bring fix/remove-root-access-when-building-docker-img Dockerfile changes

Author: AdriaCarrera

Dockerfile

@@ -1,31 +1,45 @@
-# CONTAINER FOR BUILDING BINARY
-FROM --platform=${BUILDPLATFORM} golang:1.24.4 AS build
+# ================================
+# STAGE 1: Build binary
+# ================================
+FROM --platform=${BUILDPLATFORM} golang:1.24.4-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache gcc musl-dev make sqlite-dev
 
 WORKDIR /app
 
-# INSTALL DEPENDENCIES
+# Download Go dependencies
 COPY go.mod go.sum ./
 RUN go mod download
 
-# BUILD BINARY
+# Copy source and build
 COPY . .
-RUN make build-aggkit build-tools
-
-# CONTAINER FOR RUNNING BINARY
-FROM --platform=${BUILDPLATFORM} debian:bookworm-slim
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-    ca-certificates \
-    sqlite3 \
-    procps \
-    libssl-dev && \
-    rm -rf /var/lib/apt/lists/*
-COPY --from=build /app/target/aggkit /usr/local/bin/
-
-# ADD NON-ROOT USER
-RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+
+# Compile binary
+RUN make build-aggkit
+
+# ================================
+# STAGE 2: Final runtime image
+# ================================
+FROM alpine:3.22
+
+# Install runtime dependencies and remove shell
+RUN apk add --no-cache sqlite-libs ca-certificates
+
+# Add non-root user with home and nologin shell
+RUN addgroup appgroup && \
+    adduser -D -G appgroup -h /home/appuser -s /sbin/nologin appuser && \
+    mkdir -p /home/appuser && \
+    chown -R appuser:appgroup /home/appuser
+
+# Set the working directory and user
+# This ensures that the application runs as a non-root user
+WORKDIR /home/appuser
 USER appuser
 
+# Copy the built binary from the builder stage
+COPY --from=builder /app/target/aggkit /usr/local/bin/aggkit
+
 EXPOSE 5576/tcp
 
 ENTRYPOINT ["/usr/local/bin/aggkit"]