fix(security): harden Docker images + bump vulnerable Go modules (Phase 1)

caddy.Dockerfile

@@ -1,23 +1,22 @@
-# Declare version argument only once at the beginning
-ARG version="2.8.4"
+# Caddy 2.11.2: clears Go-stdlib CVEs in 2.8.4's binary + CVE-2026-27586.
+# Bumping requires editing all three "2.11.2" sites below (two FROMs + xcaddy).
+# Refresh: docker buildx imagetools inspect caddy:X.Y.Z[-builder]
 
-# Use a builder image for compiling Caddy
-FROM caddy:${version}-builder AS builder
+FROM caddy:2.11.2-builder@sha256:10ed0251c5cd1dbb4db0b71ad43121147961a51adfec35febce2c93ea25c24f4 AS builder
 
-# Pass ARG version explicitly
-ARG version
-ENV CADDY_VERSION="${version}"
-
-# Build Caddy with the required module using BuildKit cache mounts
-# Cache mounts persist across builds on the same runner, more efficient than layer caching
 RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked \
     --mount=type=cache,target=/root/.cache,sharing=locked \
-    xcaddy build "v${CADDY_VERSION}" \
-        --with github.com/grafana/certmagic-gcs@v0.1.2 && \
-    caddy version
+    xcaddy build "v2.11.2" \
+        --with github.com/grafana/certmagic-gcs@v0.1.7 \
+    && caddy version
+
+FROM caddy:2.11.2@sha256:25cdc846626b62d05f6b633b9b40c2c9f6ef89b515dc76133cefd920f7dbe562
+
+RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*
 
-# Final runtime image
-FROM caddy:${version}
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
 
-# Copy the compiled Caddy binary
-COPY --from=builder /usr/bin/caddy /usr/bin/caddy
+LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.title="simplecontainer/caddy" \
+      org.opencontainers.image.description="Caddy with grafana/certmagic-gcs"

cloud-helpers.aws.Dockerfile

@@ -1,10 +1,17 @@
-#FROM gcr.io/distroless/base-debian12
-FROM public.ecr.aws/lambda/provided:al2023
+# Refresh: docker buildx imagetools inspect public.ecr.aws/lambda/provided:al2023
+FROM public.ecr.aws/lambda/provided:al2023@sha256:a48275a6cb21dbd9cae6f8cc10ee8ccc416e1b48f9376d049c5b347985239456
 
-WORKDIR /
-
-ADD dist/cloud-helpers /cloud-helpers
+# Pull post-tag distro fixes (e.g. glibc CVE-2026-4046 once published to AL2023 dnf).
+RUN dnf upgrade -y --setopt=tsflags=nodocs \
+    && dnf clean all \
+    && rm -rf /var/cache/dnf
 
+WORKDIR /
+COPY dist/cloud-helpers /cloud-helpers
 EXPOSE 8080
 
-ENTRYPOINT ["/cloud-helpers"]
+LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.title="simplecontainer/cloud-helpers"
+
+ENTRYPOINT ["/cloud-helpers"]

github-actions-staging.Dockerfile

@@ -1,109 +1,104 @@
-# Staging GitHub Actions Dockerfile - Uses pre-built static github-actions binary for fast development iteration
-#
-# Development Workflow:
-#   1. welder run build-github-actions-staging  # Builds static ./bin/github-actions binary (Alpine/MUSL compatible)
-#   2. Push to staging branch → triggers build-staging.yml workflow
-#   3. BuildKit + GitHub Actions cache handles optimized Docker build with layer caching
-#   4. Test with simplecontainer/github-actions:staging in your workflows
-#
-# This approach eliminates the need to rebuild Go dependencies in Docker for every test iteration
-# Uses CGO_ENABLED=0 to build a static binary that works in Alpine (MUSL) environment
-# Docker layers are optimized for caching and size: dependencies first, binary last
+# Staging variant of github-actions.Dockerfile. Mirrors prod hardening; the only
+# difference is that it consumes ./bin/github-actions (built by welder) instead
+# of dist/github-actions (built by CI). Keep the two files in sync.
 
-# Use specific Alpine version for reproducibility and smaller size
-FROM alpine:3.19
+FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS builder
 
-# Install runtime dependencies in single layer with aggressive cleanup
-RUN apk --no-cache add \
-    ca-certificates \
-    git \
-    openssh-client \
-    curl \
-    jq \
-    bash \
-    python3 \
-    py3-pip \
-    upx \
-    binutils \
-    && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
+RUN apk update && apk upgrade --no-cache \
+    && apk add --no-cache curl bash binutils upx ca-certificates tar python3 \
+    && rm -rf /var/cache/apk/*
 
-# Install Pulumi CLI - Required for Simple Container provisioning
-# Read version from go.mod to ensure consistency with Go dependencies
 COPY go.mod /tmp/go.mod
-RUN PULUMI_VERSION=$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//') && \
-    echo "Installing Pulumi version: ${PULUMI_VERSION} (extracted from go.mod)" && \
-    curl -fsSL https://get.pulumi.com | sh -s -- --version ${PULUMI_VERSION} && \
-    # Optimize Pulumi binaries - strip debug symbols and compress
-    strip /root/.pulumi/bin/* 2>/dev/null || true && \
-    upx --best --lzma /root/.pulumi/bin/* 2>/dev/null || true && \
-    rm -rf /tmp/* /var/tmp/*
+RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \
+    set -euo pipefail \
+    && PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \
+    && [ -n "${PULUMI_VERSION}" ] || { echo "no pulumi version in go.mod" >&2; exit 1; } \
+    && TARBALL="pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \
+    && CHECKSUMS="pulumi-${PULUMI_VERSION}-checksums.txt" \
+    && cd /tmp/pulumi-dl \
+    && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \
+        "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${TARBALL}" \
+    && curl -fsSL -o "${CHECKSUMS}" \
+        "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${CHECKSUMS}" \
+    && EXPECTED_SHA="$(grep "${TARBALL}" "${CHECKSUMS}" | awk '{print $1}')" \
+    && [ -n "${EXPECTED_SHA}" ] || { echo "no checksum entry for ${TARBALL}" >&2; exit 1; } \
+    && echo "${EXPECTED_SHA}  ${TARBALL}" | sha256sum -c - \
+    && mkdir -p /opt/pulumi/bin \
+    && tar -xzf "${TARBALL}" -C /tmp \
+    && mv /tmp/pulumi/* /opt/pulumi/bin/ \
+    && rm -rf /tmp/pulumi /tmp/go.mod \
+    && strip /opt/pulumi/bin/* 2>/dev/null || true \
+    && upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true
 
-ENV PATH="/root/.pulumi/bin:${PATH}"
+ARG GCLOUD_VERSION="567.0.0"
+ARG GCLOUD_SHA256="bd5afc0d249609cb40d45f665209190fdd38b9937954291b8f9ae54206c75d83"
+RUN --mount=type=cache,target=/tmp/gcloud-dl,sharing=locked \
+    set -euo pipefail \
+    && TARBALL="google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \
+    && cd /tmp/gcloud-dl \
+    && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \
+        "https://storage.googleapis.com/cloud-sdk-release/${TARBALL}" \
+    && echo "${GCLOUD_SHA256}  ${TARBALL}" | sha256sum -c - \
+    && tar -xzf "${TARBALL}" -C /opt \
+    && /opt/google-cloud-sdk/install.sh --quiet \
+        --usage-reporting=false --path-update=false --bash-completion=false \
+    && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
 
-# Install Google Cloud SDK (gcloud CLI) - Fixed installation with proper cleanup
-RUN cd /tmp && \
-    curl -sSL https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz -o gcloud.tar.gz && \
-    tar -xzf gcloud.tar.gz && \
-    mv google-cloud-sdk /opt/ && \
-    /opt/google-cloud-sdk/install.sh --quiet --usage-reporting=false --path-update=false --bash-completion=false && \
-    # Remove unnecessary components, documentation, and cache files
-    rm -rf /opt/google-cloud-sdk/.install/.backup \
-           /opt/google-cloud-sdk/.install/.download \
-           /opt/google-cloud-sdk/bin/anthoscli \
-           /opt/google-cloud-sdk/bin/docker-credential-gcloud \
-           /opt/google-cloud-sdk/bin/git-credential-gcloud.sh \
-           /opt/google-cloud-sdk/platform/bundledpythonunix \
-           /opt/google-cloud-sdk/platform/gsutil/third_party/pyasn1* \
-           /opt/google-cloud-sdk/platform/gsutil/third_party/rsa/doc \
-           /opt/google-cloud-sdk/platform/gsutil/third_party/oauth2client/contrib \
-           /opt/google-cloud-sdk/lib/third_party/grpc \
-           /opt/google-cloud-sdk/lib/googlecloudsdk/api_lib/container/images \
-           /opt/google-cloud-sdk/help \
-           /opt/google-cloud-sdk/data/cli \
-           /opt/google-cloud-sdk/completion.bash.inc \
-           /opt/google-cloud-sdk/completion.zsh.inc \
-           /opt/google-cloud-sdk/path.bash.inc \
-           /opt/google-cloud-sdk/path.zsh.inc \
+RUN rm -rf \
+        /opt/google-cloud-sdk/.install/.backup \
+        /opt/google-cloud-sdk/.install/.download \
+        /opt/google-cloud-sdk/bin/anthoscli \
+        /opt/google-cloud-sdk/bin/docker-credential-gcloud \
+        /opt/google-cloud-sdk/bin/git-credential-gcloud.sh \
+        /opt/google-cloud-sdk/platform/bundledpythonunix \
+        /opt/google-cloud-sdk/platform/gsutil/third_party/pyasn1* \
+        /opt/google-cloud-sdk/platform/gsutil/third_party/rsa/doc \
+        /opt/google-cloud-sdk/platform/gsutil/third_party/oauth2client/contrib \
+        /opt/google-cloud-sdk/platform/gsutil/third_party/urllib3/dummyserver \
+        /opt/google-cloud-sdk/lib/third_party/grpc \
+        /opt/google-cloud-sdk/lib/googlecloudsdk/api_lib/container/images \
+        /opt/google-cloud-sdk/help \
+        /opt/google-cloud-sdk/data/cli \
+        /opt/google-cloud-sdk/completion.bash.inc \
+        /opt/google-cloud-sdk/completion.zsh.inc \
+        /opt/google-cloud-sdk/path.bash.inc \
+        /opt/google-cloud-sdk/path.zsh.inc \
+        /root/.config/gcloud/logs \
+        /root/.config/gcloud/.last_update_check.json \
+        /root/.config/gcloud/.last_opt_in_prompt.yaml \
+        /root/.config/gcloud/configurations \
     && find /opt/google-cloud-sdk -name "*.pyc" -delete \
     && find /opt/google-cloud-sdk -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true \
-    && find /opt/google-cloud-sdk -name "*.md" -delete \
-    && find /opt/google-cloud-sdk -name "*.txt" -delete \
-    && find /opt/google-cloud-sdk -name "COPYING*" -delete \
-    && find /opt/google-cloud-sdk -name "LICENSE*" -delete \
-    && rm -rf /tmp/gcloud.tar.gz /tmp/google-cloud-sdk
+    && find /opt/google-cloud-sdk \( -name "*.md" -o -name "*.txt" -o -name "COPYING*" -o -name "LICENSE*" \) -delete \
+    && rm -rf /tmp/* /var/tmp/*
+
+# ── runtime ─────────────────────────────────────────────────────────────────
+FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
 
-ENV PATH="/opt/google-cloud-sdk/bin:${PATH}"
+RUN apk update && apk upgrade --no-cache \
+    && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 \
+    && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
 
-# Install only essential GKE components and clean up immediately
-RUN gcloud components install gke-gcloud-auth-plugin --quiet && \
-    # Clean up component installation cache and logs
-    rm -rf /root/.config/gcloud/logs \
-           /root/.config/gcloud/.last_update_check.json \
-           /root/.config/gcloud/.last_opt_in_prompt.yaml \
-           /root/.config/gcloud/configurations \
-           /tmp/* /var/tmp/*
+COPY --from=builder /opt/pulumi /opt/pulumi
+COPY --from=builder /opt/google-cloud-sdk /opt/google-cloud-sdk
+
+ENV PATH="/opt/pulumi/bin:/opt/google-cloud-sdk/bin:${PATH}"
 
 WORKDIR /root/
 
-# Copy the pre-built static github-actions binary and optimize it
 COPY ./bin/github-actions ./github-actions
-RUN chmod +x ./github-actions && \
-    # Strip debug symbols if not already done (reduces binary size)
-    strip ./github-actions 2>/dev/null || true && \
-    # Make 'sc' available in PATH for Pulumi local.Command subprocesses
-    # (security pipeline runs: sc image sign, sc image scan, sc sbom generate, etc.)
-    ln -s /root/github-actions /usr/local/bin/sc && \
-    # Remove build tools no longer needed
-    apk del upx binutils && \
-    rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
+RUN chmod +x ./github-actions \
+    && ln -s /root/github-actions /usr/local/bin/sc
+
+RUN pulumi version > /dev/null \
+    && gcloud version > /dev/null \
+    && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \
+    && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
 
-# Verify installations work (but remove verification output to reduce layer size)
-RUN pulumi version > /dev/null && \
-    gcloud version > /dev/null && \
-    gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin && \
-    test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
+LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.title="simplecontainer/github-actions" \
+      org.opencontainers.image.description="SC GitHub Actions runner image (staging)"
 
-# Set the entrypoint to use the github-actions binary with absolute path
-# GitHub Actions runner overrides WORKDIR with --workdir /github/workspace
-# so we must use absolute path to avoid "./github-actions: no such file or directory"
+# Absolute path required: GitHub Actions runner overrides WORKDIR with --workdir /github/workspace.
 ENTRYPOINT ["/root/github-actions"]