Oci containers

.github/workflows/go.yaml

@@ -18,7 +18,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.24.4"
+          go-version: "1.24.6"
 
       - name: Check formatting
         run: |
@@ -29,10 +29,14 @@ jobs:
             exit 1
           fi
 
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          args: ./...
+      - name: Run Go vet
+        run: make lint
+
+      - name: Run Shellcheck
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y shellcheck
+          make shellcheck
 
   test:
     runs-on: ubuntu-latest
@@ -43,7 +47,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.24.4"
+          go-version: "1.24.6"
 
       - name: Test
         run: make test
@@ -55,3 +59,28 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         run: bash <(curl -s https://codecov.io/bash)
+
+  docker-build:
+    runs-on: ubuntu-latest
+    needs: [quality-checks, test]
+    # Only build and push Docker images on main branch after tests pass
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build info
+        run: make docker-info
+
+      - name: Build and push Docker image
+        run: make docker-push
+        env:
+          DOCKER_PUSH: true

.github/workflows/release.yaml

@@ -0,0 +1,43 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  promote-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Build info
+        run: |
+          echo "Promoting release: ${{ steps.version.outputs.VERSION }}"
+          make docker-info
+
+      - name: Promote Docker image
+        run: |
+          # The image should already exist from the main branch build
+          # We're just adding the version tag to it (immutable tags - no latest)
+          make docker-promote TAGS="${{ steps.version.outputs.VERSION }}"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          generate_release_notes: true
+          draft: false
+          prerelease: false

Makefile

@@ -1,5 +1,14 @@
-.PHONEY: coverage test inspect install sec-scan lint fmt check
+.PHONY: coverage test inspect install sec-scan lint fmt check shellcheck
+.PHONY: tree-hash docker-build docker-push docker-exists docker-promote docker-release docker-list
 
+# Docker configuration with defaults (override with environment variables)
+export DOCKER_REGISTRY ?= docker.io
+export DOCKER_REPO ?= nomasters/haystack
+export DOCKER_PLATFORMS ?= linux/amd64,linux/arm64
+export DOCKER_PUSH ?= false
+export SKIP_GIT_CHECK ?= false
+
+# Go targets
 test:
 	go test -v ./...
 
@@ -13,16 +22,76 @@ sec-scan:
 	gosec -fmt=json -out=gosec-report.json -stdout -verbose=text ./...
 
 lint:
-	golangci-lint run ./...
+	go vet ./...
 
 fmt:
 	go fmt ./...
 
-check: fmt lint test
+# Check shell scripts for issues
+shellcheck:
+	@echo "Checking shell scripts with shellcheck..."
+	@shellcheck scripts/*.sh
+
+check: fmt lint test shellcheck
 	@echo "All checks passed!"
 
 update-deps:
 	go get -u && go mod tidy
 
 install:
-	go install github.com/nomasters/haystack/cmd/haystack
+	go install github.com/nomasters/haystack/cmd/haystack
+
+# Docker targets - Local-first hermetic builds
+# These commands work identically on your machine and in CI
+
+# Calculate the tree hash of source files
+tree-hash:
+	@./scripts/tree-hash.sh
+
+# Build Docker image (idempotent - only builds if tree hash changed)
+# Requires clean git working directory (override with SKIP_GIT_CHECK=true)
+docker-build:
+	@./scripts/docker-build.sh
+
+# Build and push Docker image to registry
+docker-push:
+	@DOCKER_PUSH=true ./scripts/docker-build.sh
+
+# Check if image exists for current tree hash
+docker-exists:
+	@TREE_HASH=$$(./scripts/tree-hash.sh) && \
+		./scripts/docker-tags.sh exists "tree-$$TREE_HASH"
+
+# Promote current commit's image with additional tags
+# Usage: make docker-promote TAGS="v1.0.0"
+docker-promote:
+	@if [ -z "$(TAGS)" ]; then \
+		echo "Error: TAGS variable required. Usage: make docker-promote TAGS=\"v1.0.0\""; \
+		exit 1; \
+	fi
+	@./scripts/docker-tags.sh release $(TAGS)
+
+# Release workflow - build if needed, then tag
+# Usage: make docker-release VERSION=v1.0.0
+docker-release: docker-push
+	@if [ -z "$(VERSION)" ]; then \
+		echo "Error: VERSION variable required. Usage: make docker-release VERSION=v1.0.0"; \
+		exit 1; \
+	fi
+	@./scripts/docker-tags.sh release $(VERSION)
+
+# List all Docker tags in the registry
+docker-list:
+	@./scripts/docker-tags.sh list
+
+# Clean up local Docker buildx builders
+docker-clean:
+	@docker buildx rm haystack-builder 2>/dev/null || true
+
+# Show current build information
+docker-info:
+	@echo "Tree hash:   $$(./scripts/tree-hash.sh)"
+	@echo "Commit SHA:  $$(git rev-parse --short HEAD)"
+	@echo "Branch:      $$(git rev-parse --abbrev-ref HEAD)"
+	@echo "Registry:    $${DOCKER_REGISTRY:-docker.io}"
+	@echo "Repository:  $${DOCKER_REPO:-nomasters/haystack}"