From a32d8bde3634f44992545b912681c85847087b90 Mon Sep 17 00:00:00 2001
From: Mark Esler
Date: Mon, 14 Apr 2025 12:09:48 -0700
Subject: [PATCH] ci: convert Dockerfile to Wolfi (#667)

---
 Dockerfile | 34 +++++++++++-----------------------
 1 file changed, 11 insertions(+), 23 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index dbfea30f..fce2da34 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,30 +1,18 @@
-FROM python:3.13-slim-bullseye AS build
-
-LABEL org.opencontainers.image.source=https://github.com/woodruffw/zizmor
-
-# Zizmor version to install (set as an argument to pair with zizmor releases)
-ARG ZIZMOR_VERSION
-
-ENV PYTHONUNBUFFERED=1 \
- PIP_NO_CACHE_DIR=1 \
- PIP_DISABLE_PIP_VERSION_CHECK=1
-
-RUN set -eux && \
- apt-get update && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists/*
-
-RUN pip install zizmor==${ZIZMOR_VERSION} && \
- which zizmor
-
 # ------------------------------------------------------------------------------
 # Runtime image
 # ------------------------------------------------------------------------------
 
-FROM debian:bullseye-slim
+FROM cgr.dev/chainguard/wolfi-base:latest
 
-# Copy necessary files from build stage
-COPY --from=build /usr/local/bin/zizmor /app/zizmor
+# Wolfi zizmor version to install
+# https://edu.chainguard.dev/open-source/wolfi/apk-version-selection/
+# (set as an argument to pair with zizmor releases)
+ARG ZIZMOR_VERSION
+
+RUN set -eux && \
+ apk update && \
+ apk add zizmor=~${ZIZMOR_VERSION} && \
+ zizmor --version
 
 # Set the entrypoint to zizmor
-ENTRYPOINT ["/app/zizmor"]
+ENTRYPOINT ["/usr/bin/zizmor"]
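Review bot: The new base `FROM cgr.dev/chainguard/wolfi-base:latest` is a floating tag, so two builds with the same `ZIZMOR_VERSION` can produce different images and an upstream base change is pulled in without review; pin it by digest, e.g. `FROM cgr.dev/chainguard/wolfi-base@sha256:<digest-placeholder>`, and bump the digest deliberately. In the `RUN` step, `apk update && apk add zizmor=~${ZIZMOR_VERSION}` leaves the package index in the layer; `apk add --no-cache zizmor=~${ZIZMOR_VERSION}` installs the same package without it. `=~` is a fuzzy match, so the installed revision is whatever the Wolfi repository serves for that version prefix at build time, and the `zizmor --version` line prints the result but does not compare it with `ZIZMOR_VERSION`. The hunk spans the whole new file and it contains no `USER` instruction, so the tool presumably runs as the base image's default user; confirm that this is intended for an image that scans mounted repositories.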