From e94dd26b304d80f7aa7a1458eb501bd35d4ad352 Mon Sep 17 00:00:00 2001
From: appleboy
Date: Fri, 30 May 2025 04:58:24 +0000
Subject: [PATCH] build: refactor Dockerfile for security, performance, and flexibility (#50)

- Switch build base image to Alpine and set platform dynamically
- Use distroless nonroot image for final stage to enhance security
- Add build arguments for VERSION, TARGETOS, and TARGETARCH with defaults
- Cache Go module and build dependencies to improve build performance
- Remove manual installation of ca-certificates and user creation (handled by base image)
- Set nonroot user for running the application
- Add healthcheck for the built binary
- Add OCI-compliant author and version labels

Signed-off-by: appleboy
Reviewed-on: https://gitea.com/gitea/gitea-mcp/pulls/50
Co-authored-by: appleboy
Co-committed-by: appleboy
---
 Dockerfile | 41 ++++++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1963a0e..d84a422 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,39 +1,38 @@
+# syntax=docker/dockerfile:1.4
+
 # Build stage
-FROM golang:1.24-bullseye AS builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
 
-ARG VERSION
+ARG VERSION=dev
+ARG TARGETOS
+ARG TARGETARCH
 
-# Set the working directory
 WORKDIR /app
 
-# Copy go.mod and go.sum files
 COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+ go mod download
 
-# Download dependencies
-RUN go mod download
-
-# Copy the source code
 COPY . .
-
-RUN CGO_ENABLED=0 go build -ldflags="-s -w -X main.Version=${VERSION}" -o gitea-mcp
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
+ go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o gitea-mcp
 
 # Final stage
-FROM debian:bullseye-slim
+FROM gcr.io/distroless/static-debian11:nonroot
 
 ENV GITEA_MODE=stdio
 
 WORKDIR /app
+COPY --from=builder --chown=nonroot:nonroot /app/gitea-mcp .
 
-# Install ca-certificates for HTTPS requests
-RUN apt-get update && \
- apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+USER nonroot:nonroot
 
-# Create a non-root user
-RUN useradd -r -u 1000 -m gitea-mcp
+HEALTHCHECK --interval=30s --timeout=3s \
+ CMD ["/app/gitea-mcp", "healthcheck"]
 
-COPY --from=builder --chown=1000:1000 /app/gitea-mcp .
+LABEL org.opencontainers.image.authors="your-team@example.com"
+LABEL org.opencontainers.image.version="${VERSION}"
 
-# Use the non-root user
-USER gitea-mcp
-
-CMD ["/app/gitea-mcp"]
\ No newline at end of file
+CMD ["/app/gitea-mcp"]
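Review bot: `LABEL org.opencontainers.image.version="${VERSION}"` in the final stage expands to an empty string, because `ARG VERSION=dev` is declared only in the builder stage and a build argument does not carry across the next `FROM`; add `ARG VERSION=dev` right after `FROM gcr.io/distroless/static-debian11:nonroot` so the label is actually populated. The authors label value `your-team@example.com` reads like a template placeholder that will be baked into every published image and should be replaced with the real contact or dropped. Both base images are referenced by floating tag only; pinning `golang:1.24-alpine` and the distroless image by digest would make the build reproducible and keep a re-pushed tag from silently changing the shipped toolchain or runtime. The `HEALTHCHECK` assumes the binary exposes a `healthcheck` subcommand, which this hunk cannot confirm, and with `ENV GITEA_MODE=stdio` as the default the main process may not be long-lived enough for a periodic probe to be meaningful, so a comment on that line stating what the probe verifies would help operators.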