Charon/docs/plans/merge-resolution-plan.md

Merge Conflict Resolution Plan: feature/beta-release → main

Plan ID: MERGE-2026-001 Status: 🔄 PENDING Priority: High Created: 2026-01-25

---

🔴 Workflow Failure Analysis (Added 2026-01-25)

Issue Identified: docker-build.yml Failure

Workflow Run: https://github.com/Wikid82/Charon/actions/runs/21326638353

Root Cause: Base image mismatch after Debian Trixie migration (PR #550)

Component	Before Fix	After Fix
Workflow docker-build.yml	debian:bookworm-slim	debian:trixie-slim
Dockerfile CADDY_IMAGE	debian:trixie-slim	debian:trixie-slim ✓

Problem: The workflow step "Resolve Debian base image digest" was still pulling debian:bookworm-slim while the Dockerfile was updated to use debian:trixie-slim. This caused inconsistency in the build.

Fix Applied: Updated .github/workflows/docker-build.yml:

- name: Resolve Debian base image digest
  run: |
    docker pull debian:trixie-slim
    DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' debian:trixie-slim)

---

Summary

This plan addresses merge conflicts in the feature/beta-release branch that need resolution against main. After analyzing all conflicting files, here is the recommended resolution strategy.

---

File Analysis

1. .github/workflows/codeql.yml

Conflict Likelihood: Low-Medium Current State: No visible conflict markers

Key Features in Current Version:

• Go version: 1.25.6
• Forked PR handling (skips when fork == true)
• CodeQL config file: .github/codeql/codeql-config.yml
• SARIF analysis with error/warning/note counting

Resolution Strategy: Accept feature branch changes

• Feature branch likely has updated Go version and security improvements
• Verify GO_VERSION env var matches other workflows after merge

---

2. .github/workflows/docker-build.yml

Conflict Likelihood: Medium Current State: No visible conflict markers

Key Features in Current Version:

• SBOM generation and attestation
• CVE-2025-68156 verification for Caddy/CrowdSec
• Feature branch detection and artifact handling
• Multi-platform builds (amd64/arm64)
• Trivy vulnerability scanning

Resolution Strategy: Accept feature branch changes

• Feature branch contains critical security patches
• Verify image tag logic matches expected patterns
• Confirm SYFT_VERSION and GRYPE_VERSION are current

---

3. Dockerfile

Conflict Likelihood: High (likely PR #550 Debian Trixie migration) Current State: Already using debian:trixie-slim

Key Features in Current Version:

• Base image: debian:trixie-slim (Debian 13 testing)
• Go version: 1.25 (builder stages)
• Caddy version: 2.11.0-beta.2
• CrowdSec version: 1.7.6
• gosu version: 1.17
• Security patches for expr-lang/expr@v1.17.7
• Multi-stage build with cross-compilation helpers

Resolution Strategy: Accept feature branch changes (post-Trixie migration)

• If main still uses bookworm-slim, take feature branch version
• Critical: Preserve all CVE patches (CVE-2025-68156, CVE-2025-58183, etc.)
• Ensure all renovate: comments are preserved for automated updates

---

4. backend/go.sum

Conflict Likelihood: High Current State: 167 packages, no conflict markers

Key Versions Detected:

• golang.org/x/crypto@v0.47.0
• google.golang.org/grpc@v1.75.0
• gorm.io/gorm@v1.31.1
• github.com/gin-gonic/gin@v1.11.0

Resolution Strategy: Regenerate after merge

• Dependency lock files should never be manually merged
• After resolving other conflicts, run:

  cd backend && go mod tidy && go mod download
  

---

5. frontend/package-lock.json ⚠️ (Not backend/)

Conflict Likelihood: High Current State: 7499 lines, lockfileVersion 3

Resolution Strategy: Regenerate after merge

• Delete the file and regenerate:

  cd frontend && rm package-lock.json && npm install
  

---

6. frontend/package.json ⚠️ (Not backend/)

Conflict Likelihood: Medium Current State: Version 0.3.0, no conflict markers

Key Dependencies:

• React: ^19.2.3
• Vite: ^7.3.1
• Playwright: ^1.57.0
• TypeScript: ^5.9.3

Resolution Strategy: Manual review required

• Compare main and feature branch versions
• Keep higher version numbers when there are conflicts
• Ensure no duplicate entries

---

Command Sequence for Resolution

# 1. Ensure you're on the feature branch
git checkout feature/beta-release

# 2. Fetch latest main
git fetch origin main

# 3. Start the merge (this will show conflicts)
git merge origin/main

# 4. For workflow files (if conflicts exist):
# Accept feature branch changes, then verify
git checkout --theirs .github/workflows/codeql.yml
git checkout --theirs .github/workflows/docker-build.yml
git add .github/workflows/

# 5. For Dockerfile (if conflicts exist):
# Accept feature branch (Trixie migration)
git checkout --theirs Dockerfile
git add Dockerfile

# 6. For Go dependencies:
git checkout --theirs backend/go.sum
cd backend && go mod tidy
cd ..
git add backend/go.sum backend/go.mod

# 7. For frontend dependencies:
cd frontend
rm -f package-lock.json
# Manually resolve package.json if needed
npm install
cd ..
git add frontend/package.json frontend/package-lock.json

# 8. Complete the merge
git commit -m "Merge main into feature/beta-release - resolve conflicts"

# 9. Validate
make lint
make test

---

Post-Merge Validation Checklist

• go mod tidy completes without errors
• npm install (frontend) completes without errors
• Docker build succeeds: docker build -t charon:test .
• CI workflows pass on push
• Go version consistent across all workflows (1.25.6)
• Debian Trixie base image in Dockerfile

---

Notes

1. File Path Correction: The conflicting package files are in frontend/, not backend/. The Go backend uses go.mod/go.sum, not npm.

2. Conflict markers not visible: The files read don't show <<<<<<< markers, suggesting either:

   • The merge hasn't been attempted yet
   • Conflicts would appear after running git merge

3. PR #550 Reference: The Dockerfile already shows Trixie migration is complete in the current branch.