
Ensure static linked binary and bump distroless #717

Merged
lukasfrank merged 4 commits into main from fix/disable-cgo-explicitly
Apr 29, 2026

Conversation


@friegger friegger commented Apr 28, 2026

The default for CGO_ENABLED is true for regular builds. This results in a binary dynamically linked against, e.g., the glibc of the system where it was built. Setting CGO_ENABLED to false ensures statically linked binaries are created.

This also enables running on a distroless static build.

Summary by CodeRabbit

  • Chores
    • Updated container runtime base image to latest stable version for improved security and performance.
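The point of the change above is that the resulting binary must carry neither a program interpreter (PT_INTERP) nor DT_NEEDED shared-library entries, because a distroless static image has no libc to satisfy them. The checker below is an added example, not code from this PR or from the libvirt-provider project: it opens an ELF image with Go's debug/elf and reports exactly those two properties, so it can be run against the build output in CI to prove that CGO_ENABLED=0 did what was intended (and to catch the opposite case, where CGO_ENABLED stays on and a package such as net or os/user silently pulls in cgo). The SampleELF helper and the loader path it embeds are constructed test input, not real binaries.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
)

// LinkReport records the two things that make an ELF binary need a libc at runtime:
// a program interpreter (PT_INTERP) and DT_NEEDED entries. A binary with neither runs on distroless static images.
type LinkReport struct {
	Interp string   // path of the dynamic loader, "" when absent
	Needed []string // DT_NEEDED libraries, nil when there is no .dynamic section
}

// Static is true when the binary needs no loader and no shared library; a PT_DYNAMIC segment alone (static-pie) is harmless and not checked.
func (r LinkReport) Static() bool {
	return r.Interp == "" && len(r.Needed) == 0
}

// Inspect reads the program headers and the dynamic section of an opened ELF file.
func Inspect(f *elf.File) (LinkReport, error) {
	var rep LinkReport
	for _, p := range f.Progs {
		if p.Type != elf.PT_INTERP {
			continue
		}
		data, err := io.ReadAll(p.Open()) // segment body is the NUL-terminated loader path
		if err != nil {
			return rep, err
		}
		rep.Interp = string(bytes.TrimRight(data, "\x00"))
	}
	needed, err := f.ImportedLibraries() // DT_NEEDED entries; nil when there is no .dynamic section
	if err != nil {
		return rep, err
	}
	rep.Needed = needed
	return rep, nil
}

// CheckBytes parses an ELF image held in memory (e.g. the result of os.ReadFile).
func CheckBytes(data []byte) (LinkReport, error) {
	f, err := elf.NewFile(bytes.NewReader(data))
	if err != nil {
		return LinkReport{}, err
	}
	return Inspect(f)
}

// SampleELF builds a minimal ELF64 image (constructed test input, not a real program) that optionally
// carries a PT_INTERP segment naming interp, which is what a CGO_ENABLED=1 build on a glibc host produces.
func SampleELF(interp string) []byte {
	const ehdrSize, phdrSize = 64, 56
	var buf bytes.Buffer
	hdr := elf.Header64{
		Ident:     [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:      uint16(elf.ET_EXEC),
		Machine:   uint16(elf.EM_X86_64),
		Version:   uint32(elf.EV_CURRENT),
		Ehsize:    ehdrSize,
		Phentsize: phdrSize,
	}
	if interp != "" {
		hdr.Phoff, hdr.Phnum = ehdrSize, 1 // one program header directly after the ELF header
	}
	binary.Write(&buf, binary.LittleEndian, hdr)
	if interp != "" {
		ph := elf.Prog64{
			Type:   uint32(elf.PT_INTERP),
			Flags:  uint32(elf.PF_R),
			Off:    ehdrSize + phdrSize, // the loader path follows the program header
			Filesz: uint64(len(interp) + 1),
			Memsz:  uint64(len(interp) + 1),
		}
		binary.Write(&buf, binary.LittleEndian, ph)
		buf.WriteString(interp)
		buf.WriteByte(0)
	}
	return buf.Bytes()
}

func main() {
	ok := true
	for _, path := range os.Args[1:] {
		f, err := elf.Open(path)
		var rep LinkReport
		if err == nil {
			rep, err = Inspect(f)
			f.Close()
		}
		fmt.Printf("%s: static=%v interp=%q needed=%v err=%v\n", path, rep.Static(), rep.Interp, rep.Needed, err)
		ok = ok && err == nil && rep.Static()
	}
	if !ok {
		os.Exit(1) // fail the build step when any binary still depends on a loader or shared library
	}
}
```

Run it as `go run check_static.go bin/libvirt-provider bin/irictl-machine` after the build stage; a non-zero exit means the binary would not start on gcr.io/distroless/static-*. Only PT_INTERP and DT_NEEDED are considered deliberately: a `-buildmode=pie` build with CGO_ENABLED=0 keeps a PT_DYNAMIC segment but still has no interpreter and no library dependencies, and the kernel loads it fine without a libc.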

@github-actions github-actions Bot added size/XS bug Something isn't working labels Apr 28, 2026
@friegger friegger added ok-to-image and removed bug Something isn't working size/XS ok-to-image labels Apr 28, 2026
@friegger friegger marked this pull request as ready for review April 28, 2026 15:02
@friegger friegger requested a review from a team as a code owner April 28, 2026 15:02
@github-actions github-actions Bot added size/XS bug Something isn't working labels Apr 28, 2026
coderabbitai Bot commented Apr 28, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 72dc7425-9e5c-471f-98bd-37c5db89524e

📥 Commits

Reviewing files that changed from the base of the PR and between 5ff1f3f and f4accfd.

📒 Files selected for processing (2)
  • .github/workflows/publish-docker.yml
  • Dockerfile
📝 Walkthrough

The Dockerfile build process is updated to disable CGO (via CGO_ENABLED=0) for the libvirt-provider and irictl-machine binaries. The runtime base image is upgraded from Debian 11 to Debian 12.

Changes

  • Build Configuration (Dockerfile): Added CGO_ENABLED=0 to Go build and install steps; updated base image from gcr.io/distroless/base-debian11 to gcr.io/distroless/base-debian12.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • Remove CGO build flag #698: Modifies Dockerfile Go build steps to adjust CGO build flags for similar binary compilation optimization.

Suggested labels

chore, area/compute

Suggested reviewers

  • lukasfrank
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. No pull request description was provided. The required template sections (Proposed Changes and Fixes) are completely missing. Resolution: add a pull request description following the template, including proposed changes and any issue fixes being addressed.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the two main changes: disabling CGO for static binary linking and upgrading the distroless base image.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
Dockerfile (1)

62-62: Consider pinning the distroless base image by digest for reproducibility.

Using gcr.io/distroless/base-debian12 as a floating tag makes builds less reproducible and complicates supply-chain tracking. Pin to a specific platform digest (e.g., gcr.io/distroless/base-debian12:latest-amd64@sha256:...) for immutable, traceable deployments. Note that this is a multi-platform image index, so each target platform requires its own digest; obtain it via docker inspect or skopeo inspect for your build architecture.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 62, The Dockerfile uses a floating base image
"gcr.io/distroless/base-debian12" in the stage named libvirt-provider; replace
that floating tag with a specific platform digest (e.g.,
gcr.io/distroless/base-debian12@sha256:<digest>) to make builds reproducible and
supply-chain traceable, obtaining the correct digest for your target
architecture via docker inspect or skopeo inspect and updating the FROM line
accordingly (one digest per platform).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bb0c2289-a843-4932-a873-fb7c15f4fc99

📥 Commits

Reviewing files that changed from the base of the PR and between 15ef48c and 5ff1f3f.

📒 Files selected for processing (1)
  • Dockerfile

Also use static, since we don't need libc etc. when using a statically linked Go binary.
@lukasfrank lukasfrank merged commit b5a09eb into main Apr 29, 2026
11 checks passed
@lukasfrank lukasfrank deleted the fix/disable-cgo-explicitly branch April 29, 2026 05:43
@hardikdr hardikdr added this to Roadmap Apr 29, 2026
@github-project-automation github-project-automation Bot moved this to Done in Roadmap Apr 29, 2026