fix: bake version into Docker image at build time

- Add VERSION build arg to Dockerfile
- Pass --build-arg VERSION in release workflow
- Remove VERSION env override from docker-compose files
- Version is now immutable inside the image, no runtime env var needed

.gitea/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
         run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.cqre.net -u ${{ github.actor }} --password-stdin 2>&1 | grep -v "WARNING! Your credentials are stored unencrypted"
 
       - name: Build Docker image
-        run: docker build ./backend --tag git.cqre.net/cqrenet/aoc-backend:${{ gitea.ref_name }}
+        run: docker build ./backend --build-arg VERSION=${{ gitea.ref_name }} --tag git.cqre.net/cqrenet/aoc-backend:${{ gitea.ref_name }}
 
       - name: Push Docker image
         run: docker push git.cqre.net/cqrenet/aoc-backend:${{ gitea.ref_name }}

backend/Dockerfile

@@ -1,5 +1,9 @@
 FROM python:3.11-slim
 
+# Bake the version into the image at build time
+ARG VERSION=unknown
+ENV VERSION=${VERSION}
+
 # Security: run as non-root
 RUN groupadd -r aoc && useradd -r -g aoc aoc
 

docker-compose.prod.yml

@@ -26,7 +26,6 @@ services:
     env_file:
       - .env
     environment:
-      VERSION: ${AOC_VERSION:-latest}
       MONGO_URI: mongodb://${MONGO_ROOT_USERNAME}:${MONGO_ROOT_PASSWORD}@mongo:27017/
     depends_on:
       mongo:

docker-compose.yml

@@ -20,7 +20,6 @@ services:
     env_file:
       - .env
     environment:
-      VERSION: ${AOC_VERSION:-dev}
       MONGO_URI: mongodb://${MONGO_ROOT_USERNAME}:${MONGO_ROOT_PASSWORD}@mongo:${MONGO_PORT}/
     depends_on:
       - mongo