From 6eb64796e4dcf5533eb8c9b9a0b764fc743681c4 Mon Sep 17 00:00:00 2001
From: jholdstock
Date: Sat, 7 Sep 2024 09:33:53 +0100
Subject: [PATCH] rpc: Refresh Docker for generating protobuf files.

- Pull base image by digest, helping to avoid supply chain attacks.
- Use alpine base image instead of debian (245MB vs 837MB).
- Update from golang 1.21.0 to 1.23.1.
- Download specific version of protobuf from GitHub rather than whatever version happens to be provided by the base images package manager.
---
rpc/Dockerfile | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/rpc/Dockerfile b/rpc/Dockerfile
index dd562a1a4..c16e2b062 100644
--- a/rpc/Dockerfile
+++ b/rpc/Dockerfile
@@ -1,8 +1,17 @@
-FROM golang:1.21.0-bookworm
+# The image below is golang:1.23.1-alpine3.20 (linux/amd64)
+# It's pulled by the digest (immutable id) to avoid supply-chain attacks.
+# Maintainer Note:
+# To update to a new digest, you must first manually pull the new image:
+# `docker pull golang:`
+# Docker will print the digest of the new image after the pull has finished.
+FROM golang@sha256:7ed3ee46b57ffc90cc32b50c7d5f40b2bd452d2dc97e42d6e9da47067f266ef4
-RUN apt-get update && apt-get install -y protobuf-compiler
-
-WORKDIR /build/rpc
-CMD ["/bin/bash", "regen.sh"]
+ENV PB_REPO https://github.com/protocolbuffers/protobuf
+ENV PB_VERSION 27.3
+RUN wget $PB_REPO/releases/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip
+RUN unzip protoc-$PB_VERSION-linux-x86_64.zip -d $HOME/protobuf
+RUN mv $HOME/protobuf/bin/protoc /usr/local/bin
+WORKDIR /build/rpc
+CMD ["./regen.sh"]
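Review bot: The protoc archive fetched by `RUN wget $PB_REPO/releases/download/...` is unpacked and installed with no integrity check, so the base image is pinned by digest while the compiler binary is still whatever the release URL serves at build time. I would record the expected SHA-256 of the zip next to `PB_VERSION` and verify it before `unzip`. Doing the download, check, unpack and cleanup in one `RUN` also keeps the archive out of the image layers. The checksum in the sketch below is a placeholder, to be filled in from a release artifact the maintainers have verified and updated together with `PB_VERSION`.

```dockerfile
# … unchanged: digest-pinned FROM, ENV PB_REPO, ENV PB_VERSION …
ENV PB_SHA256="REPLACE_WITH_SHA256_OF_PROTOC_RELEASE_ZIP"
RUN wget "$PB_REPO/releases/download/v$PB_VERSION/protoc-$PB_VERSION-linux-x86_64.zip" \
 && echo "$PB_SHA256  protoc-$PB_VERSION-linux-x86_64.zip" | sha256sum -c - \
 && unzip "protoc-$PB_VERSION-linux-x86_64.zip" -d "$HOME/protobuf" \
 && mv "$HOME/protobuf/bin/protoc" /usr/local/bin \
 && rm "protoc-$PB_VERSION-linux-x86_64.zip"
# … unchanged: WORKDIR and CMD …
```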