secret/Dockerfile

# Lint stage — fast feedback on formatting and lint issues
# golangci/golangci-lint v2.1.6 (2026-03-10)
FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download

COPY . .

RUN make fmt-check
RUN make lint

# Build stage — tests and compilation
# golang 1.24.13-alpine (2026-03-10)
FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder

# Force BuildKit to run the lint stage
COPY --from=lint /src/go.sum /dev/null

RUN apk add --no-cache gcc musl-dev make git gnupg

WORKDIR /build
COPY go.mod go.sum ./
RUN go mod download

COPY . .

RUN make test
RUN make build

# Runtime stage
# alpine 3.23 (2026-03-10)
FROM alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659

RUN apk add --no-cache ca-certificates gnupg

RUN adduser -D -s /bin/sh secret

COPY --from=builder /build/secret /usr/local/bin/secret
RUN chmod +x /usr/local/bin/secret

USER secret
WORKDIR /home/secret

ENTRYPOINT ["secret"]