build: refactor Dockerfile for security, performance, and flexibility (#50)
- Switch build base image to Alpine and set platform dynamically - Use distroless nonroot image for final stage to enhance security - Add build arguments for VERSION, TARGETOS, and TARGETARCH with defaults - Cache Go module and build dependencies to improve build performance - Remove manual installation of ca-certificates and user creation (handled by base image) - Set nonroot user for running the application - Add healthcheck for the built binary - Add OCI-compliant author and version labels Signed-off-by: appleboy <appleboy.tw@gmail.com> Reviewed-on: #50 Co-authored-by: appleboy <appleboy.tw@gmail.com> Co-committed-by: appleboy <appleboy.tw@gmail.com>
41 Dockerfile
Dockerfile @@ -1,39 +1,38 @@ | ||||
# syntax=docker/dockerfile:1.4 | ||||
| ||||
# Build stage | ||||
FROM golang:1.24-bullseye AS builder | ||||
FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder | ||||
| ||||
ARG VERSION | ||||
ARG VERSION=dev | ||||
ARG TARGETOS | ||||
ARG TARGETARCH | ||||
| ||||
# Set the working directory | ||||
WORKDIR /app | ||||
| ||||
# Copy go.mod and go.sum files | ||||
COPY go.mod go.sum ./ | ||||
RUN --mount=type=cache,target=/go/pkg/mod \ | ||||
go mod download | ||||
| ||||
# Download dependencies | ||||
RUN go mod download | ||||
| ||||
# Copy the source code | ||||
COPY . . | ||||
| ||||
RUN CGO_ENABLED=0 go build -ldflags="-s -w -X main.Version=${VERSION}" -o gitea-mcp | ||||
RUN --mount=type=cache,target=/go/pkg/mod \ | ||||
--mount=type=cache,target=/root/.cache/go-build \ | ||||
CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \ | ||||
go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o gitea-mcp | ||||
| ||||
# Final stage | ||||
FROM debian:bullseye-slim | ||||
FROM gcr.io/distroless/static-debian11:nonroot | ||||
| ||||
ENV GITEA_MODE=stdio | ||||
| ||||
WORKDIR /app | ||||
COPY --from=builder --chown=nonroot:nonroot /app/gitea-mcp . | ||||
| ||||
# Install ca-certificates for HTTPS requests | ||||
RUN apt-get update && \ | ||||
apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/* | ||||
USER nonroot:nonroot | ||||
| ||||
# Create a non-root user | ||||
RUN useradd -r -u 1000 -m gitea-mcp | ||||
HEALTHCHECK --interval=30s --timeout=3s \ | ||||
CMD ["/app/gitea-mcp", "healthcheck"] | ||||
| ||||
COPY --from=builder --chown=1000:1000 /app/gitea-mcp . | ||||
LABEL org.opencontainers.image.authors="your-team@example.com" | ||||
LABEL org.opencontainers.image.version="${VERSION}" | ||||
| ||||
# Use the non-root user | ||||
USER gitea-mcp | ||||
| ||||
CMD ["/app/gitea-mcp"] | ||||
CMD ["/app/gitea-mcp"] | ||||
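Review bot: `LABEL org.opencontainers.image.version="${VERSION}"` in the final stage expands to an empty string, because `ARG VERSION=dev` is declared in the builder stage and an ARG's scope ends at the next `FROM`; redeclare it right after `FROM gcr.io/distroless/static-debian11:nonroot` with `ARG VERSION=dev` so the label carries the same value that `-X main.Version=${VERSION}` bakes into the binary. The `org.opencontainers.image.authors="your-team@example.com"` value is a placeholder and should be replaced with the project's real contact before this ships. The `HEALTHCHECK` assumes the binary implements a `healthcheck` subcommand, which this diff does not show; if it does not, the container will be reported unhealthy after three failed 30s probes. Since the commit is framed as security hardening, consider also pinning the distroless base by digest (`gcr.io/distroless/static-debian11:nonroot@sha256:<digest-placeholder>`) so the runtime image is reproducible and cannot silently change under the tag.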