From ce05c0e65f00d5db4520b27fa25b4dbcc274dfa4 Mon Sep 17 00:00:00 2001
From: Maciej Dudkowski <maciej.dudkowski@temporal.io>
Date: Wed, 9 Jul 2025 18:32:41 -0400
Subject: [PATCH 1/2] Updated Dockerfile in preparation for public Docker image

---
 .gitignore      |  3 +++
 CONTRIBUTING.md | 15 +++++++++++++++
 Dockerfile      | 26 +++++++-------------------
 3 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/.gitignore b/.gitignore
index 67040f2e7..14b4adaac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,9 @@
 /temporal
 /temporal.exe
 
+# Goreleaser output
+/dist
+
 # Used by IDE
 /.idea
 /.vscode
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a35a33514..122c7140f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -46,3 +46,18 @@ Note that inclusion of space characters in the value supplied via `-ldflags` is
 Here's an example that adds branch info from a local repo to the version string, and includes a space character:
 
     go build -ldflags "-X 'github.com/temporalio/cli/temporalcli.buildInfo=ServerBranch $(git -C ../temporal rev-parse --abbrev-ref HEAD)'" -o temporal ./cmd/temporal/main.go
+
+## Building Docker image
+
+Docker image build requires [Goreleaser](https://goreleaser.com/) to build the binaries first, although it doesn't use
+Goreleaser for the Docker image itself.
+
+First, run the Goreleaser build:
+
+    goreleaser build --snapshot --clean
+
+Then, run the Docker build using the following command:
+
+    docker build --tag temporalio/temporal:snapshot --platform=<platform> .
+
+Currently only `linux/amd64` and `linux/arm64` platforms are supported.
diff --git a/Dockerfile b/Dockerfile
index 898552833..5e23b62db 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,9 @@
-FROM golang:1.24-bookworm AS builder
+FROM --platform=$BUILDARCH scratch AS dist
+COPY ./dist/nix_linux_amd64_v1/temporal /dist/amd64/temporal
+COPY ./dist/nix_linux_arm64/temporal /dist/arm64/temporal
 
-WORKDIR /app
+FROM alpine:3.22
+ARG TARGETARCH
+COPY --from=dist /dist/$TARGETARCH/temporal /usr/local/bin/temporal
 
-# Copy everything
-COPY . ./
-
-# Build
-RUN go build ./cmd/temporal
-
-# Use slim container for running
-FROM debian:bookworm-slim
-RUN set -x && apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    ca-certificates && \
-    rm -rf /var/lib/apt/lists/*
-
-# Copy binary
-COPY --from=builder /app/temporal /app/temporal
-
-# Set CLI as primary entrypoint
-ENTRYPOINT ["/app/temporal"]
+ENTRYPOINT ["temporal"]

From 9d825b291b5d6686dac4f55e78ececeb21a57386 Mon Sep 17 00:00:00 2001
From: Maciej Dudkowski <maciej.dudkowski@temporal.io>
Date: Thu, 10 Jul 2025 11:29:33 -0400
Subject: [PATCH 2/2] Added ca-certificates and created user account in
 Dockerfile

---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 5e23b62db..05c3938a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,9 @@ COPY ./dist/nix_linux_arm64/temporal /dist/arm64/temporal
 
 FROM alpine:3.22
 ARG TARGETARCH
+RUN apk add --no-cache ca-certificates
 COPY --from=dist /dist/$TARGETARCH/temporal /usr/local/bin/temporal
+RUN adduser -u 1000 -D temporal
+USER temporal
 
 ENTRYPOINT ["temporal"]