goreleaser/Dockerfile

FROM golang:1.23.0-alpine@sha256:d0b31558e6b3e4cc59f6011d79905835108c919143ebecc58f35965bf79948f4

RUN apk add --no-cache bash \
	curl \
	docker-cli \
	docker-cli-buildx \
	git \
	gpg \
	mercurial \
	make \
	openssh-client \
	build-base \
	tini

# install cosign
COPY --from=gcr.io/projectsigstore/cosign:v2.4.0@sha256:9d50ceb15f023eda8f58032849eedc0216236d2e2f4cfe1cdf97c00ae7798cfe /ko-app/cosign /usr/bin/cosign

# install syft
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/v0.84.1/install.sh | sh -s -- -b /usr/local/bin

ENTRYPOINT ["/sbin/tini", "--", "/entrypoint.sh"]
CMD [ "-h" ]

COPY scripts/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

COPY goreleaser_*.apk /tmp/
RUN apk add --no-cache --allow-untrusted /tmp/goreleaser_*.apk
chore(deps): bump golang from 1.22.6-alpine to 1.23.0-alpine (#5076) Bumps golang from 1.22.6-alpine to 1.23.0-alpine. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.22.6-alpine&new-version=1.23.0-alpine)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-08-14 09:44:19 -03:00			`FROM golang:1.23.0-alpine@sha256:d0b31558e6b3e4cc59f6011d79905835108c919143ebecc58f35965bf79948f4`
Optimized Dockerfile layers and added fingerprint checking Layers are now cleaned up and ordered in a way to minimize breaking of the cache. Additional Docker key fingerprint checking has been added to ensure that we get the eky we are expecting from Docker website. 2018-11-27 08:49:25 -06:00
fix: convert docker images to Alpine (#884) This should signifficantly reduce the image size of the Docker images needed to use Goreleaser Resolves #882 2018-11-29 12:40:04 -06:00			`RUN apk add --no-cache bash \`
feat: use go 1.17 (#2408) * feat: use go 1.17 Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: go mod tidy Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: fix failing test Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * ci: increase lint timeout Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * ci: increase lint timeout Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-08-24 20:49:11 -03:00			`curl \`
			`docker-cli \`
			`docker-cli-buildx \`
			`git \`
feat: adds gpg to Docker image for signing of artifacts (#2905) 2022-02-13 17:37:38 +01:00			`gpg \`
feat: use go 1.17 (#2408) * feat: use go 1.17 Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: go mod tidy Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: fix failing test Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * ci: increase lint timeout Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * ci: increase lint timeout Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2021-08-24 20:49:11 -03:00			`mercurial \`
			`make \`
feat: adds openssh-client to docker images (#3077) closes #3076 Signed-off-by: Carlos A Becker <caarlos0@gmail.com> 2022-04-29 09:32:24 -03:00			`openssh-client \`
feat(docker): install tini to handle Ctrl+C (#2501) https://github.com/krallin/tini/issues/8 Signed-off-by: Artur Troian <troian.ap@gmail.com> 2021-09-21 21:17:42 -04:00			`build-base \`
			`tini`
Optimized Dockerfile layers and added fingerprint checking Layers are now cleaned up and ordered in a way to minimize breaking of the cache. Additional Docker key fingerprint checking has been added to ensure that we get the eky we are expecting from Docker website. 2018-11-27 08:49:25 -06:00
feat: add cosign tool in the goreleaser image (#2542) Signed-off-by: Carlos Panato <ctadeu@gmail.com> 2021-11-18 13:54:54 +01:00			`# install cosign`
chore(deps): upgrade cosign to 2.4.0 (#5099) goreleaser currently uses `cosign` `v2.1.1`, this change switches it to `v2.4.0`. While there may be other useful updates, I'd like this update to workaround a bug which I'm experiencing: https://github.com/sigstore/cosign/issues/3614#issuecomment-2012521670, and which is solved by upgrading the `cosign` version. 2024-08-23 15:53:45 +02:00			`COPY --from=gcr.io/projectsigstore/cosign:v2.4.0@sha256:9d50ceb15f023eda8f58032849eedc0216236d2e2f4cfe1cdf97c00ae7798cfe /ko-app/cosign /usr/bin/cosign`
feat: add cosign tool in the goreleaser image (#2542) Signed-off-by: Carlos Panato <ctadeu@gmail.com> 2021-11-18 13:54:54 +01:00
feat: adds syft to docker image (#4182) <!-- Hi, thanks for contributing! Please make sure you read our CONTRIBUTING guide. Also, add tests and the respective documentation changes as well. --> <!-- If applied, this commit will... --> As discussed in #4176, this PR adds syft to the Docker image. <!-- Why is this change being made? --> As mentioned in #4176, it simplifies CI when SBOM generation is needed. <!-- # Provide links to any relevant tickets, URLs or other resources --> I tried to test by running `task goreleaser` in my dev environment. The amd64 image has been built properly and syft is available: ``` docker run --rm -it --entrypoint="" goreleaser/goreleaser:v1.19.2-amd64 sh /go # syft --version syft 0.84.1 ``` However I couldn't test other platforms since I got unrelated errors when it tried to build the arm64 image. 2023-07-12 14:47:37 +02:00			`# install syft`
			`RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/v0.84.1/install.sh \| sh -s -- -b /usr/local/bin`

feat(docker): install tini to handle Ctrl+C (#2501) https://github.com/krallin/tini/issues/8 Signed-off-by: Artur Troian <troian.ap@gmail.com> 2021-09-21 21:17:42 -04:00			`ENTRYPOINT ["/sbin/tini", "--", "/entrypoint.sh"]`
feat: docker in docker support (#785) * feat: docker in docker support * fix: pr comments 2018-09-04 15:19:01 +03:00			`CMD [ "-h" ]`
Optimized Dockerfile layers and added fingerprint checking Layers are now cleaned up and ordered in a way to minimize breaking of the cache. Additional Docker key fingerprint checking has been added to ensure that we get the eky we are expecting from Docker website. 2018-11-27 08:49:25 -06:00
fix: improvements on docker extra_files 2018-12-16 11:11:01 -02:00			`COPY scripts/entrypoint.sh /entrypoint.sh`
Optimized Dockerfile layers and added fingerprint checking Layers are now cleaned up and ordered in a way to minimize breaking of the cache. Additional Docker key fingerprint checking has been added to ensure that we get the eky we are expecting from Docker website. 2018-11-27 08:49:25 -06:00			`RUN chmod +x /entrypoint.sh`
fix: improvements on docker extra_files 2018-12-16 11:11:01 -02:00
feat: allow to use nfpm packages in the docker pipe (#2003) * feat: copy nfpms to docker image too Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: wip Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: logs Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: fixes Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: improving Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: deprecations and docker improvements Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: revert .goreleaser.yml changes Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: fix Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: fix syntax Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * docs: fixed deprecation warnings Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: fix Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: coverage Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: add one more test case Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: fix Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * test: fix Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> 2021-01-07 16:21:12 -03:00			`COPY goreleaser_*.apk /tmp/`
fix: apk add --no-cache (#2672) 2021-11-17 15:00:10 -03:00			`RUN apk add --no-cache --allow-untrusted /tmp/goreleaser_*.apk`