Merge pull request #1 from ldornele/HYPERFLEET-268

Implement MVP pull secret job with Dockerfile, Makefile, and job execution framework

Author: ciaranRoche

.github/workflows/ci.yml

@@ -0,0 +1,83 @@
+name: CI
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.9'
+          cache: true
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+          args: --timeout=5m
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.9'
+          cache: true
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Build binary
+        run: make binary
+
+      - name: Verify binary
+        run: |
+          ./pull-secret --help
+          ls -lh pull-secret
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.9'
+          cache: true
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Run tests
+        run: make test
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v4
+        if: success()
+        with:
+          files: ./coverage.txt
+          flags: unittests
+          fail_ci_if_error: false

.gitignore

@@ -0,0 +1,130 @@
+# Binaries for programs and plugins
+pull-secret
+pull-secret-mvp
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool
+*.out
+coverage.txt
+coverage.html
+
+# Go workspace file
+go.work
+
+# Dependency directories
+vendor/
+
+# Go build cache
+.cache/
+
+# IDE - VSCode
+.vscode/
+*.code-workspace
+
+# IDE - IntelliJ / GoLand
+.idea/
+*.iml
+*.iws
+*.ipr
+
+# IDE - Vim
+*.swp
+*.swo
+*~
+.*.sw?
+
+# IDE - Emacs
+*~
+\#*\#
+.\#*
+
+# OS - macOS
+.DS_Store
+.AppleDouble
+.LSOverride
+._*
+
+# OS - Windows
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+Desktop.ini
+
+# OS - Linux
+.directory
+.Trash-*
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+*.bak
+*.log
+
+# Environment variables and secrets
+.env
+.env.*
+!.env.example
+*.key
+*.pem
+*.crt
+*.csr
+secrets/
+*.secret
+
+# GCP credentials (NEVER commit these!)
+*-credentials.json
+*-serviceaccount.json
+service-account-*.json
+gcp-*.json
+application_default_credentials.json
+
+# Database files
+*.db
+*.sqlite
+*.sqlite3
+
+# Container/Docker local artifacts
+*.tar
+*.tar.gz
+
+# Build artifacts and binaries
+dist/
+build/
+bin/
+
+# Test cache
+testdata/output/
+
+# Air (live reload) temp files
+tmp/
+
+# Delve debugger
+__debug_bin
+
+# Go sum backup
+go.sum.backup
+
+# Templates rendered (if any)
+templates/*-template.json
+
+# Local test files
+*_local_test.go
+
+# Performance profiles
+*.prof
+*.pprof
+
+# Migration files (if dynamically generated)
+migrations/*.sql.tmp
+
+# Claude settings (local only)
+.claude/

.golangci.yml

@@ -0,0 +1,71 @@
+# golangci-lint configuration for HyperFleet Pull Secret Job
+# https://golangci-lint.run/usage/configuration/
+
+run:
+  timeout: 5m
+  tests: true
+  modules-download-mode: readonly
+
+linters:
+  enable:
+    - gofmt          # Checks whether code was gofmt-ed
+    - goimports      # Checks import statements are formatted according to the 'goimport' command
+    - govet          # Reports suspicious constructs
+    - errcheck       # Checks for unchecked errors
+    - staticcheck    # Static analysis checks
+    - unused         # Checks for unused constants, variables, functions and types
+    - gosimple       # Simplify code
+    - ineffassign    # Detects ineffectual assignments
+    - typecheck      # Type-checks Go code
+    - misspell       # Finds commonly misspelled English words
+    - revive         # Fast, configurable, extensible, flexible, and beautiful linter for Go
+    - gocritic       # Provides diagnostics that check for bugs, performance and style issues
+
+linters-settings:
+  gofmt:
+    simplify: true
+
+  govet:
+    enable:
+      - shadow
+    disable:
+      - check-shadowing
+
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+
+  revive:
+    rules:
+      - name: exported
+        severity: warning
+        disabled: true  # Disabled for MVP - can enable later
+      - name: unexported-return
+        severity: warning
+        disabled: false
+      - name: var-naming
+        severity: warning
+        disabled: false
+
+issues:
+  exclude-use-default: false
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+  # Exclude some linters from running on tests files
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - errcheck
+        - gosec
+    # Exclude pkg/job and pkg/config (external framework code)
+    - path: pkg/
+      linters:
+        - revive
+        - goimports
+
+output:
+  formats:
+    - format: colored-line-number
+  print-issued-lines: true
+  print-linter-name: true

Dockerfile

@@ -0,0 +1,54 @@
+# Multi-stage build for pull-secret-mvp
+# Stage 1: Builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.23 AS builder
+
+# Switch to root to set up workspace
+USER root
+
+# Set working directory
+WORKDIR /workspace
+
+# Copy go mod files
+COPY --chown=default:root go.mod go.sum ./
+
+# Download dependencies
+RUN go mod download
+
+# Copy source code
+COPY --chown=default:root . .
+
+# Switch back to default user
+USER default
+
+# Build the binary
+# CGO_ENABLED=0 for static binary (simplified MVP build)
+RUN CGO_ENABLED=0 go build \
+    -o pull-secret \
+    ./cmd/pull-secret
+
+# Stage 2: Runtime
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+
+# Install CA certificates for TLS
+RUN microdnf install -y ca-certificates && microdnf clean all
+
+# Create non-root user
+RUN useradd -u 1000 -m -s /sbin/nologin pullsecret-job
+
+# Set working directory
+WORKDIR /app
+
+# Copy binary from builder
+COPY --from=builder --chown=1000:1000 /workspace/pull-secret /usr/local/bin/pull-secret
+
+# Set permissions
+RUN chmod 755 /usr/local/bin/pull-secret
+
+# Use non-root user
+USER 1000
+
+# Set entrypoint
+ENTRYPOINT ["/usr/local/bin/pull-secret"]
+
+# Default command (can be overridden)
+CMD ["run-job", "pull-secret"]