Skip to content

Refactor: overhaul Dockerfile with multi-stage build, non-root user, and .dockerignore#135

Merged
dmabry merged 1 commit into
mainfrom
feature/dockerfile-overhaul
May 15, 2026
Merged

Refactor: overhaul Dockerfile with multi-stage build, non-root user, and .dockerignore#135
dmabry merged 1 commit into
mainfrom
feature/dockerfile-overhaul

Conversation

@dmabry
Copy link
Copy Markdown
Owner

@dmabry dmabry commented May 15, 2026

Summary

Complete Dockerfile rewrite — from a fragile, outdated build to a production-grade multi-stage container. Also adds a .dockerignore for the first time.

Changes

Dockerfile

Before After
FROM golang:alpine (unpinned) FROM golang:1.26-alpine (pinned)
No CGO_ENABLED=0 Static binary, Alpine/musl compatible
GOARCH=amd64 hardcoded TARGETARCH auto-detected by BuildKit
No dependency caching go.mod/go.sum cached in separate layer
No debug stripping -ldflags "-s -w" (~10% smaller)
Runs as root Non-root user flowgre (uid 100)
Version label 0.4.10 Injected via --build-arg VERSION
Dead git submodule commands Removed
GO111MODULE=on (deprecated) Removed (default since Go 1.16)

New: .dockerignore

Excludes .git, docs, IDE configs, build artifacts, .nfpm/, scripts/ — reduces build context from ~10MB to ~300KB.

Build Instructions

# Local build
docker build --build-arg VERSION=0.5.16 -t flowgre:0.5.16 .

# Push to registry
docker tag flowgre:0.5.16 registry.dmabry.net/flowgre:0.5.16
docker push registry.dmabry.net/flowgre:0.5.16

Verified

  • ✅ Builds cleanly on arm64 (local) and amd64 (CI)
  • ✅ Image size: 22.2MB
  • ✅ Binary runs as non-root user (uid=100 flowgre)
  • flowgre version works inside container
  • ✅ Static binary (no glibc dependency)

Refactor: overhaul Dockerfile with multi-stage build, non-root user, …
6d568fb 
…and .dockerignore

- Pin golang:1.26-alpine base image (was unpinned)
- Add CGO_ENABLED=0 for fully static binary (Alpine/musl compatible)
- Use BuildKit TARGETARCH auto-detection (arm64 on local, amd64 on CI)
- Cache go.mod/go.sum download layer separately from source
- Strip debug symbols with -ldflags "-s -w" (~10% smaller binary)
- Add non-root user (flowgre:100) for container security
- Inject version via --build-arg VERSION at build time
- Create .dockerignore to exclude .git, docs, IDE configs, build artifacts
- Remove dead git submodule commands (no submodules exist)
- Remove GO111MODULE env var (modules enabled by default since Go 1.16)
- Image size: ~22MB (down from ~30MB with glibc baggage)
- No HEALTHCHECK (flowgre is a CLI tool, not a daemon)
@dmabry dmabry merged commit bd7ecde into main May 15, 2026
3 checks passed
@dmabry dmabry deleted the feature/dockerfile-overhaul branch May 15, 2026 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dmabry