DeerHide · miragecentury · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026
diff --git a/.commitlintrc.yaml b/.commitlintrc.yaml
@@ -0,0 +1,2 @@
+extends:
+  - "@commitlint/config-conventional"
diff --git a/.containerignore b/.containerignore
@@ -0,0 +1,13 @@
+.git
+.github
+build
+.env
+*.md
+LICENSE
+.dive-ci
+.hadolint.yaml
+.releaserc.yaml
+.commitlintrc.yaml
+.containerignore
+.pre-commit-config.yaml
+scripts/
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  commitlint:
+    name: Lint commit messages
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: wagoid/commitlint-github-action@v6
+
+  hadolint:
+    name: Lint Containerfile
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Containerfile
+
+  build:
+    name: Test build
+    runs-on: ubuntu-latest
+    needs: [hadolint]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: docker build -f Containerfile -t test-build .
-      - name: Build image
-        run: docker build -f Containerfile -t test-build .
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image using manifest
+        run: docker buildx bake -f manifest.yaml --set *.tags=test-build
-      - name: Build image
-        run: docker build -f Containerfile -t test-build .
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image using manifest
+        run: docker buildx bake -f manifest.yaml --set *.tags=test-build
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,145 @@
+name: Release
+
+on:
+  push:
+    branches: [master]
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: Semantic release
+    runs-on: ubuntu-latest
+    outputs:
+      new_release_published: ${{ steps.semantic.outputs.new_release_published }}
+      new_release_version: ${{ steps.semantic.outputs.new_release_version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - uses: cycjimmy/semantic-release-action@v4
+        id: semantic
+        with:
+          extra_plugins: |
+            @semantic-release/changelog
+            @semantic-release/git
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  build-and-push:
+    name: Build, scan & push
+    needs: release
+    if: needs.release.outputs.new_release_published == 'true'
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_VERSION: ${{ needs.release.outputs.new_release_version }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install build tools
+        run: ./scripts/install_tools.sh
+
+      - name: Read manifest
+        id: manifest
+        run: |
+          echo "image_name=$(yq e '.name' manifest.yaml)" >> "$GITHUB_OUTPUT"
+          echo "registry=$(yq e '.registry' manifest.yaml)" >> "$GITHUB_OUTPUT"
+          echo "format=$(yq e '.build.format' manifest.yaml)" >> "$GITHUB_OUTPUT"
+
+      - name: Validate Containerfile
+        run: |
+          docker pull -q ghcr.io/hadolint/hadolint:latest
+          docker run --rm -i hadolint/hadolint:latest < Containerfile
-          docker run --rm -i hadolint/hadolint:latest < Containerfile
+          docker run --rm -i -v "${PWD}/.hadolint.yaml:/.hadolint.yaml" hadolint/hadolint:latest --config /.hadolint.yaml < Containerfile
-          docker run --rm -i hadolint/hadolint:latest < Containerfile
+          docker run --rm -i -v "${PWD}/.hadolint.yaml:/.hadolint.yaml" hadolint/hadolint:latest --config /.hadolint.yaml < Containerfile
+
+      - name: Build image
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+          IMAGE_FORMAT: ${{ steps.manifest.outputs.format }}
+        run: |
+          # Build args from manifest
+          BUILD_ARGS=""
+          for arg in $(yq e '.build.args[]' manifest.yaml); do
+            BUILD_ARGS="${BUILD_ARGS} --build-arg ${arg}"
+          done
+
+          # Labels from manifest
+          LABELS=""
+          while IFS= read -r label; do
+            if [[ -n "${label}" ]]; then
+              label_key="${label%%=*}"
+              label_value="${label#*=}"
+              label_value="${label_value%\"}"
+              label_value="${label_value#\"}"
+              LABELS="${LABELS} --label ${label_key}=${label_value}"
+            fi
+          done < <(yq e '.build.labels[]' manifest.yaml)
+
+          # Add version label
+          LABELS="${LABELS} --label org.opencontainers.image.version=${IMAGE_VERSION}"
+
+          # shellcheck disable=SC2086
+          buildah build \
+            --squash \
+            --pull-always \
+            --format "${IMAGE_FORMAT}" \
+            ${BUILD_ARGS} \
+            ${LABELS} \
+            --tag "${IMAGE_NAME}:${IMAGE_VERSION}" \
+            .
+
+          # Save to OCI archive for scanning and pushing
+          mkdir -p build
+          buildah push "${IMAGE_NAME}:${IMAGE_VERSION}" "oci-archive:build/${IMAGE_NAME}.tar"
+
+          # Load into Docker daemon for dive scan
+          docker load -i "build/${IMAGE_NAME}.tar" 2>/dev/null || true
+          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}" 2>/dev/null || true
-          docker load -i "build/${IMAGE_NAME}.tar" 2>/dev/null || true
-          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}" 2>/dev/null || true
+          docker load -i "build/${IMAGE_NAME}.tar"
+          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}"
-          docker load -i "build/${IMAGE_NAME}.tar" 2>/dev/null || true
-          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}" 2>/dev/null || true
+          docker load -i "build/${IMAGE_NAME}.tar"
+          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}"
+
+      - name: Dive filesystem scan
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+        run: dive --ci --source=docker "${IMAGE_NAME}:${IMAGE_VERSION}"
+
+      - name: Trivy vulnerability scan
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+        run: |
+          trivy image \
+            --input "build/${IMAGE_NAME}.tar" \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            "${IMAGE_NAME}:${IMAGE_VERSION}"
+
+      - name: Login to GHCR
+        env:
+          REGISTRY: ${{ steps.manifest.outputs.registry }}
+        run: skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Push to registry
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+          REGISTRY: ${{ steps.manifest.outputs.registry }}
+        run: |
+          MAJOR_MINOR="${IMAGE_VERSION%.*}"
+          MAJOR="${IMAGE_VERSION%%.*}"
+
-          MAJOR_MINOR="${IMAGE_VERSION%.*}"
-          MAJOR="${IMAGE_VERSION%%.*}"
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$IMAGE_VERSION"
+
+          if [ -z "$MAJOR" ]; then
+            echo "ERROR: Failed to parse IMAGE_VERSION '$IMAGE_VERSION' into a major version component." >&2
+            exit 1
+          fi
+
+          if [ -n "$MINOR" ]; then
+            MAJOR_MINOR="${MAJOR}.${MINOR}"
+          else
+            MAJOR_MINOR="${MAJOR}"
+          fi
-          MAJOR_MINOR="${IMAGE_VERSION%.*}"
-          MAJOR="${IMAGE_VERSION%%.*}"
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$IMAGE_VERSION"
+
+          if [ -z "$MAJOR" ]; then
+            echo "ERROR: Failed to parse IMAGE_VERSION '$IMAGE_VERSION' into a major version component." >&2
+            exit 1
+          fi
+
+          if [ -n "$MINOR" ]; then
+            MAJOR_MINOR="${MAJOR}.${MINOR}"
+          else
+            MAJOR_MINOR="${MAJOR}"
+          fi
+          # Push semantic version tag (1.2.3)
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${IMAGE_VERSION}"
+
+          # Push major.minor tag (1.2)
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR_MINOR}"
+
+          # Push major tag (1)
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR}"
+
+          # Push latest tag
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:latest"
+
+      - name: Verify pushed image
+        env:
+          REGISTRY: ${{ steps.manifest.outputs.registry }}
+        run: |
+          skopeo inspect "docker://${REGISTRY}:${IMAGE_VERSION}" --format '{{.Labels}}'
diff --git a/.github/workflows/update-tools.yaml b/.github/workflows/update-tools.yaml
@@ -0,0 +1,132 @@
+name: Update tool versions
+
+on:
+  schedule:
+    - cron: "0 8 * * 1" # Every Monday at 08:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-tools:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Fetch latest tool versions
+        id: versions
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          get_latest_version() {
+            local repo="$1"
+            gh api "repos/${repo}/releases/latest" --jq '.tag_name' | sed 's/^v//'
+          }
+
+          ARGO_LATEST=$(get_latest_version "argoproj/argo-workflows")
+          KARGO_LATEST=$(get_latest_version "akuity/kargo")
+          PACK_LATEST=$(get_latest_version "buildpacks/pack")
+          DIVE_LATEST=$(get_latest_version "wagoodman/dive")
+          HADOLINT_LATEST=$(get_latest_version "hadolint/hadolint")
+          YQ_LATEST=$(get_latest_version "mikefarah/yq")
+
+          echo "argo=${ARGO_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "kargo=${KARGO_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "pack=${PACK_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "dive=${DIVE_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "hadolint=${HADOLINT_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "yq=${YQ_LATEST}" >> "$GITHUB_OUTPUT"
+
+          ARGO_CURRENT=$(grep -oP 'ARGO_VERSION=\K[0-9.]+' Containerfile)
+          KARGO_CURRENT=$(grep -oP 'KARGO_VERSION=\K[0-9.]+' Containerfile)
+          PACK_CURRENT=$(grep -oP 'PACK_VERSION=\K[0-9.]+' Containerfile)
+          DIVE_CURRENT=$(grep -oP 'DIVE_VERSION=\K[0-9.]+' Containerfile)
+          HADOLINT_CURRENT=$(grep -oP 'HADOLINT_VERSION=\K[0-9.]+' Containerfile)
+          YQ_CURRENT=$(grep -oP 'YQ_VERSION=\K[0-9.]+' Containerfile)
+
+          echo "argo_current=${ARGO_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "kargo_current=${KARGO_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "pack_current=${PACK_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "dive_current=${DIVE_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "hadolint_current=${HADOLINT_CURRENT}" >> "$GITHUB_OUTPUT"
+          echo "yq_current=${YQ_CURRENT}" >> "$GITHUB_OUTPUT"
+
+          UPDATES=""
+          if [ "${ARGO_CURRENT}" != "${ARGO_LATEST}" ]; then
+            UPDATES="${UPDATES}- Argo Workflows CLI: ${ARGO_CURRENT} -> ${ARGO_LATEST}\n"
+          fi
+          if [ "${KARGO_CURRENT}" != "${KARGO_LATEST}" ]; then
+            UPDATES="${UPDATES}- Kargo CLI: ${KARGO_CURRENT} -> ${KARGO_LATEST}\n"
+          fi
+          if [ "${PACK_CURRENT}" != "${PACK_LATEST}" ]; then
+            UPDATES="${UPDATES}- pack (Buildpacks): ${PACK_CURRENT} -> ${PACK_LATEST}\n"
+          fi
+          if [ "${DIVE_CURRENT}" != "${DIVE_LATEST}" ]; then
+            UPDATES="${UPDATES}- dive: ${DIVE_CURRENT} -> ${DIVE_LATEST}\n"
+          fi
+          if [ "${HADOLINT_CURRENT}" != "${HADOLINT_LATEST}" ]; then
+            UPDATES="${UPDATES}- hadolint: ${HADOLINT_CURRENT} -> ${HADOLINT_LATEST}\n"
+          fi
+          if [ "${YQ_CURRENT}" != "${YQ_LATEST}" ]; then
+            UPDATES="${UPDATES}- yq: ${YQ_CURRENT} -> ${YQ_LATEST}\n"
+          fi
+
+          if [ -z "${UPDATES}" ]; then
+            echo "has_updates=false" >> "$GITHUB_OUTPUT"
+            echo "No updates found."
+          else
+            echo "has_updates=true" >> "$GITHUB_OUTPUT"
+            # Use a delimiter for multiline output
+            {
+              echo "summary<<EOF"
+              echo -e "${UPDATES}"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
+            echo -e "Updates found:\n${UPDATES}"
+          fi
+
+      - name: Update versions in Containerfile and manifest
+        if: steps.versions.outputs.has_updates == 'true'
+        env:
+          ARGO_LATEST: ${{ steps.versions.outputs.argo }}
+          KARGO_LATEST: ${{ steps.versions.outputs.kargo }}
+          PACK_LATEST: ${{ steps.versions.outputs.pack }}
+          DIVE_LATEST: ${{ steps.versions.outputs.dive }}
+          HADOLINT_LATEST: ${{ steps.versions.outputs.hadolint }}
+          YQ_LATEST: ${{ steps.versions.outputs.yq }}
+          ARGO_CURRENT: ${{ steps.versions.outputs.argo_current }}
+          KARGO_CURRENT: ${{ steps.versions.outputs.kargo_current }}
+          PACK_CURRENT: ${{ steps.versions.outputs.pack_current }}
+          DIVE_CURRENT: ${{ steps.versions.outputs.dive_current }}
+          HADOLINT_CURRENT: ${{ steps.versions.outputs.hadolint_current }}
+          YQ_CURRENT: ${{ steps.versions.outputs.yq_current }}
+        run: |
+          update_version() {
+            local name="$1" current="$2" latest="$3"
+            if [ "${current}" != "${latest}" ]; then
+              sed -i "s/${name}=${current}/${name}=${latest}/g" Containerfile manifest.yaml
-              sed -i "s/${name}=${current}/${name}=${latest}/g" Containerfile manifest.yaml
+              # Update ARG declaration in Containerfile, e.g.:
+              #   ARG ARGO_VERSION=1.2.3
+              sed -i -E "s/^(ARG ${name}=)${current}$/\1${latest}/" Containerfile
+
+              # Update YAML key in manifest.yaml, e.g.:
+              #   ARGO_VERSION: 1.2.3
+              sed -i -E "s/^([[:space:]]*${name}:[[:space:]]*)${current}/\1${latest}/" manifest.yaml
-              sed -i "s/${name}=${current}/${name}=${latest}/g" Containerfile manifest.yaml
+              # Update ARG declaration in Containerfile, e.g.:
+              #   ARG ARGO_VERSION=1.2.3
+              sed -i -E "s/^(ARG ${name}=)${current}$/\1${latest}/" Containerfile
+
+              # Update YAML key in manifest.yaml, e.g.:
+              #   ARGO_VERSION: 1.2.3
+              sed -i -E "s/^([[:space:]]*${name}:[[:space:]]*)${current}/\1${latest}/" manifest.yaml
+            fi
+          }
+
+          update_version "ARGO_VERSION" "${ARGO_CURRENT}" "${ARGO_LATEST}"
+          update_version "KARGO_VERSION" "${KARGO_CURRENT}" "${KARGO_LATEST}"
+          update_version "PACK_VERSION" "${PACK_CURRENT}" "${PACK_LATEST}"
+          update_version "DIVE_VERSION" "${DIVE_CURRENT}" "${DIVE_LATEST}"
+          update_version "HADOLINT_VERSION" "${HADOLINT_CURRENT}" "${HADOLINT_LATEST}"
+          update_version "YQ_VERSION" "${YQ_CURRENT}" "${YQ_LATEST}"
+
+      - name: Create pull request
+        if: steps.versions.outputs.has_updates == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "chore: update tool versions"
+          branch: chore/update-tool-versions
+          title: "chore: update tool versions"
+          body: |
+            Automated tool version updates:
+
+            ${{ steps.versions.outputs.summary }}
+          labels: dependencies
diff --git a/.hadolint.yaml b/.hadolint.yaml
@@ -0,0 +1,3 @@
+trustedRegistries:
+  - docker.io
+  - ghcr.io
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,30 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: detect-private-key
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint-docker
+        entry: hadolint/hadolint hadolint
-        entry: hadolint/hadolint hadolint
-        entry: hadolint/hadolint hadolint
+        args: ["--config", ".hadolint.yaml"]
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        args: ["-e", "SC1091"]
+
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.21.0
+    hooks:
+      - id: commitlint
+        stages: [commit-msg]
+        additional_dependencies: ["@commitlint/config-conventional"]
diff --git a/.releaserc.yaml b/.releaserc.yaml
@@ -0,0 +1,14 @@
+branches:
+  - master
+
+plugins:
+  - "@semantic-release/commit-analyzer"
+  - "@semantic-release/release-notes-generator"
+  - - "@semantic-release/changelog"
+    - changelogFile: CHANGELOG.md
+  - - "@semantic-release/github"
+    - assets: []
+  - - "@semantic-release/git"
+    - assets:
+        - CHANGELOG.md
+      message: "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"