chore: bump dependencies, migrate CI to Nix, and modernize build tooling #128

Merged: shini4i merged 6 commits into main from chore/version-bump on Mar 9, 2026

Conversation

@shini4i shini4i commented Mar 9, 2026

Summary

Bump Go dependencies to latest versions, migrate CI workflows to Nix, upgrade goreleaser to v2 configuration format, and replace Makefile with Taskfile.

Changes

Go Dependency Updates

  • github.com/go-git/go-git/v5: v5.16.3 → v5.17.0 (security fixes, performance improvements)
  • github.com/spf13/afero: v1.14.0 → v1.15.0 (bug fixes)
  • github.com/spf13/cobra: v1.10.1 → v1.10.2 (internal yaml dependency migration)
  • github.com/stretchr/testify: v1.10.0 → v1.11.1 (stringer argument matching fix)
  • github.com/go-git/go-billy/v5: v5.6.2 → v5.8.0 (transitive, pulled in by go-git)
  • Go version: 1.24 → 1.25

CI/CD Migration to Nix

  • Replace actions/setup-go with cachix/install-nix-action in both workflows
  • All GitHub Actions are now SHA-pinned for supply-chain security:
    • actions/checkout@de0fac2e... (v6.0.2)
    • cachix/install-nix-action@19effe9f... (v31.10.0)
    • docker/setup-qemu-action@ce360397... (v4.0.0)
    • docker/login-action@b45d80f8... (v4.0.0)
    • codecov/codecov-action@671740ac... (v5.5.2)
  • Remove securego/gosec@master action in favor of running gosec directly via Nix
  • Remove goreleaser/goreleaser-action in favor of running goreleaser directly via Nix
  • Fix pre-existing bug: "Fetch target branch" step now only runs on pull request events

GoReleaser v2 Migration

  • Add version: 2 configuration header
  • Migrate dockers + docker_manifests → dockers_v2 (simplified multi-platform config)
  • Migrate snapshot.name_template → snapshot.version_template
  • Remove deprecated Homebrew tap configuration (no longer in use)

Build System: Makefile → Taskfile

  • Replace Makefile with Taskfile.yml (go-task)
  • Update goreleaser before hooks to use task instead of make
  • Update CI workflow to use task commands

Nix Development Environment

  • Add goreleaser, gosec, go-junit-report, and go-task to flake.nix dev shell
  • Update flake.lock to match Go 1.25 toolchain

Documentation

  • Update README installation instructions (remove stale Homebrew tap reference)

Summary by CodeRabbit

  • Documentation

    • Installation instructions updated to recommend direct binary download or Docker image pull.
  • Chores

    • Bumped Go toolchain to 1.25 and updated project dependencies.
    • Migrated build/release and CI workflows to a Nix-based setup and pinned workflow actions.
    • Replaced Makefile with Taskfile-based automation for build, test, and coverage tasks.
    • Updated Docker base image to Alpine 3.23.3 and Helm to 3.19.5.
    • Restructured image/release configuration for unified multi-architecture builds.

Update Go dependencies to latest versions (go-git v5.17.0, afero v1.15.0,
cobra v1.10.2, testify v1.11.1). Migrate CI workflows from actions/setup-go
to cachix/install-nix-action with all GitHub Actions SHA-pinned for
supply-chain security. Upgrade goreleaser config to v2 format with
dockers_v2 for simplified multi-platform Docker builds. Replace Makefile
with Taskfile.yml (go-task) and add goreleaser, gosec, go-junit-report,
and go-task to the Nix dev shell.

coderabbitai Bot commented Mar 9, 2026

Warning

Rate limit exceeded

@shini4i has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 9 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1e9c31c2-07d0-424f-b04e-b8e54058d3fd

📥 Commits

Reviewing files that changed from the base of the PR and between 8d7e4fa and c1a92e6.

📒 Files selected for processing (6)
  • .github/workflows/release.yml
  • .github/workflows/run-tests.yml
  • .goreleaser.yaml
  • Dockerfile
  • Taskfile.yml
  • internal/comment/gitlab/poster.go

Walkthrough

The repository migrates build and CI tooling to a Nix-based workflow: Makefile removed and replaced by Taskfile, GitHub Actions now run nix-driven commands, Goreleaser config moved to v2 layout, Go toolchain and dependencies bumped, Docker base and Helm versions updated, and README install instructions switched to Docker pulls.

Changes

Cohort / File(s) Summary
CI/CD Workflow Modernization
.github/workflows/release.yml, .github/workflows/run-tests.yml
Replaced actions/setup-go and goreleaser/goreleaser-action/gosec steps with cachix/install-nix-action and nix develop --command ... invocations. Pinned several actions to commit hashes and added conditional branch fetch for PRs.
Build Tooling Migration
Makefile, Taskfile.yml
Deleted Makefile. Added Taskfile.yml implementing mocks, test, test-coverage, test-coverage-html, build, and clean tasks with dependencies using mockgen, go test, go-junit-report, and go tool cover.
Release Configuration
.goreleaser.yaml
Reworked to Goreleaser v2 structure: unified docker images under dockers_v2/images, consolidated multi-platform settings, added OCI labels, renamed snapshot template, removed brew section, and adjusted before hooks to call task mocks.
Development Environment & Dependencies
flake.nix, go.mod
Bumped Go toolchain from 1.24 → 1.25; added goreleaser, gosec, go-junit-report, go-task to flake. Updated Go module versions for go-git, afero, cobra, testify and an indirect go-billy update.
Container & Documentation
Dockerfile, README.md
Updated base image from alpine:3.22 → alpine:3.23.3 and HELM_VERSION 3.15.2 → 3.19.5. README install instructions changed from Homebrew to Docker image pull (docker pull ghcr.io/shini4i/argo-compare:<version>).
Small Code/Comment Adjustments
internal/comment/gitlab/poster.go, internal/models/repo.go, internal/ports/ports.go
Added #nosec inline comments to suppress security scanners for credential-related fields / HTTP client usage; no runtime behavior changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I hopped from Make to Nix’s glade so green,
Tasks now bustle where targets once were seen,
Goreleaser twirls in a v2 gown,
Docker pulls arrive—no brew around town! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately describes the main changes: dependency bumps, CI migration to Nix, and modernization of build tooling. It directly reflects the primary objectives of the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Add #nosec annotations for legitimate uses: SSRF false positive on
operator-configured GitLab URL (G704), and credential struct fields
required for Helm registry auth (G117). Exclude .gomod and .go cache
directories from gosec scanning in CI.

codecov Bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.01%. Comparing base (7c45fd6) to head (c1a92e6).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #128      +/-   ##
==========================================
+ Coverage   75.87%   78.01%   +2.14%     
==========================================
  Files          20       20              
  Lines        2006     1601     -405     
==========================================
- Hits         1522     1249     -273     
+ Misses        352      220     -132     
  Partials      132      132              



@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

5-13: ⚠️ Potential issue | 🟠 Major

Verify the Helm tarball before extracting it.

Line 11 downloads an executable artifact without validating its integrity. Helm publishes SHA-256 checksums for all releases at https://get.helm.sh/helm-v${HELM_VERSION}-linux-${TARGETARCH}.tar.gz.sha256. Download and verify the checksum before extracting the tarball on line 12 to prevent arbitrary code execution from a compromised artifact.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 5 - 13, The Dockerfile currently downloads the Helm
tarball using ENV HELM_VERSION and ENV TARGETARCH and extracts it immediately;
update the RUN sequence that contains wget
"https://get.helm.sh/helm-v${HELM_VERSION}-linux-${TARGETARCH}.tar.gz" and tar
-xf to first download the corresponding .sha256 checksum file
(https://get.helm.sh/helm-v${HELM_VERSION}-linux-${TARGETARCH}.tar.gz.sha256),
verify the tarball against that checksum (e.g., using sha256sum -c or by
comparing computed sha256sum to the downloaded value), fail the build if
verification fails, and only then proceed to tar -xf and mv the extracted
linux-${TARGETARCH}/helm to /usr/bin/helm; also ensure you remove the downloaded
tar and checksum after successful install for cleanliness.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 16-17: The workflow currently sets up QEMU via the "Set up QEMU"
step using docker/setup-qemu-action but does not initialize Buildx; add a pinned
docker/setup-buildx-action step (run before invoking GoReleaser or the
dockers_v2 publishing step) so multi-arch builds for linux/amd64 and linux/arm64
succeed; ensure the added step is placed prior to the GoReleaser invocation and
uses a fixed action SHA or tag to avoid transient failures.

In @.goreleaser.yaml:
- Around line 5-8: The release hook currently runs both the "mocks" task and "go
mod tidy" which allows the release process to modify module files during
tagging; remove the "go mod tidy" entry from the hooks in .goreleaser.yaml so
the release remains read-only (keep only the "mocks" task), and move the module
tidy check into CI so the pipeline fails on a dirty tree instead of allowing
releases to rewrite go.mod/go.sum during publish.

In `@Taskfile.yml`:
- Around line 34-37: Update the Taskfile.yml "clean" task to remove all
artifacts emitted by the test targets: extend the clean cmds for the clean task
to delete coverage.out, coverage.html, report.xml and the .tmp directory (and
keep removing bin), so that running the clean task fully clears outputs produced
by test-coverage and test-coverage-html.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: bc7eedd6-adb7-4927-ad95-88ba9ba96ff2

📥 Commits

Reviewing files that changed from the base of the PR and between 7c45fd6 and a2c43cb.

⛔ Files ignored due to path filters (2)
  • flake.lock is excluded by !**/*.lock
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (9)
  • .github/workflows/release.yml
  • .github/workflows/run-tests.yml
  • .goreleaser.yaml
  • Dockerfile
  • Makefile
  • README.md
  • Taskfile.yml
  • flake.nix
  • go.mod
💤 Files with no reviewable changes (1)
  • Makefile

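The tarball check the review asks for in the Dockerfile, written out as an added shell example that is not code from this PR or the argo-compare repository. It assumes the get.helm.sh tarball and .sha256 URLs quoted in the review comment, and that the published .sha256 file carries the digest in its first whitespace-separated field (either a bare hash or sha256sum's "<hash>  <file>" layout); the offline self-check works on files constructed on the spot, not real Helm artifacts.

```shell
#!/usr/bin/env sh
# Added example (not code from the PR or the argo-compare project): verify a
# downloaded archive against its published SHA-256 digest before extracting it.
# verify_sha256 works on local paths so the check can be exercised offline;
# fetch_helm shows the download/verify/extract sequence for the Dockerfile and
# assumes the get.helm.sh URLs named in the review comment.
set -eu

# verify_sha256 FILE CHECKSUM_FILE
# Assumes the digest is the first whitespace-separated field of CHECKSUM_FILE,
# which covers both a bare hash and the "<hash>  <filename>" sha256sum layout.
# Returns 0 on match, 1 on mismatch or on a checksum file that is not a digest
# (for example an HTML error page saved under the .sha256 name).
verify_sha256() {
    file=$1
    sumfile=$2
    expected=$(awk 'NR == 1 { print $1 }' "$sumfile")
    case $expected in
        "" | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# fetch_helm VERSION ARCH
# Download the tarball and its .sha256, verify, then extract and install.
# Runs in a subshell so the cd does not leak; not exercised by the offline test.
fetch_helm() (
    version=$1
    arch=$2
    tarball="helm-v${version}-linux-${arch}.tar.gz"
    workdir=$(mktemp -d)
    cd "$workdir"
    wget -q "https://get.helm.sh/${tarball}" "https://get.helm.sh/${tarball}.sha256"
    if ! verify_sha256 "$tarball" "${tarball}.sha256"; then
        echo "checksum mismatch for ${tarball}, refusing to extract" >&2
        cd / && rm -rf "$workdir"
        exit 1
    fi
    tar -xf "$tarball"
    mv "linux-${arch}/helm" /usr/bin/helm
    cd / && rm -rf "$workdir"
)

# demo_offline: self-check with constructed files (not real Helm artifacts).
# A matching digest must verify; appending a byte must make verification fail.
demo_offline() {
    tmp=$(mktemp -d)
    printf 'constructed archive contents\n' > "$tmp/artifact.tar.gz"
    sha256sum "$tmp/artifact.tar.gz" | awk '{ print $1 }' > "$tmp/artifact.tar.gz.sha256"
    if ! verify_sha256 "$tmp/artifact.tar.gz" "$tmp/artifact.tar.gz.sha256"; then
        rm -rf "$tmp"
        return 1
    fi
    printf 'x' >> "$tmp/artifact.tar.gz"
    if verify_sha256 "$tmp/artifact.tar.gz" "$tmp/artifact.tar.gz.sha256"; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo_offline && echo "offline verification self-check passed"
fi
```

In a Dockerfile the same sequence collapses into one RUN step, with the build failing whenever verify_sha256 returns non-zero. Fetching the .sha256 from the same host as the tarball only protects against corrupted or substituted downloads; if the expected digest is instead pinned in the Dockerfile next to HELM_VERSION, a compromise of the download host cannot serve a matching pair, at the cost of updating the pinned value on every Helm bump.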
Add docker/setup-buildx-action to release workflow for reliable
multi-arch builds. Remove go mod tidy from goreleaser hooks to keep
releases read-only and add a tidy check to CI instead. Extend
Taskfile clean task to remove all test artifacts. Verify Helm tarball
SHA-256 checksum during Docker image build.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run-tests.yml:
- Around line 18-23: The workflow job currently sets explicit permissions but
omits repository read access, which breaks actions/checkout and the git fetch
step; update the job's permissions block to include "contents: read" (not write)
so actions/checkout@... and the "git fetch" run have repository read access —
add or merge a permissions: { contents: read } entry at the same job scope where
"permissions" is declared to ensure those steps succeed.

In `@internal/comment/gitlab/poster.go`:
- Line 130: Replace the incorrect gosec annotation on the HTTP call line so the
linter suppression matches the actual rule: change the comment attached to the
p.client.Do(req) call from "// `#nosec` G704 -- endpoint is built from
operator-configured BaseURL, not user input" to use "G107" instead; locate the
p.client.Do(req) invocation in poster.go (method using p.client.Do) and update
the rule id to G107 to properly suppress the SSRF/variable-URL warning.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d37831fc-2dd6-4d59-9757-802158756b89

📥 Commits

Reviewing files that changed from the base of the PR and between a2c43cb and 8d7e4fa.

📒 Files selected for processing (4)
  • .github/workflows/run-tests.yml
  • internal/comment/gitlab/poster.go
  • internal/models/repo.go
  • internal/ports/ports.go

shini4i added 3 commits March 9, 2026 21:08

The mocks package is generated at build time, so go mod tidy cannot
resolve imports without running task mocks first. The pre-commit hook
already enforces tidy modules during development.

Add missing contents:read to test workflow permissions so
actions/checkout and git fetch have repository access. Fix gosec
suppression from G704 to G107 (the actual SSRF/variable-URL rule).

G704 is a taint-analysis variant of the same SSRF check as G107.
Both must be listed in the nosec annotation.

sonarqubecloud Bot commented Mar 9, 2026

@shini4i shini4i merged commit 6ccd533 into main Mar 9, 2026
10 checks passed
@shini4i shini4i deleted the chore/version-bump branch March 9, 2026 19:16