pixa/Dockerfile
clawbot 5ca64a37ce
fix: detect architecture for golangci-lint download in Docker build
The golangci-lint binary was hardcoded as linux-amd64, causing Docker builds
to fail on arm64 hosts. The amd64 ELF binary cannot execute on aarch64,
producing a misleading shell syntax error during make check.

Use uname -m to detect the container architecture at build time and download
the matching binary. Both amd64 and arm64 SHA-256 hashes are pinned.

Closes #15
2026-02-25 06:12:47 -08:00


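# Build stage
# golang:1.25.4-alpine, 2026-02-25
# The base image is pinned by digest; the tag is informational only. When
# bumping, change the tag, the digest and the date comment together.
FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder

# Install build dependencies for CGO image libraries
# (curl is only used to fetch golangci-lint below)
RUN apk add --no-cache \
        build-base \
        curl \
        libheif-dev \
        pkgconfig \
        vips-dev

# golangci-lint v2.10.1, 2026-02-25
# SHA-256 checksums per architecture (amd64 / arm64)
#
# The archive is verified against a pinned hash before it is unpacked, so a
# tampered or substituted release asset fails the build instead of running
# during `make check`. When bumping the version, update LINT_VERSION and BOTH
# hashes in the same change.
#
# Only architectures that have a pinned hash are accepted. Anything else
# aborts with an explicit message rather than silently falling back to the
# amd64 binary, which cannot execute there.
#
# The checksum line uses the "<hash>  <path>" form (two spaces) that
# `sha256sum -c` parses.
RUN set -eu; \
    LINT_VERSION="2.10.1"; \
    ARCH="$(uname -m)"; \
    case "$ARCH" in \
        aarch64|arm64) \
            GOARCH="arm64"; \
            HASH="6652b42ae02915eb2f9cb2a2e0cac99514c8eded8388d88ae3e06e1a52c00de8"; \
            ;; \
        x86_64|amd64) \
            GOARCH="amd64"; \
            HASH="dfa775874cf0561b404a02a8f4481fc69b28091da95aa697259820d429b09c99"; \
            ;; \
        *) \
            echo "unsupported architecture for golangci-lint download: ${ARCH}" >&2; \
            exit 1; \
            ;; \
    esac; \
    curl -sSfL "https://github.com/golangci/golangci-lint/releases/download/v${LINT_VERSION}/golangci-lint-${LINT_VERSION}-linux-${GOARCH}.tar.gz" -o /tmp/golangci-lint.tar.gz && \
    echo "${HASH}  /tmp/golangci-lint.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/golangci-lint.tar.gz -C /tmp && \
    mv "/tmp/golangci-lint-${LINT_VERSION}-linux-${GOARCH}/golangci-lint" /usr/local/bin/ && \
    rm -rf /tmp/golangci-lint*

WORKDIR /src

# Copy go mod files first for better layer caching
# NOTE(review): GOTOOLCHAIN=auto allows the go/toolchain line in go.mod to
# fetch a newer Go toolchain than the one in the digest-pinned image; keep
# go.mod in step with the image tag if the pinned compiler is meant to be the
# one that builds the release.
COPY go.mod go.sum ./
RUN GOTOOLCHAIN=auto go mod download

# Copy source code
# NOTE(review): this copies the whole build context; confirm a .dockerignore
# keeps .git, local configs and any key material out of the builder layers.
COPY . .

# VERSION is declared this late so that changing it does not invalidate the
# dependency and tooling layers above; it is still in scope for the two RUN
# steps below.
ARG VERSION=dev

# Run all checks (fmt-check, lint, test)
RUN make check

# Build with CGO enabled
RUN CGO_ENABLED=1 GOTOOLCHAIN=auto go build -ldflags "-X main.Version=${VERSION}" -o /pixad ./cmd/pixad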
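# Runtime stage
# alpine:3.21, 2026-02-25
# Pinned by digest; update the tag, digest and date comment together.
FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709

# Install runtime dependencies only
RUN apk add --no-cache \
        ca-certificates \
        libheif \
        tzdata \
        vips

# Create non-root user, config directory, and data directory
# This runs before the binary is copied so the layer stays cached when only
# the binary changes. Only /var/lib/pixa is handed to the service user;
# /etc/pixa stays root-owned.
# NOTE(review): adduser assigns the next free UID. Runtimes that enforce
# non-root by numeric UID (e.g. Kubernetes runAsNonRoot) cannot verify a named
# USER, so consider pinning an explicit UID here and in USER.
RUN adduser -D -H -s /sbin/nologin pixad && \
    mkdir -p /var/lib/pixa /etc/pixa && \
    chown pixad:pixad /var/lib/pixa

# Copy binary from builder
COPY --from=builder /pixad /usr/local/bin/pixad

# Copy default config (edit signing_key before use)
# The example file ships inside the image, so whatever signing_key value it
# contains is known to anyone who can pull the image or read the repository.
# Supply a real config with a unique key at deploy time (for example by
# mounting it over /etc/pixa/config.yml) instead of baking a secret into a
# derived image. COPY without --chown leaves the file owned by root, so the
# service user cannot rewrite it.
COPY config.example.yml /etc/pixa/config.yml

# Drop privileges for everything that runs in the container.
USER pixad
WORKDIR /var/lib/pixa

# Documentation only; 8080 is above 1024, so the non-root user can bind it.
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]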