upgrade tooling to 2022 standards

.dockerignore

@@ -0,0 +1,18 @@
+.dockerignore
+# TODO: uncomment when applications no longer use git to get version information
+#.git/
+.github/
+.gitignore
+.goreleaser.yml
+/*.env*
+.golangci.yaml
+build/
+CONTRIBUTING.md
+Dockerfile
+docs/
+LICENSE*
+Makefile.maker.yaml
+README.md
+report.html
+shell.nix
+/testing/

.github/workflows/ci.yaml

@@ -24,7 +24,7 @@ jobs:
       with:
         go-version: "1.19"
     - name: Make all check
-      run: GO_BUILDFLAGS='-mod vendor' make all check
+      run: make build-all check
   lint:
     name: Lint
     runs-on: ubuntu-latest
@@ -36,7 +36,7 @@ jobs:
       with:
         go-version: "1.19"
     - name: Run gofmt, go vet, staticcheck
-      run: GO_BUILDFLAGS='-mod vendor' make static-check
+      run: make static-check
   test:
     name: Test
     needs:
@@ -50,7 +50,7 @@ jobs:
       with:
         go-version: "1.19"
     - name: Run tests and generate coverage report
-      run: GO_BUILDFLAGS='-mod vendor' make build/cover.out
+      run: make build/cover.out
     - name: Upload coverage report to Coveralls
       env:
         COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.golangci.yaml

@@ -0,0 +1,119 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+run:
+  deadline: 3m # 1m by default
+  modules-download-mode: readonly
+
+output:
+  # Do not print lines of code with issue.
+  print-issued-lines: false
+
+issues:
+  exclude:
+    # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
+    # Ref: https://go.dev/doc/effective_go#redeclaration
+    - 'declaration of "err" shadows declaration at'
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - bodyclose
+  # '0' disables the following options.
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters-settings:
+  dupl:
+    # Tokens count to trigger issue, 150 by default.
+    threshold: 100
+  errcheck:
+    # Report about assignment of errors to blank identifier.
+    check-blank: true
+    # Report about not checking of errors in type assertions.
+    check-type-assertions: true
+  forbidigo:
+    forbid:
+      # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
+      - ^ioutil\..*$
+  gocritic:
+    enabled-checks:
+      - boolExprSimplify
+      - builtinShadow
+      - emptyStringTest
+      - evalOrder
+      - httpNoBody
+      - importShadow
+      - initClause
+      - methodExprCall
+      - paramTypeCombine
+      - preferFilepathJoin
+      - ptrToRefParam
+      - redundantSprint
+      - returnAfterHttpError
+      - stringConcatSimplify
+      - timeExprSimplify
+      - truncateCmp
+      - typeAssertChain
+      - typeUnparen
+      - unnamedResult
+      - unnecessaryBlock
+      - unnecessaryDefer
+      - weakCond
+      - yodaStyleExpr
+  goimports:
+    # Put local imports after 3rd-party packages.
+    local-prefixes: github.com/sapcc/hermes
+  gosec:
+    excludes:
+      # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/)
+      - G112
+      # created file permissions are restricted by umask if necessary
+      - G306
+  govet:
+    # Report about shadowed variables.
+    check-shadowing: true
+  nolintlint:
+    require-specific: true
+  usestdlibvars:
+      http-method: true
+      http-status-code: true
+      time-weekday: true
+      time-month: true
+      time-layout: true
+      crypto-hash: true
+      default-rpc-path: true
+  whitespace:
+    # Enforce newlines (or comments) after multi-line function signatures.
+    multi-func: true
+
+linters:
+  # We use 'disable-all' and enable linters explicitly so that a newer version
+  # does not introduce new linters unexpectedly.
+  disable-all: true
+  enable:
+    - bodyclose
+    - dupl
+    - errcheck
+    - exportloopref
+    - forbidigo
+    - gocritic
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - nolintlint
+    - rowserrcheck
+    - sqlclosecheck
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace

Dockerfile

@@ -1,8 +1,25 @@
-FROM keppel.eu-de-1.cloud.sap/ccloud-dockerhub-mirror/library/alpine:latest
-MAINTAINER "Nathan Oyler <nathan.oyler@sap.com>"
-LABEL source_repository="https://github.com/sapcc/hermes"
+FROM golang:1.19.2-alpine3.16 as builder
 
-RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
+RUN apk add --no-cache gcc git make musl-dev
 
-ADD build/docker.tar /
-ENTRYPOINT ["/usr/bin/hermes"]
+COPY . /src
+ARG BININFO_BUILD_DATE BININFO_COMMIT_HASH BININFO_VERSION # provided to 'make install'
+RUN make -C /src install PREFIX=/pkg
+
+################################################################################
+
+FROM alpine:3.16
+
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /pkg/ /usr/
+
+ARG BININFO_BUILD_DATE BININFO_COMMIT_HASH BININFO_VERSION
+LABEL source_repository="https://github.com/sapcc/hermes" \
+  org.opencontainers.image.url="https://github.com/sapcc/hermes" \
+  org.opencontainers.image.created=${BININFO_BUILD_DATE} \
+  org.opencontainers.image.revision=${BININFO_COMMIT_HASH} \
+  org.opencontainers.image.version=${BININFO_VERSION}
+
+USER nobody:nobody
+WORKDIR /var/empty
+ENTRYPOINT [ "/usr/bin/hermes" ]