From aa4957063742061187d8386d1124be71499409a6 Mon Sep 17 00:00:00 2001
From: quacumque
Date: Mon, 26 May 2025 15:56:09 +0900
Subject: [PATCH 1/2] build: rootless Dockerfile; fix git sha in version
Signed-off-by: quacumque
---
 Cargo.lock | 1 -
 Cargo.toml | 3 ---
 Dockerfile | 14 +++++++++-----
 build.rs | 19 ++++++++++++++-----
 4 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index c544228..257c8ff 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2740,7 +2740,6 @@ dependencies = [ "url", "utoipa", "utoipa-scalar", - "vergen", ] [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index eea72b7..28658c8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -41,6 +41,3 @@ expect-test = "1.5.0"
 iroha_crypto = { git = "https://github.com/hyperledger-iroha/iroha.git", rev = "v2.0.0-rc.2.0", features = ["rand"] }
 tokio = { version = "1", features = ["process"] }
-[build-dependencies]
-vergen = { version = "8.3.1", default-features = false, features = ["cargo"] }
-
diff --git a/Dockerfile b/Dockerfile
index f81c207..289a6ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,14 +2,18 @@ FROM rust:alpine3.21 AS builder
 WORKDIR /app
-RUN apk add musl-dev pkgconfig openssl-dev openssl-libs-static
-
-# NOTE: this disregards `./rust-toolchain.toml`, but it's fine
-COPY Cargo.lock Cargo.toml build.rs ./
+RUN apk add build-base pkgconfig openssl-dev openssl-libs-static git
+COPY Cargo* rust-toolchain.toml build.rs ./
 COPY src src
-RUN cargo fetch
+COPY .git .git
+RUN cargo fetch --locked
 RUN cargo build --release
 FROM alpine:3.21
+
 COPY --from=builder /app/target/release/iroha_explorer /usr/local/bin/
+
+RUN adduser --disabled-password --gecos '' explorer
+USER explorer
+
 CMD iroha_explorer serve
diff --git a/build.rs b/build.rs
index 03a664a..5bc5c92 100644
--- a/build.rs
+++ b/build.rs
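Review bot: In the Dockerfile hunk of patch 1/2, `COPY .git .git` places the repository's full history and `.git/config` into a builder layer only so that build.rs can read one short hash. The builder stage is not part of the final image, but its layers still land in the build cache and in any registry that cache is exported to, and if a remote URL in `.git/config` ever embeds a token it travels with them; the layer is also invalidated on every commit. Consider passing the hash in through a build argument instead, e.g. `ARG GIT_SHA` in the builder stage with build.rs preferring that variable over invoking git. Separately, `RUN cargo build --release` could take `--locked` as the fetch step now does, so the compile step cannot re-resolve dependencies on its own.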
@@ -1,7 +1,16 @@
+fn emit_git_sha() {
+ let output = std::process::Command::new("git")
+ .args(&["rev-parse", "--short", "HEAD"])
+ .output()
+ .expect("build script is executed with `git` installed and `.git` available");
+
+ let git_hash = String::from_utf8(output.stdout).unwrap();
+ println!("cargo:rustc-env=VERGEN_GIT_SHA={}", git_hash.trim());
+
+ println!("cargo:rerun-if-changed=.git/HEAD");
+ println!("cargo:rerun-if-changed=.git/refs/heads/");
+}
+
 fn main() {
- vergen::EmitBuilder::builder()
- .git_sha(true)
- .cargo_features()
- .emit()
- .unwrap();
+ emit_git_sha();
 }
From f3e05db71fe51ba490cbc966f9dc82b5cc1001c3 Mon Sep 17 00:00:00 2001
From: quacumque
Date: Tue, 27 May 2025 13:06:59 +0900
Subject: [PATCH 2/2] build(Dockerfile): specify UID and GID
Signed-off-by: quacumque
---
 Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 289a6ea..99c4cc2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,12 @@ FROM alpine:3.21
 COPY --from=builder /app/target/release/iroha_explorer /usr/local/bin/
-RUN adduser --disabled-password --gecos '' explorer
+ARG UID=1001
+ARG GID=1001
+
+RUN addgroup -g $GID explorer \
+ && adduser -D -H -u $UID -G explorer explorer
+
 USER explorer
 CMD iroha_explorer serve
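Review bot: In the build.rs hunk, `emit_git_sha` never inspects `output.status`, so the `.expect(...)` only covers the case where `git` cannot be spawned at all. When git runs but exits non-zero (no repository in the build context, or a checkout it refuses to operate on), stdout is empty and `VERGEN_GIT_SHA` is emitted as an empty string without any build error, even though the subject line says this hash feeds the version string. I would fail loudly right after the `.expect(...)` with `assert!(output.status.success(), "git rev-parse failed: {}", String::from_utf8_lossy(&output.stderr));`. As a style point, `.args(&[...])` can take the array by value, `.args(["rev-parse", "--short", "HEAD"])`.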
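Review bot: In the Dockerfile hunk of patch 2/2, the context line `USER explorer` still selects the account by name even though the new `ARG UID` and `ARG GID` make the numeric IDs available. Orchestrators that enforce a non-root policy from image metadata, such as Kubernetes with `runAsNonRoot: true`, cannot verify a named user and refuse to start the container; `USER $UID:$GID` keeps the same account and lets that check pass. A short comment above the two `ARG` lines noting that they can be overridden with `--build-arg` to match the ownership of mounted volumes would also help whoever deploys this image.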