- Add go vet and go test steps to CI workflow - Update Dockerfile and CI build commands to target ./src - Comment out build jobs for Linux and Windows - Fix build paths across the workflow configuration
42 lines
1.2 KiB
Docker
42 lines
1.2 KiB
Docker
# Production-hardened Dockerfile for auth-proxy
|
|
#
|
|
# We use a multi-stage build to keep the final image small.
|
|
# The build stage compiles the binary, and the runtime stage copies
|
|
# only the binary and the required configuration.
|
|
|
|
FROM docker.iranserver.com/golang:1.26-alpine AS builder
|
|
WORKDIR /app
|
|
|
|
RUN /usr/local/go/bin/go env -w GOPROXY=https://go.iranserver.com/repository/go/ \
|
|
&& /usr/local/go/bin/go env -w GOSUMDB=off
|
|
|
|
COPY go.mod go.sum ./
|
|
RUN go mod download
|
|
COPY . .
|
|
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o auth-proxy ./src
|
|
|
|
# Runtime stage
|
|
FROM docker.iranserver.com/alpine:3.23
|
|
WORKDIR /app
|
|
|
|
# Create a non-root user (security best practice).
|
|
RUN addgroup -S auth-proxy && adduser -S auth-proxy -G auth-proxy
|
|
|
|
# Copy the binary from the builder stage.
|
|
COPY --from=builder /app/auth-proxy .
|
|
|
|
# Create directories for config and data.
|
|
RUN mkdir -p /config /data
|
|
|
|
# Set ownership so the non-root user can write to /data but not /config.
|
|
RUN chown -R auth-proxy:auth-proxy /data && chown auth-proxy:auth-proxy /config
|
|
|
|
# Switch to the non-root user.
|
|
USER auth-proxy
|
|
|
|
# Expose the HTTP port.
|
|
EXPOSE 8080
|
|
|
|
# Start the service.
|
|
ENTRYPOINT ["/app/auth-proxy"]
|
|
CMD [] |