Merge branch 'feat/docker_web'

.dockerignore

@@ -0,0 +1,46 @@
+# Prevent leaking host-specific caches/paths into the image
+.dockerignore
+.git
+.gitignore
+.idea
+.vscode
+**/.DS_Store
+build/
+.dart_tool/
+.flutter-plugins
+.flutter-plugins-dependencies
+.packages
+pubspec.lock # keep if you want reproducible, comment out to include
+# Flutter/Platform build outputs
+android/
+ios/
+linux/
+macos/
+windows/
+web/.dart_tool/
+# Tests and dev artifacts (optional, not needed in image build stage)
+test/
+integration_test/
+coverage/
+custom_lint.log
+test_cache/
+unit_test_assets/
+
+# Docs and repo meta to avoid cache busting
+docs/
+**/*.md
+wireframe.assets/
+AGENTS.md
+README.md
+LICENSE
+
+# Packaging artifacts not needed for web image
+AppDir/
+AppRun
+pdf_signature.desktop
+tool/
+*.iml
+*.ipr
+*.iws
+.github/
+.husky/

.github/workflows/docker-publish.yml

@@ -0,0 +1,93 @@
+name: Publish Docker image
+
+on:
+  push:
+    branches: [ "main" ]
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    name: Build and push image
+    runs-on: ubuntu-latest
+    concurrency:
+      group: docker-${{ github.ref }}
+      cancel-in-progress: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU (for multi-arch builds)
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile', 'pubspec.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      # Docker Hub login (active)
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # GHCR login (commented out for future usage)
+      # - name: Log in to GitHub Container Registry
+      #   uses: docker/login-action@v3
+      #   with:
+      #     registry: ghcr.io
+      #     username: ${{ github.actor }}
+      #     password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+          flavor: |
+            latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+      - name: Move cache
+        if: always()
+        run: |
+          if [ -d /tmp/.buildx-cache-new ]; then
+            rm -rf /tmp/.buildx-cache
+            mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          else
+            echo "No new cache to move"
+          fi

.gitignore

@@ -125,6 +125,7 @@ devtools_options.yaml
 test/features/*_test.dart
 **/app_localizations*.dart
 .env
+.secrets
 docs/wireframe.assets/*.excalidraw.svg
 docs/wireframe.assets/*.svg
 docs/wireframe.assets/*.png

Dockerfile

@@ -0,0 +1,54 @@
+# syntax=docker/dockerfile:1.7-labs
+## Two-stage build for minimal Flutter web static server (Caddy runtime)
+# Stage 1: Build the Flutter web app
+FROM ghcr.io/cirruslabs/flutter:latest AS build
+
+WORKDIR /app
+
+# Copy pubspec first for better layer caching
+COPY pubspec.* ./
+# Use BuildKit cache for Dart pub cache
+RUN --mount=type=cache,target=/root/.pub-cache \
+	flutter pub get
+
+# Copy the rest of the project
+COPY . .
+
+# Ensure no host caches leak into the container; use BuildKit caches for pub and Flutter
+RUN --mount=type=cache,target=/root/.pub-cache \
+    --mount=type=cache,target=/sdks/flutter/bin/cache \
+    rm -rf .dart_tool build && \
+	flutter pub get && \
+	flutter gen-l10n && \
+	flutter build web --release -O4 --wasm
+
+# Stage 2: Caddy (Alpine) to serve static files with SPA fallback
+FROM caddy:2-alpine AS runtime
+WORKDIR /usr/share/caddy
+# Copy built web assets
+COPY --from=build /app/build/web/ /usr/share/caddy/
+# Write Caddyfile inline (listens on :8080 and SPA fallback)
+ENV PORT=8080
+RUN cat > /etc/caddy/Caddyfile <<'CADDY'
+{
+	admin off
+}
+
+:{$PORT} {
+	root * /usr/share/caddy
+	encode zstd gzip
+	# SPA fallback: serve index.html if file not found
+	try_files {path} /index.html
+	file_server
+}
+CADDY
+# Some platforms (e.g., gVisor/Firecracker like Render) forbid file capabilities; strip and copy to a clean path
+USER root
+RUN apk add --no-cache libcap && \
+	(setcap -r /usr/bin/caddy || true) && \
+	install -m 0755 /usr/bin/caddy /caddy && \
+	apk del libcap
+# Use numeric UID/GID for caddy to avoid passwd lookup issues across platforms
+USER 65532:65532
+EXPOSE 8080
+ENTRYPOINT ["/caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]

README.md

@@ -39,13 +39,33 @@ flutter build windows
 flutter pub run msix:create
 ```
 
-For web
+#### web
+
 ```bash
 flutter build web
+# flutter build web --release -O4 --wasm
 ```
 Open the `index.html` file in the `build/web` directory. Remove the `<base href="/">` to ensure proper routing on GitHub Pages.
 
+##### Docker
+
+To build and run a minimal Docker image serving static Flutter web files:
+
+```bash
+# Build the Docker image
+docker build -t pdf_signature .
+
+# Run the container (serves static files on port 8080)
+docker run --rm -p 8080:8080 pdf_signature
+
+# act push -P ubuntu-latest=catthehacker/ubuntu:act-latest --container-options "--privileged" --env-file .env --secret-file .secrets
+```
+Access your app at [http://localhost:8080](http://localhost:8080)
+
+#### Linux
+
 For Linux
+
 ```bash
 flutter build linux
 cp -r build/linux/x64/release/bundle/ AppDir