From 1dd71a2e238353a9169e492ffe16888d9369212e Mon Sep 17 00:00:00 2001
From: insleker <bkinnightskytw@gmail.com>
Date: Thu, 4 Sep 2025 15:41:32 +0800
Subject: [PATCH 1/3] feat: add docker web image support

---
 .dockerignore | 25 +++++++++++++++++++++++++
 Dockerfile    | 39 +++++++++++++++++++++++++++++++++++++++
 README.md     | 20 +++++++++++++++++++-
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 .dockerignore
 create mode 100644 Dockerfile

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..6216772
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,25 @@
+# Prevent leaking host-specific caches/paths into the image
+.dockerignore
+.git
+.gitignore
+.idea
+.vscode
+**/.DS_Store
+build/
+.dart_tool/
+.flutter-plugins
+.flutter-plugins-dependencies
+.packages
+pubspec.lock # keep if you want reproducible, comment out to include
+# Flutter/Platform build outputs
+android/
+ios/
+linux/
+macos/
+windows/
+web/.dart_tool/
+# Tests and dev artifacts (optional, not needed in image build stage)
+test/
+integration_test/
+coverage/
+custom_lint.log
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..295fbf0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,39 @@
+## Two-stage build for minimal Flutter web static server (Caddy runtime)
+# Stage 1: Build the Flutter web app
+FROM ghcr.io/cirruslabs/flutter:latest AS build
+
+WORKDIR /app
+
+# Copy pubspec first for better layer caching
+COPY pubspec.* ./
+RUN flutter pub get
+
+# Copy the rest of the project
+COPY . .
+
+# Ensure no host caches leak into the container
+RUN rm -rf .dart_tool build && \
+	flutter pub get && \
+	flutter gen-l10n && \
+	flutter build web --release -O4 --wasm
+
+# Stage 2: Caddy (Alpine) to serve static files with SPA fallback
+FROM caddy:2-alpine AS runtime
+WORKDIR /usr/share/caddy
+# Copy built web assets
+COPY --from=build /app/build/web/ /usr/share/caddy/
+# Write Caddyfile inline (listens on :8080 and SPA fallback)
+RUN cat > /etc/caddy/Caddyfile <<'CADDY'
+{
+	admin off
+}
+
+:8080 {
+	root * /usr/share/caddy
+	encode zstd gzip
+	# SPA fallback: serve index.html if file not found
+	try_files {path} /index.html
+	file_server
+}
+CADDY
+EXPOSE 8080
diff --git a/README.md b/README.md
index 07b3e59..df371c9 100644
--- a/README.md
+++ b/README.md
@@ -39,13 +39,31 @@ flutter build windows
 flutter pub run msix:create
 ```
 
-For web
+#### web
+
 ```bash
 flutter build web
+# flutter build web --release -O4 --wasm
 ```
 Open the `index.html` file in the `build/web` directory. Remove the `<base href="/">` to ensure proper routing on GitHub Pages.
 
+##### Docker
+
+To build and run a minimal Docker image serving static Flutter web files:
+
+```bash
+# Build the Docker image
+docker build -t pdf_signature .
+
+# Run the container (serves static files on port 8080)
+docker run --rm -p 8080:8080 pdf_signature
+```
+Access your app at [http://localhost:8080](http://localhost:8080)
+
+#### Linux
+
 For Linux
+
 ```bash
 flutter build linux
 cp -r build/linux/x64/release/bundle/ AppDir

From bec3f38cc5e44e3634f385f0442d27c286031e9f Mon Sep 17 00:00:00 2001
From: insleker <bkinnightskytw@gmail.com>
Date: Thu, 4 Sep 2025 18:04:15 +0800
Subject: [PATCH 2/3] feat: refine dockerfile to deploy on host service
 provider

---
 .dockerignore | 21 +++++++++++++++++++++
 Dockerfile    | 23 +++++++++++++++++++----
 2 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 6216772..7c651e1 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -23,3 +23,24 @@ test/
 integration_test/
 coverage/
 custom_lint.log
+test_cache/
+unit_test_assets/
+
+# Docs and repo meta to avoid cache busting
+docs/
+**/*.md
+wireframe.assets/
+AGENTS.md
+README.md
+LICENSE
+
+# Packaging artifacts not needed for web image
+AppDir/
+AppRun
+pdf_signature.desktop
+tool/
+*.iml
+*.ipr
+*.iws
+.github/
+.husky/
diff --git a/Dockerfile b/Dockerfile
index 295fbf0..73815ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7-labs
 ## Two-stage build for minimal Flutter web static server (Caddy runtime)
 # Stage 1: Build the Flutter web app
 FROM ghcr.io/cirruslabs/flutter:latest AS build
@@ -6,13 +7,17 @@ WORKDIR /app
 
 # Copy pubspec first for better layer caching
 COPY pubspec.* ./
-RUN flutter pub get
+# Use BuildKit cache for Dart pub cache
+RUN --mount=type=cache,target=/root/.pub-cache \
+	flutter pub get
 
 # Copy the rest of the project
 COPY . .
 
-# Ensure no host caches leak into the container
-RUN rm -rf .dart_tool build && \
+# Ensure no host caches leak into the container; use BuildKit caches for pub and Flutter
+RUN --mount=type=cache,target=/root/.pub-cache \
+    --mount=type=cache,target=/sdks/flutter/bin/cache \
+    rm -rf .dart_tool build && \
 	flutter pub get && \
 	flutter gen-l10n && \
 	flutter build web --release -O4 --wasm
@@ -23,12 +28,13 @@ WORKDIR /usr/share/caddy
 # Copy built web assets
 COPY --from=build /app/build/web/ /usr/share/caddy/
 # Write Caddyfile inline (listens on :8080 and SPA fallback)
+ENV PORT=8080
 RUN cat > /etc/caddy/Caddyfile <<'CADDY'
 {
 	admin off
 }
 
-:8080 {
+:{$PORT} {
 	root * /usr/share/caddy
 	encode zstd gzip
 	# SPA fallback: serve index.html if file not found
@@ -36,4 +42,13 @@ RUN cat > /etc/caddy/Caddyfile <<'CADDY'
 	file_server
 }
 CADDY
+# Some platforms (e.g., gVisor/Firecracker like Render) forbid file capabilities; strip and copy to a clean path
+USER root
+RUN apk add --no-cache libcap && \
+	(setcap -r /usr/bin/caddy || true) && \
+	install -m 0755 /usr/bin/caddy /caddy && \
+	apk del libcap
+# Use numeric UID/GID for caddy to avoid passwd lookup issues across platforms
+USER 65532:65532
 EXPOSE 8080
+ENTRYPOINT ["/caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]

From d5d5ab9a908070a644d8d447827c9fdd90cd5b8b Mon Sep 17 00:00:00 2001
From: insleker <bkinnightskytw@gmail.com>
Date: Thu, 4 Sep 2025 21:23:44 +0800
Subject: [PATCH 3/3] chore: support github action to push to docker.io

---
 .github/workflows/docker-publish.yml | 93 ++++++++++++++++++++++++++++
 .gitignore                           |  1 +
 README.md                            |  2 +
 3 files changed, 96 insertions(+)
 create mode 100644 .github/workflows/docker-publish.yml

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..d467e89
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,93 @@
+name: Publish Docker image
+
+on:
+  push:
+    branches: [ "main" ]
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    name: Build and push image
+    runs-on: ubuntu-latest
+    concurrency:
+      group: docker-${{ github.ref }}
+      cancel-in-progress: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU (for multi-arch builds)
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile', 'pubspec.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      # Docker Hub login (active)
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # GHCR login (commented out for future usage)
+      # - name: Log in to GitHub Container Registry
+      #   uses: docker/login-action@v3
+      #   with:
+      #     registry: ghcr.io
+      #     username: ${{ github.actor }}
+      #     password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+          flavor: |
+            latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+      - name: Move cache
+        if: always()
+        run: |
+          if [ -d /tmp/.buildx-cache-new ]; then
+            rm -rf /tmp/.buildx-cache
+            mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          else
+            echo "No new cache to move"
+          fi
diff --git a/.gitignore b/.gitignore
index c8cd119..d30f692 100644
--- a/.gitignore
+++ b/.gitignore
@@ -125,6 +125,7 @@ devtools_options.yaml
 test/features/*_test.dart
 **/app_localizations*.dart
 .env
+.secrets
 docs/wireframe.assets/*.excalidraw.svg
 docs/wireframe.assets/*.svg
 docs/wireframe.assets/*.png
diff --git a/README.md b/README.md
index df371c9..d64fffb 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,8 @@ docker build -t pdf_signature .
 
 # Run the container (serves static files on port 8080)
 docker run --rm -p 8080:8080 pdf_signature
+
+# act push -P ubuntu-latest=catthehacker/ubuntu:act-latest --container-options "--privileged" --env-file .env --secret-file .secrets
 ```
 Access your app at [http://localhost:8080](http://localhost:8080)