Thanks for wanting to help keep this fork alive. The bar is pragmatism, not perfection — small, focused PRs are far more welcome than grand rewrites.
- Devbox — the single tool you need. It pins Go, golangci-lint, gofumpt, gci, go-task, ginkgo, docker, and goreleaser at the exact versions CI uses. No global Go install required; no
GO111MODULEjuggling. - Docker — for integration-style runs via
docker compose up --build.
curl -fsSL https://get.jetify.com/devbox | bash
git clone git@github.com:<yourfork>/watchtower.git
cd watchtower
devbox shell # enters the pinned toolchainEverything runs through go-task inside Devbox — CI uses the same targets, so green locally means green in CI (barring runner flakes):
devbox run -- task # list targets
devbox run -- task deps # go mod download + tidy + vendor
devbox run -- task fmt # gci + gofumpt
devbox run -- task lint # golangci-lint (auto-runs fmt first) — must be 0 findings
devbox run -- task test # full Ginkgo v2 suite with coverage
devbox run -- task build # ./build/watchtowerFocus a single Ginkgo spec:
devbox run -- go test -mod vendor ./internal/actions -v -ginkgo.focus="the update action"Spin up the full stack locally (Watchtower + Prometheus + Grafana + a few demo containers):
docker compose up --build-
devbox run -- task lintpasses with 0 findings. Fix findings rather than suppress them; if an exclusion is justified, edit.golangci.ymlwith a reason, not//nolint. -
devbox run -- task testpasses. Tests use Ginkgo v2 + Gomega — prefer extending the existingDescribe/Itsuites over adding plaintesting.Ttests. -
devbox run -- task buildsucceeds. - You're editing flags in
internal/flags/(the single source of truth) — not inline incmd/. - Commit message is a short imperative ("Fix X when Y" / "Add Z support for W"). No noise like "update code". The full PR description is where the why belongs.
- You haven't reintroduced
github.com/containrrr/watchtoweras a Go import path — the module path isgithub.com/openserbia/watchtower. - Every commit is signed off (
git commit -s) — see Developer Certificate of Origin below. A CI check enforces this on pull requests.
Contributions to this project require a Developer Certificate of Origin sign-off. The DCO is a lightweight, legally meaningful statement — read the full text at https://developercertificate.org/ — that certifies you wrote the patch, or otherwise have the right to submit it under the project's Apache-2.0 license. It is not a copyright assignment.
You sign off by adding a Signed-off-by trailer to each commit message:
Signed-off-by: Your Name <your.email@example.com>
Git adds it for you with the -s flag:
git commit -s -m "Fix X when Y"The name and email must be real and match your commit author identity. If you forgot to sign off, add it retroactively across a branch with:
git rebase --signoff <base>The DCO workflow verifies that every commit in a pull request carries a sign-off; PRs without it will fail the check.
For a deeper tour of the codebase — package boundaries, the Cobra/cron scheduling wiring, how actions.Update orchestrates a run, how the Docker client is mocked — see CLAUDE.md. It's written for AI coding assistants but reads well for humans navigating the project for the first time.
Do not file public issues for security bugs — use GitHub Security Advisories instead. See SECURITY.md for the full policy.
Roles, responsibilities, decision-making, and how to become a maintainer are documented in GOVERNANCE.md.
By participating, you agree to follow the code of conduct.