docker-dotnet/DOCKERHUB.md

# .NET Docker Images

<a href="https://git.openharbor.io/svrnty/docker-dotnet" target="_blank"><img src="https://img.shields.io/badge/Git-Repository-orange?logo=gitea" alt="Git Repository"></a>
<a href="https://wolfi.dev" target="_blank"><img src="https://img.shields.io/badge/Base-Wolfi-purple?logo=linux" alt="Wolfi"></a>

Minimal .NET Docker images for production and CI/CD. Built on [Wolfi](https://wolfi.dev), a security-focused Linux distribution designed for containers. All supported (non-EOL) .NET versions are rebuilt automatically.

## Images

| Version | `runtime` | `runtime-invariant` | `sdk` | Arch |
|---------|-----------|---------------------|-------|------|
| **.NET 10** (LTS) | `runtime-10` `runtime-lts` | `runtime-invariant-10` `runtime-invariant-lts` | `sdk-10` `sdk-lts` | amd64 arm64 |
| **.NET 9** (STS) | `runtime-9` `runtime-sts` | `runtime-invariant-9` `runtime-invariant-sts` | `sdk-9` `sdk-sts` | amd64 arm64 |
| **.NET 8** | `runtime-8` | `runtime-invariant-8` | `sdk-8` | amd64 arm64 |

## Variants

- **runtime** - ASP.NET Core runtime with ICU/globalization support
- **runtime-invariant** - ASP.NET Core runtime without ICU (smallest, invariant mode)
- **sdk** - .NET SDK with bash, git, curl for building apps

## Why Wolfi?

[Wolfi](https://wolfi.dev) is a lightweight Linux distribution built specifically for containers. It provides:

- **Minimal footprint** - Only essential packages, nothing extra
- **Daily security updates** - Patches applied quickly
- **Designed for containers** - No legacy cruft from traditional distros

## Features

- **Lightweight** - Optimized for fast CI/CD pulls
- **Secure** - Built on Wolfi with continuous vulnerability scanning
- **Multi-arch** - Supports both `linux/amd64` and `linux/arm64`
- **Non-root** - Runtime images run as unprivileged user (UID 65532)
- **Supply chain security** - SBOM and SLSA provenance attestations included
- **EOL-aware** - Versions are automatically dropped when they reach end-of-life

## Dockerfile Examples

### Web API

```dockerfile
ARG BUILDPLATFORM
FROM --platform=$BUILDPLATFORM svrnty/dotnet:sdk-10 AS build

WORKDIR /source
COPY . .
WORKDIR /source/MyApp.Api

ARG TARGETARCH
RUN case "$TARGETARCH" in \
      amd64) ARCH=x64 ;; \
      arm64) ARCH=arm64 ;; \
      *) ARCH=$TARGETARCH ;; \
    esac && \
    dotnet publish -a $ARCH --self-contained false -o /app

FROM svrnty/dotnet:runtime-invariant-10 AS final
WORKDIR /app
COPY --from=build /app .
USER 65532
EXPOSE 8080
ENTRYPOINT ["/usr/share/dotnet/dotnet", "MyApp.Api.dll"]
```

### Worker service

```dockerfile
ARG BUILDPLATFORM
FROM --platform=$BUILDPLATFORM svrnty/dotnet:sdk-lts AS build

WORKDIR /source
COPY . .

ARG TARGETARCH
RUN case "$TARGETARCH" in \
      amd64) ARCH=x64 ;; \
      arm64) ARCH=arm64 ;; \
      *) ARCH=$TARGETARCH ;; \
    esac && \
    dotnet publish MyWorker -a $ARCH --self-contained false -o /app

FROM svrnty/dotnet:runtime-invariant-lts AS final
WORKDIR /app
COPY --from=build /app .
USER 65532
ENTRYPOINT ["/usr/share/dotnet/dotnet", "MyWorker.dll"]
```

## CI/CD (Gitea/GitHub Actions)

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: svrnty/dotnet:sdk-lts
    steps:
      - uses: actions/checkout@v4
      - run: dotnet restore
      - run: dotnet test --no-restore
      - run: dotnet publish -c Release -o /app
```

## Tags

- `<variant>-<major>` - Latest patch for a major version (e.g., `runtime-10`)
- `<variant>-<version>` - Exact version pin (e.g., `runtime-10.0.2`, `sdk-10.0.102`)
- `<variant>-lts` - Floating tag for the highest active LTS
- `<variant>-sts` - Floating tag for the highest active STS

## Automatic Updates

Images are automatically rebuilt when:

- New .NET patch versions are released (daily check)
- Base image security updates are available (weekly rebuild)
- A .NET version reaches EOL, it is automatically excluded

Every build is scanned and includes supply chain attestations (SBOM, SLSA provenance).

## License

MIT