deps: update docker images

Signed-off-by: Dmitry Kharitonov <[email protected]>

Dockerfile

@@ -6,7 +6,7 @@
 # BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
 # Represents the plataform where the build is happening, do not mix with
 # TARGETARCH
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:18-alpine3.18@sha256:435dcad253bb5b7f347ebc69c8cc52de7c912eb7241098b920f2fc2d7843183d as stage1
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:18.19.0-alpine3.18@sha256:4bdb3f3105718f0742bc8d64bb4e36e8f955ebbee295325e40ae80bc8ef78833 as stage1
 RUN apk add bash
 WORKDIR /app
 
@@ -26,5 +26,8 @@ COPY . .
 ARG NODE_ENV=production
 RUN npm run build
 
-FROM docker.io/nginxinc/nginx-unprivileged:1.25-alpine3.18@sha256:428e086ab26adf52ac6486ac525d5ad06122c1cb5e0a8e0e5e781c47dcf62996
+FROM docker.io/nginxinc/nginx-unprivileged:1.25.3-alpine3.18-slim@sha256:57a630cf4a357007959cac5b8a6d91ff381a55699b31545792fa9b88b26c5f5c
+USER root
+RUN apk upgrade --no-cache
+USER 101
 COPY --from=stage1 /app/server/public /app

backend/Dockerfile

@@ -3,38 +3,28 @@
 # Copyright 2021 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-ARG GOLANG_IMAGE=docker.io/library/golang:1.21-bullseye@sha256:31848c4f02b08469e159ea1ee664a3f29602418b13e7d67dfd4560d169e14d55
+# skopeo inspect --override-os linux docker://docker.io/library/golang:1.21.6-bookworm | jq -r '.Digest'
+ARG GOLANG_IMAGE=docker.io/library/golang:1.21.6-bookworm@sha256:d26cc6bb9b582095098ef54c115ec9ff43647fa3cf157330c57f5aafb97de842
 
-# BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
-# Represents the plataform where the build is happening, do not mix with
-# TARGETARCH
+# $ skopeo inspect --override-os linux docker://gcr.io/distroless/static-debian12:nonroot | jq -r '.Digest'
+# distroless images are signed by cosign. You should verify the image with the
+# following commands:
+# $ docker pull gcr.io/distroless/static-debian12:nonroot
+# $ cosign verify gcr.io/distroless/static-debian12:nonroot --certificate-oidc-issuer https://accounts.google.com --certificate-identity [email protected]
+ARG BASE_IMAGE=gcr.io/distroless/static-debian12:nonroot@sha256:39ae7f0201fee13b777a3e4a5a9326a8889269172c8b4f4289d9f19c831f45f4
 
 FROM --platform=${BUILDPLATFORM} ${GOLANG_IMAGE} as app-build
 WORKDIR /app
 
 COPY . .
-# TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.
 ARG TARGETARCH
 RUN CGO_ENABLED=0 GOARCH=${TARGETARCH} go build -ldflags "-s -w" -o backend
 
-# BUILDPLATFORM is an automatic platform ARG enabled by Docker BuildKit.
-# Represents the plataform where the build is happening, do not mix with
-# TARGETARCH
-FROM --platform=${BUILDPLATFORM} ${GOLANG_IMAGE} as gops
-
-RUN apt-get update && apt-get install -y binutils-aarch64-linux-gnu
-COPY ./build-gops.sh .
-RUN --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache \
-    ./build-gops.sh
-
-FROM docker.io/library/node:18-alpine3.18@sha256:435dcad253bb5b7f347ebc69c8cc52de7c912eb7241098b920f2fc2d7843183d
+FROM ${BASE_IMAGE}
 # TARGETOS is an automatic platform ARG enabled by Docker BuildKit.
 ARG TARGETOS
 # TARGETARCH is an automatic platform ARG enabled by Docker BuildKit.
 ARG TARGETARCH
 COPY --from=app-build /app/backend /usr/bin
-COPY --from=gops /out/${TARGETOS}/${TARGETARCH}/bin/gops /usr/bin/gops
-RUN mkdir -p /home/gops && chown 1001:1001 /home/gops
-
-ENV GOPS_CONFIG_DIR=/home/gops
-CMD ["/usr/bin/backend"]
+USER 65532:65532
+CMD ["/usr/bin/backend"]