Conversation

@runabol runabol commented Jan 5, 2026

Problem

The current Docker image is built FROM scratch, which includes no CA certificates. This causes all HTTPS requests to fail with:

tls: failed to verify certificate: x509: certificate signed by unknown authority

This happens even against well-known public endpoints like https://example.com, making the CLI unusable for any TLS-enabled OpenFGA deployment when running in Docker.

Solution

Switch from scratch to gcr.io/distroless/static:nonroot:

FROM gcr.io/distroless/static:nonroot
COPY fga /fga
ENTRYPOINT ["/fga"]

Why distroless?

  • Includes CA certificates - enables HTTPS out of the box
  • Minimal attack surface - no shell, no package manager, no OS utilities
  • Non-root by default - better security posture
  • Small image size - only ~2MB larger than scratch
  • Recommended by Google for static Go binaries

Steps to reproduce

# GOOS=linux GOARCH=amd64  BUILD_DIR=$PWD make build
# docker build --platform=linux/amd64 -t fgacli -f .goreleaser.Dockerfile .
# docker run --platform=linux/amd64 -it --rm -v $PWD:/workdir fgacli --debug model write --file /workdir/model.fga --store-id=some-store-id --api-url=https://example.com
...
tls: failed to verify certificate: x509: certificate signed by unknown authority
...

Summary by CodeRabbit

  • Chores
    • Updated Docker base image to enhance container security and compatibility.

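As an added example (not code from this PR or the OpenFGA CLI), the Go program below reproduces the quoted failure offline: it constructs a throwaway CA and a server leaf, verifies the leaf against an empty root pool (all a FROM scratch image can provide) and against a pool that holds the CA, and adds a startup self-check a container can run to detect a missing trust store. The CA name and hostname are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn: a self-signed CA when
// parent is nil, otherwise a server leaf signed by parent/parentKey.
func mkCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err) // inputs are constructed, so a failure here is a bug
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAgainst does what crypto/tls does for a server certificate: chain the
// leaf to a root in roots and check the hostname. An empty pool fails with
// x509.UnknownAuthorityError, the error quoted in the PR description.
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// systemRootsUsable is a startup self-check: false when the runtime image
// ships no trust store at all, which is the FROM scratch case.
func systemRootsUsable() bool {
	pool, err := x509.SystemCertPool()
	return err == nil && !pool.Equal(x509.NewCertPool())
}
```

Call verifyAgainst with x509.NewCertPool() to reproduce the scratch failure and with a pool holding the CA to see it clear; a binary in the distroless image reports systemRootsUsable() as true, in the scratch image as false, before any request is sent.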
@runabol runabol requested a review from a team as a code owner January 5, 2026 15:46
linux-foundation-easycla bot commented Jan 5, 2026

CLA Missing ID

coderabbitai bot commented Jan 5, 2026

Walkthrough

Updated the goreleaser Dockerfile's base image from scratch to gcr.io/distroless/static:nonroot to provide a minimal runtime environment with security hardening, while maintaining the same COPY and ENTRYPOINT directives.

Changes

Cohort / File(s): Docker Configuration (.goreleaser.Dockerfile)
Summary: Base image changed from scratch to gcr.io/distroless/static:nonroot; ENTRYPOINT line reintroduced with formatting adjustment but no change to execution semantics

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: Passed. The title accurately summarizes the main change, switching the base image to include CA certificates for HTTPS support, which directly addresses the core problem described in the PR objectives.

dosubot bot commented Jan 5, 2026

Related Documentation

Checked 7 published document(s) in 1 knowledge base(s). No updates required.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.goreleaser.Dockerfile (1)

1-1: Excellent fix for the CA certificate issue!

The switch to gcr.io/distroless/static:nonroot correctly addresses the missing CA certificates problem and improves security by running as non-root. This is the recommended base image for static Go binaries.

Consider pinning to a specific digest or versioned tag (e.g., gcr.io/distroless/static:nonroot-amd64@sha256:... or gcr.io/distroless/static:nonroot-20240101) for reproducible builds.

🔎 Example with digest pinning
-FROM gcr.io/distroless/static:nonroot
+FROM gcr.io/distroless/static:nonroot@sha256:<specific-digest>
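Review bot: `@sha256:<specific-digest>` is a placeholder and must be replaced with the real digest before this suggestion is applied; note also that in the `image:tag@sha256:...` form the tag is informational only and the digest decides what is pulled. Pinning freezes the base image, including the CA bundle this PR exists to add, so pair the pin with an automated bump (Renovate, Dependabot or a scheduled rebuild) or the trust store will silently age.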

You can find the latest digest at: https://console.cloud.google.com/gcr/images/distroless/global/static

📥 Commits

Reviewing files that changed from the base of the PR and between 4e5a711 and 40a80be.

📒 Files selected for processing (1)
  • .goreleaser.Dockerfile
🔇 Additional comments (1)
.goreleaser.Dockerfile (1)

2-3: LGTM!

The COPY and ENTRYPOINT directives are correctly configured for the static Go binary.

@rhamzeh rhamzeh changed the title Fix: Add CA certificates to Docker image fix: Add CA certificates to Docker image Jan 6, 2026
rhamzeh commented Jan 6, 2026

@runabol thanks for your PR - would you mind signing the CNCF's CLA above so that we can merge?

runabol commented Jan 7, 2026

@runabol thanks for your PR - would you mind signing the CNCF's CLA above so that we can merge?

I believe this is done now.
