build image with restricted user and venv

.gitea/workflows/create_and_push_multiarch_container.yml

@@ -0,0 +1,64 @@
+name: release-tag
+
+on:
+  workflow_dispatch: # Manuelles Auslösen des Workflows
+    inputs:
+      image_tag:
+        description: '2. Tag für das Docker-Image (außer latest) (z.B. v1.0.0)'
+        required: true
+        default: '1.6.0'
+
+env:
+  image_name_gitea: flask-qr
+  image_name_github: flask-qrcode-generator
+  image_name_dockerhub: flask-qrcode-generator
+  registry_gitea: gitea.tebarius.duckdns.org
+  registry_github: ghcr.io
+  user: tebarius
+
+jobs:
+  release-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Login to Gitea
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.registry_gitea }}
+          username: ${{ env.user }}
+          password: ${{ secrets.IMAGE_REGISTRY_TOKEN_GITEA }}
+
+      - name: Login to Github
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.registry_github }}
+          username: ${{ env.user }}
+          password: ${{ secrets.TOKEN_GITHUB }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ env.user }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Build and push
+        run: |
+          # Stelle sicher, dass Buildx aktiviert ist
+          docker buildx create --use
+
+          # Führe den Multiarch-Build aus und pushe das Image
+          docker buildx build \
+            --file ./Dockerfile \
+            --platform linux/amd64,linux/386,linux/arm64,linux/arm/v7 \
+            --tag ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ github.event.inputs.image_tag }} \
+            --tag ${{ env.registry_github }}/${{ env.user }}/${{ env.image_name_github }}:${{ github.event.inputs.image_tag }} \
+            --tag ${{ env.user }}/${{ env.image_name_dockerhub }}:${{ github.event.inputs.image_tag }} \
+            --tag ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:latest \
+            --tag ${{ env.registry_github }}/${{ env.user }}/${{ env.image_name_github }}:latest \
+            --tag ${{ env.user }}/${{ env.image_name_dockerhub }}:latest \
+            --push ./

.gitea/workflows/trivy_image_scan.yml

@@ -0,0 +1,28 @@
+name: release-tag
+
+on:
+  workflow_dispatch: # Manuelles Auslösen des Workflows
+    inputs:
+      image_tag:
+        description: 'Tag für das zu scannende Docker-Image z.B. latest'
+        required: true
+        default: 'latest'
+
+env:
+  image_name_gitea: flask-qr
+  registry_gitea: gitea.tebarius.duckdns.org
+  user: tebarius
+
+jobs:
+  trivy_image_scan:
+    runs-on: ubuntu-latest
+    container: aquasec/trivy:latest
+    steps:
+      - name: Scan image with trivy
+        run: |
+          trivy image \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity MEDIUM,HIGH,CRITICAL \
+          --ignore-unfixed \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ github.event.inputs.image_tag }}

.gitignore

@@ -1 +1,2 @@
 /venv/
+/.venv/

Dockerfile

@@ -1,14 +1,13 @@
-FROM python:3.13-slim
+FROM python:3.14-slim
+LABEL authors="tebarius"
+LABEL description="QR-Code-Generator-Server with Flask-App"
 
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
-
+ENV PYTHONDONTWRITEBYTECODE=1
-LABEL authors="tebarius"
+ENV PYTHONUNBUFFERED=1
-LABEL version="1.5.0"
+ENV PATH="/qr-venv/bin:$PATH"
-LABEL description="QR-Code-Generator-Server with Flask-App"
+ENV HTTP_METHOD=POST
-
-WORKDIR /app
-COPY ./app /app/
 
 RUN apt-get update && \
     if [ "$TARGETPLATFORM" = "linux/arm/v7" ] || [ "$TARGETPLATFORM" = "linux/386" ]; then \
@@ -17,11 +16,17 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-RUN python -m pip install --upgrade pip
+WORKDIR /app
-RUN pip install --no-cache-dir --trusted-host pypi.python.org -r requirements.txt
+COPY ./app /app/
+
+RUN python -m venv /qr-venv \
+    && python -m pip install --upgrade pip \
+    && pip install --no-cache-dir -r requirements.txt \
+    && useradd -m -u 1000 qr \
+    && chown -R qr:qr /app
+
+USER qr
 
 EXPOSE 8002
 
-ENV HTTP_METHOD=POST
-
 CMD ["sh", "-c", "python ${HTTP_METHOD}-Flask-QR.py"]