gogs/Dockerfile.next

FROM golang:alpine3.23 AS binarybuilder
RUN apk --no-cache --no-progress add --virtual \
  build-deps \
  build-base \
  git \
  linux-pam-dev

WORKDIR /gogs.io/gogs
COPY . .

RUN ./docker/build/install-task.sh
RUN TAGS="cert pam" task build

FROM alpine:3.23

# Create git user and group with fixed UID/GID at build time for better K8s security context support.
# Using 1000:1000 as it's a common non-root UID/GID that works well with most volume permission setups.
ARG GOGS_UID=1000
ARG GOGS_GID=1000
RUN addgroup -g ${GOGS_GID} -S git && \
    adduser -u ${GOGS_UID} -G git -H -D -g 'Gogs Git User' -h /data/git -s /bin/sh git

RUN apk --no-cache --no-progress add \
  bash \
  ca-certificates \
  curl \
  git \
  linux-pam \
  openssh-keygen

ENV GOGS_CUSTOM=/data/gogs

WORKDIR /app/gogs
COPY --from=binarybuilder /gogs.io/gogs/.bin/gogs .
COPY docker-next/start.sh .
RUN chmod +x start.sh && \
    mkdir -p /data && \
    ln -s /data/git /home/git && \
    chown -R git:git /app/gogs /data

# Configure Docker Container
VOLUME ["/data", "/backup"]
EXPOSE 22 3000
HEALTHCHECK CMD (curl --noproxy localhost -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1

# Run as non-root user by default for better K8s security context support.
USER git:git

ENTRYPOINT ["/app/gogs/start.sh"]
CMD ["/app/gogs/gogs", "web"]