Thank you for contributing to the ioFog NATS wrapper image (github.com/eclipse-iofog/nats-server). The wrapper binary is iofog-nats; it execs upstream nats-server v2.14.3 as a child process with config watch, JWT sync, JetStream reconcile, and claims push.
The same codebase is maintained on two GitHub remotes. CI variables select the registry and OCI labels per repo; wrapper code does not branch on product name.
| Variable | eclipse-iofog/nats-server | Datasance/nats-server |
|---|---|---|
IMAGE_REGISTRY |
ghcr.io/eclipse-iofog |
ghcr.io/datasance |
NATS_CONTAINER_IMAGE |
ghcr.io/eclipse-iofog/nats |
ghcr.io/datasance/nats |
OCI_SOURCE_REPO |
https://github.com/eclipse-iofog/nats-server |
https://github.com/Datasance/nats-server |
NATS_DISTRIBUTION |
iofog |
datasance |
NATS_GITHUB_REPO |
eclipse-iofog/nats-server |
Datasance/nats-server |
Set these under Settings → Actions → Variables on each repo (Plan 8 bootstrap). When unset, .github/actions/set-build-env derives defaults from github.repository.
Development flow: implement on Datasance/nats-server develop, open a PR to eclipse-iofog/nats-server develop. Integration branch is develop (not main for daily work).
git remote add upstream https://github.com/eclipse-iofog/nats-server.git
git remote add datasance https://github.com/Datasance/nats-server.gitPush feature branches to datasance; merge target upstream is upstream develop.
Feature branches: nats-server/<plan>-<slug> (e.g. nats-server/03-ci, nats-server/07-docs).
Run from the repository root before opening a pull request:
make fmt-check
make lint # golangci-lint — zero issues required
make test
make security-code # gosec on ./cmd/... ./internal/...
make vulncheck # govulncheck + go mod verifyCI runs the same gates on PR and push to develop, plus a Docker runtime smoke test on all four platforms (build, start with test/fixtures/ci/server.conf, verify /healthz from host and in-container curl).
- Target
developwith a focused description and test notes. - Update CHANGELOG.md under
[Unreleased]for user-facing changes that ship before the next tagged release. - Preserve wrapper integration contracts documented in README.md: child exec of nats-server, SIGHUP reload (leaf: SIGHUP for TLS only, SIGINT+restart otherwise), JWT sync, JetStream purge, claims push, and the
NATS_*env contract. - Do not add product-specific runtime env vars (
IOFOG_*,POT_*,NATS_DISTRIBUTIONin Go code). - Do not rename the workload label
iofog-natsor the wrapper binary name.
Production Dockerfiles pin base images by digest:
Dockerfile—golang:1.26.4-alpine, UBI 9 minimal/micro (amd64/arm64).Dockerfile.edge—golang:1.26.4-alpine,alpine:3.22(arm/v7, riscv64).
When bumping a base image:
- Pull the new tag and note its
sha256:digest. - Update the
FROM ...@sha256:...line in the relevant Dockerfile(s). - Update the matching comment line above each
FROM(edgelet pattern — digest documented in comment and pin). - Rebuild locally:
make docker-buildand/ordocker buildx build -f Dockerfile.edge .... - Confirm CI docker-build-smoke job passes on your PR.
Workflows SHA-pin third-party actions with a version comment (e.g. # v4). When upgrading an action:
- Find the release tag’s full commit SHA on GitHub.
- Replace
uses: org/action@<sha> # vX.Y.Zin.github/workflows/*.yml. - Keep
permissions: read-allon CI workflows; release publish job alone usespackages: write.
- Bump
goingo.modandGO_VERSIONin workflows together. - Pin embedded server with
go install github.com/nats-io/nats-server/v2@vX.Y.Zin Dockerfiles; align git tag and CHANGELOG with that version.
Container images publish only on v* git tags (not ordinary develop pushes). For dual-mirror releases:
- Merge to
developon both remotes at the same SHA. - Create identical annotated tags (e.g.
v2.14.3) on both remotes and push. - Verify both release.yml workflows succeed and tags
:semver,:latest,:mainexist on each registry.
Record published image digests in CHANGELOG release notes when tagging.
Report vulnerabilities privately — do not file public issues for exploitable findings.
Open a GitHub issue for bugs and feature discussion.