GoogleCloudPlatform · hessjcg · Sep 30, 2025 · Oct 6, 2025 · Oct 6, 2025
@@ -29,14 +29,7 @@ jobs:
         with:
           go-version: "1.24"
       - name: Checkout code
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
-      - name: >
-          Verify go mod tidy. If you're reading this and the check has
-          failed, run `goimports -w . && go mod tidy && golangci-lint run`
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.2.2
+      - name: lint
         run: |
-          go mod tidy && git diff --exit-code
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
-        with:
-          version: latest
-          args: --timeout 3m
+          ./build.sh lint_ci
@@ -4,10 +4,12 @@
 # IDEs
 .idea/
 .vscode/
+*.iml
 
 /cloud-sql-proxy
 /cloud-sql-proxy.exe
 
 /key.json
 /logs/
 .tools
+test_results.txt
@@ -12,47 +12,56 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # .golangci.yml
+version: "2"
 linters:
-  disable-all: true
+  default: none
   enable:
-    # From https://golangci-lint.run/usage/linters/
-    # This is a minor deviation from the default linters
-    - goimports
-    - gosimple
     - govet
     - ineffassign
     - revive
     - staticcheck
     - unused
-issues:
-  exclude-use-default: false
-linters-settings:
-  revive:
-    rules:
-      # From https://revive.run/docs#recommended-configuration
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: empty-block
-      - name: errorf
-      - name: error-naming
-      - name: error-return
-      - name: error-strings
-      - name: exported
-      - name: if-return
-      - name: import-shadowing
-      - name: increment-decrement
-      - name: indent-error-flow
-      - name: range
-      - name: range-val-address
-      - name: range-val-in-closure
-      - name: receiver-naming
-      - name: redefines-builtin-id
-      - name: superfluous-else
-      - name: time-naming
-      - name: unexported-return
-      - name: unreachable-code
-      - name: unused-parameter
-      - name: var-declaration
-      - name: var-naming
+  settings:
+    revive:
+      rules:
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: empty-block
+        - name: errorf
+        - name: error-naming
+        - name: error-return
+        - name: error-strings
+        - name: exported
+        - name: if-return
+        - name: import-shadowing
+        - name: increment-decrement
+        - name: indent-error-flow
+        - name: range
+        - name: range-val-address
+        - name: range-val-in-closure
+        - name: receiver-naming
+        - name: redefines-builtin-id
+        - name: superfluous-else
+        - name: time-naming
+        - name: unexported-return
+        - name: unreachable-code
+        - name: unused-parameter
+        - name: var-declaration
+        - name: var-naming
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
     go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container"
 
 # Final Stage
-FROM gcr.io/distroless/static:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46
+FROM gcr.io/distroless/static:nonroot@sha256:127eb3c971acb50a3c7b511a978bb497b56add4c91225e57605b3b43cc0a9662
 
 LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
 

@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
     go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.alpine"
 
 # Final stage
-FROM alpine:3@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
+FROM alpine:3@sha256:eafc1edb577d2e9b458664a15f23ea1c370214193226069eb22921169fc7e43f
 
 LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
 

@@ -0,0 +1,44 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use the latest stable golang 1.x to compile to a binary
+FROM --platform=$BUILDPLATFORM golang:1-alpine as build
+
+WORKDIR /go/src/cloud-sql-proxy
+COPY . .
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN go get ./...
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.alpine"
+
+# Final stage
+FROM alpine:3@sha256:eafc1edb577d2e9b458664a15f23ea1c370214193226069eb22921169fc7e43f
+
+LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
+
+RUN apk add --no-cache \
+    ca-certificates \
+    libc6-compat
+# Install fuse and allow enable non-root users to mount
+RUN apk add --no-cache fuse && sed -i 's/^#user_allow_other$/user_allow_other/g' /etc/fuse.conf
+# Add a non-root user matching the nonroot user from the main container
+RUN addgroup -g 65532 -S nonroot && adduser -u 65532 -S nonroot -G nonroot
+# Set the uid as an integer for compatibility with runAsNonRoot in Kubernetes
+USER 65532
+
+COPY --from=build --chown=nonroot /go/src/cloud-sql-proxy/cloud-sql-proxy /cloud-sql-proxy
+ENTRYPOINT ["/cloud-sql-proxy"]
@@ -0,0 +1,44 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use the latest stable golang 1.x to compile to a binary
+FROM --platform=$BUILDPLATFORM golang:1-alpine as build
+
+WORKDIR /go/src/cloud-sql-proxy
+COPY . .
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN go get ./...
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.alpine"
+
+# Final stage
+FROM alpine:3@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
+
+LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
+
+RUN apk add --no-cache \
+    ca-certificates \
+    libc6-compat
+# Install fuse and allow enable non-root users to mount
+RUN apk add --no-cache fuse && sed -i 's/^#user_allow_other$/user_allow_other/g' /etc/fuse.conf
+# Add a non-root user matching the nonroot user from the main container
+RUN addgroup -g 65532 -S nonroot && adduser -u 65532 -S nonroot -G nonroot
+# Set the uid as an integer for compatibility with runAsNonRoot in Kubernetes
+USER 65532
+
+COPY --from=build --chown=nonroot /go/src/cloud-sql-proxy/cloud-sql-proxy /cloud-sql-proxy
+ENTRYPOINT ["/cloud-sql-proxy"]
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
     go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.bookworm"
 
 # Final stage
-FROM gcr.io/cloud-marketplace-containers/google/debian12@sha256:f13f9826c524466f844e74534b8add32f51acd2be428b5dee782fe9086e59861
+FROM gcr.io/cloud-marketplace-containers/google/debian12@sha256:57b2a46728f6f1000649671bb3c7b1d66116b92b55cfb97ec6c1394fe5d44709
 
 LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
 

@@ -0,0 +1,42 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use the latest stable golang 1.x to compile to a binary
+FROM --platform=$BUILDPLATFORM golang:1 as build
+
+WORKDIR /go/src/cloud-sql-proxy
+COPY . .
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN go get ./...
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.bookworm"
+
+# Final stage
+FROM gcr.io/cloud-marketplace-containers/google/debian12@sha256:57b2a46728f6f1000649671bb3c7b1d66116b92b55cfb97ec6c1394fe5d44709
+
+LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
+
+RUN apt-get update && apt-get install -y ca-certificates
+# Install fuse and allow enable non-root users to mount
+RUN apt-get update && apt-get install -y fuse && sed -i 's/^#user_allow_other$/user_allow_other/g' /etc/fuse.conf
+# Add a non-root user matching the nonroot user from the main container
+RUN groupadd -g 65532 -r nonroot && useradd -u 65532 -g 65532 -r nonroot
+# Set the uid as an integer for compatibility with runAsNonRoot in Kubernetes
+USER 65532
+
+COPY --from=build --chown=nonroot /go/src/cloud-sql-proxy/cloud-sql-proxy /cloud-sql-proxy
+ENTRYPOINT ["/cloud-sql-proxy"]
@@ -0,0 +1,42 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use the latest stable golang 1.x to compile to a binary
+FROM --platform=$BUILDPLATFORM golang:1 as build
+
+WORKDIR /go/src/cloud-sql-proxy
+COPY . .
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN go get ./...
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.bookworm"
+
+# Final stage
+FROM gcr.io/cloud-marketplace-containers/google/debian12@sha256:f13f9826c524466f844e74534b8add32f51acd2be428b5dee782fe9086e59861
+
+LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
+
+RUN apt-get update && apt-get install -y ca-certificates
+# Install fuse and allow enable non-root users to mount
+RUN apt-get update && apt-get install -y fuse && sed -i 's/^#user_allow_other$/user_allow_other/g' /etc/fuse.conf
+# Add a non-root user matching the nonroot user from the main container
+RUN groupadd -g 65532 -r nonroot && useradd -u 65532 -g 65532 -r nonroot
+# Set the uid as an integer for compatibility with runAsNonRoot in Kubernetes
+USER 65532
+
+COPY --from=build --chown=nonroot /go/src/cloud-sql-proxy/cloud-sql-proxy /cloud-sql-proxy
+ENTRYPOINT ["/cloud-sql-proxy"]
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
     go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.bullseye"
 
 # Final stage
-FROM gcr.io/cloud-marketplace-containers/google/debian11@sha256:737a2643043d22f2a4bfa56461dc904fc9a430db4415a4214723f9f8dfb9e6aa
+FROM gcr.io/cloud-marketplace-containers/google/debian11@sha256:196a55bd60c6e7fd35b262fc5ccc6aa1b88491851112f4b07e63d2e79b411386
 
 LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
 

@@ -0,0 +1,42 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use the latest stable golang 1.x to compile to a binary
+FROM --platform=$BUILDPLATFORM golang:1 as build
+
+WORKDIR /go/src/cloud-sql-proxy
+COPY . .
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN go get ./...
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -ldflags "-X github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cmd.metadataString=container.bullseye"
+
+# Final stage
+FROM gcr.io/cloud-marketplace-containers/google/debian11@sha256:196a55bd60c6e7fd35b262fc5ccc6aa1b88491851112f4b07e63d2e79b411386
+
+LABEL org.opencontainers.image.source="https://github.com/GoogleCloudPlatform/cloud-sql-proxy"
+
+RUN apt-get update && apt-get install -y ca-certificates
+# Install fuse and allow enable non-root users to mount
+RUN apt-get update && apt-get install -y fuse && sed -i 's/^#user_allow_other$/user_allow_other/g' /etc/fuse.conf
+# Add a non-root user matching the nonroot user from the main container
+RUN groupadd -g 65532 -r nonroot && useradd -u 65532 -g 65532 -r nonroot
+# Set the uid as an integer for compatibility with runAsNonRoot in Kubernetes
+USER 65532
+
+COPY --from=build --chown=nonroot /go/src/cloud-sql-proxy/cloud-sql-proxy /cloud-sql-proxy
+ENTRYPOINT ["/cloud-sql-proxy"]