3goodsources/Dockerfile at main · johnzilla/3goodsources · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# syntax=docker/dockerfile:1

# Stage 1: Planner - analyze dependencies
FROM lukemathwalker/cargo-chef:latest-rust-1.85 AS planner
WORKDIR /app
COPY Cargo.toml Cargo.lock ./
COPY src/ src/
COPY docs/ docs/
RUN cargo chef prepare --recipe-path recipe.json

# Stage 2: Builder - cache dependencies and build
FROM lukemathwalker/cargo-chef:latest-rust-1.85 AS builder
WORKDIR /app

# Copy recipe from planner
COPY --from=planner /app/recipe.json recipe.json

# Build dependencies (cached layer)
RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
    cargo chef cook --release --recipe-path recipe.json

# Copy source code
COPY . .

# Build application with size optimizations
RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
    cargo build --release --bin three-good-sources

# Stage 3: Runtime - minimal production image
FROM debian:bookworm-slim AS runtime

# Install CA certificates for HTTPS
RUN apt-get update && \
    apt-get install -y ca-certificates && \
    rm -rf /var/lib/apt/lists/*

# Create non-root user (security best practice)
RUN groupadd -g 1001 appgroup && \
    useradd -u 1001 -g appgroup -m -d /home/appuser appuser

# Copy binary from builder with correct ownership
COPY --from=builder --chown=appuser:appgroup \
    /app/target/release/three-good-sources \
    /usr/local/bin/app

# Copy data files to /data/ (DO App Platform may overlay /app/ at runtime)
COPY --chown=appuser:appgroup registry.json /data/registry.json
COPY --chown=appuser:appgroup audit_log.json /data/audit_log.json
COPY --chown=appuser:appgroup identities.json /data/identities.json
COPY --chown=appuser:appgroup contributions.json /data/contributions.json

# Switch to non-root user
USER appuser

# Document exposed port
EXPOSE 3000

# Default environment variables
ENV REGISTRY_PATH=/data/registry.json
ENV AUDIT_LOG_PATH=/data/audit_log.json
ENV IDENTITIES_PATH=/data/identities.json
ENV CONTRIBUTIONS_PATH=/data/contributions.json

# Run application
ENTRYPOINT ["/usr/local/bin/app"]