Dockerfile: split into lint/build/runtime stages with pinned images

- Lint stage: golangci/golangci-lint:v1.64.8 (sha256-pinned) Runs make fmt-check and make lint for fast feedback - Build stage: golang:1.24-bookworm (sha256-pinned, matches go.mod 1.24.0) COPY --from=lint forces BuildKit to run lint stage Runs make test, then make build - Runtime stage: debian:bookworm-slim (sha256-pinned) - All base images updated from ancient versions to current - Removed vendoring/source tarball (per CLAUDE.md: avoid vendoring)
2026-03-02 02:09:14 -08:00 · 2026-03-02 02:09:14 -08:00 · e6d75ed57f
commit e6d75ed57f
parent 3e48b46e3d
1 changed files with 25 additions and 31 deletions
--- a/56
+++ b/56
@ -1,41 +1,35 @@
-## lint image
-FROM golangci/golangci-lint:v1.50.1
-
-RUN mkdir -p /build
-WORKDIR /build
-COPY ./ ./
-RUN golangci-lint run
-
-## build image:
-FROM golang:1.19.3-bullseye AS builder
-
-RUN apt update && apt install -y make bzip2
-
-RUN mkdir -p /build
-WORKDIR /build
-
-COPY go.mod .
-COPY go.sum .
+# Lint stage — fast feedback
+# golangci/golangci-lint:v1.64.8 (2025-03-17)
+FROM golangci/golangci-lint@sha256:2987913e27f4eca9c8a39129d2c7bc1e74fbcf77f181e01cea607be437aa5cb8 AS lint
+WORKDIR /src
+COPY go.mod go.sum ./
 RUN go mod download
+COPY . .
+RUN make fmt-check
+RUN make lint

-COPY ./ ./
-#RUN make lint
-RUN make httpd && mv ./httpd /httpd
-RUN go mod vendor
-RUN tar -c . | bzip2 > /src.tbz2
+# Build stage
+# golang:1.24-bookworm (Go 1.24)
+FROM golang@sha256:1a6d4452c65dea36aac2e2d606b01b4a029ec90cc1ae53890540ce6173ea77ac AS builder
+# Force BuildKit to run the lint stage
+COPY --from=lint /src/go.sum /dev/null
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN make test
+RUN make build && cp ./httpd /httpd

-## output image:
-FROM debian:bullseye-slim AS final
+# Runtime stage
+# debian:bookworm-slim (2025-03)
+FROM debian@sha256:74d56e3931e0d5a1dd51f8c8a2466d21de84a271cd3b5a733b803aa91abf4421 AS final
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /httpd /app/httpd
-COPY --from=builder /src.tbz2 /usr/local/src/src.tbz2
-

 WORKDIR /app
-ENV HOME /app
-
-ENV PORT 8080
-ENV DBURL none
+ENV HOME=/app
+ENV PORT=8080
+ENV DBURL=none

 EXPOSE 8080