
feat: Add goreleaser docker publish channel #14

Merged: thumbrise merged 1 commit into main from publish-docker on May 29, 2026

Conversation

@thumbrise
Owner

@thumbrise thumbrise commented May 29, 2026

Summary by CodeRabbit

Release Notes

  • New Features
    • Docker images now released for multi-platform deployment, supporting x86-64 and ARM64 architectures
    • Two image variants available: standard and lightweight Alpine Linux versions
    • Images include comprehensive metadata and version tracking information
    • Automated release process integrated into deployment pipeline


@thumbrise thumbrise self-assigned this May 29, 2026
@coderabbitai

coderabbitai Bot commented May 29, 2026

Warning

Review limit reached

@thumbrise, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 41 minutes and 2 seconds. Learn how PR review limits work.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c50272f9-b457-41c4-aaad-b060ec32a854

📥 Commits

Reviewing files that changed from the base of the PR and between 588695c and 6035ef4.

📒 Files selected for processing (4)
  • .github/workflows/release.yml
  • .goreleaser.yaml
  • publish/buildx-alpine.Dockerfile
  • publish/buildx.Dockerfile
📝 Walkthrough

Walkthrough

This PR adds Docker multi-architecture image build and publishing infrastructure. It extends the release workflow with Docker Buildx and Hub authentication, configures GoReleaser to build and push images for two variants across linux/amd64 and linux/arm64 platforms, and provides corresponding Dockerfile implementations.

Changes

Docker multi-architecture build pipeline

Layer / File(s) and summary:
  • GitHub Actions workflow (.github/workflows/release.yml): Docker Buildx and authentication setup. The release workflow adds Docker Buildx initialization and Docker Hub login steps using repository credentials before semantic-release execution.
  • GoReleaser multi-architecture Docker configuration (.goreleaser.yaml): GoReleaser adds a release.dockers_v2 section with two Docker image definitions (commitlint-scope, commitlint-scope-alpine), each specifying a Dockerfile, target platforms (linux/amd64, linux/arm64), version-derived tag patterns, and OCI image labels.
  • Standard and Alpine Dockerfile implementations (publish/buildx.Dockerfile, publish/buildx-alpine.Dockerfile): two Dockerfiles define the container image builds using golang:1.26 and golang:1.26-alpine base images respectively, configure Go environment variables and Git safe directories, copy the platform-specific binary, and set the container command to run commitlint-scope.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit's release day wish:
Docker and Go, arm64 and amd64,
Multi-arch images fly fast and far,
Alpine's light touch, the standard's delight,
GoReleaser orchestrates through the night! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'feat: Add goreleaser docker publish channel' accurately summarizes the main changes—adding Docker publishing capability to the GoReleaser configuration and release workflow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.goreleaser.yaml:
- Around line 42-43: Update the dockerfile paths in .goreleaser.yaml to match
the repository: replace references to build/buildx.Dockerfile and
build/buildx-alpine.Dockerfile with publish/buildx.Dockerfile and
publish/buildx-alpine.Dockerfile (i.e., update the dockerfile key and any
platforms/docker build entries that refer to those filenames so GoReleaser can
locate the Dockerfiles during image builds).

In `@publish/buildx-alpine.Dockerfile`:
- Around line 10-15: The runtime Dockerfile currently installs compilers and VCS
tools (gcc, musl-dev, git, mercurial) and runs as root; instead, remove those
packages from the final image and ensure the prebuilt binary is copied from a
builder stage (leave COPY $TARGETPLATFORM/commitlint-scope /usr/bin/ and CMD
["commitlint-scope"] intact), then create a non-root user (e.g., user/group
creation and chown of /usr/bin/commitlint-scope) and add a USER instruction so
the container runs as that unprivileged account at runtime.

In `@publish/buildx.Dockerfile`:
- Around line 10-13: Remove the global wildcard git trust and stop running as
root: delete the RUN git config --global --add safe.directory '*' line, add a
non-root user (e.g., create a user/group with addgroup/adduser or useradd), copy
the commitlint-scope binary into /usr/bin/ then chown it to that non-root user
(reference COPY $TARGETPLATFORM/commitlint-scope /usr/bin/ and the
commitlint-scope binary), and switch execution to that user with USER <username>
before the CMD ["commitlint-scope"]; if git access is required at runtime, set a
single explicit safe.directory value instead of '*' or configure trust outside
the runtime image.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 543063ae-7edc-4fd6-bb97-226f9e410742

📥 Commits

Reviewing files that changed from the base of the PR and between 8134cc6 and 588695c.

📒 Files selected for processing (4)
  • .github/workflows/release.yml
  • .goreleaser.yaml
  • publish/buildx-alpine.Dockerfile
  • publish/buildx.Dockerfile

Comment thread .goreleaser.yaml (Outdated; the inline comment on the dockerfile paths is collapsed on the page)

Comment thread publish/buildx-alpine.Dockerfile
Comment on lines +10 to +15
RUN apk --no-cache add gcc musl-dev git mercurial

RUN git config --global --add safe.directory '*'

COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
CMD ["commitlint-scope"]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Trim unnecessary packages and run as non-root in runtime image.

This image executes a prebuilt binary; keeping compilers/VCS tools plus root runtime user is avoidable exposure.

Suggested patch
-RUN apk --no-cache add gcc musl-dev git mercurial
-
-RUN git config --global --add safe.directory '*'
+RUN adduser -D appuser
@@
 COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
+USER appuser
 CMD ["commitlint-scope"]
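Review bot: the suggested patch removes git from the runtime image, but nothing on this page shows commitlint-scope can run without it; the author's own follow-up asks about the .git ownership problem, which only matters if the binary invokes git on a mounted checkout. Drop `gcc musl-dev mercurial`, which a prebuilt binary does not need, but keep `git` until the binary is confirmed not to exec it, and pair the removal of `safe.directory '*'` with a scoped replacement: once the container runs as `appuser`, a bind-mounted repo owned by the host UID fails Git's dubious-ownership check instead of silently working, so this patch as written swaps a too-broad setting for a broken default. `adduser -D appuser` is the correct BusyBox form for Alpine.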

Comment thread publish/buildx.Dockerfile
Comment on lines +10 to +13
RUN git config --global --add safe.directory '*'

COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
CMD ["commitlint-scope"]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden runtime image: drop root and remove wildcard git trust.

Running as root and trusting all git directories broadens blast radius unnecessarily for a runtime image.

Suggested patch
-FROM golang:1.26
+FROM golang:1.26
@@
-RUN git config --global --add safe.directory '*'
-
-COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
+RUN adduser --disabled-password --gecos "" appuser
+COPY $TARGETPLATFORM/commitlint-scope /usr/bin/
+USER appuser
 CMD ["commitlint-scope"]
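Review bot: the `-FROM golang:1.26` / `+FROM golang:1.26` pair at the top of the hunk is a no-op and should be dropped from the suggestion. The `adduser --disabled-password --gecos ""` form is Debian's adduser, which matches the Debian-based golang:1.26 image, but the same caveat as the Alpine variant applies: the hunk deletes the wildcard `safe.directory` while keeping git and switching to an unprivileged user, so a checkout bind-mounted from the host (owned by a different UID) will now be rejected with a dubious-ownership error. Add a scoped `safe.directory` for the documented mount point, or an entrypoint that adds `$PWD`, as the prompt text above itself proposes, rather than leaving the tool unusable on the common mount pattern.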

@thumbrise
Owner Author

@coderabbitai what do you think about the potentially ambiguous .git owner problem?

@coderabbitai

coderabbitai Bot commented May 29, 2026


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
cat publish/buildx.Dockerfile
echo "---"
cat publish/buildx-alpine.Dockerfile

Length of output: 676



@thumbrise Great question. Both Dockerfiles bake in:

RUN git config --global --add safe.directory '*'

This is the wildcard bypass for CVE-2022-24765 (Git ≥ 2.35.2 refuses to operate on repos owned by a different UID). The wildcard disables that ownership check for every directory, globally, and it's written into the image layer at build time — so every container based on this image inherits it permanently.

Why it's potentially problematic

  • Overly broad: '*' turns off the protection entirely rather than targeting the specific mount point where users place their repo.
  • Baked into the image: set at build time via RUN, so it can't be opted out of at runtime without overriding ~/.gitconfig.
  • Privilege escalation risk: if the container is run with additional mounts (e.g., secrets volumes that happen to contain a .git), Git won't warn about the ownership mismatch.

Better alternatives

Option 1 — Entrypoint that scopes to the actual working directory (most flexible):

Dockerfile:

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["commitlint-scope"]

entrypoint.sh:

#!/bin/sh
set -eu
# Trust only the directory the caller mounted and ran from, not every path.
git config --global --add safe.directory "$PWD"
exec "$@"

Option 2 — Target a fixed, well-known mount point:

# For GitHub Actions
RUN git config --global --add safe.directory /github/workspace
# For generic CI
RUN git config --global --add safe.directory /workspace

Option 3 — Leave it to the user / document it:
Remove the RUN git config line entirely and document in the README that users must pass:

-e GIT_CONFIG_GLOBAL=/dev/null   # or add their own safe.directory

For a tool like commitlint-scope that is typically invoked on the user's own checked-out repo, Option 1 (entrypoint-scoped $PWD) is the safest balance — it solves the ownership error without permanently disabling the protection for all possible paths.
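The Option 1 entrypoint sketched in the comment above leaves two gaps a practitioner would close before shipping it: it adds $PWD even when $PWD is not a checkout, and it writes into the image user's ~/.gitconfig. The script below is an added example, not code from this PR or from the commitlint-scope project. It assumes git is installed in the runtime image, the container runs as a non-root user, and the caller's repository is bind-mounted at the working directory (docker run -v "$PWD:/work" -w /work image). It scopes trust to that one directory, writes the entry to a per-container config file selected through GIT_CONFIG_GLOBAL so the image layer and HOME are never modified, is idempotent across restarts of the same container, and refuses a wildcard or relative path so the bypass cannot be reintroduced through the environment. The file name, the /tmp/gitconfig location and the function names trust_repo_dir and count_safe_dirs are this example's own choices.

```shell
#!/bin/sh
# entrypoint.sh (added example, not the commitlint-scope project's own file)
#
# Scopes Git's safe.directory trust to the checkout actually mounted into the
# container instead of baking `safe.directory '*'` into the image layer.
#
# Assumptions, none of which come from the PR: git is installed in the runtime
# image, the container runs as a non-root user, and the caller's repository is
# bind-mounted at the working directory, e.g.
#   docker run --rm -v "$PWD:/work" -w /work <image>

set -eu

# Per-container config file. Git honours GIT_CONFIG_GLOBAL in place of
# ~/.gitconfig, so the image's own config stays untouched and the entry
# disappears with the container. /tmp/gitconfig is this example's choice.
: "${GIT_CONFIG_GLOBAL:=/tmp/gitconfig}"
export GIT_CONFIG_GLOBAL

# trust_repo_dir DIR CONFIG
# Appends DIR as a safe.directory entry to CONFIG when DIR is the root of a
# git checkout. Returns 1 and writes nothing for '*', for relative paths and
# for directories without a .git, so the wildcard bypass cannot be smuggled
# back in through the environment or a caller argument.
trust_repo_dir() {
    dir=$1
    cfg=$2
    case "$dir" in
        '*') echo "refusing wildcard safe.directory" >&2; return 1 ;;
        /*)  ;;
        *)   echo "refusing relative path: $dir" >&2; return 1 ;;
    esac
    # .git is a directory for a normal clone and a file for a linked worktree.
    [ -d "$dir/.git" ] || [ -f "$dir/.git" ] || return 1
    entry=$(printf '\tdirectory = %s' "$dir")
    # Idempotent: a restarted container must not append a duplicate line.
    if [ -f "$cfg" ] && grep -Fxq -- "$entry" "$cfg"; then
        return 0
    fi
    # Repeated "directory =" lines under [safe] are exactly what
    # `git config --global --add safe.directory` itself produces.
    printf '[safe]\n%s\n' "$entry" >> "$cfg"
}

# count_safe_dirs CONFIG: number of safe.directory entries held in CONFIG.
count_safe_dirs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- "$(printf '^\tdirectory = ')" "$1" || true
}

# Act as an entrypoint only when invoked under that name; sourcing the file
# just defines the functions above.
if [ "${0##*/}" = "entrypoint.sh" ]; then
    trust_repo_dir "$PWD" "$GIT_CONFIG_GLOBAL" ||
        echo "note: $PWD is not a git checkout; no safe.directory added" >&2
    exec "$@"
fi
```

To wire it in, the Dockerfile would COPY entrypoint.sh /entrypoint.sh, switch to the unprivileged account with USER, and set ENTRYPOINT ["/entrypoint.sh"] with CMD ["commitlint-scope"], as in Option 1 above. Because the entry is written to the file named by GIT_CONFIG_GLOBAL rather than to ~/.gitconfig, it also works with a read-only root filesystem as long as /tmp is writable, and a caller can still override the location per run with -e GIT_CONFIG_GLOBAL=....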

@thumbrise thumbrise merged commit f552733 into main May 29, 2026
4 checks passed
@thumbrise thumbrise deleted the publish-docker branch May 29, 2026 02:27
@github-actions

🎉 This PR is included in version 2.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
