Merged
2 changes: 1 addition & 1 deletion AGENTS.md
@@ -69,7 +69,7 @@ The container setup for Victoria is intentionally designed to balance reliabilit

- **Prefer the Default Podman Security Profile**: The streamlined `podman run` command above intentionally omits additional security flags that previously caused permission issues on macOS, Linux, and Windows hosts. Do not reintroduce `--userns=keep-id`, `--security-opt`, or `--cap-drop` defaults unless a regression is demonstrated and thoroughly tested across platforms.
- **Root-Based Image**: The container image runs as root by default to guarantee mounted volumes remain writable regardless of host UID/GID mappings. Avoid adding a `USER` directive or runtime UID switching logic to the `Containerfile` or entrypoint.
- **Two-Stage Build Layout**: The `Containerfile` now uses a dedicated builder stage to compile the `crush` binary with Go and a lean runtime stage that carries Python, Helix, and the application code. Keep this separation intact so the final image stays lightweight while still delivering the compiled tooling we depend on. Only adjust the stage boundaries if a regression or dependency change makes it unavoidable.
- **Single-Stage Build Layout**: The `Containerfile` installs Go, Python, Helix, and all required build tooling in one stage. This keeps the image straightforward while still compiling the `crush` binary during the build. Avoid reintroducing a separate builder stage unless a future regression or dependency constraint makes it absolutely necessary.
- **"Always on Latest" Update Strategy**: The base image is intentionally set to `fedora:latest`. This ensures the container always benefits from the latest security patches. Builds are versioned and stored in the GitHub Container Registry, allowing for easy rollbacks if an update causes issues. Do not pin the base image to a specific version, as this would prevent automatic security updates.

### Dependencies Explained
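Review bot: The added "Single-Stage Build Layout" bullet drops the lightweight-image rationale of the removed "Two-Stage Build Layout" bullet without stating the trade-off: with one stage, the Go toolchain and every package installed to compile `crush` stay in the image that the preceding "Root-Based Image" bullet says runs as root, so the runtime image now carries compilers and build tooling it does not need at run time. Suggest the bullet name what now ships in the final image and why that is acceptable, so "straightforward" is not read as "lean". The two bullets also give opposite guidance behind the same "unless a regression makes it unavoidable" escape hatch; record here or in the PR description which regression motivated reverting to a single stage, otherwise the next contributor has no basis for choosing between them.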
38 changes: 19 additions & 19 deletions Containerfile
@@ -1,33 +1,33 @@
FROM registry.fedoraproject.org/fedora:latest AS builder
FROM registry.fedoraproject.org/fedora:latest

ENV PATH="/root/.local/bin:${PATH}" \
PYTHONUNBUFFERED="1" \
PIP_ROOT_USER_ACTION="ignore" \
GOTOOLCHAIN="auto" \
GOSUMDB="sum.golang.org" \
PIP_ROOT_USER_ACTION="ignore"
VICTORIA_HOME="/workspace/Victoria"

# Install runtime and build dependencies plus crush
RUN dnf -y upgrade && \
dnf -y install python3 python3-pip git curl golang helix && \
dnf -y install \
python3 \
python3-pip \
python3-devel \
git \
curl \
helix \
golang \
gcc \
gcc-c++ \
make \
cmake \
libffi-devel \
openssl-devel \
redhat-rpm-config && \
# Change @latest to a pinned version if we ever need to lock Crush.
GOBIN=/usr/local/bin go install github.com/charmbracelet/crush@latest && \
dnf clean all && rm -rf /var/cache/dnf && rm -rf /root/go/pkg/mod

# Final stage - without Go compiler
FROM registry.fedoraproject.org/fedora:latest

ENV PATH="/root/.local/bin:${PATH}" \
PYTHONUNBUFFERED="1" \
PIP_ROOT_USER_ACTION="ignore" \
VICTORIA_HOME="/workspace/Victoria"

# Copy crush binary from builder
COPY --from=builder /usr/local/bin/crush /usr/local/bin/crush

# Install runtime dependencies
RUN dnf -y upgrade && \
dnf -y install python3 python3-pip git curl helix && \
dnf clean all && rm -rf /var/cache/dnf && rm -rf /root/go/pkg/mod

WORKDIR /workspace

COPY requirements.txt ./
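Review bot: The `GOBIN=/usr/local/bin go install github.com/charmbracelet/crush@latest` line, now in the single `RUN`, resolves to whatever the newest tagged release is on each build, and nothing in the hunk records which version was built; `GOSUMDB="sum.golang.org"` verifies that the module fetched matches the public checksum database but does not pin which version is chosen, and `GOTOOLCHAIN="auto"` additionally lets the build download a newer Go toolchain if the module's go.mod asks for one. Suggest replacing `@latest` with a tagged version, as the comment above it already anticipates, so rebuilds are reproducible and a rollback of the image (the recovery path the AGENTS.md change relies on) is also a rollback of `crush`. Separately, with the builder stage and `COPY --from=builder /usr/local/bin/crush /usr/local/bin/crush` removed, `golang`, `gcc`, `gcc-c++`, `make`, `cmake` and the `-devel` packages stay in the runtime image; if they are only needed to build `crush` (and any pip wheels installed from `requirements.txt`), consider removing them with `dnf -y remove` in the same `RUN` layer after the install, and clean the Go build cache (`/root/.cache/go-build`) alongside `/root/go/pkg/mod`, since the existing cleanup leaves both the toolchain and that cache in the layer.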