build: pin base images and improve Docker setup #467
pixel365 wants to merge 3 commits into sipeed:main from
- Pin golang and alpine images by sha256 for reproducible builds
- Remove unnecessary wget package (use BusyBox wget)
- Reduce runtime image size
- Improve docker-compose config handling via PICOCLAW_CONFIG_FILE
- Minor Dockerfile cleanup
nikolasdehor left a comment
Solid Docker hardening. Image pinning with SHA256 digests is great for reproducible builds and supply chain security. Moving user creation to the builder stage and copying passwd/group is a clean pattern that avoids installing shadow in the runtime image. Removing curl in favor of BusyBox wget reduces attack surface.
The PICOCLAW_CONFIG_FILE env var in docker-compose is a nice UX touch. LGTM.
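The digest pinning praised above is easy to lose again in a later edit, so it is worth checking mechanically. The script below is an added example, not code from the PR or the picoclaw project: it scans a Dockerfile and reports every FROM that pulls an image without a sha256 digest, while leaving `FROM scratch` and references to earlier build stages alone. The two sample Dockerfiles, their tags and their digests are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the PR's code): lint a Dockerfile so that every FROM that
# pulls from a registry is pinned by a sha256 digest, as this PR does for the
# golang and alpine images. "FROM scratch" and references to earlier build
# stages (FROM <alias>) are not registry pulls and are not flagged.

# check_from_pinned DOCKERFILE
# Prints one line per unpinned FROM and returns 1 if any were found.
check_from_pinned() {
    dockerfile=$1
    unpinned=0
    aliases=" "
    lineno=0
    set -f    # no pathname expansion while word-splitting Dockerfile lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                          # split the instruction into words
        case "$1" in
            [Ff][Rr][Oo][Mm]) ;;
            *) continue ;;                    # not a FROM instruction
        esac
        shift                                 # drop the FROM keyword
        case "$1" in --platform=*) shift ;; esac
        image=$1
        alias=""
        case "$2" in [Aa][Ss]) alias=$3 ;; esac
        [ -n "$alias" ] && aliases="$aliases$alias "
        # Stage references and scratch never hit a registry.
        [ "$image" = "scratch" ] && continue
        case "$aliases" in *" $image "*) continue ;; esac
        # Pinned means "@sha256:" followed by exactly 64 lowercase hex digits.
        digest=${image##*@sha256:}
        if [ "$digest" != "$image" ] && printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
            continue
        fi
        echo "$dockerfile:$lineno: FROM not pinned by digest: $image"
        unpinned=$((unpinned + 1))
    done < "$dockerfile"
    set +f
    [ "$unpinned" -eq 0 ]
}

# Constructed sample Dockerfiles; the digests are placeholders, not real images.
PINNED_DF=$(mktemp)
cat > "$PINNED_DF" <<'EOF'
FROM golang:1.22-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder
RUN adduser -D -u 10001 picoclaw
FROM alpine:3.19@sha256:1111111111111111111111111111111111111111111111111111111111111111
COPY --from=builder /etc/passwd /etc/passwd
EOF

UNPINNED_DF=$(mktemp)
cat > "$UNPINNED_DF" <<'EOF'
FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
FROM builder AS test
FROM alpine:3.19
EOF

# Demo: the first file passes, the second reports its two registry pulls.
for f in "$PINNED_DF" "$UNPINNED_DF"; do
    if check_from_pinned "$f"; then
        echo "$f: every FROM is pinned by digest"
    fi
done
```

Run it against the repository's Dockerfile in CI and fail the job on a non-zero exit; a tag such as `alpine:3.19` can be re-pushed with different content, while a digest cannot.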
nikolasdehor left a comment
Solid improvement to the Docker setup. The sha256 pinning, non-root user, and image size reduction are all good practices.
A few observations:
- `/etc/passwd` overwrite — `COPY --from=builder /etc/passwd_picoclaw /etc/passwd` replaces the entire `/etc/passwd` in the runtime image, removing `root`, `nobody`, and other system users. This can break processes that need to resolve UIDs (e.g., `crond`, `syslogd`, or anything `su`/setuid). A safer approach is to `COPY --from=builder` the passwd/group files under a different name and then `cat >> /etc/passwd` to append, or just run the `adduser` in Stage 2 directly (it's a single layer either way).
- `vendor/` in `.gitignore` — This is fine if the project doesn't vendor dependencies, but worth noting in the PR description since it's a separate concern from Docker changes.
- The `PICOCLAW_CONFIG_FILE` env var in docker-compose is a nice touch for flexibility.
Minor point on (1) aside, LGTM. The overall direction is correct and the size reduction from ~48MB to ~39MB is meaningful.
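The append alternative from point (1) above, as an added shell example that is not part of the PR or the project: the builder-stage entry is merged into the runtime image's existing passwd (or group) file instead of replacing it, and the merge is refused if the name or numeric id collides with an entry already there, so a new account cannot silently shadow a system one. The file names, the `picoclaw` UID and the sample entries are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the PR): merge a builder-stage passwd/group entry
# into the runtime image's files instead of replacing them, so root, nobody and
# the other system accounts keep resolving. This is the "append" option from the
# review above; the file names and the picoclaw UID are assumptions for the demo.

# merge_account_entries EXTRA TARGET
# Appends every entry of EXTRA (passwd or group format) to TARGET, but refuses
# the whole merge if any name or numeric id in EXTRA is already present in
# TARGET. Nothing is written when the merge is refused.
merge_account_entries() {
    extra=$1
    target=$2
    while IFS=: read -r name _pw id _rest || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        if awk -F: -v n="$name" -v i="$id" '$1 == n || $3 == i { found = 1 } END { exit !found }' "$target"; then
            echo "refusing to merge $name (id $id): name or id already present in $target" >&2
            return 1
        fi
    done < "$extra"
    cat "$extra" >> "$target"
}

# has_account FILE NAME: succeeds when NAME has an entry in FILE.
has_account() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# count_entries FILE: number of entries in FILE.
count_entries() {
    awk 'END { print NR }' "$1"
}

# Constructed runtime /etc/passwd, as a minimal Alpine-style image ships it.
RUNTIME_PASSWD=$(mktemp)
cat > "$RUNTIME_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/sbin/nologin
EOF

# Constructed entry exported from the builder stage for the service account
# (UID 10001 is an assumption, not the project's value).
EXTRA_PASSWD=$(mktemp)
printf 'picoclaw:x:10001:10001::/home/picoclaw:/sbin/nologin\n' > "$EXTRA_PASSWD"

# Constructed entry that reuses UID 0 and must be rejected.
CLASH_PASSWD=$(mktemp)
printf 'svc:x:0:0::/:/sbin/nologin\n' > "$CLASH_PASSWD"

# Demo on a copy, so the files above stay untouched for further checks.
DEMO=$(mktemp)
cp "$RUNTIME_PASSWD" "$DEMO"
echo "--- overwriting /etc/passwd (the pattern the review flags) ---"
cp "$EXTRA_PASSWD" "$DEMO"
has_account "$DEMO" root || echo "root no longer resolves"
echo "--- appending instead ---"
cp "$RUNTIME_PASSWD" "$DEMO"
merge_account_entries "$EXTRA_PASSWD" "$DEMO" && cat "$DEMO"
merge_account_entries "$CLASH_PASSWD" "$DEMO" || echo "clash rejected, $(count_entries "$DEMO") entries kept"
```

In a Dockerfile the same logic is a `COPY --from=builder` of the exported entry to a scratch path followed by one `RUN` that appends it and deletes the temporary file; if a `RUN` layer is acceptable anyway, calling BusyBox `adduser` in the runtime stage, as the comment suggests, is simpler still.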
📝 Description
Improve Docker image reproducibility and reduce runtime size.
- Pin `golang` and `alpine` base images by sha256 to ensure deterministic builds.
- Remove `wget` installation (use BusyBox-provided wget).
- Add `PICOCLAW_CONFIG_FILE` variable for docker-compose to allow flexible config mounting.
- No application logic changes.
🔗 Related Issue
N/A