Speed up scratch image builds with publish-first contexts

devops/docker/Dockerfile.hardened.runtime

@@ -0,0 +1,44 @@
+# syntax=docker/dockerfile:1.7
+# Runtime-only hardened image for publish-first local builds.
+
+ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-noble
+ARG APP_BINARY=StellaOps.Service
+ARG APP_USER=stella
+ARG APP_UID=10001
+ARG APP_GID=10001
+ARG APP_PORT=8080
+
+FROM ${RUNTIME_IMAGE} AS runtime
+ARG APP_BINARY=StellaOps.Service
+ARG APP_USER=stella
+ARG APP_UID=10001
+ARG APP_GID=10001
+ARG APP_PORT=8080
+
+RUN groupadd -r -g ${APP_GID} ${APP_USER} && \
+    useradd  -r -u ${APP_UID} -g ${APP_GID} -d /var/lib/${APP_USER} ${APP_USER} && \
+    mkdir -p /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp && \
+    chown -R ${APP_UID}:${APP_GID} /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp
+
+WORKDIR /app
+COPY --chown=${APP_UID}:${APP_GID} app/ ./
+COPY --chown=${APP_UID}:${APP_GID} healthcheck.sh /usr/local/bin/healthcheck.sh
+
+ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
+    DOTNET_EnableDiagnostics=0 \
+    COMPlus_EnableDiagnostics=0 \
+    APP_BINARY=${APP_BINARY}
+
+RUN chmod 500 /app && \
+    chmod +x /usr/local/bin/healthcheck.sh && \
+    find /app -maxdepth 1 -type f -name '*.dll' -exec chmod 400 {} \; && \
+    find /app -maxdepth 1 -type f -name '*.json' -exec chmod 400 {} \; && \
+    find /app -maxdepth 1 -type f -name '*.pdb' -exec chmod 400 {} \; && \
+    find /app -maxdepth 1 -type d -exec chmod 500 {} \;
+
+USER ${APP_UID}:${APP_GID}
+EXPOSE ${APP_PORT}
+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
+  CMD /usr/local/bin/healthcheck.sh
+
+ENTRYPOINT ["sh","-c","exec dotnet ./\"$APP_BINARY\".dll"]