# syntax=docker/dockerfile:1.7
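# Build stage: compile goresearch as a static (CGO-free) binary.
# The stage runs on the build host's native platform (--platform=$BUILDPLATFORM)
# and cross-compiles for the requested target through GOOS/GOARCH.
# The base image is pinned by digest for reproducibility and supply-chain
# integrity; update the digest deliberately when upgrading.
FROM --platform=$BUILDPLATFORM golang:1.24-bookworm@sha256:2679c15c940573aded505b2f2fbbd4e718b5172327aae3ab9f43a10a5c700dfc AS build
WORKDIR /src

# Download modules from the manifests alone so this layer stays cached until
# go.mod or go.sum change.
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
    go mod download

# Copy the rest of the source.
# NOTE(review): this copies the whole build context; confirm a .dockerignore
# keeps .git, local .env files and other credentials out of it.
COPY . .

# Version metadata stamped into the binary through -ldflags. Declared after the
# module download so that changing these values cannot invalidate that layer.
ARG VERSION=0.0.0
ARG COMMIT=dev
ARG DATE=1970-01-01T00:00:00Z

# BuildKit defines TARGETOS/TARGETARCH in the global scope only; they have to be
# redeclared inside the stage to be visible to RUN. Without these two lines
# GOOS/GOARCH expand to empty strings and the binary is built for the build
# host instead of the target platform.
ARG TARGETOS
ARG TARGETARCH

# Build the CLI for the target platform. -trimpath and -s -w drop local paths
# and symbol/debug tables from the shipped binary.
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
    go build -trimpath -ldflags "-s -w -X 'github.com/hyperifyio/goresearch/internal/app.BuildVersion=${VERSION}' -X 'github.com/hyperifyio/goresearch/internal/app.BuildCommit=${COMMIT}' -X 'github.com/hyperifyio/goresearch/internal/app.BuildDate=${DATE}'" \
    -o /out/goresearch ./cmd/goresearch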
# Runtime stage: non-root, minimal distroless image with certs.
# The image is pinned by digest, so the tag alone cannot silently change what
# gets shipped; update the digest deliberately when upgrading.
FROM gcr.io/distroless/static-debian12:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46
# OCI labels for provenance.
# ARG values do not carry over from the build stage, so the build metadata is
# redeclared here (same defaults) for use in the labels below.
ARG VERSION=0.0.0
ARG COMMIT=dev
ARG DATE=1970-01-01T00:00:00Z
LABEL org.opencontainers.image.title="goresearch" \
org.opencontainers.image.description="Generate validated, citation-rich research reports from a single Markdown brief." \
org.opencontainers.image.url="https://github.com/hyperifyio/goresearch" \
org.opencontainers.image.source="https://github.com/hyperifyio/goresearch" \
org.opencontainers.image.version="$VERSION" \
org.opencontainers.image.revision="$COMMIT" \
org.opencontainers.image.created="$DATE"
WORKDIR /app
# Copy only the compiled binary from the build stage; sources and the Go
# toolchain stay behind in that stage.
COPY --from=build /out/goresearch /usr/local/bin/goresearch
# Provide a tiny healthcheck input inside the image.
# Keep content minimal to exercise the dry-run path without network calls.
COPY <<'EOF' /app/healthcheck.md
# Healthcheck Topic
Audience: engineers
Tone: terse
Target length: 10 words
Key questions: hello world
EOF
# Writable volumes for reports and cache.
# NOTE(review): neither directory is created in this image; confirm that the
# mount points Docker creates at run time are writable by the nonroot user, or
# pre-create them with the right ownership.
VOLUME ["/app/reports", "/app/.goresearch-cache"]
# Default non-secret environment can be overridden at runtime. Do not bake
# secrets like API keys into the image.
# NOTE(review): the default is plain HTTP to a service name; presumably meant
# for a private container network only - confirm.
ENV SEARX_URL="http://searxng:8080"
# Healthcheck: quick dry-run that must exit 0 on success.
# NOTE(review): exec-form CMD is not run through a shell, so "${SEARX_URL}" is
# presumably passed to the binary as a literal string rather than the ENV value
# above - confirm, and consider dropping the flag if goresearch reads SEARX_URL
# from the environment itself.
# The check writes its report to /tmp, so a container started with a read-only
# root filesystem needs a writable /tmp for the check to pass.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD ["/usr/local/bin/goresearch", "-dry-run", "-input", "/app/healthcheck.md", "-output", "/tmp/health-report.md", "-searx.url", "${SEARX_URL}"]
# Non-root entrypoint: set the user explicitly instead of relying only on the
# base image's default, and use exec form so the binary runs directly.
USER nonroot:nonroot
ENTRYPOINT ["/usr/local/bin/goresearch"]
# No default CMD; supply flags/env at runtime