refactor: Rewrite build workflows

GitHub Actions:
- Bring down runner count from 5 to 2
- Separate frontend and backend build jobs
- Uprev checkout actions to version 6
- Remove unused REGISTRY env variable

Docker:
- Separate Dockerfiles for frontend:
    Dockerfile -> for local development
    Dockerfiles.actions -> for GitHub Actions
  The static flutter web app is compiled on the actions runner directly
  and the assets are copied in multi-arch nginx docker images.
- Run both the images as non root users

Chore:
- Remove unused FastAPI dependencies
- Update existing packages to latest available versions

Author: whyredfire

.github/workflows/build-release.yaml

@@ -6,25 +6,15 @@ on:
   workflow_dispatch:
 
 env:
-  REGISTRY: ghcr.io
   IMAGE_PREFIX: ghcr.io/dk10ws/slcm
 
 jobs:
-  build:
-    name: Build ${{ matrix.service }} (${{ matrix.arch }})
-    strategy:
-      matrix:
-        arch: [amd64, arm64]
-        service: [frontend, backend]
-        include:
-          - arch: amd64
-            runner: ubuntu-latest
-          - arch: arm64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
+  build-backend:
+    name: Build FastAPI application docker image
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: "web"
 
@@ -38,22 +28,45 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build and Push ${{ matrix.service }} Docker Image
+      - name: Build and Push backend Docker Image
         uses: docker/build-push-action@v6
         with:
-          context: ${{ matrix.service }}
+          context: backend
           push: true
-          platforms: linux/${{ matrix.arch }}
+          platforms: linux/amd64,linux/arm64
           tags: |
-            ${{ env.IMAGE_PREFIX }}-${{ matrix.service }}:latest-${{ matrix.arch }}
-            ${{ env.IMAGE_PREFIX }}-${{ matrix.service }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.service }}-${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.service }}-${{ matrix.arch }}
+            ${{ env.IMAGE_PREFIX }}-backend:latest
+            ${{ env.IMAGE_PREFIX }}-backend:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-  merge-manifest:
-    needs: build
+  build-frontend:
+    name: Build Flutter Web application docker image
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+        with:
+          ref: "web"
+
+      - name: Cache pub deps
+        uses: actions/cache@v5
+        with:
+          path: ~/.pub-cache
+          key: ${{ runner.os }}-pub-${{ hashFiles('**/pubspec.yaml') }}
+          restore-keys: ${{ runner.os }}-pub-
+
+      - name: Setup Flutter
+        uses: subosito/flutter-action@v2
+        with:
+          channel: stable
+
+      - name: Build web app
+        working-directory: frontend
+        run: |
+          flutter pub get
+          flutter build web
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -64,16 +77,15 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Create multi-arch manifests
-        run: |
-          services=("frontend" "backend")
-
-          for service in "${services[@]}"; do
-            echo "Creating manifest for $service..."
-
-            docker buildx imagetools create \
-              -t ${{ env.IMAGE_PREFIX }}-$service:${{ github.sha }} \
-              -t ${{ env.IMAGE_PREFIX }}-$service:latest \
-              ${{ env.IMAGE_PREFIX }}-$service:${{ github.sha }}-amd64 \
-              ${{ env.IMAGE_PREFIX }}-$service:${{ github.sha }}-arm64
-          done
+      - name: Build and Push frontend Docker Image
+        uses: docker/build-push-action@v6
+        with:
+          context: frontend
+          file: frontend/Dockerfile.actions
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ${{ env.IMAGE_PREFIX }}-frontend:latest
+            ${{ env.IMAGE_PREFIX }}-frontend:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

backend/Dockerfile

@@ -20,13 +20,21 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 # Then, use a final image without uv
 FROM python:3.13-slim-bookworm
 
+# Setup a non-root user
+RUN groupadd --system --gid 999 nonroot \
+    && useradd --system --gid 999 --uid 999 --create-home nonroot
+
 WORKDIR /app
 
 # Copy the application from the builder
-COPY --from=builder --chown=app:app /app /app
+COPY --from=builder --chown=nonroot:nonroot /app /app
 
 # Place executables in the environment at the front of the path
 ENV PATH="/app/.venv/bin:$PATH"
 
+USER nonroot
+
+EXPOSE 8000
+
 # Run the FastAPI application by default
 CMD ["python", "-m", "src.main"]

backend/pyproject.toml

@@ -9,8 +9,9 @@ authors = [
 requires-python = ">=3.13"
 dependencies = [
     "bs4>=0.0.2",
-    "fastapi[standard]>=0.116.1",
-    "requests>=2.32.4",
+    "fastapi>=0.125.0",
+    "httpx>=0.28.1",
+    "uvicorn>=0.38.0",
 ]
 
 [dependency-groups]

backend/uv.lock

@@ -3,7 +3,7 @@ services:
     container_name: slcm-frontend
     build: frontend
     ports:
-      - 80:80
+      - 8080:8080
     restart: unless-stopped
     depends_on:
       - backend

docker-compose-dev.yaml

@@ -3,7 +3,7 @@ services:
     container_name: slcm-frontend
     image: ghcr.io/dk10ws/slcm-frontend:latest
     ports:
-      - 80:80
+      - 8080:8080
     restart: unless-stopped
     depends_on:
       - backend

docker-compose.yaml

@@ -7,9 +7,9 @@ RUN flutter pub get
 RUN flutter build web
 
 
-FROM nginx:alpine-slim AS runner
+FROM nginxinc/nginx-unprivileged:stable-alpine-slim
 
-COPY --from=builder /app/build/web /usr/share/nginx/html
+COPY --chown=nginx:nginx --from=builder /app/build/web /usr/share/nginx/html/
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 
-CMD ["nginx", "-g", "daemon off;"]
+EXPOSE 8080

frontend/Dockerfile

@@ -0,0 +1,6 @@
+FROM nginxinc/nginx-unprivileged:stable-alpine-slim
+
+COPY --chown=nginx:nginx build/web /usr/share/nginx/html/
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 8080

frontend/Dockerfile.actions

@@ -1,5 +1,5 @@
 server {
-    listen 80;
+    listen 8080;
     server_name _;
 
     root /usr/share/nginx/html;