
Merging to release-5.8: Gromit sync with tyk repo TT-16131 (#7542)#7550

Merged
Razeen-Abdal-Rahman merged 1 commit into release-5.8 from merge/release-5.8/007b66aea6ff8cd1006aa3e2ac1666f01799bae0/TT-16131 on Nov 19, 2025

Conversation


@probelabs probelabs Bot commented Nov 19, 2025

Gromit sync with tyk repo TT-16131 (#7542)

Description

Carry over changes from gromit into the tyk repo

Related Issue

TT-16131

Motivation and Context

Ensure the tyk repo is in sync, as the buildenv for this repo will
continue to be 1.24-bullseye with the addition of a manual pull of the
latest go version; this is done upstream when the image is built.
This PR carries over other changes from gromit, ensuring everything is in
sync after this change.

Co-authored-by: Gromit <policy@gromit>
Co-authored-by: Leonid Bugaev <leonsbox@gmail.com>

Ticket Details

TT-16131
Status: In Code Review
Summary: Gromit sync with tyk repo

Generated at: 2025-11-19 09:22:29


[TT-16131]:
https://tyktech.atlassian.net/browse/TT-16131?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

(cherry picked from commit 007b66a)
@probelabs probelabs Bot requested a review from a team as a code owner November 19, 2025 09:21
@github-actions

API Changes

no api changes detected

@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶

7542 - Partially compliant

Compliant requirements:

  • Sync changes from the gromit repository into tyk.
  • Keep build environment base at golang-cross 1.24-bullseye.
  • Align CI/CD (goreleaser, docker images, metadata) with gromit changes.
  • Include FIPS build/image pipeline as per upstream.
  • Maintain packaging and post-install behaviors consistent with upstream, improving safety and idempotency.

Non-compliant requirements:

  • Ensure latest Go version is pulled manually/upstream as per build image process.

Requires further human verification:

  • Verify upstream image build actually pulls the desired latest Go version during CI runs.
  • Validate end-to-end release flow (snapshot vs tag) for docker push/signing behaviors across std/ee/fips images.
⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Permissions hardening:
The config file chmod is now conditional on existence, preserving security while avoiding failures; good. However, CI Dockerfiles curl remote scripts and proceed on failure for repo setup, which is acceptable for tests but consider verifying package signatures where possible.

⚡ Recommended focus areas for review

Possible Logic Inversion

The cleanup logic now removes the SysV init script when systemd is used, and removes the systemd unit otherwise; verify this matches intended platforms. A mismatch could leave the wrong service file present on certain distros.

```sh
if [ "${use_systemctl}" = "True" ]; then
    rm -f /etc/init.d/tyk-gateway
else
    rm -f /lib/systemd/system/tyk-gateway.service
fi
```

Changed Snapshot Behavior

The goreleaser invocation now skips docker in snapshots but not sign; previously snapshots skipped signing but built docker. Confirm this is intended and does not break snapshot testing expectations.

```sh
echo '#!/bin/sh
ci/bin/unlock-agent.sh
git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh
chmod +x /tmp/build.sh
```

Package Copy/Install Path Change

The deb copy/install logic moved from wildcard patterns to dist/ path and altered cleanup; confirm the pattern matches how artifacts are produced and no stale .deb remains in image layers.

```dockerfile
# Comment this to test in dev
COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete

# Clean up caches, unwanted .a and .o files
RUN rm -rf /root/.cache \
    && apt-get -y autoremove \
    && apt-get clean \
    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
    && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
```

@github-actions

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Fix flag spacing in command

The conditional string interpolation may include unintended leading spaces that
break flag parsing. Drop the leading space inside injected strings to ensure flags
are parsed correctly by the shell.

.github/workflows/release.yml [102]

-goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}'
+goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot --skip=sign,docker' || '--skip=docker' }}'
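Review bot: the leading space dropped from `' --snapshot --skip=sign,docker'` is harmless as written, because the expression already follows a space after `${{ matrix.goreleaser }}` and the unquoted command is word-split by the shell, so goreleaser receives the same arguments either way; this change is cosmetic. The part of this step worth review attention is visible in the full command quoted in the reviewer guide above: `${{ secrets.ORG_GH_TOKEN }}` is expanded into the text that `tee` writes to `/tmp/build.sh`, so the token is persisted on the runner's disk for the rest of the job; suggest reading it from an environment variable at run time instead of baking it into the script file.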
Suggestion importance[1-10]: 7


Why: Correctly targets the modified command line; removing the leading space in the interpolated flags can prevent parsing issues, improving robustness without altering behavior.

Impact: Medium
Prevent deleting active init file

Avoid removing the active init file for the detected init system. In systemd
environments, remove only the sysv script, and in non-systemd environments, remove
only the systemd unit file. This prevents breaking service management on the target
system.

ci/install/post_install.sh [20-24]

 if [ "${use_systemctl}" = "True" ]; then
+    # systemd in use: remove SysV init script only
     rm -f /etc/init.d/tyk-gateway
 else
+    # SysV (or no systemd): remove systemd unit only
     rm -f /lib/systemd/system/tyk-gateway.service
 fi
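Review bot: the two `+` lines are comments only, so this suggestion changes nothing about which file is removed and the title "Prevent deleting active init file" overstates it. If a real safeguard is wanted, the fragile point in these lines is the comparison against the literal string `"True"`: any other spelling or an unset `use_systemctl` falls into the `else` branch and removes the systemd unit on a systemd host. Suggest normalising the variable (or testing for `systemctl` directly) before this `if`, and documenting where `use_systemctl` is set.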
Suggestion importance[1-10]: 5


Why: Matches the new hunk lines and aligns with the PR’s intent to remove the non-relevant init artifact based on use_systemctl; it mostly reiterates current logic with clarifying comments, offering a minor safety/readability improvement.

Impact: Low

Category: General
Preserve apt metadata directories

Avoid deleting entire /var/lib/apt which can break future package operations in
derived images. Remove only apt caches to stay distroless-like without crippling apt
metadata.

ci/Dockerfile.std [21-25]

 RUN rm -rf /root/.cache \
     && apt-get -y autoremove \
     && apt-get clean \
-    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
+    && rm -rf /usr/include/* /var/cache/apt/archives/* /var/lib/apt/lists/* /var/lib/cache /var/log/* \
     && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
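Review bot: the `+` line correctly narrows the removal to `/var/lib/apt/lists/*` so the `/var/lib/apt` directory itself survives; note that `apt-get clean` two lines above already empties `/var/cache/apt/archives`, so that path is redundant in both versions. The unchanged `find` on the last context line has an operator-precedence defect: `-o` binds looser than the implicit `-a`, so it parses as `(-type f -a -name '*.a') -o (-name '*.o' -a -delete)`, meaning `-delete` runs only for `*.o` files and `*.a` files are matched but never removed (and `-type f` does not apply to the `*.o` branch). Suggest `find /usr/lib -type f \( -name '*.a' -o -name '*.o' \) -delete`.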
Suggestion importance[1-10]: 6


Why: Accurately maps to the new cleanup command and suggests avoiding deletion of /var/lib/apt, which can aid derived images; impact is moderate since the image trends distroless but the advice is reasonable.

Impact: Low
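The Dockerfile cleanup line quoted in the reviewer guide chains `find` tests with `-o` before `-delete`. The script below is an added example, not code from the tyk repo or this PR: it builds a throw-away tree of constructed sample files and shows that the expression as written leaves `.a` files in place, while the grouped form removes both kinds and leaves unrelated files alone.

```shell
#!/bin/sh
# Added example, not code from the tyk repo or this PR. Reproduces the
# operator-precedence defect in the quoted Dockerfile cleanup line and
# shows the corrected form, on a throw-away directory (never /usr/lib).

make_fixture() {
    # Constructed sample tree: one static archive, one object file,
    # one unrelated file that must survive either cleanup.
    dir=$(mktemp -d)
    mkdir -p "$dir/sub"
    : > "$dir/libfoo.a"
    : > "$dir/sub/bar.o"
    : > "$dir/keep.so"
    echo "$dir"
}

# Expression exactly as in ci/Dockerfile.std:
#   -type f -name '*.a'  -o  -name '*.o' -delete
# The implicit -a binds tighter than -o, so it parses as
#   ( -type f -a -name '*.a' )  -o  ( -name '*.o' -a -delete )
# -delete therefore runs only for *.o; *.a matches but no action follows.
# (stdout is discarded so demo's result line stays clean)
cleanup_as_written() {
    find "$1" -type f -name '*.a' -o -name '*.o' -delete >/dev/null
}

# Grouping the name tests makes -type f and -delete apply to both.
cleanup_fixed() {
    find "$1" -type f \( -name '*.a' -o -name '*.o' \) -delete
}

# Count .a/.o files left under a directory.
count_objects() {
    find "$1" -type f \( -name '*.a' -o -name '*.o' \) | wc -l | tr -d ' '
}

# Apply the original, then the fixed command, to one fixture.
# Prints "<.a/.o left after original> <left after fix> <keep.so present>".
demo() {
    d=$(make_fixture)
    cleanup_as_written "$d"
    left_original=$(count_objects "$d")     # libfoo.a survives -> 1
    cleanup_fixed "$d"
    left_fixed=$(count_objects "$d")        # both gone -> 0
    if [ -f "$d/keep.so" ]; then kept=1; else kept=0; fi   # untouched -> 1
    rm -rf "$d"
    echo "$left_original $left_fixed $kept"
}

demo
```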


@Razeen-Abdal-Rahman Razeen-Abdal-Rahman self-assigned this Nov 19, 2025
@Razeen-Abdal-Rahman Razeen-Abdal-Rahman merged commit 08a2606 into release-5.8 Nov 19, 2025
39 of 40 checks passed
@Razeen-Abdal-Rahman Razeen-Abdal-Rahman deleted the merge/release-5.8/007b66aea6ff8cd1006aa3e2ac1666f01799bae0/TT-16131 branch November 19, 2025 09:56