ci: remove scratch image variant, simplify Dockerfile

Single image target only. No -scratch tags.

Author: hanzo-dev

.github/workflows/release.docker.yml

@@ -24,57 +24,24 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Default (Debian) image
-      - id: meta-default
+      - id: meta
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/hanzoai/replicate
           tags: |
             type=ref,event=branch
             type=ref,event=pr
-            type=sha
-            type=sha,format=long
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
       - uses: docker/build-push-action@v6
         with:
           context: .
-          target: default
           push: true
           provenance: true
           sbom: true
           platforms: ${{ env.PLATFORMS }}
-          tags: ${{ steps.meta-default.outputs.tags }}
-          labels: ${{ steps.meta-default.outputs.labels }}
-          build-args: |
-            REPLICATE_VERSION=${{ env.VERSION }}
-
-      # Hardened (Scratch) image
-      - id: meta-scratch
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/hanzoai/replicate
-          flavor: |
-            latest=auto
-            suffix=-scratch
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=sha
-            type=sha,format=long
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-
-      - uses: docker/build-push-action@v6
-        with:
-          context: .
-          target: hardened
-          push: true
-          provenance: true
-          sbom: true
-          platforms: ${{ env.PLATFORMS }}
-          tags: ${{ steps.meta-scratch.outputs.tags }}
-          labels: ${{ steps.meta-scratch.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             REPLICATE_VERSION=${{ env.VERSION }}

Dockerfile

@@ -28,23 +28,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 	dist/replicate-vfs.a \
 	-lpthread -ldl -lm
 
-# --- Hardened image (Scratch) ---
-FROM alpine:3.21 AS certs
-RUN apk --update add ca-certificates && \
-	echo "nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin" > /etc/minimal-passwd && \
-	echo "nonroot:x:65532:" > /etc/minimal-group
-
-FROM scratch AS hardened
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=certs /etc/minimal-passwd /etc/passwd
-COPY --from=certs /etc/minimal-group /etc/group
-COPY --from=builder /usr/local/bin/replicate /usr/local/bin/replicate
-USER nonroot:nonroot
-ENTRYPOINT ["/usr/local/bin/replicate"]
-CMD []
-
-# --- Default image (Debian) ---
-FROM debian:bookworm-slim AS default
+FROM debian:bookworm-slim
 
 RUN apt-get update && \
 	apt-get install -y ca-certificates sqlite3 && \