a dedicated user/group (e.g., broadcast user), chown
the copied binary (/broadcast-worker) to that user, and switch to that user with
the USER instruction before the ENTRYPOINT to avoid running the container as
root; update the Dockerfile around the COPY --from=builder /broadcast-worker and
ENTRYPOINT ["/broadcast-worker"] steps to create the user/group, adjust
ownership of /broadcast-worker, and set USER to the non-root account.
history-service/deploy/Dockerfile (1)

9-12: Consider adding a non-root user.

The Trivy static analysis flags the root user concern (DS-0002). This is a pre-existing pattern, but adding a non-root user would enhance security.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@history-service/deploy/Dockerfile` around lines 9 - 12, The Dockerfile
currently runs the container as root (ENTRYPOINT ["/history-service"]); add a
non-root runtime user and ensure /history-service is owned by that user: create
a user/group (e.g., "history" or UID/GID), adjust ownership of the binary copied
from builder, and add a USER instruction before ENTRYPOINT so the service runs
non-root; reference the Dockerfile COPY --from=builder /history-service, the
binary path /history-service, and the ENTRYPOINT ["/history-service"] when
making these changes.
notification-worker/deploy/Dockerfile (1)

13-19: Consider adding a non-root user for security.

The Trivy static analysis tool flags that the container runs as root (DS-0002). While this is a pre-existing pattern across all services and not introduced by this PR, consider adding a non-root user in the runtime stage to improve security posture.

🔒 Optional security enhancement
 FROM alpine:3.21
 
 RUN apk add --no-cache ca-certificates
+RUN addgroup -g 1000 appuser && adduser -D -u 1000 -G appuser appuser
 
 COPY --from=builder /notification-worker /notification-worker
+RUN chown appuser:appuser /notification-worker
+
+USER appuser
 
 ENTRYPOINT ["/notification-worker"]
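Review bot: The `addgroup -g 1000` / `adduser -u 1000` line picks a different id from the room-service example in this same review (10001) and from the inbox-worker suggestion (system-assigned via -S), so the services would end up with three different runtime identities. Settle on one fixed numeric UID/GID for every runtime stage, and drop the `RUN chown appuser:appuser /notification-worker` line, since the binary only needs to be executable by that user, not owned by it.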
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@notification-worker/deploy/Dockerfile` around lines 13 - 19, Add a non-root
user to the runtime Dockerfile stage so the container doesn't run as root:
create a dedicated user/group (e.g., "notification"), chown the copied binary
(/notification-worker) to that user, set WORKDIR appropriately if needed, and
switch to that user with USER before the ENTRYPOINT; update references to the
binary ownership and ensure ENTRYPOINT ["/notification-worker"] remains valid
under the non-root user context so the service starts correctly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8c455324-eeaf-40c9-a7dc-9ae0348781d5

📥 Commits

Reviewing files that changed from the base of the PR and between 80ce58f and 0b210e8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (12)
  • CLAUDE.md
  • auth-service/deploy/Dockerfile
  • broadcast-worker/deploy/Dockerfile
  • go.mod
  • history-service/deploy/Dockerfile
  • inbox-worker/deploy/Dockerfile
  • message-gatekeeper/deploy/Dockerfile
  • message-worker/deploy/Dockerfile
  • notification-worker/deploy/Dockerfile
  • room-service/deploy/Dockerfile
  • room-worker/deploy/Dockerfile
  • tools/nats-debug/deploy/Dockerfile

@@ -1,4 +1,4 @@
FROM golang:1.24-alpine AS builder
FROM golang:1.25-alpine AS builder
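Review bot: `golang:1.25-alpine` on the new FROM line is a floating minor tag, while the PR description says go.mod now pins Go 1.25.8, so the compiler that builds the image can change between rebuilds without any change in this repository. Consider pinning the builder to the patch release that matches go.mod, or to an image digest, and bumping it in the same commit as the go directive; the same applies to the identical line in the other service Dockerfiles.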

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n auth-service/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 472


Use golang:1.24-alpine as the builder base image.

Line 1 currently specifies golang:1.25-alpine but the enforced baseline requires golang:1.24-alpine per service Dockerfile standards.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@auth-service/deploy/Dockerfile` at line 1, The Dockerfile uses the wrong base
image tag; change the builder stage FROM line from golang:1.25-alpine to
golang:1.24-alpine so the builder stage (the existing FROM statement) matches
the enforced baseline; update the FROM instruction accordingly in the
Dockerfile.

@@ -1,4 +1,4 @@
FROM golang:1.24-alpine AS builder
FROM golang:1.25-alpine AS builder

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n inbox-worker/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 528


Builder image version and runtime user configuration violate Dockerfile policy.

Line 1 must use golang:1.24-alpine instead of golang:1.25-alpine. Additionally, the runtime stage (line 13) should include a USER directive to run as a non-root user instead of root.

Per coding guidelines, use "Multi-stage Dockerfiles: 'golang:1.24-alpine' builder, 'alpine:3.21' runtime".

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@inbox-worker/deploy/Dockerfile` at line 1, Update the Dockerfile to comply
with policy by changing the builder base image FROM golang:1.25-alpine to FROM
golang:1.24-alpine and ensure the final runtime stage uses the specified runtime
base (alpine:3.21) and adds a non-root USER directive (create/assign a user and
add USER <username or uid>) in the runtime stage so the container does not run
as root; locate these changes in the Dockerfile's builder and final stages to
replace the image tags and insert the USER directive accordingly.

@@ -1,4 +1,4 @@
FROM golang:1.24-alpine AS builder
FROM golang:1.25-alpine AS builder

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "Dockerfile" -path "*/message-gatekeeper/deploy/*" 2>/dev/null | head -5

Repository: hmchangw/chat

Length of output: 39


🏁 Script executed:

cat -n message-gatekeeper/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 514


🏁 Script executed:

rg "golang:" message-gatekeeper/deploy/Dockerfile -A 10 -B 2

Repository: hmchangw/chat

Length of output: 395


Use golang:1.24-alpine as the builder image per repository policy.

Line 1 specifies golang:1.25-alpine, but coding guidelines require golang:1.24-alpine for the builder stage. Update to match the standard builder image version.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@message-gatekeeper/deploy/Dockerfile` at line 1, The Dockerfile's builder
stage uses FROM golang:1.25-alpine which violates the repo policy requiring
golang:1.24-alpine; update the FROM instruction in the builder stage to
golang:1.24-alpine so the image tag matches the standard used across the
repository (look for the initial FROM line at the top of the Dockerfile defining
the builder image).

@@ -1,4 +1,4 @@
FROM golang:1.24-alpine AS builder
FROM golang:1.25-alpine AS builder

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n message-worker/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 486


Update builder image to match repository Docker standard.

Line 1 must use golang:1.24-alpine per coding guidelines, not golang:1.25-alpine.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@message-worker/deploy/Dockerfile` at line 1, Replace the builder base image
tag in the Dockerfile FROM line from golang:1.25-alpine to golang:1.24-alpine to
conform to the repository Docker standard; update the Dockerfile's FROM
instruction accordingly so the builder stage uses golang:1.24-alpine.

@@ -1,4 +1,4 @@
FROM golang:1.24-alpine AS builder
FROM golang:1.25-alpine AS builder

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name Dockerfile -type f | head -20

Repository: hmchangw/chat

Length of output: 411


🏁 Script executed:

cat -n room-service/deploy/Dockerfile | head -30

Repository: hmchangw/chat

Length of output: 472


🏁 Script executed:

git log --oneline -n 5 -- room-service/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 121


🏁 Script executed:

grep -h "FROM golang" ./*/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 371


🏁 Script executed:

grep -h "FROM alpine" ./*/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 209


Builder image version violates repository coding guidelines.

Line 1 uses golang:1.25-alpine, but coding guidelines mandate golang:1.24-alpine. This mismatch exists across all Dockerfiles in the repository (auth-service, broadcast-worker, history-service, inbox-worker, message-gatekeeper, message-worker, notification-worker, room-service, room-worker). Either update all Dockerfiles back to golang:1.24-alpine or update the coding guidelines to reflect the Go 1.25 upgrade.

The runtime image alpine:3.21 is correct.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@room-service/deploy/Dockerfile` at line 1, The Dockerfile base image in the
builder stage is set to "FROM golang:1.25-alpine" which violates repo guidelines
requiring "golang:1.24-alpine"; update the builder image in this Dockerfile (and
the other listed Dockerfiles: auth-service, broadcast-worker, history-service,
inbox-worker, message-gatekeeper, message-worker, notification-worker,
room-service, room-worker) to use "golang:1.24-alpine" or, if you intend to
standardize on Go 1.25, update the repository coding guidelines accordingly so
all Dockerfiles and the guideline agree.

@@ -1,4 +1,4 @@
FROM golang:1.24-alpine AS builder
FROM golang:1.25-alpine AS builder

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n room-worker/deploy/Dockerfile

Repository: hmchangw/chat

Length of output: 465


Update builder base image to policy-compliant version.

Line 1 uses golang:1.25-alpine but policy requires golang:1.24-alpine.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@room-worker/deploy/Dockerfile` at line 1, Update the Dockerfile base image to
the policy-compliant Go version by replacing the current FROM image reference
(currently "golang:1.25-alpine" in the Dockerfile) with "golang:1.24-alpine";
ensure the single FROM line in the builder stage is updated so the builder stage
name (builder) continues to use the new base image.
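
The two findings this review keeps raising (builder image out of step with the documented Go version, and a runtime stage with no non-root USER, Trivy DS-0002) can be checked mechanically before merge. The following is an added example, not code from this PR or from the hmchangw/chat repository: `CheckDockerfile`, `Finding`, the sample Dockerfiles and the `example.test/chat` module path are all constructed for illustration, and it assumes a base image defaults to root when no USER is set, as alpine does.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed inputs modelled on the Dockerfiles quoted in the review; the module path is a placeholder.
const sampleGoMod = "module example.test/chat\n\ngo 1.25.8\n"

const beforeDockerfile = `FROM golang:1.24-alpine AS builder
RUN CGO_ENABLED=0 go build -o /room-service ./room-service/

FROM alpine:3.21
RUN apk add --no-cache ca-certificates
COPY --from=builder /room-service /room-service
ENTRYPOINT ["/room-service"]
`

const afterDockerfile = `FROM golang:1.25-alpine AS builder
RUN CGO_ENABLED=0 go build -o /room-service ./room-service/

FROM alpine:3.21
RUN apk add --no-cache ca-certificates && \
    addgroup -g 10001 appuser && \
    adduser -u 10001 -G appuser -s /sbin/nologin -D appuser
COPY --from=builder /room-service /room-service
USER appuser
ENTRYPOINT ["/room-service"]
`

// Finding is one policy violation, reported at a 1-based Dockerfile line.
type Finding struct {
	Line int
	Msg  string
}

var (
	goDirective = regexp.MustCompile(`(?m)^go[ \t]+(\d+\.\d+)`)
	golangImage = regexp.MustCompile(`(^|/)golang:(\d+\.\d+)`)
)

// goMinor returns "1.25" for a go.mod whose directive reads "go 1.25.8".
func goMinor(goMod string) string {
	if m := goDirective.FindStringSubmatch(goMod); m != nil {
		return m[1]
	}
	return ""
}

// isRoot reports whether a USER argument (optionally "user:group") is root.
// An empty argument means no USER was set; the base image is assumed to default to root.
func isRoot(arg string) bool {
	user := strings.SplitN(arg, ":", 2)[0]
	return user == "" || user == "root" || user == "0"
}

// CheckDockerfile flags golang images whose minor version differs from the
// go.mod directive, and a final stage that does not end as a non-root user.
func CheckDockerfile(dockerfile, goMod string) []Finding {
	var out []Finding
	want := goMinor(goMod)
	finalFrom, finalUser, cont := 0, "", false
	for i, raw := range strings.Split(dockerfile, "\n") {
		line := strings.TrimSpace(raw)
		wasCont := cont
		cont = strings.HasSuffix(line, "\\")
		f := strings.Fields(line)
		if wasCont || len(f) < 2 {
			continue // continuation of the previous instruction, or nothing to inspect
		}
		switch strings.ToUpper(f[0]) {
		case "FROM":
			finalFrom, finalUser = i+1, "" // a USER set in an earlier stage does not carry over
			if m := golangImage.FindStringSubmatch(f[1]); m != nil && want != "" && m[2] != want {
				out = append(out, Finding{i + 1, "builder " + f[1] + " does not match go.mod go " + want})
			}
		case "USER":
			finalUser = f[1]
		}
	}
	if isRoot(finalUser) {
		out = append(out, Finding{finalFrom, "final stage runs as root (Trivy DS-0002)"})
	}
	return out
}

func main() {
	fmt.Println("before:", CheckDockerfile(beforeDockerfile, sampleGoMod))
	fmt.Println("after: ", CheckDockerfile(afterDockerfile, sampleGoMod))
}
```

Because the expected version is read from go.mod rather than from a guideline document, a check like this cannot drift the way the 1.24 guideline did in this review.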

yenta (Collaborator) left a comment

LGTM

Resolve go.mod/go.sum conflicts by taking main's dependencies
(including new deps for natsrouter, roomcrypto, roomkeysender,
roomkeystore, and refactored history-service), then re-applying
the Go 1.25.8 upgrade and updating all dependencies.

Lint and unit tests verified passing with Go 1.25.8.

https://claude.ai/code/session_01U1Ef9k4KyQoEGCb6KqvuVC
@mliu33 mliu33 merged commit 519d049 into main Apr 7, 2026
1 check was pending