更新Dockerfile以优化前后端构建流程，添加必要的配置文件复制，调整用户权限，增强安全性。同时更新.gitignore以排除新生成的文件和目录。

.dockerignore

@@ -1,6 +1,7 @@
 # Git
 .git
 .gitignore
+.gitattributes
 
 # IDE
 .vscode
@@ -8,10 +9,12 @@
 *.swp
 *.swo
 *~
+.cursor/
 
 # OS
 .DS_Store
 Thumbs.db
+desktop.ini
 
 # Logs
 *.log
@@ -19,9 +22,10 @@ logs/
 data/logs/
 data/server.log
 
-# Database
+# Database and runtime data
 data/data.db
 data/stats.json
+data/
 
 # Build artifacts
 random-api-go.exe
@@ -29,8 +33,16 @@ random-api-go
 random-api-test
 *.exe
 
+# Node.js build artifacts (will be rebuilt in Docker)
+web/node_modules/
+web/.next/
+web/out/
+web/.turbo/
+
 # Go
 vendor/
+*.test
+*.prof
 
 # Docker
 docker-compose*.yml
@@ -40,8 +52,17 @@ test-build.sh
 *.md
 DOCKER_DEPLOYMENT.md
 
+# Environment and config
+.env*
+!.env.example
+
+# GitHub
+.github/
+
 # Misc
-.env
-.env.local
-.env.example
+*.tmp
+*.temp
+.cache/
+
+# README
 README.md 

.github/workflows/docker.yml

@@ -33,12 +33,18 @@ jobs:
         uses: actions/setup-go@v4
         with:
           go-version: '1.23'
+          cache: true
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: |
+            network=host
+          buildkitd-flags: |
+            --allow-insecure-entitlement network.host
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3
@@ -46,16 +52,30 @@ jobs:
           username: woodchen
           password: ${{ secrets.ACCESS_TOKEN }}
 
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: woodchen/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha,prefix={{branch}}-
+            type=raw,value=latest,enable={{is_default_branch}}
+
       - name: Build and push multi-arch image
         uses: docker/build-push-action@v5
         with:
           context: .
           file: Dockerfile
           push: true
-          tags: woodchen/${{ env.IMAGE_NAME }}:latest
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          build-args: |
+            BUILDKIT_INLINE_CACHE=1
 
       - name: Execute deployment commands
         uses: appleboy/ssh-action@master

Dockerfile

@@ -3,14 +3,26 @@ FROM node:20-alpine AS frontend-builder
 
 WORKDIR /app/web
 
-# 复制前端依赖文件
+# 复制前端依赖文件（优先缓存依赖层）
 COPY web/package*.json ./
 
 # 安装前端依赖（包括开发依赖，构建需要）
-RUN npm ci
+RUN npm ci --prefer-offline --no-audit --progress=false
 
-# 复制前端源代码
-COPY web/ ./
+# 复制前端配置文件
+COPY web/next.config.ts ./
+COPY web/tsconfig.json ./
+COPY web/postcss.config.mjs ./
+COPY web/components.json ./
+COPY web/eslint.config.mjs ./
+COPY web/next-env.d.ts ./
+
+# 复制前端源代码目录
+COPY web/app ./app
+COPY web/components ./components
+COPY web/lib ./lib
+COPY web/types ./types
+COPY web/public ./public
 
 # 构建前端静态文件
 RUN npm run build
@@ -21,27 +33,31 @@ FROM golang:1.23-alpine AS backend-builder
 WORKDIR /app
 
 # 安装必要的工具
-RUN apk add --no-cache git
+RUN apk add --no-cache git ca-certificates tzdata
 
-# 复制 go.mod 和 go.sum 文件
+# 复制 go.mod 和 go.sum 文件（优先缓存依赖层）
 COPY go.mod go.sum ./
 
 # 下载依赖
-RUN go mod download
+RUN go mod download && go mod verify
 
 # 复制后端源代码
 COPY . .
 
 # 构建后端应用
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o random-api .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build \
+    -ldflags='-w -s -extldflags "-static"' \
+    -a -installsuffix cgo \
+    -o random-api .
 
 # 运行阶段
 FROM alpine:latest
 
 # 安装必要的工具
-RUN apk --no-cache add ca-certificates tzdata tini
+RUN apk --no-cache add ca-certificates tzdata tini && \
+    adduser -D -s /bin/sh appuser
 
-WORKDIR /root/
+WORKDIR /app
 
 # 从后端构建阶段复制二进制文件
 COPY --from=backend-builder /app/random-api .
@@ -49,8 +65,12 @@ COPY --from=backend-builder /app/random-api .
 # 从前端构建阶段复制静态文件
 COPY --from=frontend-builder /app/web/out ./web/out
 
-# 创建必要的目录
-RUN mkdir -p /root/data/logs
+# 创建必要的目录并设置权限
+RUN mkdir -p /app/data/logs && \
+    chown -R appuser:appuser /app
+
+# 切换到非root用户
+USER appuser
 
 # 暴露端口
 EXPOSE 5003