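# Runtime image: copies the prebuilt binary and its data out of a builder image
# into a minimal, digest-pinned alpine stage that runs as a non-root user.
#
# Supply-chain note: the default BUILDER_IMAGE is a mutable tag, so everything
# copied out of it (binary, fonts, models, test data) is whatever that tag
# resolves to at build time. For release builds, pin the builder explicitly:
#   --build-arg BUILDER_IMAGE=<registry>/<repo>@sha256:<builder-digest>
ARG BUILDER_IMAGE="andriykalashnykov/go-face-recognition:latest-builder"
FROM ${BUILDER_IMAGE} AS builder

# https://hub.docker.com/_/alpine/tags
FROM alpine:3.24.1@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b AS runtime

# An ARG declared before the first FROM is only visible to FROM lines, so it is
# re-declared here to bring it into scope for this stage.
# NOTE(review): no instruction below currently references ${BUILDER_IMAGE}; the
# description label hard-codes the default builder reference instead.
ARG BUILDER_IMAGE

# base.name must track the FROM line above: scanners and provenance tooling
# read it to decide which base-image advisories apply, so a stale tag here
# misreports what the image is built on.
LABEL org.opencontainers.image.title="go-face-recognition (alpine runtime over local builder)" \
      org.opencontainers.image.description="Minimal alpine runtime slice copying the statically-linked binary + test data out of a locally-built builder image. Default source: andriykalashnykov/go-face-recognition:latest-builder produced by Dockerfile.ubuntu.builder. Runs as non-root UID 10001 for K8s restricted pod security." \
      org.opencontainers.image.source="https://github.com/AndriyKalashnykov/go-face-recognition" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.base.name="docker.io/library/alpine:3.24.1" \
      io.artifacthub.package.readme-url="https://raw.githubusercontent.com/AndriyKalashnykov/go-face-recognition/main/README.md"

# Pick up security patches published between alpine image cuts (matches the
# primary runtime stage in Dockerfile.go-face). This deliberately trades the
# reproducibility of the digest-pinned base for patch freshness: the installed
# package versions depend on the build date.
# Non-root numeric UID is required for K8s restricted pod security
# (runAsNonRoot: true, allowPrivilegeEscalation: false).
RUN apk --no-cache upgrade && \
    addgroup -g 10001 -S app && \
    adduser -u 10001 -S -G app app

WORKDIR /app

# The binary, fonts, models and persons are copied without --chown, so they
# stay root-owned: UID 10001 can read and execute them but cannot replace them
# (assuming the builder did not leave them world-writable).
COPY --from=builder /app/cmd/main .
COPY --from=builder /app/fonts fonts/
# images/ must be writable because the binary saves result.jpg back into it.
# It is the only path handed to the runtime user.
COPY --chown=10001:10001 --from=builder /app/images/ images/
COPY --from=builder /app/models/ models/
COPY --from=builder /app/persons/ persons/

# Numeric UID (not the name) so runAsNonRoot can be verified from image metadata.
USER 10001

# Keep the container running so `make image-run` / `docker exec` work.
# Override with `--entrypoint /app/main` to execute the classification
# pipeline against the baked-in test data.
CMD ["tail", "-f", "/dev/null"]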