feat(docker): add distroless-based Docker image variant

[davinkevin]

Summary

• Add a new pgsty/minio:<tag>-distroless image using gcr.io/distroless/static-debian13 for minimal attack surface (no shell, no package manager, no glibc)
• Publishes multi-arch (amd64/arm64) images via GoReleaser alongside the existing UBI-micro images
• New tags: pgsty/minio:<tag>-distroless and pgsty/minio:latest-distroless

Changes

• Dockerfile.distroless — new multi-stage Dockerfile based on distroless/static-debian13
• .github/goreleaser.yml — add distroless docker builds and manifests
• .github/workflows/test-release.yml — trigger on Dockerfile.distroless changes

[11notes]

Just as a friendly input as someone who maintains a rootless/distroless minio image. The distroless image should be the default, not an additional tag. Give users the best option from the start, not as an option they might miss.

[teian]

really good input and I would also like to have the abillity to use alpine based images. that would be a awesome addition!

[11notes]

@teian consider this article why distroless is better.

[teian]

I agree distroless is awesome but there are use cases which differ and therefore if it is not too much of a hassle it is still nice to have. Didn't want to discredit your effort/input :)

[11notes]

... but there are use cases ...

I’ve never come across such a use case, can you make an example where you need an image with a shell for MinIO?

[teian]

Sure I can but I think my usecase does not align with your security vision therefore it does not make sense to further discuss this here. As I said before I like your proposal so I'm all for merging this :)