Actor: Optimize Dockerfile with security and size improvements

- Combine RUN commands to reduce image layers and overall size. - Add non-root user `appuser` for improved security. - Use `--no-install-recommends` flag to minimize installed packages. - Install only necessary dependencies in a single RUN command. - Maintain proper cleanup of package lists and caches. Signed-off-by: Václav Vančura <commit@vancura.dev>
2025-07-30 22:14:37 +00:00 · 2025-01-22 12:03:34 +01:00 · 2025-01-22 12:03:34 +01:00 · e1adc4ee8f
commit e1adc4ee8f
parent 19f612c009
1 changed files with 11 additions and 9 deletions
--- a/.actor/Dockerfile
+++ b/.actor/Dockerfile
@ -1,16 +1,18 @@
 FROM python:3.11-slim-bookworm

-RUN apt-get update && apt-get install -y file procps curl gpg

-RUN mkdir -p /etc/apt/keyrings && \
+RUN groupadd -r appuser && useradd -r -g appuser -s /sbin/nologin appuser && \
+    \
+    apt-get update && apt-get install -y --no-install-recommends bash curl file git gpg jo jq procps xz-utils && \
+    mkdir -p /etc/apt/keyrings && \
    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
-    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list
-
-RUN apt-get update && apt-get install -y nodejs bash git jq jo xz-utils && apt-get clean && rm -rf /var/lib/apt/lists/*
-
-RUN pip install --no-cache-dir docling
-
-RUN npm install -g apify-cli && npm cache clean --force
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && apt-get install -y nodejs && apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    \
+    pip install --no-cache-dir docling && \
+    npm install -g apify-cli && \
+    npm cache clean --force

 WORKDIR /app