Pull request overview
Updates the project’s publishing pipeline to enable access to the private indexd module during Docker builds (via SSH), and adjusts CI Go versions.
Changes:
- Adds SSH-based GitHub access setup in the Docker build to fetch go.sia.tech/indexd.
- Extends the publish workflow with a Docker build/push job and removes tag-based triggers.
- Updates the main CI matrix Go versions.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Dockerfile | Adds SSH key/known_hosts setup and forces GitHub SSH URLs to allow private module access during go mod download. |
| .github/workflows/publish.yml | Removes tag triggers and adds a Docker publish job that injects an SSH key for the Docker build. |
| .github/workflows/main.yml | Updates Go test matrix to include Go 1.26. |
| - name: Setup Indexd Access | ||
| run: | | ||
| echo "${{ secrets.INDEXD_SSH_KEY }}" > $GITHUB_WORKSPACE/indexd_ed25519 | ||
| - uses: docker/setup-qemu-action@v3 | ||
| - uses: docker/setup-buildx-action@v3 | ||
| - uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.repository_owner }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ghcr.io/siafoundation/cluster:master | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max |
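Review bot: the Setup Indexd Access step writes the secret with a bare `echo` redirect, so `indexd_ed25519` is created with the runner's default (world-readable) mode and stays in the workspace for every later step, including the `COPY` inside the build. docker/build-push-action has an `ssh:` input (`ssh: default=${{ env.SSH_AUTH_SOCK }}` after loading the key into an ssh-agent) that forwards the key through BuildKit without it ever touching the checkout. If a file on disk is unavoidable, pass the secret through `env:` and write it as `(umask 077; printf '%s\n' "$INDEXD_SSH_KEY" > "$GITHUB_WORKSPACE/indexd_ed25519")`, then delete it in an `if: always()` step.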
The workflow writes the private SSH key into the repository workspace and then builds with context: ., which will include that key in the Docker build context. Combined with cache-to: type=gha,mode=max, the key can also get embedded into BuildKit cache artifacts. Use buildx SSH forwarding or secret mounts instead (and avoid placing the key in the build context).
| on: | ||
| # Triggers the workflow on new SemVer tags | ||
| push: | ||
| branches: | ||
| - master | ||
| tags: | ||
| - "v[0-9]+.[0-9]+.[0-9]+" | ||
| - "v[0-9]+.[0-9]+.[0-9]+-**" | ||
|
|
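Review bot: dropping the `tags:` patterns removes every trigger for version tags, so a `v1.2.3` push no longer runs this workflow at all and the image only ever receives the `master` tag. If the goal is only to stop the binary build on tags, keep the tag trigger and gate individual jobs with `if: github.ref_type == 'branch'` (or `startsWith(github.ref, 'refs/tags/')` for the release jobs) rather than losing tagged publishes entirely.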
The header comment says this workflow triggers on new SemVer tags, but the tags: trigger has been removed. Update the comment (or restore the tag trigger) so the workflow behavior matches the documented intent.
| matrix: | ||
| os: [ubuntu-latest, windows-latest, macos-latest] | ||
| go-version: ['1.24', '1.25'] | ||
| go-version: ["1.25", "1.26"] |
The test matrix includes Go 1.25, but the repository's go.mod currently specifies go 1.26.0. Go 1.25 will fail with "requires go >= 1.26.0" unless you add a toolchain directive or lower the go.mod version. Align the CI matrix with the minimum supported Go version.
| go-version: ["1.25", "1.26"] | |
| go-version: ["1.26"] |
| docker: | ||
| name: Publish Docker | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| packages: write | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: 1.26 | ||
| - name: Setup Indexd Access | ||
| run: | | ||
| echo "${{ secrets.INDEXD_SSH_KEY }}" > $GITHUB_WORKSPACE/indexd_ed25519 | ||
| - uses: docker/setup-qemu-action@v3 | ||
| - uses: docker/setup-buildx-action@v3 | ||
| - uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.repository_owner }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ghcr.io/siafoundation/cluster:master | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max |
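Review bot: the actions/setup-go step in the docker job is unused; nothing in the job invokes go on the runner, since the compile happens inside the Dockerfile, so it only adds time to a job meant as the lightweight replacement for the binary build. If it is kept for a later step, quote the version (`go-version: "1.26"`) as main.yml does, because an unquoted YAML scalar is parsed as a number (`1.20` would silently become `1.2`).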
This repo uses knope changesets (.changeset/ + knope.toml). Since this PR changes the publishing/release behavior (tag trigger removal + new Docker publish flow), consider adding/updating a changeset entry to document the release/publishing change for maintainers.
| # setup auth for indexd package access | ||
| RUN mkdir -p ~/.ssh \ | ||
| && chmod 700 ~/.ssh \ | ||
| && ssh-keyscan github.com >> ~/.ssh/known_hosts \ | ||
| && chmod 644 ~/.ssh/known_hosts | ||
|
|
||
| COPY indexd_ed25519 /root/.ssh/id_ed25519 | ||
| RUN chmod 600 ~/.ssh/id_ed25519 | ||
| RUN git config --global url."git@github.com:".insteadOf "https://github.com/" | ||
| RUN git config --global url."ssh://git@github.com/".insteadOf "https://github.com/" | ||
|
|
||
| ENV GOPRIVATE=go.sia.tech/indexd |
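Review bot: the two `insteadOf` rules both rewrite the same `https://github.com/` prefix (once to `git@github.com:`, once to `ssh://git@github.com/`), which is redundant and leaves the choice to git's prefix matching; keep only the `ssh://git@github.com/` form so the rewrite is unambiguous. `ssh-keyscan github.com` at build time trusts whatever host answered, so a DNS spoof or MITM during the build is accepted silently; pass `-t ed25519` and compare the result with GitHub's published fingerprints (or bake the known entry in) before relying on it. Also, `~/.ssh` in the `RUN` lines and the literal `/root/.ssh` in the `COPY` only agree while the build user is root; a later `USER` change would split them.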
The Docker build currently copies an SSH private key from the build context into the image layer (and keeps it there). This leaks the key into the build cache/layers and makes it retrievable by anyone who can pull the intermediate layers or access build caches. Use BuildKit SSH forwarding or secret mounts for the git fetch/go module download instead of COPY-ing the key into the image, and ensure the key never ends up in any layer.
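A hardened version of the indexd access stage, as an added example written for this review rather than code from the PR or the project. It assumes a BuildKit-capable Docker, a main package at ./cmd/clusterd (a hypothetical path; substitute the real one) and a deploy key held in an ssh-agent on the build host; the key is forwarded for a single RUN step and never enters the build context or a layer.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: fetch the private indexd module with BuildKit SSH
# forwarding instead of COPY-ing a key file into the image.
FROM golang:1.26 AS builder
WORKDIR /src

# Only the host key goes into the image. Restrict keyscan to ed25519 and
# compare the result with GitHub's published fingerprints before trusting
# the build; ssh-keyscan alone accepts whatever host answered at build time.
RUN mkdir -p -m 700 /root/.ssh \
 && ssh-keyscan -t ed25519 github.com >> /root/.ssh/known_hosts \
 && chmod 644 /root/.ssh/known_hosts

# A single rewrite rule is enough to turn go's https fetches into SSH.
RUN git config --global url."ssh://git@github.com/".insteadOf "https://github.com/"
ENV GOPRIVATE=go.sia.tech/indexd

# Resolve modules first so this layer is cached independently of source edits.
COPY go.mod go.sum ./
# The agent socket is mounted only for the duration of this RUN step;
# the key material itself never touches the filesystem or any layer.
RUN --mount=type=ssh go mod download

COPY . .
# Hypothetical main package path; substitute the project's real one.
RUN CGO_ENABLED=0 go build -trimpath -o /out/clusterd ./cmd/clusterd

# Ship only the binary; the builder stage (and its known_hosts) is discarded.
FROM gcr.io/distroless/static-debian12
COPY --from=builder /out/clusterd /usr/bin/clusterd
ENTRYPOINT ["/usr/bin/clusterd"]
```

Contributors build it locally with `docker buildx build --ssh default .` against their own ssh-agent, so no key file is needed in the checkout. In publish.yml, load the secret into an agent (for example with webfactory/ssh-agent) and pass `ssh: default=${{ env.SSH_AUTH_SOCK }}` to docker/build-push-action, which replaces the Setup Indexd Access step entirely; a deploy key scoped read-only to the indexd repository keeps the blast radius small if the CI secret does leak.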
| COPY indexd_ed25519 /root/.ssh/id_ed25519 | ||
| RUN chmod 600 ~/.ssh/id_ed25519 |
This Dockerfile now requires a local indexd_ed25519 file to exist in the build context. That will break local docker build usage for contributors and any CI environment that doesn't inject this file. Prefer using BuildKit --ssh / --mount=type=ssh (or --mount=type=secret) so the Dockerfile can build without an on-disk key file in the context.
This updates the publish CI action to use an ssh key to be able to access the indexd repo at the cost of no longer building the binaries. If we feel like that's an ok tradeoff we can merge this.