feat: Second registry, security hardening

- Added second registry
- Added non-root user
- Added supply-chain attestation flags

.drone.yml

@@ -11,6 +11,8 @@ steps:
   - name: build-lts
     image: plugins/docker
     settings:
+      purge: false
+      build_args: --provenance=true --sbom=true
       username:
         from_secret: registry_username
       password:
@@ -20,9 +22,27 @@ steps:
         - lts-alpine
         - lts
       dockerfile: lts/Dockerfile
+  - name: build-lts-astrogd
+    image: plugins/docker
+    depends_on:
+      - build-lts
+    settings:
+      registry: registry.astrogd.cloud
+      build_args: --provenance=true --sbom=true
+      username:
+        from_secret: astrogd_registry_username
+      password:
+        from_secret: astrogd_registry_key
+      repo: registry.astrogd.cloud/pnpm
+      tags:
+        - lts-alpine
+        - lts
+      dockerfile: lts/Dockerfile
   - name: build-latest
     image: plugins/docker
     settings:
+      purge: false
+      build_args: --provenance=true --sbom=true
       username:
         from_secret: registry_username
       password:
@@ -32,6 +52,22 @@ steps:
         - latest-alpine
         - latest
       dockerfile: latest/Dockerfile
+  - name: build-latest-astrogd
+    image: plugins/docker
+    depends_on:
+      - build-latest
+    settings:
+      registry: registry.astrogd.cloud
+      build_args: --provenance=true --sbom=true
+      username:
+        from_secret: astrogd_registry_username
+      password:
+        from_secret: astrogd_registry_key
+      repo: registry.astrogd.cloud/pnpm
+      tags:
+        - latest-alpine
+        - latest
+      dockerfile: latest/Dockerfile
 
 ---
 kind: pipeline
@@ -46,6 +82,8 @@ steps:
   - name: build-lts
     image: plugins/docker
     settings:
+      purge: false
+      build_args: --provenance=true --sbom=true
       username:
         from_secret: registry_username
       password:
@@ -55,9 +93,27 @@ steps:
         - lts-alpine
         - lts
       dockerfile: lts/Dockerfile
+  - name: build-lts-astrogd
+    image: plugins/docker
+    depends_on:
+      - build-lts
+    settings:
+      registry: registry.astrogd.cloud
+      build_args: --provenance=true --sbom=true
+      username:
+        from_secret: astrogd_registry_username
+      password:
+        from_secret: astrogd_registry_key
+      repo: registry.astrogd.cloud/pnpm
+      tags:
+        - lts-alpine
+        - lts
+      dockerfile: lts/Dockerfile
   - name: build-latest
     image: plugins/docker
     settings:
+      purge: false
+      build_args: --provenance=true --sbom=true
       username:
         from_secret: registry_username
       password:
@@ -67,9 +123,25 @@ steps:
         - latest-alpine
         - latest
       dockerfile: latest/Dockerfile
+  - name: build-latest-astrogd
+    image: plugins/docker
+    depends_on:
+      - build-latest
+    settings:
+      registry: registry.astrogd.cloud
+      build_args: --provenance=true --sbom=true
+      username:
+        from_secret: astrogd_registry_username
+      password:
+        from_secret: astrogd_registry_key
+      repo: registry.astrogd.cloud/pnpm
+      tags:
+        - latest-alpine
+        - latest
+      dockerfile: latest/Dockerfile
 
 ---
 kind: signature
-hmac: e751fb83a80f0db2389261287d1d9abd39dbfb0a3abf0984b8c03e92235872d3
+hmac: 4273bd6d4fadc37a81c8efee1273325e1ee914798eb00baf73790d4a100eed62
 
 ...

latest/Dockerfile

@@ -1,5 +1,6 @@
 FROM node:alpine as BASE
 ENV PNPM_HOME="./.pnpm" \
   PATH="$PNPM_HOME:$PATH"
-RUN npm i -g pnpm@latest &&\
+RUN wget -qO- https://get.pnpm.io/install.sh | ENV="$HOME/.shrc" SHELL="$(which sh)" sh - &&\
   apk add --no-cache openssl
+USER node

lts/Dockerfile

@@ -1,5 +1,6 @@
 FROM node:lts-alpine as BASE
 ENV PNPM_HOME="./.pnpm" \
   PATH="$PNPM_HOME:$PATH"
-RUN npm i -g pnpm@latest &&\
+RUN wget -qO- https://get.pnpm.io/install.sh | ENV="$HOME/.shrc" SHELL="$(which sh)" sh - &&\
   apk add --no-cache openssl
+USER node