chore: refactor Dockerfile for security and efficiency

- Add a `.dockerignore` file to the repo.
- Update various actions in the Docker workflow to new versions.
- Add steps for setting up QEMU and Docker Buildx in the Docker workflow.
- Update build and push step to use a Dockerfile, add a `final` target, and specify `linux/amd64` as the platform.
- Refactor Dockerfile to use a `latest` tag and add the option for a user ID argument.
- Add several directories in the Dockerfile and set permissions.
- Add a lightweight init system to handle signals and reap processes.
- Update file ownership and permissions when copying the bash scripts to the Docker container.
- Add a step to switch the user in the Dockerfile.
- Change the entrypoint of the Dockerfile to use the added lightweight init system `dumb-init`.

Signed-off-by: 陳鈞 <jim60105@gmail.com>

.dockerignore

@@ -0,0 +1,13 @@
+**/LICENSE
+**/*.md
+**/.hadolint.yml
+**/node_modules
+**/*.log
+**/.git
+**/.gitignore
+**/.env
+**/.github
+**/.vscode
+**/bin
+**/obj
+**/dist

.github/workflows/docker_publish.yml

@@ -22,43 +22,50 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          submodules: true
+        uses: actions/checkout@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ github.event.repository.name }},ghcr.io/${{ github.repository }}
           flavor: |
             latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
             prefix=
             suffix=
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       # Create a Access Token and save it as as Actions secret
       # https://hub.docker.com/settings/security
       # DOCKERHUB_USERNAME
       # DOCKERHUB_TOKEN
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       # Create a Access Token with `read:packages` and `write:packages` scopes
       # CR_PAT
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.CR_PAT }}
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
+          file: ./Dockerfile
           push: true
+          target: final
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64

Dockerfile

@@ -1,21 +1,28 @@
-FROM mcr.microsoft.com/azure-cli
+# syntax=docker/dockerfile:1
+ARG UID=1001
 
-# Set the working directory
+FROM mcr.microsoft.com/azure-cli:latest as final
+
+ARG UID
+
+RUN install -d -m 774 -o $UID -g 0 /app && \
+    install -d -m 774 -o $UID -g 0 /.azure
 WORKDIR /app
 
-# Copy the bash script into the container
-COPY azure-uploader.sh .
+ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /bin/dumb-init 
+RUN chmod +x /bin/dumb-init
 
-# Set the script as executable
-RUN chmod +x azure-uploader.sh
+# Copy the bash script into the container
+COPY --chown=$UID:0 --chmod=774 \
+    azure-uploader.sh .
 
 # Set environment variables
 ENV STORAGE_ACCOUNT_NAME=""
 ENV STORAGE_ACCOUNT_KEY=""
 ENV CONTAINER_NAME=""
 ENV DESTINATION_DIRECTORY=""
 
+USER $UID
 VOLUME [ "/sharedvolume" ]
 
-# Execute the script with provided settings
-ENTRYPOINT ["./azure-uploader.sh"]
+ENTRYPOINT [ "dumb-init", "--", "./azure-uploader.sh" ]