From 11fd87411da2f1543b5bf6c972fe4572bc0e20c9 Mon Sep 17 00:00:00 2001
From: Tomas Kracmar <tomas.kracmar@cqre.net>
Date: Mon, 20 Apr 2026 17:24:20 +0200
Subject: [PATCH] fix: bake version into Docker image at build time

- Add VERSION build arg to Dockerfile
- Pass --build-arg VERSION in release workflow
- Remove VERSION env override from docker-compose files
- Version is now immutable inside the image, no runtime env var needed
---
 .gitea/workflows/release.yml | 2 +-
 backend/Dockerfile           | 4 ++++
 docker-compose.prod.yml      | 1 -
 docker-compose.yml           | 1 -
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 39cb4ef..d5cdac4 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
         run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.cqre.net -u ${{ github.actor }} --password-stdin 2>&1 | grep -v "WARNING! Your credentials are stored unencrypted"
 
       - name: Build Docker image
-        run: docker build ./backend --tag git.cqre.net/cqrenet/aoc-backend:${{ gitea.ref_name }}
+        run: docker build ./backend --build-arg VERSION=${{ gitea.ref_name }} --tag git.cqre.net/cqrenet/aoc-backend:${{ gitea.ref_name }}
 
       - name: Push Docker image
         run: docker push git.cqre.net/cqrenet/aoc-backend:${{ gitea.ref_name }}
diff --git a/backend/Dockerfile b/backend/Dockerfile
index dab051b..c3b851f 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,5 +1,9 @@
 FROM python:3.11-slim
 
+# Bake the version into the image at build time
+ARG VERSION=unknown
+ENV VERSION=${VERSION}
+
 # Security: run as non-root
 RUN groupadd -r aoc && useradd -r -g aoc aoc
 
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index d6f332e..4a65383 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -26,7 +26,6 @@ services:
     env_file:
       - .env
     environment:
-      VERSION: ${AOC_VERSION:-latest}
       MONGO_URI: mongodb://${MONGO_ROOT_USERNAME}:${MONGO_ROOT_PASSWORD}@mongo:27017/
     depends_on:
       mongo:
diff --git a/docker-compose.yml b/docker-compose.yml
index ca58875..3ecde35 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,6 @@ services:
     env_file:
       - .env
     environment:
-      VERSION: ${AOC_VERSION:-dev}
       MONGO_URI: mongodb://${MONGO_ROOT_USERNAME}:${MONGO_ROOT_PASSWORD}@mongo:${MONGO_PORT}/
     depends_on:
       - mongo