build: Upgrade Go version to 1.25.7 and switch Docker final image to scratch. (#5)

mayurkr · web-flow · commit 49335f909ea5 · 2026-03-03T18:04:06.000+05:30
* build: Upgrade Go version to 1.25.7 and switch Docker final image to scratch.

* Remove copying of timezone data and passwd file from the builder stage in Dockerfile.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.25.3-alpine AS builder
+FROM golang:1.25.7-alpine AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG VERSION=dev
@@ -8,9 +8,6 @@ ARG BUILD_DATE=unknown
 
 WORKDIR /workspace
 
-# Install ca-certificates for HTTPS calls in the final image
-RUN apk add --no-cache ca-certificates
-
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
@@ -21,16 +18,19 @@ RUN go mod download
 COPY . .
 
 # Build with version info injected via ldflags
+# CGO_ENABLED=0 produces a fully static binary — no libc/OS dependencies
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build \
     -ldflags="-s -w \
     -X github.com/aotanami/aotanami/internal/version.Version=${VERSION} \
     -X github.com/aotanami/aotanami/internal/version.Commit=${COMMIT} \
     -X github.com/aotanami/aotanami/internal/version.Date=${BUILD_DATE}" \
     -a -o manager cmd/main.go
 
-# Use distroless as minimal base image
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static-debian12:nonroot
+# ── Final stage: scratch (zero OS packages = zero OS CVEs) ──────────────────
+# Since the binary is statically compiled (CGO_ENABLED=0), we don't need any
+# OS libraries. Using scratch instead of distroless eliminates ALL OS-level
+# vulnerabilities from the image scan.
+FROM scratch
 
 # OCI Image Spec labels
 # https://github.com/opencontainers/image-spec/blob/main/annotations.md
@@ -42,6 +42,10 @@ LABEL org.opencontainers.image.vendor="Zelyo AI"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.documentation="https://github.com/aotanami/aotanami/tree/main/docs"
 
+# Copy CA certificates for TLS (Aotanami makes HTTPS calls to LLM APIs)
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+# Copy the statically-linked binary
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/aotanami/aotanami
 
-go 1.25.3
+go 1.25.7
 
 require (
 	github.com/onsi/ginkgo/v2 v2.27.2
