Refactor CLI to modular architecture, add linted CI, multi-arch builds, and tag-based releases

[Duke1715]

Summary

This PR refactors the CLI from a single procedural main into a modular, testable design and introduces robust CI/release automation. It keeps the same CLI surface (start|stop|restart|update), but significantly improves structure, error handling, and security posture.

Key Go code changes

• New package structure:
  • app/ top-level application orchestration (Application).
  • app/commands/ command routing and execution of docker compose.
  • app/services/ secret retrieval and response parsing.
  • app/environment/ environment variable validation and accessors.
  • app/client/ HTTP client (resty) with typed header constants.
  • app/models/ typed models for Vault KV v2 responses.
• Execution flow:
  • Before: monolithic dcs.go did argument parsing, HTTP calls, JSON parsing, and docker compose execution inline.
  • After: dcs.go wires services; Application delegates to commands.Service; secrets fetched via SecretService and injected into exec.Cmd env.
• Environment handling:
  • Now strictly validates required env vars at startup via environment.Service.
  • Uses explicit VAULT_PATH instead of deriving the path from the binary’s directory name.
• HTTP client:
  • Introduced resty to simplify HTTP requests and headers management.
  • Added HeaderVaultTokenName constant; guarded with //nolint:gosec as it’s not a credential.
• Response parsing:
  • Typed structs in app/models and dedicated JSON parsing with semantic error handling (errors array, missing data).
• Docker compose execution:
  • Helper to build exec.Cmd, inject env, and run with inherited stdio.
  • update pulls images, then restart is executed automatically at the application level.
• Error handling & logging:
  • Early validation (guard clauses), log.Fatal on irrecoverable states, clear messages when no secrets found.
• Lint-driven fixes:
  • fmt.Errorf used instead of errors.New(fmt.Sprintf(...)).
  • Gosec suppression only for non-secret header name.

Behavior changes (user-facing)

• Required env vars: VAULT_ADDR, VAULT_TOKEN, and now explicitly VAULT_PATH (previously the path was implicitly derived from executable directory name). This is a deliberate change for clarity and portability.
• update performs docker compose pull and then restarts the stack.
• When no secrets are present, the app logs a message and continues without secrets (consistent with previous UX but clearer).

CI and release automation

• CI (.github/workflows/go.yml):
  • Runs build + tests + golangci-lint on push and pull_request.
  • Includes Go module caching.
• Dependency review:
  • Runs only on pull_request to avoid base/head ref errors on push.
• Binaries on main:
  • slsa-goreleaser.yml builds matrix artifacts for linux/darwin on amd64/arm64 and uploads them as workflow artifacts.
• Releases:
  • Proper .goreleaser.yaml (not a workflow) with CGO_ENABLED=0, -trimpath, -s -w, archives and checksums.
  • Tag-driven release workflow (release.yml) on tags v*, GoReleaser action pinned to v1.26.2.
  • Homebrew tap publishing removed for now (can re-enable when token/repo are ready).

Why

• Improve maintainability and testability via clear separation of concerns.
• Enforce code quality and security scanning.
• Provide deterministic, multi-arch binaries and straightforward tag-based releases.

Risks and mitigations

• Behavior change: explicit VAULT_PATH required. Mitigated with README Usage docs and clear error message.
• New dependency resty: mature, widely used; impact limited to HTTP client.
• Auto-restart after update: aligns with operational expectations; documented.

How to test

• Lint & tests: open a PR → CI runs.
• Binaries: push to main → check “Build binaries on master” artifacts.
• Release: create a tag v1.1 (or vX.Y.Z) → GoReleaser publishes archives and checksums.

Docs

• README updated with Usage: required env vars (VAULT_ADDR, VAULT_TOKEN, VAULT_PATH), commands, and examples (export and one-liner).

[Copilot]

Pull Request Overview

This PR refactors the CLI from a monolithic procedural design into a modular, testable architecture while maintaining the same command-line interface. It introduces robust CI/CD pipelines with linting, multi-architecture builds, and automated tag-based releases.

Key changes:

• Restructured code into separate packages (app/, app/commands/, app/services/, app/environment/, app/client/, app/models/) for better separation of concerns
• Replaced manual HTTP handling with the resty library for cleaner HTTP client implementation
• Changed from implicit path derivation (from executable directory) to explicit VAULT_PATH environment variable requirement
• Added comprehensive CI workflows including linting, dependency review, multi-arch binary builds, and GoReleaser-based releases

Reviewed Changes

Copilot reviewed 19 out of 25 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
go.mod	Updated Go version to 1.22 and added resty dependency
dcs.go	Refactored from monolithic main to modular service orchestration
app/app.go	New application orchestration layer with command routing
app/commands/commands.go	Command execution logic with docker compose integration
app/services/secrets.go	Secret retrieval service with Vault KV v2 API integration
app/models/get_secrets_result.go	Typed models for Vault API responses
app/environment/environment.go	Environment variable validation and accessor service
app/client/http_client.go	HTTP client wrapper using resty with header management
README.md	Added comprehensive usage documentation with examples
.goreleaser.yaml	GoReleaser configuration for release automation
.golangci.yml	Linter configuration with enabled rules
.github/workflows/go.yml	CI workflow for build, test, and lint
.github/workflows/release.yml	Tag-based release workflow
.github/workflows/slsa-goreleaser.yml	Multi-arch binary builds on main branch
.github/workflows/dependency-review.yml	Dependency security scanning for pull requests
.slsa-goreleaser/*.yml	SLSA build configurations for various OS/arch combinations

Files not reviewed (4)

• .idea/.gitignore: Language not supported
• .idea/docker-compose-secrets.iml: Language not supported
• .idea/modules.xml: Language not supported
• .idea/vcs.xml: Language not supported

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}