Restructure Docker image from scratch

Author: mottljan1

.dockleignore

@@ -0,0 +1,6 @@
+# [Enable Content trust for Docker] - We don't really need this much because only we both publish and pull
+# this image and pin the version so we can't accidentally pull unknown malicious image.
+CIS-DI-0005
+
+# [Add HEALTHCHECK instruction to the container image] - Does not make sense for our CI image.
+CIS-DI-0006

.github/actions/common-preflight-check/action.yml

@@ -9,6 +9,16 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+      with:
+        version: "v0.31.1"
+
+    - name: Set up Docker Compose
+      uses: docker/setup-compose-action@v1
+      with:
+        version: "v5.0.2"
+
     - name: Build image
       shell: bash
       env:

.github/workflows/pull_request.yml

@@ -20,8 +20,8 @@ jobs:
       - name: Login
         uses: ./.github/actions/login
         with:
-          user-name: ${{ secrets.DOCKER_HUB_USERNAME }}
-          token: ${{ secrets.DOCKER_HUB_TOKEN }}
+          user-name: ${{ vars.DOCKER_HUB_TEST_USERNAME }}
+          token: ${{ vars.DOCKER_HUB_TEST_TOKEN }}
 
       - name: Preflight checks
         uses: ./.github/actions/common-preflight-check

CHANGELOG.MD

@@ -1,9 +1,28 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v3.0.0] - 2026-02-17
+### Changed
+- Complete rewrite of Dockerfile using multi-stage build architecture (separate stages for Java, Android SDK, Danger, Git LFS)
+- Danger JS installation now runs as `nonroot` user to reduce attack surface
+- Node.js installed from system apt packages instead of via nvm
+- Updated Android cmdline-tools to 14742923, platform to 36, build-tools to 36.1.0
+
+### Added
+- Checksum verification for all downloaded artifacts (Java, Kotlin compiler, danger-kotlin)
+- Integration of shai-hulud supply chain attack detector for npm packages
+- npm scripts disabled globally to prevent supply chain attacks
+- Final image runs as `nonroot` user
+
+### Removed
+- Flutter support
+- nvm and Node.js version management
+- Google Cloud CLI
+- Privilege escalation binaries from final image (`su`, `apt`, `apt-get`, `apt-cache`, `dpkg`, `unix_chkpwd`)
+
 ## [v2.8.0] - 2025-12-04
 ### Changed
 - Update danger kotlin to 1.3.4