[QA-1608 master] Github template update

[alephnull]

List of changes:

[probelabs]

🔍 Code Analysis Results

This PR updates the release workflow to remove the FIPS-compliant build variant, simplifying the overall build and release process.

Files Changed Analysis

• ci/goreleaser/goreleaser.yml: The primary change is the removal of the nfpms configuration for the fips package. This stops the generation of FIPS-compliant DEB and RPM packages.
• .github/workflows/release.yml: The Docker build steps in the release workflow have been modified to pass an EDITION build argument, which is currently empty. The step IDs for Docker metadata have also been renamed with a trailing underscore (e.g., ci_metadata to ci_metadata_).
• ci/Dockerfile.distroless: The Dockerfile is updated to accept the new EDITION build argument and uses it to dynamically construct the package filename during installation.

Architecture & Impact Assessment

• What this PR accomplishes: It streamlines the CI/CD pipeline by discontinuing the FIPS build, reducing build complexity and the number of release artifacts.
• Key technical changes introduced:
  • Deletion of the FIPS build and packaging configuration in GoReleaser.
  • Introduction of a dynamic EDITION variable in the Docker build process to handle different package names, although only one edition is now being built.
• Affected system components: The changes are confined to the build and release pipeline. There is no impact on the application's runtime behavior, but consumers of the FIPS build artifact will be affected as it will no longer be available.

Build Process Simplification

graph TD
    subgraph "Before"
        A[GoReleaser] --> B[Build Standard Package];
        A --> C[Build FIPS Package];
    end

    subgraph "After"
        F[GoReleaser] --> G[Build Standard Package Only];
    end

Loading

Scope Discovery & Context Expansion

• The scope is limited to the CI/CD configuration. The main consequence is the removal of a build variant from the published artifacts.
• Reviewers should confirm that the deprecation of the FIPS build is an intentional decision. No further code exploration is needed as the changes are self-contained within the repository's CI/CD configuration files.

---

Powered by Visor from Probelabs

Last updated: 2025-11-19T23:17:11.675Z | Triggered by: synchronize | Commit: 54cd21d

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

🔍 Code Analysis Results

• WARNING: The step IDs ci_metadata and tag_metadata have been renamed to ci_metadata_ and tag_metadata_ by adding a trailing underscore. This is an unconventional naming choice that reduces clarity without an obvious reason. Future maintainers might be confused about the purpose of the underscore. Standard practice is to use descriptive names without unusual suffixes. (.github/workflows/release.yml:134)

• WARNING: The configuration for building the FIPS package (tyk-identity-broker-fips) has been removed. While other changes in the PR introduce an EDITION variable to support different build editions, the actual mechanism for building the FIPS package is now missing from this GoReleaser configuration. This appears to be either an incomplete refactoring or an undocumented removal of the FIPS build, as the PR description is empty. (ci/goreleaser/goreleaser.yml:71)

• INFO: The step IDs ci_metadata and tag_metadata have been renamed to ci_metadata_ and tag_metadata_ respectively. Using a trailing underscore is an unconventional naming style that can reduce readability and confuse future maintainers. (.github/workflows/release.yml:134)

• WARNING: The EDITION build argument is used directly in a shell command within the Dockerfile. If an attacker can control the value of EDITION during the build process, they could inject arbitrary commands, leading to a container compromise or build server compromise. The variable is not sanitized before being used in the dpkg command. (ci/Dockerfile.distroless:8)

---

Powered by Visor from Probelabs

Last updated: 2025-11-19T23:17:12.834Z | Triggered by: synchronize | Commit: 54cd21d

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

This PR overhauls the CI/CD pipeline to modernize the toolchain, expand architecture support, and simplify the release process by removing the FIPS build. However, it introduces a critical regression that will cause DEB and RPM packages to be built without any content.

Files Changed Analysis

• .github/workflows/release.yml: The release workflow is updated to use Go 1.24, adds linux/s390x to the build matrix, and replaces the GitHub cache with WarpBuilds/cache. Package installation tests are made more resilient, potentially masking real installation failures.
• ci/goreleaser/goreleaser.yml: This configuration is significantly refactored. The FIPS build variant is removed entirely. The standard build is split into separate configurations for amd64, arm64, and s390x. Critically, this refactoring has removed the contents and scripts definitions from the nfpms package configuration, which will result in empty and non-functional DEB/RPM packages.
• ci/Dockerfile.*: The base Docker images are upgraded from Debian bookworm to trixie, and the Dockerfiles are parameterized with a BUILD_PACKAGE_NAME argument for better reusability.
• ci/install/post_install.sh: Contains minor fixes to the post-installation script, improving cleanup logic and making file permission changes more robust.

Architecture & Impact Assessment

• What this PR accomplishes: It streamlines the release pipeline by upgrading the Go version to 1.24, adding multi-architecture support (amd64, arm64, s390x), and simplifying the build process by removing the FIPS build variant.
• Key technical changes introduced:
  • Go version upgraded from 1.21 to 1.24.
  • Expanded build targets to include linux/s390x.
  • Complete removal of the FIPS build and packaging process.
  • Critical Issue: The GoReleaser configuration for DEB/RPM packaging (nfpms) is missing essential directives (contents, scripts, bindir), which will prevent the application binary and configuration files from being included in the final packages.
• Affected system components: The changes are confined to the build and release infrastructure. The primary impact is on the published release artifacts: FIPS packages will no longer be available, and the standard DEB/RPM packages will be broken until the configuration is fixed.

Build Process Changes

graph TD
    subgraph "Before"
        A[GoReleaser] --> B["Build std (amd64, arm64)"];
        A --> C["Build fips (amd64)"];
        B --> D[Package std];
        C --> E[Package fips];
    end

    subgraph "After"
        F[GoReleaser] --> G["Build std (amd64, arm64, s390x)"];
        G --> H["<font color=red>Package std (multi-arch)</font><br/><b>Warning: Packages will be empty due to<br/>missing 'contents' and 'scripts' config.</b>"];
    end

Loading

Scope Discovery & Context Expansion

• The scope is strictly limited to the CI/CD pipeline. The changes are self-contained within the repository's CI configuration files.
• The most critical point for review is the removal of the FIPS build, which should be confirmed as an intentional product decision.
• Immediate action required: The refactoring of ci/goreleaser/goreleaser.yml has removed the contents and scripts definitions from the nfpms section. This is a critical regression that will result in empty DEB/RPM packages and must be corrected before merging.

Metadata

• Review Effort: 3 / 5
• Primary Label: chore

---

Powered by Visor from Probelabs

Last updated: 2025-12-11T15:13:23.708Z | Triggered by: pr_updated | Commit: ce35d99

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

Security Issues (3)

Severity	Location	Issue
🔴 Critical	.github/workflows/release.yml:113-131	The `docker run` command uses the `--privileged` flag, which gives the container root-equivalent access to the host system. This effectively disables container isolation and poses a significant security risk. If the build container image or any build script is compromised, an attacker could gain control of the GitHub Actions runner. 💡 Suggestion Avoid using the `--privileged` flag. Instead, identify the specific Linux capabilities required by the build process and grant only those using the `--cap-add` flag. If privileged access is required for multi-arch builds via QEMU, ensure the container image and all executed scripts are from trusted sources and cannot be tampered with.
🔴 Critical	.github/workflows/release.yml:123	The Docker socket from the host (`/var/run/docker.sock`) is mounted into the build container. This allows any process inside the container to control the host's Docker daemon, enabling a container escape and full compromise of the GitHub Actions runner. This is a dangerous practice, especially when combined with the `--privileged` flag. 💡 Suggestion Do not mount the host's Docker socket into the container. If container-building capabilities are needed within the job, use safer alternatives like Kaniko, buildah, or Docker's official build-push-action without requiring direct socket access from a custom script within another container.
🟡 Warning	.github/workflows/release.yml:96-100	The workflow uses `WarpBuilds/cache@v1`, a third-party GitHub Action, as a replacement for the official `actions/cache`. While this may offer performance benefits, third-party actions execute with the permissions of the workflow, including access to secrets. This introduces a supply chain risk if the action is compromised. 💡 Suggestion Before using a third-party action, vet its source code and publisher. Pin the action to a specific commit hash (`@<commit-sha>`) instead of a floating version tag (`@v1`) to prevent unexpected or malicious updates from being automatically used. For caching, consider reverting to the official and trusted `actions/cache` unless the performance benefits of the third-party alternative are critical and the risks have been accepted.

Architecture Issues (1)

Severity	Location	Issue
🔴 Critical	ci/goreleaser/goreleaser.yml:89-113	The refactoring of the `nfpms` configuration has removed the essential `contents`, `scripts`, and `bindir` sections. This will result in the creation of empty DEB and RPM packages that lack the application binary, configuration files, and necessary installation scripts, rendering the release artifacts unusable. 💡 Suggestion Restore the `contents`, `scripts`, `bindir`, `rpm.signature`, and `deb.signature` configurations to the `nfpms` section with `id: std`. These configurations are required to correctly package the application and its assets.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (2)

Severity	Location	Issue
🔴 Critical	ci/goreleaser/goreleaser.yml:53-62	The refactoring of the `nfpms` configuration to support multi-architecture builds has inadvertently removed the `contents`, `scripts`, and `bindir` sections. This will result in empty DEB and RPM packages that do not contain the application binary, configuration files, or service definitions, making the release artifacts non-functional. 💡 Suggestion Restore the `contents`, `scripts`, `bindir`, `rpm`, and `deb` sections that were present in the previous `nfpms` configuration for the `std` package. These sections are essential for packaging the application correctly.
🟡 Warning	ci/goreleaser/goreleaser.yml:35-113	The FIPS build configuration has been completely removed. This is a significant change that discontinues a product variant, but it is not documented in the pull request description. This lack of context makes it difficult to verify if the change is intentional and understood by the team. 💡 Suggestion Update the pull request description to clarify whether the removal of FIPS builds is intentional. If so, provide justification and link to any relevant product decisions or tickets.

---

Powered by Visor from Probelabs

Last updated: 2025-12-11T15:13:26.838Z | Triggered by: pr_updated | Commit: ce35d99

💡 TIP: You can chat with Visor using /visor ask <your question>

[github-actions]

🚨 Jira Linter Failed

Commit: ce35d99
Failed at: 2025-12-11 15:11:18 UTC

The Jira linter failed to validate your PR. Please check the error details below:

🔍 Click to view error details

failed to validate branch and PR title rules: branch name 'releng/master' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

• Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
• Verify your PR title matches the branch's Jira ticket ID
• Check that the Jira ticket exists and is accessible

---

This comment will be automatically deleted once the linter passes.