S allius/issue216 (#235)

* improve docker run

- establish multistage Dockerfile
- build a python wheel for all needed packages
- remove unneeded tools like apk for runtime

* pin versions, fix hadolint warnings

* merge from dev-0.12

---------

Co-authored-by: Michael Metz <michael.metz@siemens.com>

app/Dockerfile

@@ -5,13 +5,12 @@ ARG GID=1000
 #
 # first stage for our base image
 FROM python:3.13-alpine AS base
-USER root
 
-COPY --chmod=0700 ./hardening_base.sh .
+COPY --chmod=0700 ./hardening_base.sh /
 RUN apk upgrade --no-cache && \
-    apk add --no-cache su-exec	&& \
-    ./hardening_base.sh && \
-    rm ./hardening_base.sh
+    apk add --no-cache su-exec=0.2-r3	&& \
+    /hardening_base.sh && \
+    rm /hardening_base.sh
 
 #
 # second stage for building wheels packages
@@ -19,8 +18,8 @@ FROM base AS builder
 
 # copy the dependencies file to the root dir and install requirements
 COPY ./requirements.txt /root/
-RUN apk add --no-cache build-base && \
-    python -m pip install --no-cache-dir -U pip wheel && \
+RUN apk add --no-cache build-base=0.5-r3 && \
+    python -m pip install --no-cache-dir pip==24.3.1 wheel==0.45.1 && \
     python -OO -m pip wheel --no-cache-dir --wheel-dir=/root/wheels -r /root/requirements.txt
 
 
@@ -50,9 +49,9 @@ VOLUME ["/home/$SERVICE_NAME/log", "/home/$SERVICE_NAME/config"]
 # and unistall python packages and alpine package manger to reduce attack surface
 COPY --from=builder /root/wheels /root/wheels
 COPY --chmod=0700 ./hardening_final.sh .
-RUN python -m pip install --no-cache --no-index /root/wheels/* && \
+RUN python -m pip install --no-cache-dir --no-cache --no-index /root/wheels/* && \
     rm -rf /root/wheels && \
-    python -m pip uninstall --yes setuptools wheel pip && \
+    python -m pip uninstall --yes wheel pip && \
     apk --purge del apk-tools && \
     ./hardening_final.sh && \
     rm ./hardening_final.sh