chore: promote dev to main (top-down dep tree sweep)

.coderabbit.yaml

@@ -0,0 +1,13 @@
+# CodeRabbit Configuration
+# Inherits from: https://github.com/host-uk/coderabbit/.coderabbit.yaml
+
+reviews:
+  review_status: false
+
+  path_instructions:
+    - path: "**/Dockerfile*"
+      instructions: "Check for security best practices, multi-stage builds, and pinned versions"
+    - path: "**/*.yml"
+      instructions: "Ansible/Docker Compose - validate syntax and idempotency"
+    - path: "**/*.sh"
+      instructions: "Shell scripts - check for shellcheck compliance and proper error handling"

.github/workflows/build.yml

@@ -1,15 +1,24 @@
+# Host UK Container Images
+#
+# Dev branch:  ghcr.io/host-uk/{core-dev,server-php}:dev
+# Tags/Main:   ghcr.io/host-uk/{core-dev,server-php}:latest + lthn/{core-dev,server-php}:latest
+
 name: Build Images
 
 on:
   push:
-    branches: [main]
+    branches: [dev, main]
     tags: ['v*']
   pull_request:
-    branches: [main]
+    branches: [dev, main]
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
-  REGISTRY: ghcr.io
+  GHCR_REGISTRY: ghcr.io
 
 jobs:
   # ============================================================
@@ -23,10 +32,18 @@ jobs:
       packages: write
 
     strategy:
+      fail-fast: false
       matrix:
         image:
           - developer
           - server-php
+        include:
+          - image: developer
+            ghcr_name: core-dev
+            dockerhub_name: core-dev
+          - image: server-php
+            ghcr_name: server-php
+            dockerhub_name: server-php
 
     steps:
       - name: Checkout
@@ -42,84 +59,122 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata
-        id: meta
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Determine if release build
+        id: release
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]] || [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            echo "is_release=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Extract metadata (GHCR only - dev builds)
+        if: steps.release.outputs.is_release == 'false'
+        id: meta-dev
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY }}/host-uk/${{ matrix.image == 'developer' && 'core-dev' || matrix.image }}
+          images: |
+            ${{ env.GHCR_REGISTRY }}/host-uk/${{ matrix.ghcr_name }}
           tags: |
             type=ref,event=branch
             type=ref,event=pr
+          flavor: |
+            latest=false
+
+      - name: Extract metadata (GHCR + Docker Hub - release builds)
+        if: steps.release.outputs.is_release == 'true'
+        id: meta-release
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.GHCR_REGISTRY }}/host-uk/${{ matrix.ghcr_name }}
+            lthn/${{ matrix.dockerhub_name }}
+          tags: |
+            # main branch -> latest
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            # Semver tags (v1.0.0 -> 1.0.0, 1.0, 1, latest)
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest,enable={{is_default_branch}}
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+          flavor: |
+            latest=false
 
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
           context: ./${{ matrix.image }}
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta-dev.outputs.tags || steps.meta-release.outputs.tags }}
+          labels: ${{ steps.meta-dev.outputs.labels || steps.meta-release.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
   # ============================================================
-  # Build LinuxKit Images
+  # Build LinuxKit Images (only on tags)
   # ============================================================
   linuxkit:
     name: LinuxKit (${{ matrix.image }}-${{ matrix.arch }})
     runs-on: ubuntu-latest
-    needs: docker  # Needs Docker images to be built first
+    needs: docker
+    if: startsWith(github.ref, 'refs/tags/v')
 
     strategy:
+      fail-fast: false
       matrix:
         image: [developer, server-php]
         arch: [amd64, arm64]
         format: [qcow2-bios, iso-bios]
+        include:
+          - image: developer
+            output_name: core-dev
+          - image: server-php
+            output_name: server-php
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Install Core CLI
+      - name: Install LinuxKit
         run: |
-          # Download latest core binary
-          curl -fsSL "https://github.com/host-uk/core/releases/latest/download/core-linux-amd64.tar.gz" -o core.tar.gz
-          tar -xzf core.tar.gz
-          sudo mv core /usr/local/bin/core
-          chmod +x /usr/local/bin/core
-          core --version
+          curl -fsSL "https://github.com/linuxkit/linuxkit/releases/download/v1.5.3/linuxkit-linux-amd64" -o linuxkit
+          chmod +x linuxkit
+          sudo mv linuxkit /usr/local/bin/
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Login to GHCR
-        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build LinuxKit Image
         run: |
           mkdir -p dist
-          core build --type linuxkit \
-            --config ./${{ matrix.image }}/linuxkit.yml \
+          linuxkit build \
             --format ${{ matrix.format }} \
-            --arch ${{ matrix.arch }} \
-            -o ./dist/${{ matrix.image == 'developer' && 'core-dev' || matrix.image }}-${{ matrix.arch }}
+            --name ./dist/${{ matrix.output_name }}-${{ matrix.arch }} \
+            ./${{ matrix.image }}/linuxkit.yml
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
-          name: ${{ matrix.image == 'developer' && 'core-dev' || matrix.image }}-${{ matrix.arch }}-${{ matrix.format }}
+          name: ${{ matrix.output_name }}-${{ matrix.arch }}-${{ matrix.format }}
           path: ./dist/*
 
   # ============================================================
@@ -152,39 +207,3 @@ jobs:
             dist/*
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  # ============================================================
-  # Build TIM Bundles (when core build --type tim is ready)
-  # ============================================================
-  # tim:
-  #   name: TIM (${{ matrix.image }})
-  #   runs-on: ubuntu-latest
-  #   needs: docker
-  #
-  #   strategy:
-  #     matrix:
-  #       image: [developer, server-php]
-  #       os: [linux, darwin]
-  #       arch: [amd64, arm64]
-  #
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #
-  #     - name: Install Core
-  #       run: |
-  #         curl -fsSL https://github.com/host-uk/core/releases/latest/download/core-linux-amd64 -o /usr/local/bin/core
-  #         chmod +x /usr/local/bin/core
-  #
-  #     - name: Build TIM
-  #       run: |
-  #         core build --type tim \
-  #           --borgfile ./${{ matrix.image }}/Borgfile \
-  #           --os ${{ matrix.os }} \
-  #           --arch ${{ matrix.arch }} \
-  #           -o ./dist/${{ matrix.image }}-${{ matrix.os }}-${{ matrix.arch }}.tim
-  #
-  #     - name: Upload artifact
-  #       uses: actions/upload-artifact@v4
-  #       with:
-  #         name: ${{ matrix.image }}-${{ matrix.os }}-${{ matrix.arch }}
-  #         path: ./dist/*.tim

Taskfile.yaml

@@ -19,12 +19,14 @@ tasks:
     deps:
       - build:developer
       - build:server-php
+      - build:scanner-go
 
   build:docker:
     desc: Build all Docker images
     deps:
       - build:developer:docker
       - build:server-php:docker
+      - build:scanner-go:docker
 
   build:tim:
     desc: Build all TIM bundles
@@ -96,6 +98,43 @@ tasks:
       - docker push {{.REGISTRY}}/server-php:{{.VERSION}}
       - docker push {{.REGISTRY}}/server-php:latest
 
+  # ============================================================
+  # Scanner Go Image
+  # ============================================================
+  build:scanner-go:
+    desc: Build scanner-go image (Docker + TIM)
+    deps:
+      - build:scanner-go:docker
+      - build:scanner-go:tim
+
+  build:scanner-go:docker:
+    desc: Build scanner-go Docker image
+    dir: scanner-go
+    cmds:
+      - |
+        docker build \
+          --tag {{.REGISTRY}}/core-scanner-go:{{.VERSION}} \
+          --tag {{.REGISTRY}}/core-scanner-go:latest \
+          --build-arg VERSION={{.VERSION}} \
+          .
+
+  build:scanner-go:tim:
+    desc: Build scanner-go TIM bundle
+    dir: scanner-go
+    cmds:
+      - echo "TODO: core build --type tim -o ../dist/core-scanner-go-{{OS}}-{{ARCH}}.tim"
+
+  push:scanner-go:
+    desc: Push scanner-go image to registry
+    cmds:
+      - docker push {{.REGISTRY}}/core-scanner-go:{{.VERSION}}
+      - docker push {{.REGISTRY}}/core-scanner-go:latest
+
+  scan:
+    desc: "Run full scan against /src (mount your repo: -v \$(pwd):/src)"
+    cmds:
+      - docker run --rm -v {{.CLI_ARGS}}:/src {{.REGISTRY}}/core-scanner-go:latest sh -c "cd /src && govulncheck ./... && gosec ./... && golangci-lint run ./... && trivy fs ."
+
   # ============================================================
   # Release
   # ============================================================
@@ -105,6 +144,7 @@ tasks:
       - task: build
       - task: push:developer
       - task: push:server-php
+      - task: push:scanner-go
 
   # ============================================================
   # Utilities
@@ -115,6 +155,7 @@ tasks:
       - rm -rf dist/
       - docker rmi {{.REGISTRY}}/core-dev:{{.VERSION}} || true
       - docker rmi {{.REGISTRY}}/server-php:{{.VERSION}} || true
+      - docker rmi {{.REGISTRY}}/core-scanner-go:{{.VERSION}} || true
 
   dist:
     desc: Create dist directory

developer/.claude/.claude.json

@@ -0,0 +1,16 @@
+{
+  "oauthAccount": {
+    "accountUuid": "d47abd23-1dc4-4ccc-b22a-1d91ddcf286b",
+    "emailAddress": "snider@host.uk.com",
+    "organizationUuid": "886228c1-02f3-4d8f-8d05-fb5d0dbba39c",
+    "hasExtraUsageEnabled": false,
+    "billingType": "stripe_subscription",
+    "accountCreatedAt": "2025-12-24T12:49:08.592329Z",
+    "subscriptionCreatedAt": "2025-12-24T12:52:04.017154Z",
+    "displayName": "Snider",
+    "organizationRole": "admin",
+    "workspaceRole": null,
+    "organizationName": "snider@host.uk.com's Organization"
+  },
+  "hasCompletedOnboarding": true
+}