@gocanto gocanto commented Oct 14, 2025

Summary

  • add a custom api-runner Dockerfile that installs Alpine build-base for gcc availability
  • update docker-compose to build the api-runner service from the new image so cgo builds succeed.

Summary by CodeRabbit

  • New Features

    • Enhanced CLI run command with robust validation for database secrets, masking secrets in logs and allowing secrets via values or files.
  • Bug Fixes

    • Prevents runs from proceeding with missing or invalid database secrets; exits with clear, actionable messages.
  • Chores

    • Compose now builds the API runner image locally for more consistent environments.
    • Expanded ignore rules to exclude additional Go build/cache artifacts.

@gemini-code-assist

Summary of Changes

Hello @gocanto, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses the requirement for build tools within the api-runner service's Docker image, specifically to support cgo compilation. It achieves this by creating a dedicated Dockerfile that extends the base Go Alpine image with the build-base package, and then configures docker-compose to utilize this newly built image. This change ensures that any Go code requiring C interoperability can be successfully compiled and executed within the api-runner container.

Highlights

  • Custom Dockerfile for api-runner: A new Dockerfile, docker/dockerfile-api-runner, has been introduced to specifically build the api-runner service image.
  • Inclusion of Build Tools: The new custom Dockerfile extends golang:1.25.1-alpine and installs the build-base package, providing essential tools like gcc for successful cgo compilation within the container.
  • Docker Compose Configuration Update: The docker-compose.yml file has been updated to build the api-runner service using this new custom Dockerfile, ensuring the service runs with the necessary build environment.


coderabbitai bot commented Oct 14, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The PR changes the api-runner service in docker-compose to be built from a local Dockerfile, adds .gocache and .gopath to .gitignore, and updates metal/makefile/app.mk with DB secret variables plus robust secret validation and updated run-cli/run-cli-docker behavior.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker compose: api-runner image build (docker-compose.yml) | Replaces the pinned golang:1.25.1-alpine@sha256:... image with a build section (context: ., dockerfile: ./docker/dockerfile-api, target: builder) and sets image name to api-api-runner. |
| Git ignores: Go caches (.gitignore) | Adds .gocache and .gopath to ignored entries. |
| Makefile: DB secrets and CLI flow (metal/makefile/app.mk) | Adds DB_SECRET_USERNAME, DB_SECRET_PASSWORD, DB_SECRET_DBNAME defaults; reworks run-cli to validate secrets (accepts direct values or file paths), accumulates and reports missing values/files, exits non-zero on errors, logs masked sources; updates run-cli-docker to forward the same env vars. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer
  participant Make as make run-cli
  participant FS as File System
  participant Docker as Docker/Compose

  rect rgba(220,235,245,0.4)
    note over Make: Secret validation
    Dev->>Make: make run-cli DB_SECRET_*=...
    Make->>FS: Check secret values or files exist
    alt Any missing values/files
      Make-->>Dev: Print missing items and exit (non-zero)
    else All secrets valid
      note over Make,Docker: Execution branch
      alt Docker unavailable
        Make-->>Dev: Run CLI locally (no Docker)
      else Docker available
        Make->>Docker: docker compose run api-runner ...
        Docker-->>Make: Exit status
        Make-->>Dev: Propagate exit status
      end
    end
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

testing

Poem

Hop, hop! I stash my secrets tight,
Validate by day, compose by night.
No pulled image—built on cue,
A cache ignored, our paths made new.
Thump goes the log with tidy cheer—🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title accurately and succinctly describes the core change of replacing the prebuilt api-runner image with a custom build that provides necessary build tools, directly aligning with the pull request’s intent to install Alpine build-base for gcc support. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@gocanto gocanto marked this pull request as draft October 14, 2025 01:22
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly updates the api-runner service to use a custom Docker image with build tools, which is necessary for cgo builds to succeed. My review includes a couple of suggestions to improve build reproducibility and security by pinning the base image digest and the version of the installed build-base package. These changes would align the new Dockerfile with best practices already in use elsewhere in this repository.

@gocanto gocanto changed the title from "Ensure api-runner image includes build tools" to "fix: Ensure api-runner image includes build tools" Oct 14, 2025
@gocanto gocanto added testing and removed codex labels Oct 14, 2025
gocanto commented Oct 14, 2025

@codex review

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

@gocanto gocanto removed the testing label Oct 14, 2025
@gocanto gocanto marked this pull request as ready for review October 14, 2025 03:27
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 880c37d and e84ef80.

📒 Files selected for processing (3)
  • .gitignore (1 hunks)
  • docker-compose.yml (1 hunks)
  • metal/makefile/app.mk (2 hunks)

@gocanto gocanto marked this pull request as draft October 14, 2025 03:36
@gocanto gocanto marked this pull request as ready for review October 14, 2025 04:01
@gocanto gocanto merged commit 36d78d6 into main Oct 14, 2025
2 of 3 checks passed
@gocanto gocanto deleted the gus/fix-missing-gcc-compiler-in-path-2025-10-14 branch October 14, 2025 04:05
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e84ef80 and 7fada94.

📒 Files selected for processing (1)
  • metal/makefile/app.mk (2 hunks)
🔇 Additional comments (4)
metal/makefile/app.mk (4)

3-5: LGTM! Clear default secret paths.

The conditional variable assignments allow easy override while providing sensible defaults.


42-82: Solid validation logic with good error messages.

The secret validation correctly distinguishes between missing values and missing files, accumulates all errors before exiting, and uses POSIX-compatible shell syntax. The path pattern /*|./*|../* covers the common cases, though it won't match tilde-expanded paths like ~/secrets/file.


83-101: Secret masking implementation looks good.

The case-based masking correctly distinguishes file paths from inline values and redacts sensitive data appropriately. This addresses the previous concern about printing raw secrets.

Note: Past review comment about printing raw DB secrets is now resolved.


108-108: Clean delegation pattern.

The target correctly forwards DB_SECRET_* variables to run-cli using Make's variable override mechanism. This maintains consistency and avoids duplicating validation logic.

Comment on lines +102 to +106
@DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \
status=$$?; \
printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \
exit $$status; \
}
⚠️ Potential issue | 🔴 Critical

Critical: Recipe lines must use tabs, not spaces.

Lines 102-106 appear to have leading spaces instead of tab characters. Makefile recipes must begin with a tab (not spaces), or Make will reject the file with "missing separator" errors. Please replace the leading whitespace on these lines with a single tab character.

Apply this fix to correct the indentation:

-        @DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \
-                status=$$?; \
-                printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \
-                exit $$status; \
-        }
+	@DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \
+		status=$$?; \
+		printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \
+		exit $$status; \
+	}
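
Review bot: on the first `+` line the three `DB_SECRET_*="$(DB_SECRET_*)"` assignments are filled in by Make's textual expansion before the shell parses the line, so an inline secret containing `"`, `$` or a backtick is reinterpreted by the shell instead of being passed through literally, and the expanded value is part of the recipe text that `make -n` prints. Consider exporting the variables from Make (`export DB_SECRET_USERNAME DB_SECRET_PASSWORD DB_SECRET_DBNAME`) and dropping the inline assignments, so the value never becomes command text. The `printf` format string also embeds the `$(RED)` and `$(NC)` expansions; passing the status as a `%s` argument keeps the format fixed.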

Note: The inline environment variable assignment (VAR=value command) correctly exports values to the child process, resolving the previous concern about variable export.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \
status=$$?; \
printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \
exit $$status; \
}
@DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \
status=$$?; \
printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \
exit $$status; \
}
🤖 Prompt for AI Agents
In metal/makefile/app.mk around lines 102 to 106 the recipe lines currently
start with spaces which causes Make to error with "missing separator"; replace
the leading spaces on each of these recipe lines with a single tab character so
the command lines are valid Makefile recipe entries (preserve the rest of the
line exactly, only change the indentation to a tab).
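
The validate-then-mask flow this review describes for run-cli, as an added POSIX sh example that is not the repository's app.mk code. The function names are hypothetical; only the DB_SECRET_* variable names and the `/*|./*|../*` path pattern come from the thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not taken from app.mk.

# is_path VALUE: true when VALUE looks like a file path. Same pattern as in
# the review, so an unexpanded "~/..." is NOT treated as a path.
is_path() {
    case "$1" in
        /*|./*|../*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secret NAME VALUE: prints one error line per problem, nothing if OK.
check_secret() {
    name=$1
    value=$2
    if [ -z "$value" ]; then
        printf '%s: no value set\n' "$name"
    elif is_path "$value" && [ ! -r "$value" ]; then
        printf '%s: secret file not readable: %s\n' "$name" "$value"
    fi
}

# mask_secret VALUE: a file path is safe to log, an inline value is not.
mask_secret() {
    if is_path "$1"; then
        printf 'file:%s' "$1"
    elif [ -n "$1" ]; then
        printf '<redacted>'
    else
        printf '<unset>'
    fi
}

# validate_secrets: checks all three variables, reports every problem on
# stderr in one pass, and returns non-zero if any was found.
validate_secrets() {
    errors=$(
        check_secret DB_SECRET_USERNAME "${DB_SECRET_USERNAME:-}"
        check_secret DB_SECRET_PASSWORD "${DB_SECRET_PASSWORD:-}"
        check_secret DB_SECRET_DBNAME "${DB_SECRET_DBNAME:-}"
    )
    [ -z "$errors" ] && return 0
    printf '%s\n' "$errors" >&2
    return 1
}
```

A value such as `~/secrets/pw` that reaches the check unexpanded is classified as an inline secret, so it passes validation and is logged as `<redacted>` rather than being reported as a missing file.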
