feat: migrate to fully distroless ocm image (#1087)

<!-- markdownlint-disable MD041 -->
#### What this PR does / why we need it

Migrates to Distroless which has a few advantages over alpine:

1. Smaller Base Image
2. No Package Manager or Shell that could be used to exploit
vulnerabilities
3. Non-Root user by default

I also remove the latest check in alpine since it only fetched a tag
anyhow and we should pin by digest

#### Which issue(s) this PR fixes
<!--
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
-->

Dockerfile

@@ -1,5 +1,6 @@
 ARG GO_VERSION="1.23"
 ARG ALPINE_VERSION="3.20"
+ARG DISTROLESS_VERSION=debian12:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build
 
@@ -20,26 +21,21 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     "-s -w -X ocm.software/ocm/api/version.gitVersion=$VERSION -X ocm.software/ocm/api/version.buildDate=$NOW" \
     -o /bin/ocm ./cmds/ocm/main.go
 
-FROM alpine:${ALPINE_VERSION}
+FROM gcr.io/distroless/static-${DISTROLESS_VERSION}
+# pass arg from initial build
+ARG DISTROLESS_VERSION
 
-# Create group and user
-ARG UID=1000
-ARG GID=1000
-RUN addgroup -g "${GID}" ocmGroup && adduser -u "${UID}" ocmUser -G ocmGroup -D
-
-COPY --from=build /bin/ocm /bin/ocm
-COPY --chmod=0755 components/ocmcli/ocm.sh /bin/ocm.sh
+COPY --from=build /bin/ocm /usr/local/bin/ocm
 
 # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
-LABEL org.opencontainers.image.description="Open Component Model command line interface based on Alpine ${ALPINE_VERSION}"
+LABEL org.opencontainers.image.description="Open Component Model command line interface based on Distroless ${DISTROLESS_VERSION}"
 LABEL org.opencontainers.image.vendor="SAP SE"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.url="https://ocm.software/"
 LABEL org.opencontainers.image.source="https://github.com/open-component-model/ocm"
 LABEL org.opencontainers.image.title="ocm"
 LABEL org.opencontainers.image.documentation="https://github.com/open-component-model/ocm/blob/main/docs/reference/ocm.md"
-LABEL org.opencontainers.image.base.name="alpine:${ALPINE_VERSION}"
+LABEL org.opencontainers.image.base.name="gcr.io/distroless/static-${DISTROLESS_VERSION}"
 
-USER ocmUser
-ENTRYPOINT ["/bin/ocm.sh"]
-CMD ["/bin/ocm"]
+ENTRYPOINT ["/usr/local/bin/ocm"]
+CMD ["version"]

components/ocmcli/Dockerfile

@@ -1,21 +1,17 @@
 # This Dockerfile is used by `make` via the Makefile
 
-ARG ALPINE_VERSION="3.20.2"
-FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION}
-
-# Create group and user
-ARG UID=1000
-ARG GID=1000
-RUN addgroup -g "${GID}" ocmGroup && adduser -u "${UID}" ocmUser -G ocmGroup -D
+ARG DISTROLESS_VERSION=debian12:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea
+FROM --platform=$BUILDPLATFORM gcr.io/distroless/static-${DISTROLESS_VERSION}
+# pass arg from initial build
+ARG DISTROLESS_VERSION
 
 ARG SUFFIX
 ARG OCM_VERSION
 
-COPY gen/ocmcli/ocmcli.$SUFFIX /bin/ocm
-COPY --chmod=0755 components/ocmcli/ocm.sh /bin/ocm.sh
+COPY gen/ocmcli/ocmcli.$SUFFIX /usr/local/bin/ocm
 
 # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
-LABEL org.opencontainers.image.description="Open Component Model command line interface based on Alpine ${ALPINE_VERSION}"
+LABEL org.opencontainers.image.description="Open Component Model command line interface based on Distroless ${DISTROLESS_VERSION}"
 LABEL org.opencontainers.image.vendor="SAP SE"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.url="https://ocm.software/"
@@ -24,8 +20,7 @@ LABEL org.opencontainers.image.title="ocm"
 LABEL org.opencontainers.image.version="${OCM_VERSION}"
 LABEL org.opencontainers.image.revision="${OCM_VERSION}"
 LABEL org.opencontainers.image.documentation="https://github.com/open-component-model/ocm/blob/main/docs/reference/ocm.md"
-LABEL org.opencontainers.image.base.name="alpine:${ALPINE_VERSION}"
+LABEL org.opencontainers.image.base.name="gcr.io/distroless/static-${DISTROLESS_VERSION}"
 
-USER ocmUser
-ENTRYPOINT ["/bin/ocm.sh"]
-CMD ["/bin/ocm"]
+ENTRYPOINT ["/usr/local/bin/ocm"]
+CMD ["version"]

components/ocmcli/Makefile

@@ -55,8 +55,6 @@ BUILD_FLAGS := "-s -w \
  -X ocm.software/ocm/api/version.gitCommit=$(COMMIT) \
  -X ocm.software/ocm/api/version.buildDate=$(NOW)"
 
-ALPINE_LATEST_VER=$(shell curl -s https://registry.hub.docker.com/v2/repositories/library/alpine/tags | jq '.results[1].name' | xargs)
-
 .PHONY: build
 build: $(GEN)/build
 
@@ -78,13 +76,11 @@ $(GEN)/image: $(GEN)/.exists Dockerfile $(GEN)/build
 		echo; echo "Building linux instead of darwin as there's no native Docker platform for darwin"; echo; \
 		docker buildx build -t $(IMAGE):$(VERSION) --platform linux/$(PLATFORM_ARCH) --file Dockerfile $(REPO_ROOT) \
 			--build-arg OCM_VERSION=$(EFFECTIVE_VERSION) \
-			--build-arg ALPINE_VERSION=$(ALPINE_LATEST_VER) \
 			--build-arg SUFFIX=$$(echo linux/$(PLATFORM_ARCH) | sed -e s:/:-:g); \
 	else \
 		echo; echo "Building for $(PLATFORM_OS)/$(ARCH)"; echo; \
 		docker buildx build -t $(IMAGE):$(VERSION) --platform $(PLATFORM_OS)/$(PLATFORM_ARCH) --file Dockerfile $(REPO_ROOT) \
 			--build-arg OCM_VERSION=$(EFFECTIVE_VERSION) \
-			--build-arg ALPINE_VERSION=$(ALPINE_LATEST_VER) \
 			--build-arg SUFFIX=$$(echo $(PLATFORM_OS)/$(PLATFORM_ARCH) | sed -e s:/:-:g); \
 	fi
 	@touch $(GEN)/image
@@ -93,13 +89,11 @@ $(GEN)/image: $(GEN)/.exists Dockerfile $(GEN)/build
 image.multi: $(GEN)/image.multi
 
 $(GEN)/image.multi: Dockerfile $(GEN)/build
-	echo "Building with Alpine version: ${ALPINE_LATEST_VER}"
 	for i in $(IMAGE_PLATFORMS); do \
 	tag=$$(echo $$i | sed -e s:/:-:g); \
         echo building platform $$i; \
 	docker buildx build --load -t $(IMAGE):$(VERSION)-$$tag --platform $$i --file Dockerfile $(REPO_ROOT) \
           --build-arg OCM_VERSION=$(EFFECTIVE_VERSION) \
-		  --build-arg ALPINE_VERSION=$(ALPINE_LATEST_VER) \
           --build-arg SUFFIX=$$tag; \
 	done
 	@touch $(GEN)/image.multi