build: refactor Dockerfile for security, performance, and flexibility (#50)

- Switch build base image to Alpine and set platform dynamically - Use distroless nonroot image for final stage to enhance security - Add build arguments for VERSION, TARGETOS, and TARGETARCH with defaults - Cache Go module and build dependencies to improve build performance - Remove manual installation of ca-certificates and user creation (handled by base image) - Set nonroot user for running the application - Add healthcheck for the built binary - Add OCI-compliant author and version labels Signed-off-by: appleboy <appleboy.tw@gmail.com> Reviewed-on: https://gitea.com/gitea/gitea-mcp/pulls/50 Co-authored-by: appleboy <appleboy.tw@gmail.com> Co-committed-by: appleboy <appleboy.tw@gmail.com>
2025-11-03 20:01:50 +00:00 · 2025-05-30 04:58:24 +00:00
parent da49bdeb96
commit e94dd26b30
1 changed files with 20 additions and 21 deletions
--- a/41
+++ b/41
@@ -1,39 +1,38 @@
+# syntax=docker/dockerfile:1.4
+
 # Build stage
-FROM golang:1.24-bullseye AS builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder

-ARG VERSION
+ARG VERSION=dev
+ARG TARGETOS
+ARG TARGETARCH

-# Set the working directory
 WORKDIR /app

-# Copy go.mod and go.sum files
 COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download

-# Download dependencies
-RUN go mod download
-
-# Copy the source code
 COPY . .
-
-RUN CGO_ENABLED=0 go build -ldflags="-s -w -X main.Version=${VERSION}" -o gitea-mcp
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
+    go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o gitea-mcp

 # Final stage
-FROM debian:bullseye-slim
+FROM gcr.io/distroless/static-debian11:nonroot

 ENV GITEA_MODE=stdio

 WORKDIR /app
+COPY --from=builder --chown=nonroot:nonroot /app/gitea-mcp .

-# Install ca-certificates for HTTPS requests
-RUN apt-get update && \
-    apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+USER nonroot:nonroot

-# Create a non-root user
-RUN useradd -r -u 1000 -m gitea-mcp
+HEALTHCHECK --interval=30s --timeout=3s \
+  CMD ["/app/gitea-mcp", "healthcheck"]

-COPY --from=builder --chown=1000:1000 /app/gitea-mcp .
+LABEL org.opencontainers.image.authors="your-team@example.com"
+LABEL org.opencontainers.image.version="${VERSION}"

-# Use the non-root user
-USER gitea-mcp
-
-CMD ["/app/gitea-mcp"]
+CMD ["/app/gitea-mcp"]