# syntax=dhi.io/build:2-alpine3.23
# Image definition for a minimal Node.js runtime: Alpine v3.23 packages, a
# dedicated non-root account, and a fixed exec-form entrypoint.
# NOTE(review): the syntax line above selects the build frontend by tag, not by
# digest, so the frontend can change between builds. Pin it if reproducible
# builds are required.
# NOTE(review): indentation was reconstructed from a flattened listing; the
# nesting (in particular run-as under accounts) follows the apko-style layout.
# Confirm against the frontend's schema.
contents:
  # Package sources, fetched over HTTPS from the Alpine v3.23 branch.
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
  # Only the runtime and the CA bundle are requested; no npm, shell or package
  # manager is listed. Versions are not pinned, so each build takes whatever
  # the repositories serve at that time.
  # NOTE(review): dependencies pulled in by these packages are not visible
  # here; inspect the built image (or its SBOM) to confirm nothing else ships.
  packages:
    - nodejs
    - ca-certificates
accounts:
  # Dedicated unprivileged group and user, both with id 65532.
  groups:
    - gid: 65532
      name: node
  users:
    - uid: 65532
      gid: 65532
      name: node
  # The container process starts as the unprivileged user instead of root.
  run-as: node
# Working directory; the relative index.js in the entrypoint resolves here.
work-dir: /app
paths:
  # Creates /app owned by the runtime user.
  # NOTE(review): with this ownership the running process can write to /app,
  # so a compromised process could alter the application code. Consider root
  # ownership or a read-only root filesystem at deploy time if the app never
  # writes there.
  # NOTE(review): unquoted 0755 is read as octal (493) by YAML 1.1 parsers and
  # as decimal 755 by YAML 1.2 core-schema parsers. Confirm which form the
  # build frontend expects.
  - path: /app
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0755
environment:
  # Fixed search path made of absolute system directories only.
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  NODE_ENV: production
# This assumes your application code is injected via multi-stage builds or an overlay
# Exec-form entrypoint: node is started directly with index.js as its argument,
# with no shell in between.
entrypoint:
  - /usr/bin/node
  - index.js
# OCI image metadata.
# NOTE(review): the description is a claim about the built image, not something
# this file enforces. Verify it against the image contents.
annotations:
  org.opencontainers.image.title: "hardened-nodejs"
  org.opencontainers.image.description: "Secure Node.js runtime image completely free of package managers"