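# syntax=docker/dockerfile:1@sha256:4a43a54dd1fedceb30ba47e76cfcf2b47304f4161c0caeac2db1c61804ea3c91

# ---- build stage ---------------------------------------------------------------
# Cross-compiles the Go service for the requested target platform. The stage runs
# on the build host's native platform (BUILDPLATFORM) so the toolchain itself is
# never emulated; only the output binary targets TARGETOS/TARGETARCH.
FROM --platform=$BUILDPLATFORM golang:1.26-alpine@sha256:c2a1f7b2095d046ae14b286b18413a05bb82c9bca9b25fe7ff5efef0f0826166 AS build
WORKDIR /app

# Dependency manifests first, so the `go mod download` layer stays cached until
# go.mod/go.sum change rather than on every source edit.
COPY go.mod go.sum ./
ARG GOMODCACHE=/go/pkg/mod
ARG GOCACHE=/root/.cache/go-build
# Cache mount lives on the build host; nothing from it ends up in an image layer.
RUN --mount=type=cache,target="$GOMODCACHE" go mod download

# Automatic platform args (populated by BuildKit from --platform); declared here
# so they are in scope for the build step below.
ARG TARGETOS TARGETARCH
COPY . .
# CGO_ENABLED=0 produces a static binary that needs no libc in the runtime image.
# -trimpath strips build-host paths from the binary so builds are reproducible.
RUN --mount=type=cache,target="$GOMODCACHE" \
    --mount=type=cache,target="$GOCACHE" \
    CGO_ENABLED=0 GOOS="$TARGETOS" GOARCH="$TARGETARCH" go build -trimpath -o /app/main .

# ---- runtime stage -------------------------------------------------------------
FROM alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS runtime
WORKDIR /

# Unprivileged service account with fixed numeric ids (stable for runtime
# runAsNonRoot checks). Created before the weekly cache-bust ARG below so this
# layer is not rebuilt every week along with the upgrade layer.
RUN addgroup -g 1000 srvgroup && \
    adduser -D srvuser -u 1000 -G srvgroup

# Weekly cache-bust for security updates. CI passes APK_UPGRADE_WEEK=$(date -u +%Y-W%V)
# as a build-arg so the `apk upgrade` layer re-runs at least once per week, picking
# up new CVE fixes from the Alpine package repo even when the Dockerfile is unchanged.
# Without this, the cached layer can serve stale package versions for weeks after a
# CVE is fixed upstream (e.g., CVE-2026-28390 openssl: apk repo has 3.5.6-r0 but the
# cached layer still ships 3.5.5-r0).
# The value is referenced explicitly in the RUN so the layer's cache key visibly
# depends on it, instead of relying on the builder injecting unreferenced ARGs
# into the RUN environment.
ARG APK_UPGRADE_WEEK=manual
RUN echo "apk upgrade cache key: $APK_UPGRADE_WEEK" && apk upgrade --no-cache

# Alternative runtime bases, kept for reference (not built):
#FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3 AS runtime
#WORKDIR /
#COPY --from=build /app/main /
#CMD ["./main"]
#FROM gcr.io/distroless/static:nonroot
#WORKDIR /
#COPY --from=build /app/main /
#USER 65532:65532

# Only the static binary is copied; no toolchain or sources reach this image.
COPY --from=build /app/main /
# Documentation only (does not publish): the port the HEALTHCHECK below probes.
EXPOSE 8080
# Drop privileges after all root-requiring steps; the process runs as srvuser.
USER srvuser:srvgroup
# Cheap liveness probe using busybox wget from the base image; a non-2xx/unreachable
# endpoint marks the container unhealthy after 3 consecutive failures.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:8080/ || exit 1
# Exec form: the binary is PID 1 and receives SIGTERM directly from `docker stop`.
ENTRYPOINT ["/main"]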