I hardened PipeCD’s codegen image by moving from golang:1.25.2 to a slimmer debian:bookworm-slim runtime while preserving the full toolchain used by tool/codegen/codegen.sh.
The result was a safer, leaner image (about 800MB → 500MB) without breaking protobuf generation or mockgen workflows.
Key implementation points:
- multi-stage build that copies required Go runtime pieces,
- installed protobuf headers/standard .proto dependencies,
- preserved cross-arch support and existing plugins.
The patch was reviewed with validation evidence (build, binary availability, compile path checks) and merged.
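A sketch of the multi-stage layout described above, as an added example and not the Dockerfile from the PR. The Debian package names, the plugin list, the `latest` version placeholders and the `/out/bin` path are assumptions; only the two base images and the mockgen/protobuf requirement come from the text.

```dockerfile
# Added example: illustrative only, not the PipeCD project's Dockerfile.

# Stage 1: the full Go image is used only to build the codegen plugins.
# No --platform override here, so under buildx each target architecture
# builds and runs its own native binaries (keeps cross-arch support).
FROM golang:1.25.2 AS builder

# Assumption: placeholder versions. Pin these to the versions the
# project actually uses so rebuilds are reproducible.
ARG PROTOC_GEN_GO_VERSION=latest
ARG MOCKGEN_VERSION=latest

ENV GOBIN=/out/bin
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@${PROTOC_GEN_GO_VERSION} \
 && go install go.uber.org/mock/mockgen@${MOCKGEN_VERSION}

# Stage 2: slim runtime. Only what the codegen script needs is carried over.
FROM debian:bookworm-slim

# With --no-install-recommends, protobuf-compiler does not pull in the
# well-known .proto files; libprotobuf-dev must be listed explicitly or
# imports such as google/protobuf/timestamp.proto fail at generation time.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates git protobuf-compiler libprotobuf-dev \
 && rm -rf /var/lib/apt/lists/*

# mockgen invokes the Go toolchain at run time, so the Go tree is copied
# from the builder rather than dropped.
COPY --from=builder /usr/local/go /usr/local/go
COPY --from=builder /out/bin/ /usr/local/bin/
ENV PATH=/usr/local/go/bin:${PATH}

# Build-time validation: fail the image build if any tool or the
# standard .proto include path is missing.
RUN go version \
 && protoc --version \
 && command -v protoc-gen-go mockgen \
 && test -f /usr/include/google/protobuf/timestamp.proto
```

The final `RUN` step turns the binary-availability and include-path checks into a build failure, so a missing tool is caught when the image is built rather than when the codegen script runs.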
Links: PR #6461 • Issue #6429