Skip to content

Refactor CLI to modular architecture, add linted CI, multi-arch builds, and tag-based releases #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Duke1715 wants to merge 20 commits into
base: main
Choose a base branch
from
Open

Refactor CLI to modular architecture, add linted CI, multi-arch builds, and tag-based releases #3

Duke1715 wants to merge 20 commits into from

Conversation

@Duke1715
Copy link

@Duke1715 Duke1715 commented Oct 17, 2025

Summary

This PR refactors the CLI from a single procedural main into a modular, testable design and introduces robust CI/release automation. It keeps the same CLI surface (start|stop|restart|update), but significantly improves structure, error handling, and security posture.

Key Go code changes

  • New package structure:
    • app/ top-level application orchestration (Application).
    • app/commands/ command routing and execution of docker compose.
    • app/services/ secret retrieval and response parsing.
    • app/environment/ environment variable validation and accessors.
    • app/client/ HTTP client (resty) with typed header constants.
    • app/models/ typed models for Vault KV v2 responses.
  • Execution flow:
    • Before: monolithic dcs.go did argument parsing, HTTP calls, JSON parsing, and docker compose execution inline.
    • After: dcs.go wires services; Application delegates to commands.Service; secrets fetched via SecretService and injected into exec.Cmd env.
  • Environment handling:
    • Now strictly validates required env vars at startup via environment.Service.
    • Uses explicit VAULT_PATH instead of deriving the path from the binary’s directory name.
  • HTTP client:
    • Introduced resty to simplify HTTP requests and headers management.
    • Added HeaderVaultTokenName constant; guarded with //nolint:gosec as it’s not a credential.
  • Response parsing:
    • Typed structs in app/models and dedicated JSON parsing with semantic error handling (errors array, missing data).
  • Docker compose execution:
    • Helper to build exec.Cmd, inject env, and run with inherited stdio.
    • update pulls images, then restart is executed automatically at the application level.
  • Error handling & logging:
    • Early validation (guard clauses), log.Fatal on irrecoverable states, clear messages when no secrets found.
  • Lint-driven fixes:
    • fmt.Errorf used instead of errors.New(fmt.Sprintf(...)).
    • Gosec suppression only for non-secret header name.

Behavior changes (user-facing)

  • Required env vars: VAULT_ADDR, VAULT_TOKEN, and now explicitly VAULT_PATH (previously the path was implicitly derived from executable directory name). This is a deliberate change for clarity and portability.
  • update performs docker compose pull and then restarts the stack.
  • When no secrets are present, the app logs a message and continues without secrets (consistent with previous UX but clearer).

CI and release automation

  • CI (.github/workflows/go.yml):
    • Runs build + tests + golangci-lint on push and pull_request.
    • Includes Go module caching.
  • Dependency review:
    • Runs only on pull_request to avoid base/head ref errors on push.
  • Binaries on main:
    • slsa-goreleaser.yml builds matrix artifacts for linux/darwin on amd64/arm64 and uploads them as workflow artifacts.
  • Releases:
    • Proper .goreleaser.yaml (not a workflow) with CGO_ENABLED=0, -trimpath, -s -w, archives and checksums.
    • Tag-driven release workflow (release.yml) on tags v*, GoReleaser action pinned to v1.26.2.
    • Homebrew tap publishing removed for now (can re-enable when token/repo are ready).

Why

  • Improve maintainability and testability via clear separation of concerns.
  • Enforce code quality and security scanning.
  • Provide deterministic, multi-arch binaries and straightforward tag-based releases.

Risks and mitigations

  • Behavior change: explicit VAULT_PATH required. Mitigated with README Usage docs and clear error message.
  • New dependency resty: mature, widely used; impact limited to HTTP client.
  • Auto-restart after update: aligns with operational expectations; documented.

How to test

  • Lint & tests: open a PR → CI runs.
  • Binaries: push to main → check “Build binaries on master” artifacts.
  • Release: create a tag v1.1 (or vX.Y.Z) → GoReleaser publishes archives and checksums.

Docs

  • README updated with Usage: required env vars (VAULT_ADDR, VAULT_TOKEN, VAULT_PATH), commands, and examples (export and one-liner).

@KNIF KNIF requested a review from Copilot October 17, 2025 16:06
Copilot AI reviewed Oct 17, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR refactors the CLI from a monolithic procedural design into a modular, testable architecture while maintaining the same command-line interface. It introduces robust CI/CD pipelines with linting, multi-architecture builds, and automated tag-based releases.

Key changes:

  • Restructured code into separate packages (app/, app/commands/, app/services/, app/environment/, app/client/, app/models/) for better separation of concerns
  • Replaced manual HTTP handling with the resty library for cleaner HTTP client implementation
  • Changed from implicit path derivation (from executable directory) to explicit VAULT_PATH environment variable requirement
  • Added comprehensive CI workflows including linting, dependency review, multi-arch binary builds, and GoReleaser-based releases

Reviewed Changes

Copilot reviewed 19 out of 25 changed files in this pull request and generated no comments.

Show a summary per file
File Description
go.mod Updated Go version to 1.22 and added resty dependency
dcs.go Refactored from monolithic main to modular service orchestration
app/app.go New application orchestration layer with command routing
app/commands/commands.go Command execution logic with docker compose integration
app/services/secrets.go Secret retrieval service with Vault KV v2 API integration
app/models/get_secrets_result.go Typed models for Vault API responses
app/environment/environment.go Environment variable validation and accessor service
app/client/http_client.go HTTP client wrapper using resty with header management
README.md Added comprehensive usage documentation with examples
.goreleaser.yaml GoReleaser configuration for release automation
.golangci.yml Linter configuration with enabled rules
.github/workflows/go.yml CI workflow for build, test, and lint
.github/workflows/release.yml Tag-based release workflow
.github/workflows/slsa-goreleaser.yml Multi-arch binary builds on main branch
.github/workflows/dependency-review.yml Dependency security scanning for pull requests
.slsa-goreleaser/*.yml SLSA build configurations for various OS/arch combinations
Files not reviewed (4)
  • .idea/.gitignore: Language not supported
  • .idea/docker-compose-secrets.iml: Language not supported
  • .idea/modules.xml: Language not supported
  • .idea/vcs.xml: Language not supported

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Duke1715 @eugeneuskov