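# syntax=docker/dockerfile:1
# ── Cross-compilation helper ────────────────────────────────────────────────────
# xx (https://github.com/tonistiigi/xx) provides xx-go, xx-apt-get, and xx-verify.
# xx-go sets GOOS/GOARCH/CC automatically for the target platform so the builder
# stays on --platform=$BUILDPLATFORM (native amd64 on GHA) with no QEMU needed.
# Pinned by digest so the toolchain wrapper cannot drift between builds.
FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:c64defb9ed5a91eacb37f96ccc3d4cd72521c4bd18d5442905b95e2226b0e707 AS xx

# ── Build ──────────────────────────────────────────────────────────────────────
# CGO_ENABLED=1 is required: mattn/go-sqlite3 and sqlite-vec use CGO.
# Debian (bookworm) is used instead of Alpine: sqlite-vec.c references BSD-compat
# u_int*_t types (u_int8_t, u_int16_t, u_int64_t) that glibc defines but musl omits.
# TODO: pin by digest like the xx stage (golang:1.26-bookworm@sha256:<digest>)
# so the Go toolchain is reproducible for a given commit as well.
FROM --platform=$BUILDPLATFORM golang:1.26-bookworm AS builder

# Copy xx helpers into the builder.
# COPY --from=xx / / is the canonical pattern — xx is built FROM scratch and
# globbing /usr/local/bin/xx-* fails in BuildKit on scratch-based images.
COPY --from=xx / /

# Automatic BuildKit platform ARG; it must be redeclared inside the stage for
# xx-go and xx-apt-get to see it.
ARG TARGETPLATFORM

# clang + lld: cross-compiler that works for all target architectures.
# update + install + list cleanup stay in one layer so a stale apt index is
# never cached on its own.
RUN apt-get update && apt-get install -y --no-install-recommends \
        clang \
        lld \
    && rm -rf /var/lib/apt/lists/*

# xx-apt-get configures Debian multiarch and installs the target-architecture
# cross-toolchain (gcc-aarch64-linux-gnu for arm64) and libsqlite3 headers.
RUN xx-apt-get install -y --no-install-recommends gcc libsqlite3-dev

WORKDIR /build

# Download dependencies as a separate layer — only reruns when go.mod/go.sum change.
# The module cache lives in a BuildKit cache mount (build-host side, never written
# into a layer); the build step below mounts the same path so the modules are visible.
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
    go mod download

# Copy only the Go source directories needed for the build.
# Explicit paths keep everything else in the context (env files, keys, docs)
# out of the image layers even if .dockerignore is misconfigured. Note that the
# whole build context is still sent to the builder — only .dockerignore limits that.
COPY cmd/ cmd/
COPY internal/ internal/

# -tags "netgo osusergo" replaces glibc DNS and user-lookup with pure-Go
# implementations — required for fully static glibc binaries.
# -ldflags="-s -w" strips debug info and DWARF tables (smaller binary).
# -extldflags=-static statically links C deps (sqlite3, sqlite-vec).
# -trimpath removes local build paths from stack traces.
# xx-verify --static fails the build if the result still has dynamic deps,
# which would not run on the distroless/static runtime image.
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=1 xx-go build \
        -tags "netgo osusergo" \
        -ldflags="-s -w -extldflags=-static" \
        -trimpath \
        -o /hatch ./cmd/hatch/ \
    && xx-verify --static /hatch

# ── Runtime ────────────────────────────────────────────────────────────────────
# distroless/static-debian12:nonroot
# - no shell or package manager (minimal attack surface)
# - includes CA certificates (required for LLM API calls)
# - runs as uid 65532 (nonroot) with /home/nonroot home directory
# TODO: pin by digest (gcr.io/distroless/static-debian12:nonroot@sha256:<digest>);
# the tag is mutable and is otherwise the only unpinned input to the final image.
FROM gcr.io/distroless/static-debian12:nonroot

# COPY runs as root regardless of USER, so /hatch is root-owned and the runtime
# user cannot modify it.
COPY --from=builder /hatch /hatch

# Explicit USER directive — distroless:nonroot defaults to uid 65532 but
# declaring it here satisfies static analysis tools (e.g. SonarQube S6471).
USER nonroot

# SSH server (Milestone 6) and HTTP dashboard (Milestone 8).
# Both ports are above 1024, so the nonroot user can bind them without extra capabilities.
EXPOSE 2222 8080

# No HEALTHCHECK: the image has no shell or curl, so a probe would have to be
# built into /hatch itself — NOTE(review): confirm orchestrator-level probes cover this.
ENTRYPOINT ["/hatch"]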