self-contained docker build

Author: Hsn723

.circleci/config.yml

@@ -18,6 +18,11 @@ jobs:
     steps:
       - checkout
       - run: make test
+  verify:
+    executor: golang
+    steps:
+      - checkout
+      - run: make verify
   build:
     executor: golang
     working_directory: /work
@@ -64,14 +69,10 @@ jobs:
       - image: docker:stable
     working_directory: /work
     steps:
-      - attach_workspace:
-            at: /tmp/ct-monitor
       - setup_remote_docker:
             docker_layer_caching: false
       - checkout
       - run: |
-          mkdir artifacts
-          cp /tmp/ct-monitor/artifacts/ct-monitor-linux-amd64 artifacts/
           BASENAME="quay.io/hsn723/ct-monitor"
           TAG=$(cat VERSION)
           BRANCH=$(echo $TAG | cut -d '.' -f 1,2)
@@ -87,10 +88,12 @@ workflows:
     jobs:
       - lint
       - test
+      - verify
       - build:
           requires:
             - lint
             - test
+            - verify
           matrix:
             parameters:
               os: [linux]
@@ -106,7 +109,15 @@ workflows:
               only: master
   create-release:
     jobs:
+      - verify:
+          filters:
+            branches:
+              ignore: /.*/
+            tags:
+              only: /^v\d+\.\d+\.\d+$/
       - build:
+          requires:
+            - verify
           matrix:
             parameters:
               os: [linux, darwin, windows]
@@ -126,7 +137,7 @@ workflows:
               only: /^v\d+\.\d+\.\d+$/
       - publish-docker:
           requires:
-              - build
+            - verify
           filters:
             branches:
               ignore: /.*/

Dockerfile

@@ -1,6 +1,18 @@
-FROM quay.io/cybozu/ubuntu:20.04 as certs
+FROM quay.io/cybozu/golang:1.15-focal as build
+ENV CGO_ENABLED=0
+RUN mkdir -p /etc/ct-monitor /var/log/ct-monitor \
+    && chown nobody:nogroup /etc/ct-monitor /var/log/ct-monitor
+COPY . .
+RUN make
 
 FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY artifacts/ct-monitor-linux-amd64 /ct-monitor
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /etc/passwd /etc/passwd
+COPY --from=build /etc/group /etc/group
+COPY --from=build --chown=nobody:nogroup /etc/ct-monitor /etc/ct-monitor
+COPY --from=build --chown=nobody:nogroup /var/log/ct-monitor /var/log/ct-monitor
+COPY --from=build /tmp/ct-monitor/artifacts/ct-monitor-linux-amd64 /ct-monitor
+
+USER nobody:nogroup
+
 ENTRYPOINT [ "/ct-monitor" ]

Makefile

@@ -1,7 +1,7 @@
 BUILD_DIR=/tmp/ct-monitor/artifacts
 WORK_DIR=./bin
 VERSION := $(shell cat VERSION)
-LDFLAGS=-ldflags "-X github.com/Hsn723/ct-monitor/cmd.CurrentVersion=${VERSION}"
+LDFLAGS=-ldflags "-w -s -X github.com/Hsn723/ct-monitor/cmd.CurrentVersion=${VERSION}"
 OS ?= linux
 ARCH ?= amd64
 ifeq ($(OS), windows)
@@ -27,6 +27,11 @@ lint: clean setup
 test: clean
 	go test -race -v ./...
 
+.PHONY: verify
+verify:
+	go mod download
+	go mod verify
+
 .PHONY: build
 build: clean setup
 	env GOOS=$(OS) GOARCH=$(ARCH) go build $(LDFLAGS) -o $(BUILD_DIR)/ct-monitor-$(OS)-$(ARCH)$(EXT) .

VERSION

@@ -1 +1 @@
-0.1.0
+0.1.1