chore: Convert Dockerfile→Containerfile + add container policy (RSR)

Jonathan D.A. Jewell · Jonathan D.A. Jewell · commit d716abd85db4 · 2025-12-12T16:01:04.000Z
- Renamed Dockerfile to Containerfile
- Updated base images to wolfi where possible
- Added container policy enforcement
- Prefer nerdctl/podman over docker
diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
@@ -23,3 +23,19 @@ This repository needs FULL conversion from TS/JS to ReScript.
 - Use tsc or TypeScript compiler
 
 See TS_CONVERSION_NEEDED.md for full migration guide.
+
+## Container Policy (RSR)
+
+### Primary Stack
+- **Runtime**: nerdctl (not docker)
+- **Base Image**: wolfi (cgr.dev/chainguard/wolfi-base)
+- **Distroless**: Use distroless variants where possible
+
+### Fallback Stack
+- **Runtime**: podman (if nerdctl unavailable)
+- **Base Image**: alpine (if wolfi unavailable)
+
+### DO NOT:
+- Use `docker` command (use `nerdctl` or `podman`)
+- Use Dockerfile (use Containerfile)
+- Use debian/ubuntu base images (use wolfi/alpine)
diff --git a/.github/workflows/container-policy.yml b/.github/workflows/container-policy.yml
@@ -0,0 +1,24 @@
+name: Container Policy
+on: [push, pull_request]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Enforce container policy
+        run: |
+          # Block new Dockerfiles
+          NEW_DOCKER=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -iE 'dockerfile' || true)
+          if [ -n "$NEW_DOCKER" ]; then
+            echo "❌ New Dockerfile detected. Use Containerfile instead."
+            exit 1
+          fi
+          
+          # Check for docker command usage in scripts
+          DOCKER_CMD=$(grep -r "docker build\|docker run\|docker push" --include="*.sh" --include="*.yml" --include="*.yaml" . 2>/dev/null | grep -v "nerdctl\|podman" | head -5 || true)
+          if [ -n "$DOCKER_CMD" ]; then
+            echo "⚠️ docker command found. Prefer nerdctl or podman:"
+            echo "$DOCKER_CMD"
+          fi
+          
+          echo "✅ Container policy check passed"
diff --git a/deployment/Containerfile b/deployment/Containerfile
@@ -7,7 +7,7 @@ FROM rust:1.75-slim as builder
 WORKDIR /build
 
 # Install build dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apk add --no-cache -y \
     pkg-config \
     libssl-dev \
     && rm -rf /var/lib/apt/lists/*
@@ -28,12 +28,12 @@ COPY server/src ./src
 RUN cargo build --release --bin universal-connector-server
 
 # Runtime stage
-FROM debian:bookworm-slim
+FROM cgr.dev/chainguard/wolfi-base:bookworm-slim
 
 WORKDIR /app
 
 # Install runtime dependencies
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apk add --no-cache -y \
     ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
