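# ─────────────────────────────────────────────
# Stage 1: Build
# ─────────────────────────────────────────────
# SHA256 pinned for reproducible builds (E10-05).
# To refresh: docker pull --platform linux/amd64 golang:1.24-alpine && docker inspect ... | jq -r '.[0].RepoDigests[0]'
FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder

# git is only needed when a module has to be fetched from VCS instead of the module proxy.
# NOTE(review): the apk index is fetched at build time, so these two packages are NOT covered by
# the base-image digest pin; pin them (git=<version>, ca-certificates=<version>) once known.
RUN apk add --no-cache git ca-certificates

WORKDIR /app

# Download dependencies first (cache layer). `go mod verify` checks the downloaded modules
# against go.sum so a tampered proxy/cache fails the build instead of silently linking in.
COPY go.mod go.sum ./
RUN go mod download && go mod verify

# Copy source and build. This relies on .dockerignore keeping .git, local configs and build
# output out of the context. -trimpath removes build-host paths from the binary so the same
# inputs produce a byte-identical binary (matches the reproducibility goal above).
COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags="-s -w -extldflags '-static'" \
    -o /app/bin/proxy ./cmd/proxy/

# ─────────────────────────────────────────────
# Stage 2: Runtime (distroless — no shell, minimal attack surface)
# ─────────────────────────────────────────────
# SHA256 pinned for reproducible builds (E10-05).
FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838

WORKDIR /app

# Copy binary and default config. COPY without --chown leaves them root-owned, which is
# intended: the runtime user below only needs read access and gets no write access to /app.
COPY --from=builder /app/bin/proxy .
COPY --from=builder /app/config.yaml .

# Non-root user (distroless default uid 65532)
USER 65532:65532

# Documentation only — EXPOSE does not publish the port. 8090 is unprivileged, so the
# non-root user can bind it without extra capabilities.
EXPOSE 8090

# Exec form: the proxy runs as PID 1 and receives SIGTERM directly from `docker stop`.
# No HEALTHCHECK here because the image has no shell or curl; add one only if the binary
# itself offers a cheap self-probe.
ENTRYPOINT ["/app/proxy"]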