Commit Graph

13 Commits

Author SHA1 Message Date
jason 0da1792871 🐛 Retry GitHub API calls on rate-limit 403s during build 🐛
Parallel multi-platform builds (amd64 + arm64) fire ~14 unauthenticated
GitHub API calls concurrently — well over the 60 req/hr limit — causing
05-custom.sh to fail with a 403 on dominikh/go-tools (staticcheck).
Fix: _gh_latest now retries up to 3 times with a 60-second delay on
failure before giving up. A GITHUB_TOKEN build arg is also wired through
to the build stage ENV so callers can pass --build-arg GITHUB_TOKEN=$(gh
auth token) to raise the limit to 5000 req/hr and avoid the delay.
- Dockerfile: add ARG GITHUB_TOKEN="" and ENV GITHUB_TOKEN in build stage
- rootfs/root/docker/setup/05-custom.sh: retry loop (3 attempts, 60s backoff) in _gh_latest

Dockerfile
rootfs/root/docker/setup/05-custom.sh
2026-06-21 19:07:39 -04:00
jason d2e92d12b2 Cross-compile go install tools to eliminate QEMU build hang
The arm64 build was stuck for 12+ hours compiling gopls, dlv, and other
Go tools from source under QEMU user-mode emulation. QEMU makes Go
compilation 20-50× slower than native; gopls alone can take hours.
Fix: add a --platform=$BUILDPLATFORM go-tools stage in the Dockerfile that
cross-compiles all go install tools natively on amd64 using Go's built-in
cross-compilation (GOOS=linux GOARCH=$TARGETARCH). The binaries are then
COPYed into the main build stage before 05-custom.sh runs. No QEMU is
involved for any compilation step.
- Dockerfile: add go-tools stage using --platform=$BUILDPLATFORM with golang:alpine;
cross-compiles goimports, stringer, gopls, govulncheck, dlv, gops, benchstat,
wire, mockgen, protoc-gen-go, protoc-gen-go-grpc; COPY /go/bin/ → /usr/local/bin/
before the 05-custom.sh RUN layer
- rootfs/root/docker/setup/05-custom.sh: remove all go install commands (11 tools
now provided by the Dockerfile stage); keep go clean -modcache/-cache cleanup

Dockerfile
rootfs/root/docker/setup/05-custom.sh
2026-06-21 09:43:14 -04:00
jason d023bdba06 🐛 Force IPv4 in 05-custom.sh to fix GitHub API SSL failure 🐛
The casjaysdev/alpine base image routes *.github.com IPv6 addresses through
casjay.in infrastructure, which presents CN=casjay.in instead of GitHub's
certificate. curl -fsSL to api.github.com resolves to 2402:d0c0:12:e04e::1
and fails with "no alternative certificate subject name matches target
hostname api.github.com". Standard alpine:latest uses the IPv4 address
140.82.114.6 and succeeds.
Fix: write "-4" to /root/.curlrc at the top of 05-custom.sh so every curl
call in the script (including the golangci-lint installer sub-script) uses
IPv4. Build now completes successfully.
- rootfs/root/docker/setup/05-custom.sh: add printf '-4' > /root/.curlrc
before any network calls

rootfs/root/docker/setup/05-custom.sh
2026-06-20 15:25:22 -04:00
jason a5941bab8f 🐛 Fix pre-built binary URL patterns in 05-custom.sh 🐛
Four asset naming bugs found and fixed; gopls and govulncheck moved back
to go install (neither publishes binary release assets).
- rootfs/root/docker/setup/05-custom.sh:
  - gofumpt: asset includes version tag (gofumpt_v0.x.y_linux_amd64)
  - gotestsum: uses amd64/arm64 convention, not x86_64
  - air: asset includes version without v prefix (air_1.x.y_linux_amd64)
  - gopls: no binary release assets → go install golang.org/x/tools/gopls@latest
  - govulncheck: no binary release assets → go install golang.org/x/vuln/cmd/govulncheck@latest
  - _gh_latest: add null/empty guard; print per-tool progress; auth header
    when GITHUB_TOKEN is set

rootfs/root/docker/setup/05-custom.sh
2026-06-01 00:21:20 -04:00
jason 08d96b6d5b Use pre-built binaries in 05-custom.sh
Replaces go install for 11 tools with direct binary/tarball downloads
from GitHub releases. Build time drops from 2+ hours to ~10 minutes
and arm64 QEMU segfaults are eliminated (no Go compilation for goreleaser).
- rootfs/root/docker/setup/05-custom.sh: add _gh_latest/_install_tar/_install_bin
helpers; download goreleaser, golangci-lint, staticcheck, gofumpt,
gotestsum, ko, air, buf, goose, gopls, govulncheck from release artifacts;
keep go install only for goimports, stringer, dlv, gops, benchstat,
wire, mockgen, protoc-gen-go, protoc-gen-go-grpc; remove -p=1 arm64
workaround (no longer needed)

rootfs/root/docker/setup/05-custom.sh
2026-06-01 00:12:38 -04:00
jason 5160ac7e61 🐛 Fix arm64 build: serialise Go compilation to prevent QEMU segfault 🐛
The arm64 build was failing with:
  github.com/caarlos0/go-version: .../linux_arm64/compile: signal: segmentation fault
Under QEMU emulation, parallel Go package compilation creates memory
pressure that causes the compiler to crash. Setting GOFLAGS=-p=1 on
aarch64 serialises compilation, eliminating the segfault. amd64 builds
are unaffected (no flag set on x86_64).
- rootfs/root/docker/setup/05-custom.sh: detect aarch64 via uname -m
and export GOFLAGS=-p=1 before all go install calls

rootfs/root/docker/setup/05-custom.sh
2026-05-31 18:31:58 -04:00
jason 65346b72af Add buf + goose, fix PATH order, rewrite README
Add buf (modern protobuf toolchain) and goose (Go-native DB migration
runner) to complete the Go dev toolchain. Fix PATH order so baked image
tools in /usr/local/bin always take precedence over anything installed
at runtime into $GOPATH/bin. Full README rewrite following canonical
section order.
- Dockerfile: insert /usr/local/bin between /usr/local/go/bin and
/usr/local/share/go/bin in both build and final stage ENV PATH
- rootfs/etc/profile.d/go.sh: same PATH fix; explicit /usr/local/bin
guard added; $GOPATH/bin appended last
- rootfs/root/docker/setup/05-custom.sh: add buf@latest and
goose/v3@latest installs with descriptive comments
- README.md: full rewrite — H1 title, canonical section order (Pull,
Docker, Tools table, Env vars, PATH order, Persistence, Cross-compile,
Development, License); accurate tool list matching actual image content

Dockerfile
README.md
rootfs/etc/profile.d/go.sh
rootfs/root/docker/setup/05-custom.sh
2026-05-30 23:15:20 -04:00
jason ebe20b4f87 🔧 Add gops and benchstat Go debugging tools 🔧
Add two debug/profiling tools to 05-custom.sh:
- gops: live process diagnostics (list Go processes, dump stacks, force GC)
- benchstat: statistically sound benchmark comparison via pprof
Both tools baked into /usr/local/bin at build time.
Build verified: go1.26.3, all 19 tools confirmed on PATH.
- rootfs/root/docker/setup/05-custom.sh: add gops and benchstat installs

rootfs/root/docker/setup/05-custom.sh
2026-05-30 21:42:46 -04:00
jason 28f2167e82 Install Go latest + full toolchain at image build time
Go is now downloaded from go.dev/dl at build time (always latest stable,
never pinned). All tools are baked into /usr/local/bin so they are on
PATH out of the box. Module cache and build cache live in the volumed
GOPATH (/usr/local/share/go) so they persist across container restarts
without re-downloading.
- Dockerfile: add /usr/local/go/bin to PATH in both build and final stage
- rootfs/root/docker/setup/05-custom.sh: full Go install + tool install
  - detects arch (amd64/arm64/armv6l/386) via uname -m
  - fetches latest stable version from go.dev/dl?mode=json via jq
  - extracts to /usr/local/go; symlinks go+gofmt to /usr/local/bin
  - installs with GOBIN=/usr/local/bin (baked into image, not in volume):
    gopls, goimports, gofumpt, stringer, golangci-lint, staticcheck,
    govulncheck, gotestsum, dlv, air, goreleaser, wire, mockgen (uber),
    ko, protoc-gen-go, protoc-gen-go-grpc
  - cleans modcache and build cache after install to keep layer lean
- rootfs/etc/profile.d/go.sh: add /usr/local/go/bin prepend so
  interactive shells always find the Go distribution binaries first
Volume strategy:
  /usr/local/share/go → GOPATH (module cache + build cache + user bins)
  Mount a named volume or bind-mount here to avoid re-downloading modules:
    docker run -v go-cache:/usr/local/share/go casjaysdevdocker/go

Dockerfile
rootfs/etc/profile.d/go.sh
rootfs/root/docker/setup/05-custom.sh
2026-05-30 02:33:40 -04:00
jason b646f7a726 🔧 Apply template updates from /tmp/templates/go 🔧
Sync project with updated upstream template files while preserving all
Go-specific customizations (EXEC_CMD_BIN='', DATA_DIR='', Go env vars,
/data/go symlink, Go-named dirs, etc.).
- .env.scripts: bump version stamp to 202605292219-git
- .gitattributes: update date stamp from template
- .gitea/workflows/docker.yaml: replace bare echo with printf %q for
GITHUB_OUTPUT assignments; use local var assignments for docker org/tag
- .gitignore: expand with editor configs (VSCode/JetBrains/Vim), AI tool
configs (Claude/.cursor/Copilot), env/secrets, build artifacts,
dependency dirs, logs, test/coverage dirs from updated template
- Dockerfile: bump BUILD_DATE to 202605292219; fix PHP_FPM detection from
ls subshell to set -- glob pattern; fix systemd cleanup to use for loop
instead of rm -f $(ls | grep -v ...)
- rootfs/root/docker/setup/00-init.sh through 07-cleanup.sh: update
version/date stamps to 202605292220-git template versions
- rootfs/usr/local/bin/entrypoint.sh: update stamp; fix echo quoting to
use double quotes for CONTAINER_NAME expansion
- rootfs/usr/local/etc/docker/init.d/00-go.sh: apply template improvements:
split SIGPWR trap onto separate line with 2>/dev/null || true; expand
debugger setup to multi-line if/else; use $(<file) instead of cat for
old_pid; apply _script_hash invalidation (W14) before START_SCRIPT
generation; replace heredoc/eval approach with printf %q for safe
quoting; launch START_SCRIPT with bash not eval sh -c (W15); add null
guard on chown in __run_secure_function; use _resolved temp var pattern
for type -P resolution (remove SERVICE_PID_NUMBER); explicit
[ "$1" = "check" ] guard on __check_service; errorCode=${PIPESTATUS[0]};
fix command -v pre check; add grep -- separator; fix ps|awk|grep chain
to pure awk; remove duplicate mkdir block
- rootfs/usr/local/share/template-files/config/env/default.sample:
ENTRYPOINT_PID_FILE path /run/.entrypoint.pid → /run/init.d/entrypoint.pid
- rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh:
same ENTRYPOINT_PID_FILE path fix

Dockerfile
.env.scripts
.gitattributes
.gitea/workflows/docker.yaml
.gitignore
rootfs/root/docker/setup/00-init.sh
rootfs/root/docker/setup/01-system.sh
rootfs/root/docker/setup/02-packages.sh
rootfs/root/docker/setup/03-files.sh
rootfs/root/docker/setup/04-users.sh
rootfs/root/docker/setup/05-custom.sh
rootfs/root/docker/setup/06-post.sh
rootfs/root/docker/setup/07-cleanup.sh
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/etc/docker/init.d/00-go.sh
rootfs/usr/local/share/template-files/config/env/default.sample
rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh
2026-05-30 02:19:11 -04:00
jason d25162fc48 🔧 Update scripts and add CA cert update 🔧
Update all container scripts to 202605241245-git and add CA certificate
update step after package installation.
- rootfs/root/docker/setup/00-init.sh: updated to latest template
- rootfs/root/docker/setup/01-system.sh: updated to latest template
- rootfs/root/docker/setup/02-packages.sh: add update-ca-certificates/update-ca-trust step
- rootfs/root/docker/setup/03-files.sh: updated to latest template
- rootfs/root/docker/setup/04-users.sh: updated to latest template
- rootfs/root/docker/setup/05-custom.sh: updated to latest template
- rootfs/root/docker/setup/06-post.sh: updated to latest template
- rootfs/root/docker/setup/07-cleanup.sh: updated to latest template
- rootfs/usr/local/bin/entrypoint.sh: updated to 202605241245-git
- rootfs/usr/local/bin/pkmgr: updated to 202605241245-git
- rootfs/usr/local/etc/docker/functions/entrypoint.sh: updated to 202605241245-git

rootfs/root/docker/setup/00-init.sh
rootfs/root/docker/setup/01-system.sh
rootfs/root/docker/setup/02-packages.sh
rootfs/root/docker/setup/03-files.sh
rootfs/root/docker/setup/04-users.sh
rootfs/root/docker/setup/05-custom.sh
rootfs/root/docker/setup/06-post.sh
rootfs/root/docker/setup/07-cleanup.sh
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/bin/pkmgr
rootfs/usr/local/etc/docker/functions/entrypoint.sh
2026-05-24 21:46:18 -04:00
jason 32061b8169 🔧 Refactor env vars and optimize Go tool installation 🔧
- Rename ENV_IMAGE_NAME to ENV_REGISTRY_REPO and ENV_ORG_NAME to ENV_REGISTRY_ORG for consistent naming
- Clarify ENV_REGISTRY_URL to be the provider base URL and rename ENV_IMAGE_PUSH to ENV_REGISTRY_PUSH
- Extract install_go_tool helper to handle best-effort installs with periodic cache flushing every 5 tools
- Add GOMAXPROCS, GOMEMLIMIT, and GOFLAGS env vars for controlled Go build resource usage
- Clear test cache before module cache cleanup to reduce peak disk usage during image builds

.env.scripts
rootfs/root/docker/setup/05-custom.sh
2026-05-04 20:58:11 -04:00
jason f1eca4ed7e 🦈🏠🐜 Initial Commit 🐜🦈🏠
2026-05-01 06:43:23 -04:00