wodby/php

Request: remove `git` from being a required dependency


There is currently a critical CVE-2024-32002 with git packages. It's been there for a few weeks, and so we figured we would just run `apk del --purge git` in our image as the last step because we don't need it running in a prod environment.

However, upon running we were met with:

```
$ apk del git --purge
 ---> Running in 900da2934c8d
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.19/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.19/community: No such file or directory
World updated, but the following packages are not removed due to:
  git: .wodby-php-run-deps
```

Based on what I've looked at for the apk-del, the only way to remove it currently is by running:

```
$ apk del --purge .wodby-php-run-deps
...
(134/134) Purging zstd-libs (1.5.5-r8)
Executing busybox-1.36.1-r15.trigger
Executing fontconfig-2.14.2-r4.trigger
Executing mkfontscale-1.2.2-r4.trigger
OK: 421 MiB in 86 packages
```

which completely breaks the image.

I suppose my request is to break out the actual run dependencies to their own virtual package, along with any others that are more build than run dependencies. That way, if we don't have a need for them, we can remove and clean up some space (and CVEs).

Closing this, but I would maintain that having git and some other tools as run-deps is a potential issue waiting to happen.
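
One way a downstream image could drop `git` while keeping the rest of `.wodby-php-run-deps`, as an added example that is not part of the original issue or the wodby/php project: the helpers parse `apk info -R` output and compute the dependency list without one package. The sample dependency names are constructed, and the commented usage assumes that re-running `apk add --virtual` with an existing name replaces that virtual package's dependency list.

```shell
#!/bin/sh
# Constructed sample of `apk info -R .wodby-php-run-deps` output
# (illustrative names; the real list is much longer).
sample_info() {
cat <<'EOF'
.wodby-php-run-deps-20240520.101500 depends on:
bash
git
make
openssh-client

EOF
}

# deps_without PKG: read `apk info -R <virtual>` output on stdin and print the
# dependencies on one line, dropping PKG (exact name match only, so "git"
# does not also drop "git-lfs").
deps_without() {
    awk -v drop="$1" '
        /depends on:$/ { in_list = 1; next }   # header line starts the list
        /^$/           { in_list = 0; next }   # blank line ends it
        in_list {
            name = $0
            sub(/[<>=~].*$/, "", name)         # strip any version constraint
            if (name != drop) out = out (out ? " " : "") $0
        }
        END { print out }
    '
}

# holds PKG: succeed if PKG is listed as a dependency on stdin.
holds() {
    awk -v want="$1" '
        /depends on:$/ { in_list = 1; next }
        /^$/           { in_list = 0; next }
        in_list { n = $0; sub(/[<>=~].*$/, "", n); if (n == want) found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Assumed usage on a real image, as the final layer:
#   keep=$(apk info -R .wodby-php-run-deps | deps_without git)
#   apk add --no-cache --virtual .wodby-php-run-deps $keep
#   apk info -e git && apk del --purge git
```

Check that nothing the application calls at runtime shells out to `git` before removing it, since package metadata will not show that kind of dependency.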