build(docker): Remove the go dependency by building yq from source

The necessary go version always contains vulnerabilities and is only used for yq.

Dockerfile

@@ -23,6 +23,11 @@ COPY ors-engine /tmp/ors/ors-engine
 RUN mvn -pl '!ors-test-scenarios,!ors-report-aggregation' \
     -q clean package -DskipTests -Dmaven.test.skip=true
 
+FROM docker.io/maven:3.9.9-amazoncorretto-21-alpine AS build-go
+# Setup the target system with the right user and folders.
+RUN apk add --no-cache go && \
+    GO111MODULE=on go install github.com/mikefarah/yq/[email protected]
+
 # build final image, just copying stuff inside
 FROM docker.io/amazoncorretto:21.0.4-alpine3.20 AS publish
 
@@ -36,7 +41,7 @@ ARG ORS_HOME=/home/ors
 ENV LANG='en_US' LANGUAGE='en_US' LC_ALL='en_US'
 
 # Setup the target system with the right user and folders.
-RUN apk update && apk add --no-cache bash=~5 jq=~1 openssl=~3 yq=~4  && \
+RUN apk update && apk add --no-cache bash=~5 jq=~1 openssl=~3 && \
     addgroup ors -g ${GID} && \
     mkdir -p ${ORS_HOME}/logs ${ORS_HOME}/files ${ORS_HOME}/graphs ${ORS_HOME}/elevation_cache  && \
     adduser -D -h ${ORS_HOME} -u ${UID} --system -G ors ors  && \
@@ -48,6 +53,7 @@ RUN apk update && apk add --no-cache bash=~5 jq=~1 openssl=~3 yq=~4  && \
 COPY --chown=ors:ors --from=build /tmp/ors/ors-api/target/ors.jar /ors.jar
 COPY --chown=ors:ors ./$OSM_FILE /heidelberg.test.pbf
 COPY --chown=ors:ors ./docker-entrypoint.sh /entrypoint.sh
+COPY --chown=ors:ors --from=build-go /root/go/bin/yq /bin/yq
 
 # Copy the example config files to the build folder
 COPY --chown=ors:ors ./ors-config.yml /example-ors-config.yml