From 30bcf0a56494f714d4c1255d2eba2b0738676d8b Mon Sep 17 00:00:00 2001
From: Ruslan Semagin
Date: Thu, 19 Feb 2026 09:37:12 +0300
Subject: [PATCH] build: pin base images and improve Docker setup

- Pin golang and alpine images by sha256 for reproducible builds
- Remove unnecessary wget package (use BusyBox wget)
- Reduce runtime image size
- Improve docker-compose config handling via PICOCLAW_CONFIG_FILE
- Minor Dockerfile cleanup
---
 .gitignore | 2 ++
 Dockerfile | 28 +++++++++++++++++++---------
 docker-compose.yml | 4 ++--
 3 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/.gitignore b/.gitignore
index ce30d749e..a155a2dc2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,5 @@ tasks/
 # Added by goreleaser init:
 dist/
+
+vendor/
diff --git a/Dockerfile b/Dockerfile
index 0360cfda6..d02723544 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,13 @@
 # ============================================================
 # Stage 1: Build the picoclaw binary
 # ============================================================
-FROM golang:1.26.0-alpine AS builder
+FROM golang:1.26.0-alpine3.23@sha256:d4c4845f5d60c6a974c6000ce58ae079328d03ab7f721a0734277e69905473e5 AS builder
-RUN apk add --no-cache git make
+RUN apk add --no-cache git make ca-certificates \
+ && addgroup -S picoclaw \
+ && adduser --uid 1000 --shell /bin/false -S picoclaw -G picoclaw \
+ && grep picoclaw /etc/passwd > /etc/passwd_picoclaw \
+ && grep picoclaw /etc/group > /etc/group_picoclaw
 WORKDIR /src
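Review bot: `addgroup -S picoclaw` drops the explicit GID that the removed runtime-stage `addgroup -g 1000` used to pin, so the group now gets whatever id the system range hands out, and the two `grep picoclaw` lines are substring matches rather than exact entry lookups; the files they produce then replace the runtime image's `/etc/passwd` and `/etc/group` wholesale in the second Dockerfile hunk, so that image carries no `root` or `nobody` entry and anything resolving uid 0 by name (for example `docker exec -u root`) may fail. Pin the group as `addgroup -S -g 1000 picoclaw` so ownership on existing workspace volumes and numeric `runAsGroup` checks stay stable, and extract the entries exactly, `grep '^picoclaw:' /etc/passwd > /etc/passwd_picoclaw` and `grep '^picoclaw:' /etc/group > /etc/group_picoclaw`. Since the runtime stage is a full Alpine image rather than scratch/distroless, the previous in-stage `addgroup -g 1000 … && adduser -D -u 1000 …` achieved the same non-root result while keeping the base account database intact; if the overwrite is deliberate, a one-line comment above the `grep` lines stating why would help the next reader.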
@@ -18,26 +22,32 @@ RUN make build
 # ============================================================
 # Stage 2: Minimal runtime image
 # ============================================================
-FROM alpine:3.23
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
-RUN apk add --no-cache ca-certificates tzdata curl
+RUN apk add --no-cache tzdata
+
+COPY --from=builder /etc/passwd_picoclaw /etc/passwd
+COPY --from=builder /etc/group_picoclaw /etc/group
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
+RUN mkdir -p /home/picoclaw && chown picoclaw:picoclaw /home/picoclaw
 # Health check
+# BusyBox (Alpine default) already provides wget, no extra package needed
+# Consider replacing with application-level health command in the future.
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 CMD wget -q --spider http://localhost:18790/health || exit 1
 # Copy binary
-COPY --from=builder /src/build/picoclaw /usr/local/bin/picoclaw
-
-# Create non-root user and group
-RUN addgroup -g 1000 picoclaw && \
- adduser -D -u 1000 -G picoclaw picoclaw
+COPY --from=builder --chown=picoclaw:picoclaw /src/build/picoclaw /usr/local/bin/picoclaw
 # Switch to non-root user
 USER picoclaw
+ENV HOME=/home/picoclaw
 # Run onboard to create initial directories and config
 RUN /usr/local/bin/picoclaw onboard
 ENTRYPOINT ["picoclaw"]
+
 CMD ["gateway"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 32e8ee339..45b018dba 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
 profiles:
 - agent
 volumes:
- - ./config/config.json:/home/picoclaw/.picoclaw/config.json:ro
+ - "${PICOCLAW_CONFIG_FILE:-./config/config.json}:/home/picoclaw/.picoclaw/config.json:ro"
 - picoclaw-workspace:/home/picoclaw/.picoclaw/workspace
 entrypoint: ["picoclaw", "agent"]
 stdin_open: true
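Review bot: `COPY --from=builder /etc/ssl/certs/ca-certificates.crt …` ties the runtime trust store to the bundle inside the builder digest rather than the runtime base: as far as I recall the `alpine:3.23` image already ships `ca-certificates-bundle`, which provides that exact path, so the copy most likely just overwrites an existing file, and the `ca-certificates` install added to the builder stage exists only to feed it. Verify with `docker run --rm alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 ls -l /etc/ssl/certs/ca-certificates.crt`; if the file is present, drop the COPY and the builder-side package, and put a comment on the `RUN apk add --no-cache tzdata` line such as `# TLS roots come from the base image's ca-certificates-bundle; refresh them by bumping the base digest` so CA updates arrive with base-image bumps instead of silently lagging behind the builder. Separately, `apk add --no-cache tzdata` is still unpinned (hadolint DL3018) while the images are now digest-pinned; `tzdata=<version>` would complete the reproducibility goal the commit message states.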
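Review bot: The new `"${PICOCLAW_CONFIG_FILE:-./config/config.json}"` host path is undocumented, and a relative value is resolved against the compose project directory (the compose file's location), not the shell's current directory, which is easy to get wrong when the variable is set in a deployment environment; when the resolved path does not exist, the default short-syntax bind mount creates an empty directory there and mounts it over `config.json`, so the service sees a directory where it expects its config file. A comment above the entry, `# Host config file; override with PICOCLAW_CONFIG_FILE (relative paths resolve from this file's directory)`, plus a `PICOCLAW_CONFIG_FILE=` line in the project's `.env` example if it keeps one, would make the contract explicit. The gateway service hunk (`@@ -31,7 +31,7 @@`) makes the identical change and needs the same comment.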
@@ -31,7 +31,7 @@ services:
 - gateway
 volumes:
 # Configuration file
- - ./config/config.json:/home/picoclaw/.picoclaw/config.json:ro
+ - "${PICOCLAW_CONFIG_FILE:-./config/config.json}:/home/picoclaw/.picoclaw/config.json:ro"
 # Persistent workspace (sessions, memory, logs)
 - picoclaw-workspace:/home/picoclaw/.picoclaw/workspace
 command: ["gateway"]