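# Reproducible build of a static (jekyll) site served by a single-applet busybox httpd.
#
# Stage layout:
#   build_base       debian, pinned by digest (DEBIAN_HASH)
#   build_pin        resolves REQUIRED_PACKAGES against the live mirror and emits
#                    apt-sources.list / apt-pins.list / apt-hashes.list / apt-packages/
#   build_fetch      re-downloads the pinned versions from snapshot.debian.org and
#                    fails unless every .deb hashes to what build_pin recorded
#   build_reproduce  installs from a committed apt-packages/ directory, after the
#                    same hash comparison
#   build            BUILD_ENV selects one of the three; the later stages install
#                    the pinned set from the resulting local file:// repository
#
# build_pin / build_fetch / build_reproduce consist only of ONBUILD triggers, so
# their work runs in the stage that selects them via FROM build_${BUILD_ENV}.
ARG DEBIAN_HASH=b91baba9c2cae5edbe3b0ff50ae8f05157e3ae6f018372dcfc3aba224acb392b
# One of: pin, fetch, reproduce (see the build_* stages below).
ARG BUILD_ENV=pin

FROM debian@sha256:${DEBIAN_HASH} AS build_base

FROM build_base AS build_pin
ARG DEBIAN_RELEASE=bookworm
ARG REQUIRED_PACKAGES="git ruby ruby-dev ruby-bundler media-types"
# NOTE(review): these ARGs are referenced from ONBUILD triggers, which execute in
# the derived stage -- confirm they are still expanded there; if not, declare them
# again in that stage.
#
# Write snapshot.debian.org sources for today's snapshot so a later fetch sees
# the same package versions.  All three entries are appended into one file.
# [trusted=yes] skips the archive signature check; integrity is enforced instead
# by the sha256 comparison against apt-hashes.list in build_fetch/build_reproduce.
ONBUILD RUN \
    export date=$(date +"%Y%m%dT000000Z") \
    && export url=http://snapshot.debian.org/archive/debian \
    && export rel=${DEBIAN_RELEASE} \
    && echo "deb [trusted=yes] ${url}/${date} ${rel} main" \
        > apt-sources.list \
    && echo "deb [trusted=yes] ${url}-security/${date} ${rel}-security main" \
        >> apt-sources.list \
    && echo "deb [trusted=yes] ${url}/${date} ${rel}-updates main" \
        >> apt-sources.list
# Download (do not install) the required packages and record the sha256 of every
# .deb apt resolved, sorted under LC_ALL=C so the list diffs stably.
ONBUILD RUN \
    apt-get update \
    && apt-get install -y --download-only \
        dpkg-dev bzip2 ${REQUIRED_PACKAGES} \
    && ( cd /var/cache/apt/archives \
        && find . -type f -iname '*.deb' -exec sha256sum {} \; \
        | sed 's#\./##' \
        | LC_ALL=C sort \
        ) > apt-hashes.list \
    && echo "Pinned APT packages:" \
    && cat apt-hashes.list
# Build the "name=version" pin list from the downloaded .debs and turn them into a
# local apt repository under /apt-packages.  The .debs are moved out of the apt
# cache *before* anything is installed -- presumably because the base image's apt
# configuration empties /var/cache/apt/archives once dpkg runs (TODO confirm).
ONBUILD RUN \
    for deb in /var/cache/apt/archives/*.deb; do \
        package=$(dpkg-deb -f "$deb" Package); \
        version=$(dpkg-deb -f "$deb" Version); \
        echo "${package}=${version}" >> apt-pins.list; \
    done \
    && mkdir apt-packages \
    && mv /var/cache/apt/archives/*.deb apt-packages \
    && apt-get install -y bzip2 dpkg-dev \
    && dpkg-scanpackages apt-packages | bzip2 > apt-packages/Packages.bz2

FROM build_base AS build_fetch
ONBUILD COPY apt-hashes.list .
ONBUILD COPY apt-sources.list .
ONBUILD COPY apt-pins.list .
# Re-download exactly the pinned versions from the recorded snapshot and refuse to
# continue unless the downloaded set hashes to apt-hashes.list (extra or missing
# files fail the diff too).  Check-Valid-Until=false: snapshot Release files are
# past their Valid-Until date.  The hashing runs in a subshell so the working
# directory stays / for the diff/mkdir/mv that follow.  As in build_pin, bzip2
# and dpkg-dev are installed after the .debs have been moved out of the cache.
ONBUILD RUN \
    rm -f /etc/apt/sources.list.d/* \
    && mv apt-sources.list /etc/apt/sources.list \
    && apt-get update -o Acquire::Check-Valid-Until=false \
    && apt-get install \
        --download-only \
        --allow-downgrades \
        -o Acquire::Check-Valid-Until=false \
        -y $(cat apt-pins.list) \
    && ( cd /var/cache/apt/archives \
        && find . -type f -iname '*.deb' -exec sha256sum {} \; \
        | sed 's#\./##' \
        | LC_ALL=C sort \
        ) > apt-hashes-compare.list \
    && diff apt-hashes.list apt-hashes-compare.list \
    && mkdir apt-packages \
    && mv /var/cache/apt/archives/*.deb apt-packages \
    && apt-get install -y -o Acquire::Check-Valid-Until=false bzip2 dpkg-dev \
    && dpkg-scanpackages apt-packages | bzip2 > apt-packages/Packages.bz2

FROM build_base AS build_reproduce
ONBUILD COPY apt-hashes.list .
ONBUILD COPY apt-sources.list .
ONBUILD COPY apt-pins.list .
# COPY of a directory copies its *contents*, so the destination must name the
# directory itself for the "file:///. apt-packages/" source below to resolve.
ONBUILD COPY apt-packages apt-packages
# The committed .debs are input this build did not produce: verify that the set
# of files and their hashes match apt-hashes.list before apt (trusted=yes)
# installs them, exactly as build_fetch does for freshly downloaded files.
ONBUILD RUN \
    ( cd apt-packages \
        && find . -type f -iname '*.deb' -exec sha256sum {} \; \
        | sed 's#\./##' \
        | LC_ALL=C sort \
        ) > apt-hashes-compare.list \
    && diff apt-hashes.list apt-hashes-compare.list

# Select the pin source, then install the pinned set from the local repository it
# produced.  The file:// repository carries no signatures, hence trusted=yes; its
# contents were either just downloaded from the live mirror (pin) or hash-checked
# against apt-hashes.list (fetch, reproduce).
FROM build_${BUILD_ENV} AS build
RUN \
    rm -f /etc/apt/sources.list.d/* \
    && echo "deb [trusted=yes] file:///. apt-packages/" > /etc/apt/sources.list \
    && apt-get update -o Acquire::Check-Valid-Until=false \
    && apt-get install \
        --allow-downgrades \
        -y $(cat apt-pins.list)

FROM build AS build-httpd
ARG BUSYBOX_REPO=https://git.busybox.net/busybox
# 1.36.1
ARG BUSYBOX_HASH=1a64f6a20aaf6ea4dbba68bbfa8cc1ab7e5c57c4
# Clone, check out the pinned commit, and confirm HEAD is exactly that commit: a
# branch or tag named like the hash would otherwise be checked out silently.
RUN \
    git clone "${BUSYBOX_REPO}" busybox \
    && git -C busybox checkout "${BUSYBOX_HASH}" \
    && [ "$(git -C busybox rev-parse --verify HEAD)" = "${BUSYBOX_HASH}" ] \
    || { echo 'Error: Git ref/branch collision.'; exit 1; }
WORKDIR /busybox
COPY config/busybox.config .config
# make_single_applets.sh (from the busybox tree) leaves the httpd-only binary as
# busybox_HTTPD; it is moved to /httpd for the final stage to pick up.
RUN \
    echo "building busybox httpd" \
    && make \
    && bash make_single_applets.sh \
    && mv busybox_HTTPD /httpd

FROM build AS build-site
WORKDIR /build
COPY . .
RUN bundle install
RUN jekyll build

FROM build AS build-rootfs
# Minimal passwd/group so uid/gid 100 ("nobody"/"nogroup") resolve inside the
# scratch image.
RUN mkdir -p rootfs/etc \
    && echo "nogroup:*:100:nobody" > rootfs/etc/group \
    && echo "nobody:*:100:100:::" > rootfs/etc/passwd

FROM scratch
# /etc stays root-owned (COPY default) so the unprivileged service account can
# read but not rewrite passwd/group.
COPY --from=build-rootfs /rootfs /
COPY --from=build-site /build/_site /static
COPY --from=build-httpd /httpd /httpd
USER 100:100
EXPOSE 8080
WORKDIR /static
ENTRYPOINT ["/httpd"]
# -f: stay in the foreground (PID 1); -v: verbose request logging.
# NOTE(review): no -p is passed, so the listening port is whatever this busybox
# build defaults to -- confirm it matches EXPOSE 8080 (see config/busybox.config).
CMD ["-f","-v"]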