11FROM nginx@sha256:b6653fca400812e81569f9be762ae315db685bc30b12ddcdc8616c63a227d3ca
22
3- COPY pinned-packages.txt /tmp/
4-
5- RUN set -e; \
3+ RUN --mount=type=bind,source=pinned-packages.txt,target=/tmp/pinned-packages.txt,ro \
4+ set -e; \
65 # Create a sources.list file pointing to a specific snapshot
76 echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250411T024939Z bookworm main' > /etc/apt/sources.list && \
87 echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250411T024939Z bookworm-security main' >> /etc/apt/sources.list && \
@@ -28,7 +27,7 @@ RUN set -e; \
2827 curl \
2928 jq \
3029 coreutils && \
31- rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache /tmp/pinned-packages.txt
30+ rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache
3231
3332RUN mkdir -p \
3433 /etc/letsencrypt \
@@ -37,11 +36,29 @@ RUN mkdir -p \
3736 /etc/nginx/conf.d \
3837 /var/log/nginx
3938
40- COPY ./scripts /scripts/
41- RUN chmod +x /scripts/*.sh /scripts/*.py
39+ # Install scripts with deterministic permissions via bind mount
40+ RUN --mount=type=bind,source=scripts,target=/tmp/scripts,ro \
41+ /bin/bash -o pipefail -c 'set -euo pipefail; \
42+ rm -rf /scripts && mkdir -p /scripts && chmod 755 /scripts && \
43+ cd /tmp/scripts && \
44+ find . -type d -print0 | while IFS= read -r -d "" dir; do \
45+ rel="${dir#./}"; \
46+ [[ -z "$rel" ]] && continue; \
47+ install -d -m 755 "/scripts/$rel"; \
48+ done && \
49+ find . -type f -print0 | while IFS= read -r -d "" file; do \
50+ rel="${file#./}"; \
51+ perm=644; \
52+ case "$rel" in \
53+ *.sh) perm=755 ;; \
54+ *.py) case "$rel" in */*) perm=644 ;; *) perm=755 ;; esac ;; \
55+ esac; \
56+ install -m "$perm" "$file" "/scripts/$rel"; \
57+ done'
58+
4259ENV PATH="/scripts:$PATH"
4360ENV PYTHONPATH="/scripts"
44- COPY .GIT_REV /etc/
61+ COPY --chmod=666 .GIT_REV /etc/
4562
4663ENTRYPOINT ["/scripts/entrypoint.sh" ]
4764CMD ["nginx" , "-g" , "daemon off;" ]
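Review bot: The new `COPY --chmod=666 .GIT_REV /etc/` makes the revision marker world-writable inside the image, so any non-root process in the container can overwrite the recorded revision; if the goal was only deterministic permissions (the previous bare COPY inherited the context file's mode), `COPY --chmod=644 .GIT_REV /etc/` gives the same reproducibility without the write bit, unless something in entrypoint.sh actually writes to it at runtime, which is not visible here. In the scripts RUN, the `[[ -z "$rel" ]] && continue` guard never fires because `find . -type d` yields `.` and `${dir#./}` leaves it as `.`, so the loop runs `install -d -m 755 /scripts/.`; harmless, but `[[ "$rel" == . ]] && continue` would match the intent. Note also that `find . -type f` skips symlinks, so any symlinked script under scripts/ that the old `COPY ./scripts` carried over is now silently dropped.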