# Containerization Source of truth: `src/Dockerfile`. ## Build Two-stage build: 1. **build stage** — `mcr.microsoft.com/dotnet/sdk:10.0`, `--platform=$BUILDPLATFORM`. Reads `$TARGETARCH` and runs `dotnet publish -c Release -o /app --os linux --arch $arch` (mapping `amd64 → x64`, otherwise `$TARGETARCH`). 2. **runtime stage** — `mcr.microsoft.com/dotnet/aspnet:10.0`. Copies the published output, exposes port `8080`, sets `ENTRYPOINT ["dotnet", "Azaion.Annotations.dll"]`. ## Build arguments | Arg | Default | Purpose | |-----|---------|---------| | `BUILDPLATFORM` | provided by Buildx | Multi-arch host platform | | `TARGETARCH` | provided by Buildx | Output arch (`amd64` / `arm64`) | | `CI_COMMIT_SHA` | `unknown` | Stamped into `AZAION_REVISION` env at runtime | ## Runtime | Aspect | Value | |--------|-------| | Base image | `mcr.microsoft.com/dotnet/aspnet:10.0` | | Working dir | `/app` | | Exposed port | `8080` (HTTP) | | Entry point | `dotnet Azaion.Annotations.dll` | | Runtime env stamped at build | `AZAION_REVISION = $CI_COMMIT_SHA` | ## Multi-arch Dockerfile is multi-arch capable via Buildx. The current Woodpecker pipeline emits **`arm64` only** (label `platform: arm64`, tag `${BRANCH}-arm`). Producing `amd64` requires an additional pipeline (or extending the existing one to a matrix). ## Image size & caching - Layers: SDK install → `COPY . .` → publish → runtime copy. The final layer is the published `/app` directory only — no SDK in runtime image. - Cache hit on `COPY . .` is wide (entire `src/`); finer caching (e.g., `COPY *.csproj` first, then `dotnet restore`, then sources) is **not configured** — improvement candidate. ## Image labels Set in CI (`.woodpecker/build-arm.yml`), not in the Dockerfile: - `org.opencontainers.image.revision = $CI_COMMIT_SHA` - `org.opencontainers.image.created = $BUILD_DATE` - `org.opencontainers.image.source = $CI_REPO_URL` These follow the OCI standard so the registry surfaces them correctly. ## Open items - Add `amd64` build target if non-ARM hosts are required. - Consider non-root user inside the runtime image (none configured today). - Consider `dotnet restore` cache layer split for faster CI builds.