Use this checklist before publishing a tag and after the image is available in GHCR.
Run locally from a clean worktree:

```sh
go test ./...
go test -race -count=1 ./...
go vet ./...
golangci-lint run
govulncheck ./...
kubectl kustomize manifests/overlays/production
```

Check the rendered production overlay:
- image is pinned and does not use `:latest`,
- `PROD_MODE=true`, `REDIS_REQUIRED=true`, `PKCE_REQUIRED=true`, `RENDER_CONSENT_PAGE=true` (default; explicit in the overlay so a prior `=false` override is loud at release time),
- metrics port is reachable only through NetworkPolicy,
- Redis egress points at the intended managed/operator Redis endpoint,
- pod security context remains non-root with dropped capabilities.
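The overlay checks above can be scripted so they run the same way on every release. The script below is an added example, not the project's own tooling: it greps and awks the YAML that `kubectl kustomize` renders and reports each failing item. Assumptions: block-style YAML as kustomize emits it, the env var names from the checklist, a caller-supplied Redis endpoint string to look for, and a hypothetical `REDIS_ADDR` variable in the constructed sample overlay embedded for the stand-alone run.

```sh
#!/bin/sh
# Added example (not part of the project). Against the real overlay:
#   kubectl kustomize manifests/overlays/production > /tmp/rendered.yaml
#   check_rendered_overlay /tmp/rendered.yaml redis-prod.example.internal

# Print the literal value of env var $2 in file $1 (first match).
# Entries that use valueFrom print nothing, so they fail the "true" check.
env_value() {
  awk -v n="$2" '
    $1 == "-" && $2 == "name:" && $3 == n { want = 1; next }
    want && $1 == "value:" { v = $2; gsub(/"/, "", v); print v; exit }
    want && $1 == "-" { want = 0 }
  ' "$1"
}

# Return 0 when every check passes; print each failing check and return 1 otherwise.
check_rendered_overlay() {
  file=$1
  redis_endpoint=$2
  rc=0

  # 1. Every image carries an explicit tag or digest, and never :latest.
  for img in $(grep -E '^[[:space:]]*(- )?image:' "$file" | sed 's/^[^:]*:[[:space:]]*//; s/"//g'); do
    case "$img" in *@sha256:*) continue ;; esac   # digest-pinned is fine
    case "${img##*/}" in
      *:latest) echo "FAIL image uses :latest: $img"; rc=1 ;;
      *:*) ;;
      *) echo "FAIL image is not pinned: $img"; rc=1 ;;
    esac
  done

  # 2. Production flags are explicit and true, so a stray =false override is loud.
  for name in PROD_MODE REDIS_REQUIRED PKCE_REQUIRED RENDER_CONSENT_PAGE; do
    v=$(env_value "$file" "$name")
    [ "$v" = true ] || { echo "FAIL $name is '${v:-unset}', expected true"; rc=1; }
  done

  # 3. A NetworkPolicy is rendered; metrics and Redis reachability are governed there.
  grep -q '^kind: NetworkPolicy' "$file" || { echo "FAIL no NetworkPolicy rendered"; rc=1; }

  # 4. The intended Redis endpoint is referenced somewhere in the output (coarse check).
  if [ -z "$redis_endpoint" ] || ! grep -qF -- "$redis_endpoint" "$file"; then
    echo "FAIL Redis endpoint '${redis_endpoint:-<none>}' not referenced"; rc=1
  fi

  # 5. Pod runs non-root and drops all capabilities (block-style drop list assumed).
  grep -q 'runAsNonRoot: true' "$file" || { echo "FAIL runAsNonRoot is not true"; rc=1; }
  awk '
    /^[[:space:]]*drop:/ { d = 1; next }
    d && /^[[:space:]]*-/ { v = $2; gsub(/"/, "", v); if (v == "ALL") ok = 1; next }
    d { d = 0 }
    END { if (ok) exit 0; exit 1 }
  ' "$file" || { echo "FAIL capabilities.drop does not include ALL"; rc=1; }

  return $rc
}

# Constructed sample of what kustomize might render; NOT the project's real overlay.
sample_overlay() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        - name: proxy
          image: ghcr.io/babs/mcp-auth-proxy:1.2.3
          env:
            - name: PROD_MODE
              value: "true"
            - name: REDIS_REQUIRED
              value: "true"
            - name: PKCE_REQUIRED
              value: "true"
            - name: RENDER_CONSENT_PAGE
              value: "true"
            - name: REDIS_ADDR
              value: "redis-prod.example.internal:6379"
          securityContext:
            capabilities:
              drop:
                - ALL
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
spec:
  podSelector:
    matchLabels:
      app: mcp-auth-proxy
  policyTypes: [Ingress, Egress]
EOF
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
sample_overlay > "$tmp"
if check_rendered_overlay "$tmp" redis-prod.example.internal; then
  echo "preflight passed"
fi
rm -f "$tmp"
```

Run it against the real rendered overlay and treat any `FAIL` line as a release blocker; the Redis check is deliberately coarse (a substring match), so pair it with a look at the actual egress rule in the rendered NetworkPolicy.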
Use a semver tag with a leading v:
```sh
git tag v1.2.3
git push origin v1.2.3
```

The release workflow publishes image tags without the leading v
(ghcr.io/babs/mcp-auth-proxy:1.2.3).
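A small tag sanity check, added here as an example rather than taken from the project: it rejects a tag that is not `v` plus a semver version before anything is pushed, and derives the image reference and the exact certificate identity that the cosign step below will need to match. Assumed: the GHCR repository and workflow path are the ones shown on this page, and the workflow strips only the leading `v` (any pre-release suffix is kept as-is, which this page does not state).

```sh
#!/bin/sh
# Added example, not the project's own release tooling.
IMAGE_REPO=ghcr.io/babs/mcp-auth-proxy
WORKFLOW_ID='https://github.com/babs/mcp-auth-proxy/.github/workflows/release.yml'

# Return 0 only for vMAJOR.MINOR.PATCH with an optional pre-release suffix.
is_release_tag() {
  printf '%s\n' "$1" | grep -Eq '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?$'
}

# Print the image reference the release workflow publishes: leading v stripped.
image_ref_for_tag() {
  is_release_tag "$1" || return 1
  printf '%s:%s\n' "$IMAGE_REPO" "${1#v}"
}

# Print the exact Fulcio certificate identity for that tag, for use with
# --certificate-identity instead of the broader --certificate-identity-regexp.
signing_identity_for_tag() {
  is_release_tag "$1" || return 1
  printf '%s@refs/tags/%s\n' "$WORKFLOW_ID" "$1"
}

# Stand-alone demo on constructed tags: one valid, one missing the v, one too short.
for t in v1.2.3 1.2.3 v1.2; do
  if ref=$(image_ref_for_tag "$t"); then
    echo "ok     $t -> $ref ($(signing_identity_for_tag "$t"))"
  else
    echo "reject $t (not a v-prefixed semver tag)"
  fi
done
```

Use `image_ref_for_tag "$TAG"` in whatever wrapper runs `git tag`, so a typo such as `1.2.3` is caught before it reaches the remote, where the signing identity regexp anchored on `refs/tags/v` would never match it.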
Verify the published image signature:
```sh
cosign verify \
  --certificate-identity-regexp '^https://github\.com/babs/mcp-auth-proxy/\.github/workflows/release\.yml@refs/tags/v' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/babs/mcp-auth-proxy:1.2.3
```

Inspect provenance and SBOM:
```sh
docker buildx imagetools inspect ghcr.io/babs/mcp-auth-proxy:1.2.3 \
  --format '{{json .Provenance}}' | jq
docker buildx imagetools inspect ghcr.io/babs/mcp-auth-proxy:1.2.3 \
  --format '{{json .SBOM}}' | jq
```

Record any manually run IdP compatibility checks in docs/conformance.md.