All checks were successful
Check / check (pull_request) Successful in 11m41s
- Pin Docker base images to sha256 digests (golang, alpine)
- Pin go install commands to commit SHAs (not version tags)
  - golangci-lint: 5d1e709b7be35cb2025444e19de266b056b7b7ee (v2.10.1)
  - goimports: 009367f5c17a8d4c45a961a3a509277190a9a6f0 (v0.42.0)
- CI workflow was already correctly pinned to commit SHAs

All references now use cryptographic identity, eliminating RCE risk from mutable tags.
39 lines
975 B
Docker
```dockerfile
# Build stage
# golang:1.25-alpine (a Dockerfile comment must start its own line; trailing text on FROM is parsed as arguments)
FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder

RUN apk add --no-cache git make gcc musl-dev

# Install golangci-lint v2
RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# Run all checks - build fails if any check fails
RUN make check

# Build the binary
RUN make build

# Runtime stage
# alpine:3.19
FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1

RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli

WORKDIR /app

COPY --from=builder /src/bin/upaasd /app/upaasd

# Create data directory
RUN mkdir -p /var/lib/upaas

ENV UPAAS_DATA_DIR=/var/lib/upaas

EXPOSE 8080

ENTRYPOINT ["/app/upaasd"]
```
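A check that keeps this pinning from regressing, written here as an added example and not part of the repository: it reports every `FROM` image without a sha256 digest and every `go install ...@ref` whose ref is not a full 40-character commit SHA. The function name `unpinned_refs` and the `TAGGED` sample are assumptions; the sample is constructed from the tag names given in the Dockerfile comments.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")   # immutable image digest
COMMIT = re.compile(r"@[0-9a-f]{40}$")          # full git commit SHA
GO_INSTALL = re.compile(r"\bgo\s+install\s+(?:-\S+\s+)*(\S+)")


def unpinned_refs(dockerfile_text):
    """Return (line_no, kind, ref) for every reference not pinned by hash."""
    findings, stages = [], set()
    for no, raw in enumerate(dockerfile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0].upper() == "FROM":
            args = [w for w in words[1:] if not w.startswith("--")]  # skip --platform=
            if not args:
                continue
            image = args[0]
            # "scratch" and earlier stage names are local: nothing is pulled
            if image != "scratch" and image not in stages and not DIGEST.search(image):
                findings.append((no, "image", image))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2])
            continue
        # Any other line (including RUN continuation lines) may call go install
        for m in GO_INSTALL.finditer(line):
            ref = m.group(1)
            if "@" in ref and not COMMIT.search(ref):
                findings.append((no, "go install", ref))
    return findings


# Constructed sample: the tag-based form that the commit message calls mutable.
TAGGED = """\
FROM golang:1.25-alpine AS builder
RUN go install golang.org/x/tools/cmd/goimports@v0.42.0
FROM alpine:3.19
COPY --from=builder /src/bin/upaasd /app/upaasd
"""

if __name__ == "__main__":
    for no, kind, ref in unpinned_refs(TAGGED):
        print(f"line {no}: unpinned {kind}: {ref}")
```

Run against the Dockerfile in this commit it returns no findings; wiring it into `make check` would fail the build when a tag reappears.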