controlplaneio · g-bgg · Jan 27, 2026 · Jan 19, 2026
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,44 +1,65 @@
 name: Lint and Build
 on:
   push:
-  ## do not lint and build when tagged, we already do that in push to master
     tags-ignore:
       - '*'
-
     branches:
     - '*'
   pull_request:
     branches: ['main', 'master']
 
 jobs:
-  # lint:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - name: Checkout repository
-  #       uses: actions/checkout@v3
-
-  #     - name: Run golangci-lint
-  #       uses: reviewdog/action-golangci-lint@v2
-  #       with:
-  #         go_version: "1.24.3"
-  #         golangci_lint_flags: "--timeout=5m0s"
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+
+      - name: Run golangci-lint
+        uses: reviewdog/action-golangci-lint@f9bba13753278f6a73b27a56a3ffb1bfda90ed71 # v2
+        with:
+          go_version: "1.25.4"
+          fail_level: "none"
+
   build:
     runs-on: ubuntu-latest
-    #needs: lint
+    needs: lint
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3
         with:
-          go-version: '1.24.3'
+          go-version: '1.25.4'
 
       - name: Install dependencies
         run: go get ./...
 
       - name: Test
         run: go test -v ./... --race
 
+      - name: E2E Test
+        env:
+          KIND_E2E_TESTS: yes
+        run: go test -timeout 20m -v ./e2e/...
+
       - name: Build
         run: go build -v ./...
+
+      - name: Build Container
+        run: go build -v ./...
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t controlplane/netassert:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'controlplane/netassert:${{ github.sha }}'
+          format: 'table'
+          ignore-unfixed: true
+          exit-code: '1'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -8,98 +8,116 @@ on:
 
 permissions:
   contents: write
+  packages: write
+  id-token: write
+  attestations: write
 
 env:
   GH_REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
   RELEASE_VERSION: ${{ github.ref_name }}
+  SCANNER_IMG_VERSION: v1.0.11
+  SNIFFER_IMG_VERSION: v1.1.9
 
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3
         with:
-          go-version: '1.24.3'
-      - uses: anchore/sbom-action/download-syft@v0.20.6
+          go-version: '1.25.4'
+
+      - uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
+
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4
         with:
           distribution: goreleaser
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  packagerelease:
+  docker:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      attestations: write
-      id-token: write
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      # - name: Extract metadata (tags, labels) for Docker
+      #   id: meta
+      #   uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+      #   with:
+      #     images: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+
       - name: Log in to the GitHub Container registry
         uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
         with:
           registry: ${{ env.GH_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
-        with:
-          images: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Build and push Docker image
-        id: push
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            VERSION=${{ env.RELEASE_VERSION }}
+
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Build and push
-        uses: docker/build-push-action@v4
+        id: buildpush
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
-          context: .
           platforms: linux/amd64,linux/arm64
+          sbom: true
+          provenance: mode=max
           push: true
           tags: |
-            controlplane/netassert:${{ github.ref_name }}
-            controlplane/netassert:latest
+            docker.io/controlplane/netassert:${{ env.RELEASE_VERSION }}
+            docker.io/controlplane/netassert:latest
+            ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+            ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           build-args: |
             VERSION=${{ env.RELEASE_VERSION }}
+            SCANNER_IMG_VERSION=${{ env.SCANNER_IMG_VERSION }}
+            SNIFFER_IMG_VERSION=${{ env.SNIFFER_IMG_VERSION }}
 
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v3
-        with:
-          subject-name: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME}}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+      - name: Sign artifact
+        run: |
+          cosign sign --yes \
+            "${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.buildpush.outputs.digest }}"
+          cosign sign --yes \
+            "docker.io/controlplane/netassert@${{ steps.buildpush.outputs.digest }}"
+
+  helm:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+
       - name: Setup yq
-        uses: mikefarah/yq@v4
+        uses: mikefarah/yq@065b200af9851db0d5132f50bc10b1406ea5c0a8 # v4
+
       - name: Log in to GitHub Container Registry
         run: |
           echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
       - name: Prepare and package Helm chart
         run: |
           CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//')
@@ -108,7 +126,8 @@ jobs:
           yq -i ".version = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml
           yq -i ".appVersion = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml
           helm package ./helm -d .
+
       - name: Push Helm chart to GHCR
         run: |
           CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//')
-          helm push "./netassert-${CLEAN_VERSION}.tgz" oci://ghcr.io/${{ github.repository_owner }}/charts
+          helm push "./netassert-${CLEAN_VERSION}.tgz" oci://ghcr.io/${{ github.repository_owner }}/charts
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,12 @@
-FROM golang:1.24-alpine AS builder
+FROM golang:1.25-alpine AS builder
 
 ARG VERSION
 
 COPY . /build
 WORKDIR /build
 
 RUN go mod download && \
-    CGO_ENABLED=0 GO111MODULE=on go build -ldflags="-X 'main.appName=NetAssert' -X 'main.version=${VERSION}'" -v -o /netassertv2 cmd/netassert/cli/*.go && \
+    CGO_ENABLED=0 GO111MODULE=on go build -ldflags="-X 'main.appName=NetAssert' -X 'main.version=${VERSION}' -X 'main.scannerImgVersion=${SCANNER_IMG_VERSION}' -X 'main.snifferImgVersion=${SNIFFER_IMG_VERSION}'" -v -o /netassertv2 cmd/netassert/cli/*.go && \
     ls -ltr /netassertv2
 
 FROM gcr.io/distroless/base:nonroot