From dd291eecb328e31480c4cf03776e130fd976f98f Mon Sep 17 00:00:00 2001
From: actualben
Date: Wed, 21 Jan 2026 10:42:49 +0100
Subject: [PATCH 1/3] add nonroot account to scratch container
---
 Dockerfile | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index cd3a934..c1737b2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,7 @@
 FROM alpine:edge AS dist
 ARG TARGETARCH TARGETOS
+ARG NONROOT_UID=65532
+ARG NONROOT_GID=65532
 # hadolint ignore=DL3018
 RUN apk add --no-cache ca-certificates
@@ -8,10 +10,24 @@ RUN apk add --no-cache ca-certificates
 COPY dist/registryproxy_${TARGETOS}_${TARGETARCH}_*/registryproxy* /
 RUN chmod +x /registryproxy;
+# create the 'nonroot' account
+RUN set -eux; \
+ etc_build="/build/etc"; \
+ mkdir -p "$etc_build"; \
+ writeto() { output_file=$1; shift; printf '%s\n' "$*" >>"$output_file"; }; \
+ writeto "${etc_build}/passwd" "nonroot:x:${NONROOT_UID}:${NONROOT_GID}:nonroot:/home/nonroot:/sbin/nologin"; \
+ writeto "${etc_build}/shadow" "nonroot:*:18313:0:99999:7:::"; \
+ writeto "${etc_build}/group" "nonroot:x:${NONROOT_GID}:"; \
+ writeto "${etc_build}/gshadow" "nonroot:::"; \
+ :
+
 FROM scratch
 LABEL maintainer="Backplane BV "
+COPY --from=dist /build/etc/* /etc/
 COPY --from=dist /etc/ssl /etc/ssl/
 COPY --from=dist /registryproxy /
+USER nonroot
+
 ENTRYPOINT [ "/registryproxy" ]
From 2315c29636251d2d5494341dcff0a6514a2c2f85 Mon Sep 17 00:00:00 2001
From: actualben
Date: Wed, 21 Jan 2026 14:14:47 +0100
Subject: [PATCH 2/3] update workflow with standard build args and explicitly set provenance: mode=max
---
 .github/workflows/release.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c37cb64..215c787 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
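Review bot: `USER nonroot` in the scratch stage names the account instead of its UID, so a runtime that enforces `runAsNonRoot` (Kubernetes does, unless the pod spec also sets `runAsUser`) cannot verify the user from the image config and refuses to start the container; because `NONROOT_UID`/`NONROOT_GID` are only declared in the `dist` stage, either redeclare them after `FROM scratch` and use `USER ${NONROOT_UID}:${NONROOT_GID}`, or write `USER 65532:65532` (the copied passwd/group files still map it to the name). `COPY --from=dist /build/etc/* /etc/` also ships `shadow` and `gshadow`, which nothing in a scratch image reads and which the `writeto` helper created with the build shell's default umask, so they are most likely world-readable and will be flagged by image scanners; `COPY --from=dist /build/etc/passwd /build/etc/group /etc/` carries only what `USER` needs. The passwd entry records `/home/nonroot` as home, but no such directory exists in the final image — harmless if registryproxy never writes under `$HOME`, worth confirming.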
@@ -136,9 +136,16 @@ jobs:
 with:
 push: true
 context: .
- tags: ${{ steps.meta.outputs.tags }}
- labels: |
+ tags: |-
+ ${{ steps.meta.outputs.tags }}
+ labels: |-
 ${{ steps.meta.outputs.labels }}
+ build-args: |-
+ COMMIT_SHA=${{ github.sha }}
+ GITHUB_TAG=${{ github.ref_name }}
+ GIT_COMMIT=${{ github.sha }}
+ GIT_TAG=${{ github.ref_name }}
+ provenance: mode=max
 platforms: linux/amd64,linux/arm64,linux/arm
 cache-from: type=gha
 cache-to: type=gha,mode=max
From db9dbfc648ab73f9f5fce18d1bb8cd8ba9c657ab Mon Sep 17 00:00:00 2001
From: actualben
Date: Wed, 21 Jan 2026 14:16:43 +0100
Subject: [PATCH 3/3] adding sbom: true to docker build
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 215c787..9a31c9a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -146,6 +146,7 @@ jobs:
 GIT_COMMIT=${{ github.sha }}
 GIT_TAG=${{ github.ref_name }}
 provenance: mode=max
+ sbom: true
 platforms: linux/amd64,linux/arm64,linux/arm
 cache-from: type=gha
 cache-to: type=gha,mode=max
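Review bot: The four `build-args` entries pass per-commit values that the Dockerfile hunks earlier in this series never declare as `ARG` (only `TARGETARCH`, `TARGETOS`, `NONROOT_UID` and `NONROOT_GID` are visible), so unless they are declared outside the visible hunks BuildKit will warn that the args were not consumed; if they are consumed, each `ARG` should sit as late as possible in the Dockerfile, because a value that changes on every run invalidates every layer after it and leaves `cache-from: type=gha` with little to reuse. `COMMIT_SHA`/`GIT_COMMIT` and `GITHUB_TAG`/`GIT_TAG` carry identical values; if both spellings are deliberate, a one-line comment above `build-args` saying which consumer needs which name would stop the next reader from deduplicating them. `GIT_TAG=${{ github.ref_name }}` is a tag only when the workflow is triggered by a tag push — on a branch trigger it holds the branch name, which depends on the `on:` block outside this hunk.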
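Review bot: `sbom: true` scans only the final image by default, and the final stage here is `scratch` holding the binary plus `/etc/ssl` copied from the `dist` stage, so the `ca-certificates` package that produced those files will not appear in the SBOM. If the attestation is meant to cover it, add `ARG BUILDKIT_SBOM_SCAN_STAGE=true` to the `dist` stage in the Dockerfile so the scanner also records that stage's packages; otherwise a comment next to `sbom: true` noting that it covers the final image only would set expectations for anyone consuming the attestation.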