From e1adc4ee8f5c517f881ccb639cc826f061db887d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Van=C4=8Dura?= <commit@vancura.dev>
Date: Wed, 22 Jan 2025 12:03:34 +0100
Subject: [PATCH] Actor: Optimize Dockerfile with security and size
 improvements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Combine RUN commands to reduce image layers and overall size.
- Add non-root user `appuser` for improved security.
- Use `--no-install-recommends` flag to minimize installed packages.
- Install only necessary dependencies in a single RUN command.
- Maintain proper cleanup of package lists and caches.

Signed-off-by: Václav Vančura <commit@vancura.dev>
---
 .actor/Dockerfile | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/.actor/Dockerfile b/.actor/Dockerfile
index 1d158b28..98c42ba9 100644
--- a/.actor/Dockerfile
+++ b/.actor/Dockerfile
@@ -1,16 +1,18 @@
 FROM python:3.11-slim-bookworm
 
-RUN apt-get update && apt-get install -y file procps curl gpg
 
-RUN mkdir -p /etc/apt/keyrings && \
+RUN groupadd -r appuser && useradd -r -g appuser -s /sbin/nologin appuser && \
+    \
+    apt-get update && apt-get install -y --no-install-recommends bash curl file git gpg jo jq procps xz-utils && \
+    mkdir -p /etc/apt/keyrings && \
     curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
-    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list
-
-RUN apt-get update && apt-get install -y nodejs bash git jq jo xz-utils && apt-get clean && rm -rf /var/lib/apt/lists/*
-
-RUN pip install --no-cache-dir docling
-
-RUN npm install -g apify-cli && npm cache clean --force
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && apt-get install -y nodejs && apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    \
+    pip install --no-cache-dir docling && \
+    npm install -g apify-cli && \
+    npm cache clean --force
 
 WORKDIR /app