
Move Docker image to distroless while preserving GoReleaser compatibility #639

@SoulPancake

Description

Problem

Currently, the Docker image is built FROM scratch, which omits CA certificates and causes all HTTPS (TLS) requests to fail with the following error:

tls: failed to verify certificate: x509: certificate signed by unknown authority

This issue occurs even for well-known public endpoints (e.g., https://example.com), making the CLI unusable in Docker for any TLS-enabled OpenFGA deployment.

Steps to Reproduce

  1. Build the CLI binary:
    GOOS=linux GOARCH=amd64 BUILD_DIR=$PWD make build
  2. Build the Docker image:
    docker build --platform=linux/amd64 -t fgacli -f .goreleaser.Dockerfile .
  3. Run with Docker:
    docker run --platform=linux/amd64 -it --rm -v $PWD:/workdir fgacli --debug model write --file /workdir/model.fga --store-id=some-store-id --api-url=https://example.com
  4. Observe the error:
    tls: failed to verify certificate: x509: certificate signed by unknown authority

Solution Attempted

We tried switching to gcr.io/distroless/static:nonroot:

FROM gcr.io/distroless/static:nonroot
COPY fga /fga
ENTRYPOINT ["/fga"]

Benefits of distroless:

  • Includes CA certificates → enables HTTPS out of the box
  • Minimal attack surface, non-root default, small image size
  • Recommended for static Go binaries (per Google)

Complication: GoReleaser Incompatibility

However, when this change was applied, it caused issues during the GoReleaser publishing step:

  • GoReleaser failed to create/push Docker manifests, reporting: is a manifest list error
  • Workarounds exist (e.g., disabling provenance), but are not desirable
  • As a result, the change was reverted to restore release stability

Request

We would like to migrate to a distroless image while preserving GoReleaser release/publishing compatibility. Please investigate a solution or guidance that achieves both goals:

  • Enable HTTPS/TLS support for the Docker image (CA certs included)
  • Ensure multi-platform release via GoReleaser continues to work without errors
  • No workaround that disables provenance or key release features

Additional Context

Failing GoReleaser logs: https://github.com/openfga/cli/actions/runs/22150410982/job/64040133213

  • See earlier PR/discussion for attempted distroless migration and reversion rationale
  • Reference issue relates to both release process robustness and user security/trust using the CLI via Docker
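The failure the issue describes is reproducible offline. The following added example (not the OpenFGA CLI's code, and not part of the issue) spins up a local TLS server standing in for an OpenFGA API and makes the same HTTPS request twice: once with an empty root pool, which is what a Go binary sees inside a FROM scratch image that ships no CA bundle, and once with a pool that trusts the server's issuer, which is what gcr.io/distroless/static provides via /etc/ssl/certs/ca-certificates.crt. It also probes the bundle paths Go's crypto/x509 checks on Linux, so the same binary can report whether it is running in a scratch-like container. The helper names (findCABundle, fetchWithRoots, isUnknownAuthority) and the local server are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// caBundlePaths lists the files Go's crypto/x509 probes for system roots on
// Linux. A FROM scratch image contains none of them; distroless ships
// /etc/ssl/certs/ca-certificates.crt.
var caBundlePaths = []string{
	"/etc/ssl/certs/ca-certificates.crt",
	"/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/ca-bundle.pem",
	"/etc/pki/tls/cacert.pem",
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
	"/etc/ssl/cert.pem",
}

// findCABundle returns the first system CA bundle present on this host, or ""
// when none exists, which is the situation inside a scratch container.
func findCABundle() string {
	for _, p := range caBundlePaths {
		if _, err := os.Stat(p); err == nil {
			return p
		}
	}
	return ""
}

// fetchWithRoots performs an HTTPS GET trusting only the given root pool.
// An empty (non-nil) pool mimics a container with no CA bundle; a nil pool
// would instead fall back to the host's system roots.
func fetchWithRoots(url string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the verification failure quoted in
// the issue ("x509: certificate signed by unknown authority"), unwrapping the
// *url.Error and crypto/tls wrappers that net/http places around it.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	// Constructed local TLS endpoint (hypothetical stand-in for an OpenFGA
	// API). Its certificate is self-signed, so only a pool containing it can
	// verify the chain.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	if p := findCABundle(); p != "" {
		fmt.Println("system CA bundle:", p)
	} else {
		fmt.Println("no system CA bundle found (scratch-like environment)")
	}

	// Scratch-like: no trusted roots at all, so verification must fail.
	err := fetchWithRoots(srv.URL, x509.NewCertPool())
	fmt.Printf("empty root pool: unknownAuthority=%v err=%v\n", isUnknownAuthority(err), err)

	// Distroless-like: the issuing CA (here the server's own cert) is trusted.
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	err = fetchWithRoots(srv.URL, trusted)
	fmt.Printf("trusted root pool: err=%v\n", err)
}
```

Running the binary inside a container built from the two Dockerfiles under discussion (scratch versus distroless) makes the difference concrete: the first print line reports whether a bundle exists, and the empty-pool request reproduces the exact error class from the issue regardless of host state, since it never consults system roots.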
