fix: add Docker API version negotiation to prevent client/daemon mismatch

[AlexKantor87]

Summary

• Add client.WithAPIVersionNegotiation() to all 8 Docker client creation sites across 3 files
• In internal/docker/docker.go, extract a newDockerClient() helper to centralise the option so it cannot be accidentally omitted in future call sites
• Add regression test TestNewDockerClientNegotiatesAPIVersion that verifies the client can Ping the daemon and the negotiated API version does not exceed the server maximum

Root cause

The Dependabot bump of github.com/docker/docker from v28.0.4 → v28.3.2 changed the SDK's default API version from 1.48 to 1.51. GitHub Actions ubuntu-24.04 runners ship Docker Engine 28.0.4 (max API 1.48), so every kosli attest with --artifact-type docker fails with:

Error response from daemon: client version 1.51 is too new. Maximum supported API version is 1.48

This breaks the server master pipeline — all attestation steps fail, the trail is non-compliant, and deployments are blocked.

Impact

Blocked: kosli-dev/server master branch (run #23892447496) — 5 attestations MISSING (snyk-scan, lint-src, lint-tests, validate-openapi, system-test). Both v2.14.0 and v2.15.0 are affected.

Fix

WithAPIVersionNegotiation() makes the Docker client auto-downgrade its API version to match whatever the daemon supports, as recommended by Docker's documentation. This is a one-line change per call site, and makes the CLI resilient against any future SDK-to-Engine version gap.

Files changed

File	Change
internal/docker/docker.go	Extract newDockerClient() helper with negotiation; replace 6 inline NewClientWithOpts calls
internal/digest/digest.go	Add WithAPIVersionNegotiation() to DockerImageSha256()
cmd/kosli/snapshotDocker.go	Add WithAPIVersionNegotiation() to CreateDockerArtifactsData()
internal/docker/docker_test.go	Add TestNewDockerClientNegotiatesAPIVersion regression test

Test plan

• Existing Docker integration tests pass (pull, push, tag, remove, run container)
• New TestNewDockerClientNegotiatesAPIVersion passes — verifies Ping succeeds and negotiated version ≤ server max
• After release, update kosli-dev/server to use the new CLI version and confirm the pipeline goes green

🤖 Generated with Claude Code

[claude]

Claude finished @AlexKantor87's task in 2m 4s —— View job

---

PR Review: Docker API version negotiation

• Phase 1: Static analysis (go build, go vet, go mod tidy)
• Phase 2: Read and review changed files
• Phase 3: Post inline comments and summary

---

Static Analysis

All checks pass: go build ./..., go vet ./..., and go mod tidy produce no issues.

Summary

The fix is correct and well-motivated. WithAPIVersionNegotiation() is Docker's recommended approach and solves the SDK-to-Engine version gap cleanly. Removing the DOCKER_API_VERSION pin from CI is the right follow-up.

Issues

1. Centralisation is incomplete (main concern)

The newDockerClient() helper in internal/docker/docker.go centralises the negotiation option for the 6 call sites in that file — good. However, 2 of the 8 total call sites (snapshotDocker.go:91 and digest.go:254) still construct the client inline with client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation()).

This means a future contributor could add a new call site in digest.go or cmd/kosli/ without the negotiation option and re-introduce the bug. To fully deliver on the stated centralisation goal, consider exporting the helper as docker.NewDockerClient() and calling it from all sites. See inline comment.

2. Unrelated whitespace change (digest.go:326)

A trailing-space removal on a comment line. Harmless but adds noise to the diff. See inline comment.

3. No regression test

The PR description mentions TestNewDockerClientNegotiatesAPIVersion but it was dropped in commit 09981bd. The existing test suite in docker_test.go exercises the functions that now go through newDockerClient(), so integration coverage is preserved indirectly. A dedicated unit test verifying that newDockerClient() returns a client with negotiation enabled would be nice but isn't strictly necessary — the existing tests will fail if negotiation breaks.

What's good

• Clean extraction of the newDockerClient() helper with a clear doc comment explaining why negotiation is needed
• Removing the CI DOCKER_API_VERSION pin — this was a workaround masking the real problem
• Minimal, focused changes to production code (one-line addition per call site)

[claude]

Nit: this line only has a trailing-whitespace change (removed a trailing space from the comment). Not harmful, but it's unrelated to the fix — consider dropping it to keep the diff focused on the version-negotiation change.

[claude]

This call site and DockerImageSha256 in internal/digest/digest.go still use client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation()) directly instead of going through the new newDockerClient() helper.

The PR description says the helper was introduced to "centralise the option so it cannot be accidentally omitted in future call sites," but these two call sites don't use it. Consider one of:

1. Make newDockerClient() exported (NewDockerClient()) and call it from here and digest.go.
2. Or accept the duplication and document the pattern in a comment.

Option 1 would fully deliver on the stated goal of centralisation.

Suggested change

	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
	cli, err := docker.NewDockerClient()

[claude]

Minor: LessOrEqual does a lexicographic comparison on strings like "1.48" vs "1.51". This works for the current version scheme (single-digit major, two-digit minor) but would break if versions ever reach "1.100" (lexicographically "1.100" < "1.48").

Not urgent — Docker API versions have been incrementing slowly — but worth a comment or a numeric comparison for robustness.

[claude]

The old test also verified the error case (RunDockerContainer("not-existing-image")), which has been dropped. Consider adding it back as a table-driven subtest to maintain coverage of the error path.

[claude]

This call site and DockerImageSha256 in internal/digest/digest.go still construct the client inline rather than going through the newDockerClient() helper introduced in internal/docker/docker.go.

The PR description says the helper was introduced to "centralise the option so it cannot be accidentally omitted in future call sites," but two out of eight call sites don't use it. Consider exporting the helper as docker.NewDockerClient() and calling it from here and digest.go to fully deliver on that centralisation goal.

Suggested change

	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
	cli, err := docker.NewDockerClient()

[claude]

Nit: LessOrEqual on strings does a lexicographic comparison. This works for current Docker API versions (e.g. "1.48" vs "1.51") but would give a wrong result if versions ever reach "1.100" ("1.100" < "1.48" lexicographically). Not urgent since Docker API versions increment slowly, but worth a brief comment noting the assumption.

[claude]

Nit: this line is a whitespace-only change (trailing space removed from the comment). Not harmful, but unrelated to the fix — consider dropping it to keep the diff focused.

[claude]

This call site still constructs the Docker client inline rather than going through the newDockerClient() helper introduced in internal/docker/docker.go.

The PR description says the helper was introduced to "centralise the option so it cannot be accidentally omitted in future call sites," but this site (and DockerImageSha256 in digest.go) don't use it. Consider exporting the helper as docker.NewDockerClient() and calling it from both locations:

Suggested change

	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
	cli, err := docker.NewDockerClient()

This would require adding the import and renaming/exporting the helper, but it fully delivers on the centralisation goal and prevents future drift.

[claude]

Nit: this line is a whitespace-only change (trailing space removed from the comment). Not harmful, but unrelated to the fix — consider dropping it to keep the diff focused.