migrate to distroless base for production container (#30)

Dockerfile

@@ -1,8 +1,8 @@
 # -*- coding: utf-8 -*-
 # vim: ft=Dockerfile
 
-# container - builder
-FROM golang:1.19.10-alpine AS build
+### container - builder
+FROM golang:1.19.10-bullseye AS build
 LABEL maintainer="mindhunter86 <[email protected]>"
 
 ARG GOAPP_MAIN_VERSION="devel"
@@ -11,30 +11,27 @@ ARG GOAPP_MAIN_BUILDTIME="N/A"
 ENV MAIN_VERSION=$GOAPP_MAIN_VERSION
 ENV MAIN_BUILDTIME=$GOAPP_MAIN_BUILDTIME
 
+ENV DEBIAN_FRONTEND=noninteractive
+
 # hadolint/hadolint - DL4006
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /usr/sources/alice
 COPY . .
 
-ENV CGO_ENABLED=0
-ENV GOOS=linux
-ENV GOARCH=amd64
-
-# skipcq: DOK-DL3018 i'm a badboy, disable this shit
+# skipcq: DOK-DL3008 pinning version for upx is not required
 RUN echo "ready" \
-  && go build -trimpath -ldflags="-s -w -X 'main.version=$MAIN_VERSION' -X 'main.buildtime=$MAIN_BUILDTIME'" -o alice cmd/alice/main.go cmd/alice/flags.go \
-  && apk add --no-cache upx \
-  && upx -9 -k alice \
-  && echo "nobody:x:65534:65534:nobody:/usr/local/bin:/bin/false" > etc_passwd
+  && CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X 'main.version=$MAIN_VERSION' -X 'main.buildtime=$MAIN_BUILDTIME'" -o alice cmd/alice/main.go cmd/alice/flags.go \
+  && apt-get update && apt-get install --no-install-recommends -y upx-ucl \
+  && upx -9 -k alice
 
 
-# container - runner
-FROM scratch
+### container - runner
+###   for image debuging use tag :debug
+FROM gcr.io/distroless/static-debian11:latest-amd64
 LABEL maintainer="mindhunter86 <[email protected]>"
 
 WORKDIR /usr/local/bin/
-COPY --from=build /usr/sources/alice/etc_passwd /etc/passwd
 COPY --from=build --chmod=0555 /usr/sources/alice/alice alice
 
 USER nobody