go-123pan-pic/Dockerfile
RainySY 13ab2b0364
Some checks failed
Go Build & Release / build (amd64, imagehost-linux-amd64, linux) (push) Has been cancelled
Go Build & Release / build (amd64, imagehost-macos-amd64, darwin) (push) Has been cancelled
Go Build & Release / build (amd64, imagehost-windows-amd64.exe, windows) (push) Has been cancelled
Go Build & Release / build (arm64, imagehost-linux-arm64, linux) (push) Has been cancelled
Go Build & Release / build (arm64, imagehost-macos-arm64, darwin) (push) Has been cancelled
Go Build & Release / docker (push) Has been cancelled
refactor: upgrade Dockerfile to zero-dependency scratch image
2026-04-09 04:14:54 +08:00

39 lines
1.2 KiB
Docker
# ==== Stage 1: build and packaging layer ====
FROM golang:alpine AS builder
# Install the full root certificate bundle and time zone data up front; the final stage has to copy both from here
RUN apk add --no-cache ca-certificates tzdata
# Set CGO_ENABLED=0: this is the key to escaping system library dependencies and producing a truly static single-file binary
ENV GO111MODULE=on \
    CGO_ENABLED=0 \
    GOOS=linux \
    GOARCH=amd64
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN go build -ldflags="-w -s" -o imagehost ./cmd/main.go
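# ==== Stage 2: absolute physical vacuum layer (scratch) ====
# Since scanners keep turning up all sorts of zero-day and stale vulnerabilities in Alpine's components, the best defense is to ship no OS components at all!
# scratch has no shell, bash or busybox, which truly rules out, at the physical level, all kinds of privilege-escalation injection and CVE scanner alerts.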
FROM scratch
# Pull our core supporting data (the time zone tree and HTTPS certificates) out of the builder stage
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
ENV TZ=Asia/Shanghai
WORKDIR /app
COPY --from=builder /app/imagehost .
EXPOSE 8080
CMD ["./imagehost"]