16930dca70
Dockerfiles: - Merge rustup target add and component add into one chained RUN with || true guard, making it safe if rustfmt/clippy are already present in the base image's default toolchain profile (rust:1.88-slim default profile includes both; the guard is belt-and-suspenders) test.yml: - Add --locked to cargo clippy and cargo test to enforce Cargo.lock during CI, preventing silent dependency upgrades Not addressed (accepted/out of scope): - git in images: already installed in all three Dockerfiles (lines 19, 13, 15 respectively) — reviewer finding was incorrect - HTTP registry: accepted risk for air-gapped self-hosted infrastructure - Image signing (Cosign): no infrastructure in place yet - Hardcoded registry IP: consistent with project-wide pattern
26 lines
877 B
Docker
26 lines
877 B
Docker
# Pre-baked builder for Linux amd64 Tauri releases.
|
|
# All system dependencies are installed once here; CI jobs skip apt-get entirely.
|
|
# Rebuild when: Rust toolchain version changes, webkit2gtk/gtk major version changes,
|
|
# or Node.js major version changes. Tag format: rust<VER>-node<VER>
|
|
FROM rust:1.88-slim
|
|
|
|
RUN apt-get update -qq \
|
|
&& apt-get install -y -qq --no-install-recommends \
|
|
libwebkit2gtk-4.1-dev \
|
|
libssl-dev \
|
|
libgtk-3-dev \
|
|
libayatana-appindicator3-dev \
|
|
librsvg2-dev \
|
|
patchelf \
|
|
pkg-config \
|
|
curl \
|
|
perl \
|
|
jq \
|
|
git \
|
|
&& curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
|
|
&& apt-get install -y --no-install-recommends nodejs \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
RUN rustup target add x86_64-unknown-linux-gnu \
|
|
&& rustup component add rustfmt clippy || true
|