chore: update Dockerfiles and deployment workflow for improved compatibility and CORS handling

- Upgraded Go version in Dockerfiles from 1.24 to 1.26 for better performance and security.
- Modified deployment workflow to disable OCI provenance and SBOM to prevent Lambda image issues.
- Enhanced CORS middleware to set the "Vary" header and changed OPTIONS response status to 200 for better browser compatibility.
- Updated tests to reflect changes in CORS handling.

Author: rithulkamesh

.github/workflows/deploy.yml

@@ -147,6 +147,9 @@ jobs:
           context: api
           platforms: linux/arm64
           push: true
+          # OCI index + attestation manifests break Lambda (InvalidImage / inactive function).
+          provenance: false
+          sbom: false
           tags: |
             ${{ steps.ecr-login.outputs.registry }}/devsper-registry-api:latest
             ${{ steps.ecr-login.outputs.registry }}/devsper-registry-api:${{ github.sha }}
@@ -160,6 +163,8 @@ jobs:
           context: web
           platforms: linux/arm64
           push: true
+          provenance: false
+          sbom: false
           tags: |
             ${{ steps.ecr-login.outputs.registry }}/devsper-registry-web:latest
             ${{ steps.ecr-login.outputs.registry }}/devsper-registry-web:${{ github.sha }}

api/Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: builder
-FROM golang:1.24-alpine AS builder
+FROM golang:1.26-alpine AS builder
 RUN apk add --no-cache ca-certificates git
 WORKDIR /app
 COPY go.mod go.sum ./

api/Dockerfile.lambda

@@ -4,7 +4,7 @@
 
 ARG BUILDPLATFORM
 # Stage 1: builder (native platform so no exec format error on amd64 runners)
-FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder
 RUN apk add --no-cache ca-certificates git
 WORKDIR /app
 COPY go.mod go.sum ./

api/internal/middleware/cors.go

@@ -27,12 +27,16 @@ func CORSWithAllowlist(allowedOrigins ...string) func(next http.Handler) http.Ha
 			if origin != "" && allowed[origin] {
 				w.Header().Set("Access-Control-Allow-Origin", origin)
 				w.Header().Set("Access-Control-Allow-Credentials", "true")
+				// Required when reflecting Origin so caches (e.g. CloudFront) do not serve one
+				// origin’s CORS headers to another.
+				w.Header().Add("Vary", "Origin")
 			}
 			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
 			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With, Accept, X-API-Key")
 			w.Header().Set("Access-Control-Max-Age", "86400")
 			if r.Method == http.MethodOptions {
-				w.WriteHeader(http.StatusNoContent)
+				// 200 is more widely treated as a successful preflight than 204 by browsers and proxies.
+				w.WriteHeader(http.StatusOK)
 				return
 			}
 			next.ServeHTTP(w, r)

api/internal/middleware/middleware_test.go

@@ -22,12 +22,15 @@ func TestCORSWithAllowlist_AllowedOrigin(t *testing.T) {
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 
-	if rr.Code != http.StatusNoContent {
-		t.Errorf("expected 204 for OPTIONS, got %d", rr.Code)
+	if rr.Code != http.StatusOK {
+		t.Errorf("expected 200 for OPTIONS, got %d", rr.Code)
 	}
 	if got := rr.Header().Get("Access-Control-Allow-Origin"); got != "http://localhost:3000" {
 		t.Errorf("Allow-Origin = %q, want %q", got, "http://localhost:3000")
 	}
+	if got := rr.Header().Get("Vary"); got != "Origin" {
+		t.Errorf("Vary = %q, want %q", got, "Origin")
+	}
 	if got := rr.Header().Get("Access-Control-Allow-Credentials"); got != "true" {
 		t.Errorf("Allow-Credentials = %q, want %q", got, "true")
 	}