Fix/spoc 468/trivy image scan triage

[rasifr]

No description provided.

[coderabbitai]

Warning

Rate limit exceeded

@rasifr has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 58 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 50 minutes and 58 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5b431d9a-90d7-4bb0-86fe-4396bb13009a

📥 Commits

Reviewing files that changed from the base of the PR and between f907482 and 1060f45.

📒 Files selected for processing (2)

• .github/workflows/release.yaml
• Dockerfile

📝 Walkthrough

Walkthrough

The pull request modernizes the build and runtime infrastructure by pinning GitHub Actions to commit SHAs, consolidating GoReleaser build configurations with CGO disabled, upgrading the Go toolchain to 1.26.0, migrating from mattn/go-sqlite3 to modernc.org/sqlite, and changing the container base image to a static variant with explicit user configuration.

Changes

Cohort / File(s)	Summary
GitHub Actions & Build Configuration .github/workflows/release.yaml, .goreleaser.yaml	Pinned Docker setup actions to commit SHAs for reproducibility. Consolidated three platform-specific GoReleaser builds into a single unified entry with CGO_ENABLED=0, expanding targets to include Linux alongside Darwin and Windows for both amd64 and arm64.
Container Runtime Dockerfile	Switched base image from gcr.io/distroless/base-debian12:nonroot to gcr.io/distroless/static-debian12:nonroot and added explicit USER nonroot declaration before entrypoint configuration.
Go Toolchain & SQLite Migration go.mod, pkg/taskstore/taskstore.go	Advanced Go version from 1.25.4 to 1.26.0. Replaced github.com/mattn/go-sqlite3 with modernc.org/sqlite v1.48.2, updating the database driver invocation from sqlite3 to sqlite. Added related modernc.org indirect dependencies and bumped OpenTelemetry and gRPC versions.

Poem

🐰 The builds now shine with CGO turned down,
Static images bound for every town,
SQLite switched to a purer way,
Go 1.26 lights the path today! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	No description was provided by the author; the PR is missing context about the rationale and scope of changes.	Add a detailed description explaining the purpose of switching to modernc.org/sqlite, the Dockerfile base image change, and the build configuration updates.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title references an issue (SPOC-468) related to Trivy image scan triage, which aligns with the changeset's modifications to the Dockerfile base image and build configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/SPOC-468/trivy-image-scan-triage

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	0

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[coderabbitai]

🧹 Nitpick comments (2)

Dockerfile (1)

46-46: Minor: CA certificates copy may be redundant.

The gcr.io/distroless/static-debian12 image already includes /etc/ssl/certs/ca-certificates.crt. The explicit copy from the downloader stage (line 46) is harmless but potentially unnecessary. The explicit USER nonroot directive (line 52) is good for clarity even though the :nonroot tag already sets it.

Also applies to: 52-53

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 46, The Dockerfile currently copies CA certs from the
downloader stage using the COPY instruction ("COPY --from=downloader
/etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt") which is
redundant because the base image gcr.io/distroless/static-debian12 already
contains that file; remove that COPY line to simplify the build, and you can
keep the explicit "USER nonroot" directive for clarity even though the :nonroot
tag sets it implicitly.

.github/workflows/release.yaml (1)

33-34: Pin the GoReleaser image to a specific version tag.

Using goreleaser/goreleaser:latest introduces reproducibility and supply-chain risks—builds may behave differently over time as the image updates. Pin to a specific version tag (e.g., goreleaser/goreleaser:v2.15.2) for consistency with the other pinned actions in this workflow.

Example fix

-            goreleaser/goreleaser:latest \
+            goreleaser/goreleaser:v2.15.2 \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml around lines 33 - 34, Replace the floating
image tag "goreleaser/goreleaser:latest" with a specific released version (for
example "goreleaser/goreleaser:v2.15.2") to ensure reproducible builds; locate
the step that invokes the goreleaser image (the line containing
goreleaser/goreleaser:latest and the subsequent release --clean) and update the
image tag to a fixed version that matches your pinned actions policy.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release.yaml:
- Around line 33-34: Replace the floating image tag
"goreleaser/goreleaser:latest" with a specific released version (for example
"goreleaser/goreleaser:v2.15.2") to ensure reproducible builds; locate the step
that invokes the goreleaser image (the line containing
goreleaser/goreleaser:latest and the subsequent release --clean) and update the
image tag to a fixed version that matches your pinned actions policy.

In `@Dockerfile`:
- Line 46: The Dockerfile currently copies CA certs from the downloader stage
using the COPY instruction ("COPY --from=downloader
/etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt") which is
redundant because the base image gcr.io/distroless/static-debian12 already
contains that file; remove that COPY line to simplify the build, and you can
keep the explicit "USER nonroot" directive for clarity even though the :nonroot
tag sets it implicitly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1be7b314-6a59-44aa-9d58-d036667d49b9

📥 Commits

Reviewing files that changed from the base of the PR and between cf8794d and f907482.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• .github/workflows/release.yaml
• .goreleaser.yaml
• Dockerfile
• go.mod
• pkg/taskstore/taskstore.go

[mason-sharp]

LGTM