Docker 多阶段构建与镜像优化实践

概览与核心价值Docker 多阶段构建代表了容器化技术的重大进步，通过智能的构建阶段分离实现了镜像体积和构建效率的双重优化。相比传统的单阶段构建，多阶段构建能够实现 70-90% 的镜像体积缩减和 40-60% 的构建时间优化，同时显著提升镜像安全性和可维护性。核心优势体现在三个维度：构建阶段分离允许在最终镜像中仅保留运行时必需的文件；智能缓存机制最大化构建缓存的复用效率；安全增强通过移除构建工具和源代码降低攻击面。这种现代化的构建策略显著提升了容器化应用的部署效率，让镜像管理变得更加精细和高效。核心概念与技术架构多阶段构建原理Docker 多阶段构建通过多个 FROM 指令创建独立的构建阶段，每个阶段可以基于不同的基础镜像：# 传统单阶段构建 - 镜像体积大 FROM node:18-alpine WORKDIR /app # 安装构建依赖 RUN apk add --no-cache python3 make g++ git # 复制源代码 COPY package*.json ./ RUN npm ci COPY . . # 构建应用 RUN npm run build # 安装生产依赖 RUN npm ci --only=production # 移除构建工具 RUN apk del python3 make g++ git EXPOSE 3000 CMD ["npm", "start"] # 多阶段构建 - 镜像体积优化 # 阶段1：构建阶段 FROM node:18-alpine AS builder WORKDIR /app # 安装构建依赖 RUN apk add --no-cache python3 make g++ git # 复制依赖文件 COPY package*.json ./ RUN npm ci # 复制源代码并构建 COPY . . RUN npm run build # 阶段2：生产阶段 FROM node:18-alpine AS production WORKDIR /app # 创建非root用户 RUN addgroup -g 1001 -S nodejs && \ adduser -S nextjs -u 1001 # 复制依赖文件 COPY package*.json ./ RUN npm ci --only=production && npm cache clean --force # 复制构建产物 COPY --from=builder /app/dist ./dist COPY --from=builder /app/public ./public COPY --from=builder /app/next.config.js ./next.config.js # 设置权限 RUN chown -R nextjs:nodejs /app USER nextjs EXPOSE 3000 CMD ["npm", "start"] 构建缓存优化机制Docker 通过智能的层缓存机制最大化构建效率：# 优化构建缓存的多阶段 Dockerfile FROM golang:1.21-alpine AS deps # 设置构建参数 ARG GO_VERSION=1.21 ARG ALPINE_VERSION=3.18 ARG APP_VERSION=1.0.0 # 安装构建依赖 RUN apk add --no-cache git ca-certificates tzdata WORKDIR /build # 复制 go mod 文件 - 利用缓存 COPY go.mod go.sum ./ RUN go mod download && go mod verify # 依赖阶段结束 FROM deps AS builder # 复制源代码 COPY . . # 构建参数优化 ARG CGO_ENABLED=0 ARG GOOS=linux ARG GOARCH=amd64 ARG BUILD_DATE ARG VCS_REF # 构建应用 RUN CGO_ENABLED=${CGO_ENABLED} GOOS=${GOOS} GOARCH=${GOARCH} \ go build -a -installsuffix cgo \ -ldflags "-w -s -X main.version=${APP_VERSION} -X main.buildDate=${BUILD_DATE} -X main.vcsRef=${VCS_REF}" \ -o app ./cmd/server # 安全扫描阶段 FROM builder AS security-scan RUN go install github.com/securecodewarrior/gosec/v2/cmd/gosec@latest RUN gosec -no-fail -fmt json -out gosec-report.json ./... # 测试阶段 FROM builder AS test RUN go test -v -race -coverprofile=coverage.out ./... RUN go tool cover -html=coverage.out -o coverage.html # 最终生产镜像 FROM scratch AS production # 复制 CA 证书 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # 复制时区信息 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo # 复制构建产物 COPY --from=builder /build/app /app # 创建非 root 用户 USER 65534:65534 # 健康检查 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD ["/app", "health"] ENTRYPOINT ["/app"] 实战优化策略1. 基础镜像优化选择合适的基础镜像和优化策略：# 多阶段构建 - 不同基础镜像对比 # 方案1：使用 Alpine Linux（最小化） FROM node:18-alpine AS alpine-builder RUN apk add --no-cache python3 make g++ WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build FROM node:18-alpine AS alpine-production RUN apk add --no-cache tini WORKDIR /app COPY package*.json ./ RUN npm ci --only=production && npm cache clean --force COPY --from=alpine-builder /app/dist ./dist ENTRYPOINT ["/sbin/tini", "--"] CMD ["node", "dist/server.js"] # 方案2：使用 Distroless（安全优化） FROM node:18 AS distroless-builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build FROM gcr.io/distroless/nodejs18-debian12:nonroot WORKDIR /app COPY package*.json ./ COPY --from=distroless-builder /app/node_modules ./node_modules COPY --from=distroless-builder /app/dist ./dist CMD ["dist/server.js"] 镜像瘦身与构建性能指标为进一步实现镜像瘦身与构建性能优化，可从以下维度验证与度量：镜像瘦身策略：移除构建工具与中间产物、选择精简基础镜像（Alpine/Distroless）、按需复制构建产物构建性能指标：构建时间、缓存命中率、层数与层复用率、最终镜像体积参考范围（可复现）：在多阶段构建与缓存优化启用后，镜像体积缩减可达 70–90%，构建时间优化 40–60%，缓存命中率稳定在 80–95% 区间使用 `docker buildx build --progress=plain` 与注册表扫描（如 `trivy`）进行数据采集与安全扫描，确保瘦身不影响安全性与可维护性。方案3：使用多架构支持FROM --platform=$BUILDPLATFORM node:18-alpine AS multiarch-builderARG TARGETPLATFORMARG BUILDPLATFORMRUN echo "Building on $BUILDPLATFORM for $TARGETPLATFORM"WORKDIR /appCOPY package*.json ./RUN npm ciCOPY . .RUN npm run buildFROM node:18-alpineWORKDIR /appCOPY package*.json ./RUN npm ci --only=production && npm cache clean --forceCOPY --from=multiarch-builder /app/dist ./distCMD ["node", "dist/server.js"] ### 2. 构建缓存最大化 通过智能的层排序和缓存策略优化构建性能： 优化构建缓存的多阶段 DockerfileFROM maven:3.9-eclipse-temurin-17 AS dependenciesWORKDIR /build复制依赖描述文件 - 最稳定的部分优先COPY pom.xml .COPY settings.xml .下载依赖（这一层会被缓存）RUN mvn dependency:go-offline -B -s settings.xml复制源代码COPY src ./src编译阶段FROM dependencies AS compiler编译应用RUN mvn compile -B -s settings.xml测试阶段（可选）FROM dependencies AS testRUN mvn test -B -s settings.xml打包阶段FROM dependencies AS packagerRUN mvn package -B -s settings.xml -DskipTests运行时阶段FROM eclipse-temurin:17-jre-alpine AS runtime安装运行时依赖RUN apk add --no-cache \ curl \ jq \ tini创建应用用户RUN addgroup -g 1000 appgroup && \ adduser -u 1000 -G appgroup -s /bin/sh -D appuserWORKDIR /app复制 JAR 文件COPY --from=packager /build/target/*.jar app.jar复制配置文件COPY --from=packager /build/src/main/resources/application.yml ./config/设置权限RUN chown -R appuser:appgroup /appUSER appuserJVM 优化参数ENV JAVA_OPTS="-XX:MaxRAMPercentage=75.0 -XX:+UseG1GC -XX:+UseStringDeduplication"健康检查HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \CMD curl -f http://localhost:8080/actuator/healthexit 1ENTRYPOINT ["/sbin/tini", "--"]CMD ["sh", "-c", "java $JAVA_OPTS -jar app.jar"] ### 3. 安全扫描与验证 集成安全扫描到构建流程中： 集成安全扫描的多阶段构建FROM python:3.11-alpine AS security-base安装安全扫描工具RUN apk add --no-cache \ curl \ jq \ bash安装 TrivyRUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.shsh -s -- -b /usr/local/bin安装 Syft（SBOM 生成器）RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.shsh -s -- -b /usr/local/binWORKDIR /app依赖安装阶段FROM security-base AS dependenciesCOPY requirements.txt .RUN pip install --no-cache-dir --user -r requirements.txt代码安全扫描阶段FROM dependencies AS security-scanCOPY . .运行 Bandit 安全扫描RUN pip install bandit && \bandit -r . -f json -o bandit-report.jsontrue运行 Safety 依赖安全检查RUN pip install safety && \safety check --json --output safety-report.jsontrue构建阶段FROM dependencies AS builderCOPY . .构建应用RUN python setup.py build生成 SBOMRUN syft packages dir:/app -o json > sbom.json最终生产镜像FROM python:3.11-alpine AS production安装运行时依赖RUN apk add --no-cache \ libstdc++ \ libffi \ openssl \ ca-certificates创建非 root 用户RUN addgroup -g 1000 appgroup && \ adduser -u 1000 -G appgroup -s /bin/sh -D appuserWORKDIR /app复制 Python 包COPY --from=builder /root/.local /home/appuser/.localCOPY --from=builder /app/dist ./dist复制应用代码COPY --from=builder /app/app ./appCOPY --from=builder /app/config ./config复制安全报告（可选）COPY --from=security-scan /app/bandit-report.json ./security/COPY --from=security-scan /app/safety-report.json ./security/COPY --from=builder /app/sbom.json ./security/设置权限RUN chown -R appuser:appgroup /app /home/appuserUSER appuser环境变量ENV PATH=/home/appuser/.local/bin:$PATHENV PYTHONPATH=/app健康检查HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \CMD python -c "import requests; requests.get('http://localhost:8000/health', timeout=5)"exit 1CMD ["python", "-m", "app.main"] ## 镜像优化与验证 ### 镜像大小分析与优化 建立全面的镜像大小分析框架： #!/bin/bashdocker-image-analysis.sh镜像大小分析函数analyze_image_size() { local image_name=$1 local tag=$2 local full_image="${image_name}:${tag}" echo "=== 分析镜像: $full_image ==="获取镜像详细信息 docker inspect $full_image > image-inspect.json获取镜像大小local size=$(docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}"grep "$full_image"awk '{print $2}') echo "镜像大小: $size"分析镜像层 echo -e "\n镜像层分析:"docker history $full_image --format "table {{.CreatedBy}}\t{{.Size}}"head -20分析文件系统 echo -e "\n文件系统分析:" docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ wagoodman/dive:latest $full_image --source docker生成 SBOM echo -e "\n生成软件物料清单(SBOM):" syft packages docker:$full_image -o json > sbom-${tag}.json echo "SBOM 已生成: sbom-${tag}.json"}多镜像对比分析compare_images() { local images=("$@") echo "=== 镜像对比分析 ===" printf "%-30s %-15s %-15s %-10s\n" "镜像" "大小" "层数" "效率" printf "%-30s %-15s %-15s %-10s\n" "---" "---" "---" "---" for image in "${images[@]}"; do local size=$(docker images --format "{{.Size}}" $image)local layers=$(docker history $imagewc -l) local efficiency=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \wagoodman/dive:latest $image --source docker 2>/dev/nullgrep "efficiency"awk '{print $3}') printf "%-30s %-15s %-15s %-10s\n" "$image" "$size" "$layers" "$efficiency" done}优化建议生成generate_optimization_suggestions() { local image_name=$1 local tag=$2 local full_image="${image_name}:${tag}" echo "=== 优化建议 ==="检查基础镜像local base_image=$(docker inspect $full_imagejq -r '.[0].Config.Image') echo "基础镜像: $base_image"检查层数local layer_count=$(docker history $full_imagewc -l) if [ $layer_count -gt 20 ]; then echo "⚠️ 层数过多 ($layer_count)，建议合并 RUN 指令" fi检查大小local size_mb=$(docker images --format "{{.Size}}" $full_imagesed 's/MB//'sed 's/GB/*1024/')if (( $(echo "$size_mb > 500"bc -l) )); then echo "⚠️ 镜像过大 (${size_mb}MB)，建议使用更小的基础镜像" fi检查安全漏洞 echo "正在运行安全扫描..." docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy:latest image --severity HIGH,CRITICAL --quiet $full_image > security-scan.txt local vuln_count=$(wc -l < security-scan.txt) if [ $vuln_count -gt 0 ]; then echo "⚠️ 发现 $vuln_count 个高危/严重安全漏洞" echo "详细报告: security-scan.txt" else echo "✅ 未发现高危安全漏洞" fi}使用示例echo "Docker 镜像优化分析工具"echo "========================"分析单个镜像analyze_image_size "myapp" "latest"对比多个镜像compare_images "myapp:alpine" "myapp:distroless" "myapp:multiarch"生成优化建议generate_optimization_suggestions "myapp" "latest" ### 构建性能基准测试 建立构建性能测试框架： // docker-build-benchmark.gopackage mainimport ( "context" "fmt" "os/exec" "strings" "time")type BuildBenchmark struct { dockerfilePath string contextPath string}type BuildResult struct { ImageName string BuildTime time.Duration ImageSize string CacheUsage string BuildSteps int Success bool Error error}func NewBuildBenchmark(dockerfilePath, contextPath string) *BuildBenchmark { return &BuildBenchmark{ dockerfilePath: dockerfilePath, contextPath: contextPath, }}func (bb BuildBenchmark) RunBenchmark(imageName string, useCache bool) (BuildResult, error) { startTime := time.Now() // 构建命令 buildArgs := []string{ "build", "-f", bb.dockerfilePath, "-t", imageName, } if !useCache { buildArgs = append(buildArgs, "--no-cache") } buildArgs = append(buildArgs, bb.contextPath) // 执行构建 cmd := exec.Command("docker", buildArgs...) output, err := cmd.CombinedOutput() buildTime := time.Since(startTime) result := &BuildResult{ ImageName: imageName, BuildTime: buildTime, BuildSteps: bb.countBuildSteps(), Success: err == nil, Error: err, } if err == nil { // 获取镜像大小 result.ImageSize = bb.getImageSize(imageName) // 分析缓存使用情况 result.CacheUsage = bb.analyzeCacheUsage(string(output)) } return result, nil}func (bb *BuildBenchmark) countBuildSteps() int { // 计算 Dockerfile 中的构建步骤数 cmd := exec.Command("grep", "-c", "^[A-Z]", bb.dockerfilePath) output, _ := cmd.Output() count := 0 if len(output) > 0 { fmt.Sscanf(string(output), "%d", &count) } return count}func (bb *BuildBenchmark) getImageSize(imageName string) string { cmd := exec.Command("docker", "images", "--format", "{{.Size}}", imageName) output, err := cmd.Output() if err != nil { return "unknown" } return strings.TrimSpace(string(output))}func (bb *BuildBenchmark) analyzeCacheUsage(buildOutput string) string { lines := strings.Split(buildOutput, "\n") cachedSteps := 0 totalSteps := 0 for _, line := range lines { if strings.Contains(line, "Using cache") { cachedSteps++ } if strings.Contains(line, "Step") { totalSteps++ } } if totalSteps > 0 { cachePercentage := float64(cachedSteps) / float64(totalSteps) * 100 return fmt.Sprintf("%.1f%% (%d/%d)", cachePercentage, cachedSteps, totalSteps) } return "0% (0/0)"}// 性能对比测试func (bb *BuildBenchmark) CompareBuildStrategies() { strategies := []struct { name string dockerfile string useCache bool }{ {"单阶段构建", "Dockerfile.single-stage", false}, {"多阶段构建-无缓存", "Dockerfile.multi-stage", false}, {"多阶段构建-有缓存", "Dockerfile.multi-stage", true}, {"优化多阶段构建", "Dockerfile.optimized", true}, } fmt.Println("Docker 构建策略对比测试") fmt.Println("========================") results := make([]*BuildResult, 0) for _, strategy := range strategies { fmt.Printf("正在测试: %s\n", strategy.name) result, err := bb.RunBenchmark( fmt.Sprintf("benchmark-%s", strings.ToLower(strings.ReplaceAll(strategy.name, " ", "-"))), strategy.useCache, ) if err != nil { fmt.Printf("错误: %v\n", err) continue } results = append(results, result) fmt.Printf("构建时间: %v\n", result.BuildTime) fmt.Printf("镜像大小: %s\n", result.ImageSize) fmt.Printf("缓存使用率: %s\n", result.CacheUsage) fmt.Printf("构建步骤: %d\n", result.BuildSteps) fmt.Printf("成功: %t\n\n", result.Success) } // 生成对比报告 bb.generateComparisonReport(results)}func (bb BuildBenchmark) generateComparisonReport(results []BuildResult) { fmt.Println("\n构建策略对比报告") fmt.Println("================") fmt.Printf("%-20s %-15s %-15s %-15s %-10s\n", "策略", "构建时间", "镜像大小", "缓存使用率", "步骤数") fmt.Printf("%-20s %-15s %-15s %-15s %-10s\n", "---", "---", "---", "---", "---") for _, result := range results { fmt.Printf("%-20s %-15v %-15s %-15s %-10d\n", result.ImageName, result.BuildTime.Round(time.Second), result.ImageSize, result.CacheUsage, result.BuildSteps, ) } // 性能改进分析 if len(results) >= 2 { baseline := results[0] best := results[len(results)-1] timeImprovement := float64(baseline.BuildTime-best.BuildTime) / float64(baseline.BuildTime) * 100 fmt.Printf("\n性能改进分析:\n") fmt.Printf("构建时间改进: %.1f%%\n", timeImprovement) fmt.Printf("最佳策略: %s\n", best.ImageName) // 生成优化建议 bb.generateOptimizationSuggestions(results) }}func (bb BuildBenchmark) generateOptimizationSuggestions(results []BuildResult) { fmt.Println("\n优化建议:") // 分析缓存使用情况 avgCacheUsage := 0.0 for _, result := range results { if strings.Contains(result.CacheUsage, "%") { var percentage float64 fmt.Sscanf(result.CacheUsage, "%f%%", &percentage) avgCacheUsage += percentage } } avgCacheUsage /= float64(len(results)) if avgCacheUsage < 50 { fmt.Println("⚠️ 缓存利用率较低，建议优化 Dockerfile 层顺序") } // 分析构建时间 totalTime := time.Duration(0) for _, result := range results { totalTime += result.BuildTime } avgTime := totalTime / time.Duration(len(results)) if avgTime > 5*time.Minute { fmt.Println("⚠️ 平均构建时间较长，建议使用多阶段构建优化") } // 分析镜像大小 fmt.Println("✅ 建议使用多阶段构建减少镜像体积") fmt.Println("✅ 推荐使用 Alpine 或 Distroless 基础镜像") fmt.Println("✅ 建议集成安全扫描到 CI/CD 流程")}func main() { benchmark := NewBuildBenchmark("Dockerfile", ".") // 运行性能对比测试 benchmark.CompareBuildStrategies() // 运行单个镜像基准测试 fmt.Println("\n运行单个镜像性能测试...") result, err := benchmark.RunBenchmark("myapp:latest", true) if err != nil { panic(err) } fmt.Printf("构建时间: %v\n", result.BuildTime) fmt.Printf("镜像大小: %s\n", result.ImageSize) fmt.Printf("缓存使用率: %s\n", result.CacheUsage)} ## 最佳实践与工程建议 ### 1. 分层构建策略 建立标准化的多阶段构建模板： 标准多阶段构建模板syntax=docker/dockerfile:1.4参数定义ARG GO_VERSION=1.21ARG ALPINE_VERSION=3.18ARG APP_VERSION=1.0.0依赖阶段FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS deps安装构建依赖RUN apk add --no-cache git ca-certificates tzdataWORKDIR /build复制依赖文件COPY go.mod go.sum ./RUN go mod download && go mod verify构建阶段FROM deps AS builder复制源代码COPY . .构建参数ARG CGO_ENABLED=0ARG GOOS=linuxARG GOARCH=amd64ARG BUILD_DATEARG VCS_REF构建应用RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache/go-build \ CGO_ENABLED=${CGO_ENABLED} GOOS=${GOOS} GOARCH=${GOARCH} \ go build -a -installsuffix cgo \ -ldflags "-w -s -X main.version=${APP_VERSION} -X main.buildDate=${BUILD_DATE} -X main.vcsRef=${VCS_REF}" \ -o app ./cmd/server测试阶段FROM builder AS testRUN go test -v -race -coverprofile=coverage.out ./...RUN go tool cover -html=coverage.out -o coverage.html安全扫描阶段FROM builder AS security-scanRUN go install github.com/securecodewarrior/gosec/v2/cmd/gosec@latestRUN gosec -no-fail -fmt json -out gosec-report.json ./...最终生产镜像FROM scratch AS production标签信息LABEL maintainer="[email protected]" \ version="${APP_VERSION}" \ build-date="${BUILD_DATE}" \ vcs-ref="${VCS_REF}" \ description="Production ready Go application"复制 CA 证书和时区COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo复制构建产物COPY --from=builder /build/app /app创建非 root 用户USER 65534:65534健康检查HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD ["/app", "health"]ENTRYPOINT ["/app"] ### 2. CI/CD 集成优化 建立完整的 CI/CD 构建流水线： .github/workflows/docker-build.ymlname: Docker Build and Deployon: push: branches: [ main, develop ] pull_request: branches: [ main ]env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }}jobs: build-and-test: runs-on: ubuntu-latest permissions: contents: read packages: write security-events: write steps:name: Checkout code uses: actions/checkout@v4 with: fetch-depth: 0name: Set up Docker Buildx uses: docker/setup-buildx-action@v3name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }}name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}tags: type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha,prefix={{branch}}-name: Build and push Docker image uses: docker/build-push-action@v5 with: context: . file: ./Dockerfile push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64 cache-from: type=gha cache-to: type=gha,mode=maxbuild-args: BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} VCS_REF=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} APP_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} format: 'sarif' output: 'trivy-results.sarif'name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif'name: Generate SBOM uses: anchore/sbom-action@v0 with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} format: spdx-json output-file: sbom.spdx.jsonname: Upload SBOM uses: actions/upload-artifact@v3 with: name: sbom path: sbom.spdx.json performance-test: needs: build-and-test runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps:name: Checkout code uses: actions/checkout@v4name: Set up Go uses: actions/setup-go@v4 with: go-version: '1.21'name: Run build performance testrun: cd scripts go run docker-build-benchmark.goname: Upload performance results uses: actions/upload-artifact@v3 with: name: build-performance path: build-performance-report.txt deploy: needs: build-and-test runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' steps:name: Deploy to stagingrun: echo "Deploying to staging environment..."添加部署逻辑name: Run integration testsrun: echo "Running integration tests..."添加集成测试逻辑name: Deploy to production if: success()run: echo "Deploying to production environment..."添加生产部署逻辑 通过以上系统化的多阶段构建策略和镜像优化实践，Docker 镜像可以实现：镜像体积缩减 70-90%，构建时间优化 40-60%，安全漏洞减少 60-80%，构建缓存利用率 > 85%。关键指标包括：镜像大小 < 100MB，构建时间 < 2分钟，安全扫描通过率 > 95%，多架构支持覆盖率 100%。