
Use distroless/static image instead of distroless/base since glibc is not used #49

Open: wants to merge 1 commit into main
Conversation

vilmosmartinek

Description of your changes

This pull request changes the base image of the function to gcr.io/distroless/static-debian12:nonroot.

Fixes #48

I have:

  • Read and followed Crossplane's contribution process.
  • [ ] Added or updated unit tests for my change.
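The change above only holds if the function binary is fully static: gcr.io/distroless/static ships neither a dynamic loader (ld-linux) nor glibc, so a binary carrying a PT_INTERP segment or DT_NEEDED entries would fail at exec time with "no such file or directory", which is exactly the case distroless/base exists for. The program below is an added example, not code from this PR or from Crossplane, that checks a build output for those two ELF features using Go's debug/elf and says which distroless base is sufficient. The static tag is the one this PR adopts; the base tag it returns for dynamic binaries, and the two in-memory sample ELF images it builds for the demo, are assumptions of this example.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
)

// Verdict records the two ELF features that decide whether a binary can run
// without a C library: a PT_INTERP segment (the kernel execs the named dynamic
// loader) and DT_NEEDED entries (shared objects the loader must find, e.g.
// libc.so.6).
type Verdict struct {
	HasInterp bool
	Needed    []string
}

// NeedsLibc is true when either feature is present. distroless/static ships
// neither a loader nor glibc; distroless/base provides both.
func (v Verdict) NeedsLibc() bool { return v.HasInterp || len(v.Needed) > 0 }

// Inspect parses an ELF image from any io.ReaderAt (a file, or bytes in
// memory) and fills in a Verdict.
func Inspect(r io.ReaderAt) (Verdict, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return Verdict{}, err
	}
	var v Verdict
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			v.HasInterp = true
		}
	}
	// ImportedLibraries returns nil, nil when there is no dynamic section, so a
	// static-pie Go binary (PT_DYNAMIC but no DT_NEEDED) still counts as static.
	v.Needed, err = f.ImportedLibraries()
	if err != nil {
		return Verdict{}, err
	}
	return v, nil
}

// Recommend maps a Verdict to the smallest distroless base that can run the
// binary. The static tag is the one this PR switches to; the base tag is an
// assumption of this example.
func Recommend(v Verdict) string {
	if v.NeedsLibc() {
		return "gcr.io/distroless/base-debian12:nonroot"
	}
	return "gcr.io/distroless/static-debian12:nonroot"
}

// fakeELF builds a minimal little-endian ELF64 image: a 64-byte ELF header
// followed by a program header table with the given segment types and no
// section headers. It is constructed sample data, not a runnable executable.
func fakeELF(segments ...elf.ProgType) []byte {
	var buf bytes.Buffer
	hdr := elf.Header64{
		Ident:     [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:      uint16(elf.ET_EXEC),
		Machine:   uint16(elf.EM_X86_64),
		Version:   uint32(elf.EV_CURRENT),
		Phoff:     64, // program headers start right after the ELF header
		Ehsize:    64,
		Phentsize: 56,
		Phnum:     uint16(len(segments)),
		Shentsize: 64, // Shnum and Shoff stay 0: no section header table
	}
	binary.Write(&buf, binary.LittleEndian, hdr)
	for _, t := range segments {
		binary.Write(&buf, binary.LittleEndian, elf.Prog64{Type: uint32(t), Flags: uint32(elf.PF_R), Align: 1})
	}
	return buf.Bytes()
}

func report(name string, v Verdict) {
	fmt.Printf("%-27s interp=%-5v needed=%v -> %s\n", name, v.HasInterp, v.Needed, Recommend(v))
}

func main() {
	if len(os.Args) > 1 {
		// Point it at a real build output, e.g. `go run . ./function`.
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		defer f.Close()
		v, err := Inspect(f)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		report(os.Args[1], v)
		return
	}
	// No argument: classify the two constructed samples.
	static, _ := Inspect(bytes.NewReader(fakeELF(elf.PT_LOAD)))
	report("constructed static sample", static)
	dynamic, _ := Inspect(bytes.NewReader(fakeELF(elf.PT_INTERP, elf.PT_LOAD)))
	report("constructed dynamic sample", dynamic)
}
```

Run it against the binary the Dockerfile copies into the image; a Go function built with CGO_ENABLED=0 should report no interpreter and no needed libraries, while a cgo build that links libc.so.6 is the case that still needs distroless/base. The same check can be done by hand with `readelf -l <binary> | grep -i interp` and `readelf -d <binary> | grep NEEDED`.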

@jbw976 (Member) left a comment

ah nice @vilmosmartinek, this looks like a good improvement to make. Thank you for taking the initiative to do so 🙇‍♂️ - it's actually particularly on my mind as I just finished writing up the security self-assessment in crossplane/crossplane#6143 😉

I see that you've opened similar PRs across a few other function repos and also the template repo (crossplane/function-template-go#88), thank you for being thorough.

Let's see if we can get these all merged and new versions of the functions published.

Were you able to do some local testing already to build with this change and verify the function works well still? I don't think there's much in the way of e2e tests here that would test that automatically...

@vilmosmartinek (Author)

> ah nice @vilmosmartinek, this looks like a good improvement to make. Thank you for taking the initiative to do so 🙇‍♂️ - it's actually particularly on my mind as I just finished writing up the security self-assessment in crossplane/crossplane#6143 😉

Thank you for taking the time to review my PRs! I appreciate your kind words. I also had a chance to check out the security self-assessment you wrote in crossplane/crossplane#6143, and I must say it is very well done. Great work!

One note, you mention the Responsible Disclosures Process defined in the security policy. It might make sense to put a link to this policy in all the Crossplane-related repositories (providers, functions, etc.), similarly to how all these use the same contribution guideline.

> Were you able to do some local testing already to build with this change and verify the function works well still? I don't think there's much in the way of e2e tests here that would test that automatically...

We have a couple of Crossplane Functions built in-house that are already using the distroless/static image as base, and I also did local testing for the upbound/function-cidr#44 PR.

I can make a similar "smoke test" here as well by rendering the example composition.

@vilmosmartinek (Author) commented Dec 4, 2024

As a smoke test I've rendered the example in this repository using freshly built images of both function-go-templating and function-auto-ready.

  • Output:

    ```yaml
    ---
    apiVersion: example.crossplane.io/v1
    kind: XR
    metadata:
      name: example-xr
    status:
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        message: 'Unready resources: bucket'
        reason: Creating
        status: "False"
        type: Ready
    ---
    apiVersion: s3.aws.upbound.io/v1beta1
    kind: Bucket
    metadata:
      annotations:
        crossplane.io/composition-resource-name: bucket
      generateName: example-xr-
      labels:
        crossplane.io/composite: example-xr
      ownerReferences:
      - apiVersion: example.crossplane.io/v1
        blockOwnerDeletion: true
        controller: true
        kind: XR
        name: example-xr
        uid: ""
    spec:
      forProvider:
        region: us-east-2
    ```

  • Logs from function-go-templating:

    ```
    2024-12-04T11:34:44.347Z        INFO    fn/fn.go:56     Running Function        {"tag": ""}
    2024-12-04T11:34:44.349Z        DEBUG   fn/fn.go:72     template        {"template": "apiVersion: s3.aws.upbound.io/v1beta1\nkind: Bucket\nmetadata:\n  annotations:\n    gotemplating.fn.crossplane.io/composition-resource-name: bucket\nspec:\n  forProvider:\n    region: {{ .observed.composite.resource.spec.region }}\n"}
    2024-12-04T11:34:44.349Z        DEBUG   fn/fn.go:86     constructed request map {"request": {"context":{},"desired":{},"input":{"apiVersion":"gotemplating.fn.crossplane.io/v1beta1","inline":{"template":"apiVersion: s3.aws.upbound.io/v1beta1\nkind: Bucket\nmetadata:\n  annotations:\n    gotemplating.fn.crossplane.io/composition-resource-name: bucket\nspec:\n  forProvider:\n    region: {{ .observed.composite.resource.spec.region }}\n"},"kind":"GoTemplate","source":"Inline"},"observed":{"composite":{"resource":{"apiVersion":"example.crossplane.io/v1","kind":"XR","metadata":{"name":"example-xr"},"spec":{"region":"us-east-2"}}}}}}
    2024-12-04T11:34:44.349Z        DEBUG   fn/fn.go:95     rendered manifests      {"manifests": "apiVersion: s3.aws.upbound.io/v1beta1\nkind: Bucket\nmetadata:\n  annotations:\n    gotemplating.fn.crossplane.io/composition-resource-name: bucket\nspec:\n  forProvider:\n    region: us-east-2\n"}
    2024-12-04T11:34:44.350Z        DEBUG   fn/fn.go:264    desired composite resource      {"desiredComposite:": {"Resource":{},"ConnectionDetails":{}}}
    2024-12-04T11:34:44.350Z        DEBUG   fn/fn.go:265    constructed desired composed resources  {"desiredComposed:": {"bucket":{"Resource":{"apiVersion":"s3.aws.upbound.io/v1beta1","kind":"Bucket","metadata":{"annotations":{}},"spec":{"forProvider":{"region":"us-east-2"}}},"Ready":""}}}
    2024-12-04T11:34:44.350Z        INFO    fn/fn.go:281    Successfully composed desired resources {"source": "Inline", "count": 1}
    ```

  • Logs from function-auto-ready:

    ```
    2024-12-04T11:34:44.354Z        INFO    fn/fn.go:27     Running Function        {"tag": ""}
    2024-12-04T11:34:44.355Z        DEBUG   fn/fn.go:54     Found desired resources {"count": 1}
    2024-12-04T11:34:44.355Z        DEBUG   fn/fn.go:65     Ignoring desired resource that does not appear in observed resources    {"xr-apiversion": "example.crossplane.io/v1", "xr-kind": "XR", "xr-name": "example-xr", "composed-resource-name": "bucket"}
    ```


@jbw976 Let me know if you can think of anything else I can / should test!
