chore: cleanup Dockerfile

shinsenter · shinsenter · commit fa51e82dadda · 2025-08-30T20:19:26.000+09:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,52 +1,104 @@
-FROM node:18 AS node
+# syntax=docker/dockerfile:1
+############################################################
+# 1) Base Node environment
+############################################################
+FROM node:18 AS node-base
 
+# Create non-root workspace owned by uid/gid 1000 (keeps permissions consistent across stages)
 RUN mkdir /app && chown 1000:1000 /app
 USER 1000
 WORKDIR /app
 
-FROM node AS build-cli
+############################################################
+# 2) Dependency layer (Yarn cache prefetch)
+############################################################
+FROM node-base AS deps
 ARG TARGETARCH
 
-COPY .yarnrc.yml yarn.lock ./
-COPY --chown=1000:1000 .yarn .yarn
+# Copy only Yarn config + lockfile up front to maximize layer caching
+COPY --link --chown=1000:1000 .yarnrc.yml yarn.lock ./
+COPY --link --chown=1000:1000 .yarn .yarn
+
+# Pre-fetch Yarn cache without installing (fast, deterministic, cacheable)
+# NOTE: BuildKit cache mount keeps the artifact cache across builds.
 RUN yarn fetch
 
-RUN NODE_ARCH=$(if [ "$TARGETARCH" = "amd64" ]; then echo "x64"; elif [ "$TARGETARCH" = "arm" ]; then echo "armv7"; else echo "$TARGETARCH"; fi) && \
-  echo $NODE_ARCH>.nodearch
+# Normalize Docker's TARGETARCH into Node's arch names and persist for later stages
+# amd64 -> x64, arm -> armv7, otherwise pass through (arm64, etc.)
+RUN bash -lc 'case "$TARGETARCH" in \
+  amd64) echo x64 ;; \
+  arm)   echo armv7 ;; \
+  *)     echo "$TARGETARCH" ;; \
+esac > .nodearch'
+
+############################################################
+# 3) CLI build (bundle with ncc, pack with vercel/pkg)
+############################################################
+FROM deps AS build-cli
 
-# prefetch node, see https://github.com/vercel/pkg/issues/292#issuecomment-401353635
+# Prefetch the Node runtime that "pkg" will embed so the next step is faster and stable
+# (See: https://github.com/vercel/pkg/issues/292#issuecomment-401353635)
 RUN touch noop.js && \
-  yarn pkg -t node18-linuxstatic-$(cat .nodearch) noop.js --out=noop && rm -rf noop && \
-  rm noop.js
+    yarn pkg -t node18-linuxstatic-$(cat .nodearch) noop.js --out=noop && \
+    rm -rf noop noop.js
 
-COPY package.json index.js ./
-COPY src src
-RUN yarn build:ncc
-RUN yarn pkg -t node18-linuxstatic-$(cat .nodearch) -o ./dist-bin/dockerfile-x --compress=GZip ./dist/index.js
+# Copy the minimum project sources necessary for building the CLI
+COPY --link --chown=1000:1000 src ./src
+COPY --link --chown=1000:1000 index.js package.json ./
 
+# Build the CLI (ncc) and then produce a single-file static binary via pkg
+RUN yarn build:ncc && \
+    yarn pkg -t node18-linuxstatic-$(cat .nodearch) \
+      -o ./dist-bin/dockerfile-x --compress=GZip ./dist/index.js
+
+############################################################
+# 4) CA certificates for final scratch
+############################################################
 FROM alpine:3 AS certs
-RUN apk --update add ca-certificates
+RUN apk --no-cache add ca-certificates
 
+############################################################
+# 5) Build Go frontend (static binary)
+############################################################
 FROM golang:1.25 AS build-frontend
 ARG TARGETARCH
 WORKDIR /app
-COPY vendor vendor
-COPY go.mod go.sum ./
-COPY pkg pkg
-COPY main.go ./
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -mod vendor -ldflags '-w -extldflags "-static"' -o dist-bin/dockerfile-x-frontend .
 
+# Copy modules first for better caching, then the sources
+COPY --link go.mod go.sum  ./
+COPY --link vendor         ./vendor
+COPY --link pkg            ./pkg
+COPY --link main.go        ./
+
+# Produce a fully-static Linux binary (no CGO, strip symbols)
+# GOARCH is derived from Docker's --platform
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH \
+    go build -mod=vendor -trimpath -buildvcs=false \
+    -ldflags='-s -w -extldflags "-static"' \
+    -o dist-bin/dockerfile-x-frontend .
+
+############################################################
+# 6) Minimal final image
+############################################################
 FROM scratch
 
-# see https://github.com/moby/buildkit/blob/master/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile
+# BuildKit frontend capabilities (mirrors upstream Dockerfile frontend)
+# Ref: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile
 LABEL moby.buildkit.frontend.network.none="true"
 LABEL moby.buildkit.frontend.caps="moby.buildkit.frontend.inputs,moby.buildkit.frontend.subrequests,moby.buildkit.frontend.contexts"
 
-ENTRYPOINT [ "/dockerfile-x-frontend" ]
-ENV PATH=/
-ENV DOCKERFILEX_TMPDIR=/workspace
+# Keep PATH minimal; put binaries at root so ENTRYPOINT can reference them directly
+ENV PATH=/ \
+    DOCKERFILEX_TMPDIR=/workspace
+
+# Run as non-root and default to a writeable working directory
 USER 1000
 WORKDIR /workspace
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=build-frontend /app/dist-bin/ /
-COPY --from=build-cli /app/dist-bin/ /
+
+# Copy only the necessary runtime artifacts
+COPY --link --from=certs          /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --link --from=build-frontend /app/dist-bin/ /
+COPY --link --from=build-cli      /app/dist-bin/ /
+
+# The Go frontend is the entrypoint; the CLI binary is also available in PATH
+ENTRYPOINT ["/dockerfile-x-frontend"]
