-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
36 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,42 +1,67 @@ | ||
| # build app | ||
| FROM --platform=$BUILDPLATFORM golang:1.23-alpine3.20 AS app-builder | ||
| # syntax=docker/dockerfile:1 | ||
|
|
||
| # Build stage | ||
| FROM --platform=$BUILDPLATFORM golang:1.23-alpine3.20 AS app-builder | ||
|
|
||
| # Install git for revision info and ca-certificates for potential downloads | ||
| RUN apk add --no-cache git ca-certificates tzdata | ||
|
|
||
| # Create non-root user for build | ||
| RUN adduser -D -g '' appuser | ||
|
|
||
| WORKDIR /src | ||
|
|
||
| # Copy dependency files first for better cache utilization | ||
| COPY go.mod go.sum ./ | ||
| RUN go mod download | ||
|
|
||
| COPY . ./ | ||
| # Copy source code | ||
| COPY cmd/ ./cmd/ | ||
| COPY internal/ ./internal/ | ||
|
|
||
| # Copy rest of the files | ||
| COPY . . | ||
|
|
||
| ARG VERSION=dev | ||
| ARG REVISION=dev | ||
| ARG BUILDTIME | ||
| ARG TARGETOS TARGETARCH | ||
|
|
||
| # Build with security flags and proper versioning | ||
| # Network is disabled during build | ||
| RUN --network=none --mount=target=. \ | ||
| BUILDTIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \ | ||
| REVISION=$(git rev-parse --short HEAD) \ | ||
| CGO_ENABLED=0 \ | ||
| GOOS=$TARGETOS GOARCH=$TARGETARCH \ | ||
| go build -ldflags "-s -w -X main.version=${VERSION} -X main.commit=${REVISION} -X main.buildDate=${BUILDTIME}" \ | ||
| go build -trimpath \ | ||
| -ldflags "-s -w -X main.version=${VERSION} -X main.commit=${REVISION} -X main.buildDate=${BUILDTIME} -extldflags '-static'" \ | ||
| -o /out/bin/redactedhook cmd/redactedhook/main.go | ||
|
|
||
| # build runner | ||
| # Runtime stage | ||
| FROM gcr.io/distroless/static-debian12:nonroot | ||
|
|
||
| LABEL org.opencontainers.image.source = "https://github.com/s0up4200/redactedhook" | ||
| LABEL org.opencontainers.image.licenses = "MIT" | ||
| LABEL org.opencontainers.image.base.name = "distroless/static-debian12:nonroot" | ||
| LABEL org.opencontainers.image.source="https://github.com/s0up4200/redactedhook" | ||
| LABEL org.opencontainers.image.licenses="MIT" | ||
| LABEL org.opencontainers.image.base.name="distroless/static-debian12:nonroot" | ||
| LABEL org.opencontainers.image.description="RedactedHook CI image" | ||
|
|
||
| # Set environment variables | ||
| ENV HOME="/redactedhook" \ | ||
| XDG_CONFIG_HOME="/redactedhook" \ | ||
| XDG_DATA_HOME="/redactedhook" | ||
|
|
||
| WORKDIR /redactedhook | ||
| VOLUME /redactedhook | ||
|
|
||
| # Copy the binary from builder | ||
| COPY --from=app-builder /out/bin/redactedhook /usr/local/bin/ | ||
|
|
||
| # Expose the application port | ||
| EXPOSE 42135 | ||
|
|
||
| COPY --from=app-builder /out/bin/redactedhook /usr/local/bin/ | ||
| # Use nonroot user | ||
| USER nonroot:nonroot | ||
|
|
||
| USER nobody | ||
| ENTRYPOINT ["/usr/local/bin/redactedhook", "--config", "config.toml"] | ||
| # Set entry point | ||
| ENTRYPOINT ["/usr/local/bin/redactedhook", "--config", "config.toml"] |