dockerfile: fix hadolint code-scanning findings

Enable pipefail for piped RUN commands

Quote apt package specs with variable expansions

Add --no-install-recommends to package installs

Pin bootstrap apt packages using explicit version patterns

Consolidate consecutive RUN instructions

Author: ihalatci

Dockerfile

@@ -14,14 +14,15 @@ LABEL maintainer="Citus Data https://citusdata.com" \
 ENV CITUS_VERSION ${VERSION}.citus-1
 
 # install Citus
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
-       ca-certificates \
-       curl \
+         ca-certificates=* \
+         curl=* \
     && curl -s https://install.citusdata.com/community/deb.sh | bash \
-    && apt-get install -y postgresql-$PG_MAJOR-citus-14.0=$CITUS_VERSION \
-                          postgresql-$PG_MAJOR-hll=2.19.citus-1 \
-                          postgresql-$PG_MAJOR-topn=2.7.0.citus-1 \
+    && apt-get install -y --no-install-recommends "postgresql-$PG_MAJOR-citus-14.0=$CITUS_VERSION" \
+                                  "postgresql-$PG_MAJOR-hll=2.19.citus-1" \
+                                  "postgresql-$PG_MAJOR-topn=2.7.0.citus-1" \
     && apt-get purge -y --auto-remove curl \
     && rm -rf /var/lib/apt/lists/*
 
@@ -33,10 +34,10 @@ COPY 001-create-citus-extension.sql /docker-entrypoint-initdb.d/
 
 # add health check script
 COPY pg_healthcheck wait-for-manager.sh /
-RUN chmod +x /wait-for-manager.sh
+RUN chmod +x /wait-for-manager.sh \
+    && sed "/unset PGPASSWORD/d" -i /usr/local/bin/docker-entrypoint.sh
 
 # entry point unsets PGPASSWORD, but we need it to connect to workers
 # https://github.com/docker-library/postgres/blob/33bccfcaddd0679f55ee1028c012d26cd196537d/12/docker-entrypoint.sh#L303
-RUN sed "/unset PGPASSWORD/d" -i /usr/local/bin/docker-entrypoint.sh
 
 HEALTHCHECK --interval=4s --start-period=6s CMD ./pg_healthcheck