Problem
Currently, the Docker image is built FROM scratch, which omits CA certificates and causes all HTTPS (TLS) requests to fail with the following error:
tls: failed to verify certificate: x509: certificate signed by unknown authority
This issue occurs even for well-known public endpoints (e.g., https://example.com), making the CLI unusable in Docker for any TLS-enabled OpenFGA deployment.
Steps to Reproduce
- Build the CLI binary:
GOOS=linux GOARCH=amd64 BUILD_DIR=$PWD make build
- Build the Docker image:
docker build --platform=linux/amd64 -t fgacli -f .goreleaser.Dockerfile .
- Run with Docker:
docker run --platform=linux/amd64 -it --rm -v $PWD:/workdir fgacli --debug model write --file /workdir/model.fga --store-id=some-store-id --api-url=https://example.com
- Observe the error:
tls: failed to verify certificate: x509: certificate signed by unknown authority
Solution Attempted
We tried switching to gcr.io/distroless/static:nonroot:
FROM gcr.io/distroless/static:nonroot
COPY fga /fga
ENTRYPOINT ["/fga"]
Benefits of distroless:
- Includes CA certificates → enables HTTPS out of the box
- Minimal attack surface, non-root default, small image size
- Recommended for static Go binaries (per Google)
Complication: GoReleaser Incompatibility
However, when this change was applied, it caused issues during the GoReleaser publishing step:
- GoReleaser failed to create/push Docker manifests, reporting:
is a manifest list error
- Workarounds exist (e.g., disabling provenance), but are not desirable
- As a result, the change was reverted to restore release stability
Request
We would like to migrate to a distroless image while preserving GoReleaser release/publishing compatibility. Please investigate a solution or guidance that achieves both goals:
- Enable HTTPS/TLS support for the Docker image (CA certs included)
- Ensure multi-platform release via GoReleaser continues to work without errors
- No workaround that disables provenance or key release features
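One way to satisfy the first goal without changing the base image the release pipeline already publishes is to keep `FROM scratch` and copy a CA bundle into it from a throwaway build stage. The Dockerfile below is an added example, not the openfga/cli project's own `.goreleaser.Dockerfile`; it assumes the statically linked `fga` binary is already in the build context (as produced by `make build` above), that GoReleaser passes the file to `docker build` unchanged, and that `alpine:3.20` is an acceptable source for the bundle (any image that ships `/etc/ssl/certs/ca-certificates.crt` would do). The path is the first location Go's `crypto/x509` consults on Linux, so no extra configuration is needed in the binary.

```dockerfile
# Added example, not the project's Dockerfile. Assumes `fga` is a static
# Linux binary present in the build context.

# Stage 1: obtain a current CA bundle from a minimal image that has one.
# (alpine:3.20 is an assumed, pinnable source; any image with the bundle works.)
FROM alpine:3.20 AS certs
RUN apk add --no-cache ca-certificates

# Stage 2: keep the scratch base the existing release already uses, but add
# the trust store that Go's crypto/x509 looks for on Linux.
FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY fga /fga

# Run unprivileged. scratch has no /etc/passwd, so a numeric uid:gid is used;
# 65532 mirrors the distroless "nonroot" convention.
USER 65532:65532

ENTRYPOINT ["/fga"]
```

Because the final stage is still `FROM scratch`, the published image keeps the same layer shape as today; only a single file is added. Whether this also avoids the `is a manifest list` error seen with the distroless base has to be confirmed in the GoReleaser workflow itself, since that error surfaced in the manifest step rather than in the image build. A cheap post-build check that does not require a shell inside the image is `docker create --name fgacheck fgacli` followed by `docker cp fgacheck:/etc/ssl/certs/ca-certificates.crt -`; if the copy fails, the bundle is missing and TLS verification will fail exactly as described above.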
Additional Context
Failing GoReleaser logs: https://github.com/openfga/cli/actions/runs/22150410982/job/64040133213
- See earlier PR/discussion for attempted distroless migration and reversion rationale
- This issue relates both to release-process robustness and to the security/trust of users running the CLI via Docker