From a4ac4e1e1cfae0c42cedeaff35747072072d50a3 Mon Sep 17 00:00:00 2001
From: Timothy Miller <github@t4stack.com>
Date: Tue, 10 Mar 2026 02:04:30 -0400
Subject: [PATCH] Use scratch release image and optimize build

Narrow tokio features to rt-multi-thread, macros, time and signal.
Add release profile to reduce binary size:
opt-level = s, lto = true, codegen-units = 1, strip = true, panic =
abort
Update Cargo.lock to remove unused deps and adjust Dockerfile to copy
CA certs from builder and set ENTRYPOINT for the release image
Use scratch base image and optimize release build

Add linux/ppc64le support in CI and build script
Switch Docker release stage to scratch, copy CA certificates from the
builder and use an explicit ENTRYPOINT for the binary
Tighten Cargo release profile (opt-level="s", lto, codegen-units=1,
strip, panic="abort") and reduce Tokio features to shrink the binary
Update README to reflect image size and supported platforms
---
 .github/workflows/image.yml |  2 +-
 Cargo.lock                  | 48 -------------------------------------
 Cargo.toml                  |  9 ++++++-
 Dockerfile                  |  8 +++----
 README.md                   |  6 ++---
 scripts/docker-build-all.sh |  2 +-
 6 files changed, 17 insertions(+), 58 deletions(-)

diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
index d30c25c..38065c0 100644
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -51,7 +51,7 @@ jobs:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64,linux/ppc64le
           labels: |
             org.opencontainers.image.source=${{ github.event.repository.html_url }}
             org.opencontainers.image.created=${{ steps.meta.outputs.created }}
diff --git a/Cargo.lock b/Cargo.lock
index 500d383..64c05aa 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -652,15 +652,6 @@ version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
 
-[[package]]
-name = "lock_api"
-version = "0.4.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
-dependencies = [
- "scopeguard",
-]
-
 [[package]]
 name = "log"
 version = "0.4.29"
@@ -715,29 +706,6 @@ version = "1.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
 
-[[package]]
-name = "parking_lot"
-version = "0.12.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
-dependencies = [
- "lock_api",
- "parking_lot_core",
-]
-
-[[package]]
-name = "parking_lot_core"
-version = "0.9.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
-dependencies = [
- "cfg-if",
- "libc",
- "redox_syscall",
- "smallvec",
- "windows-link",
-]
-
 [[package]]
 name = "percent-encoding"
 version = "2.3.2"
@@ -882,15 +850,6 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
-[[package]]
-name = "redox_syscall"
-version = "0.5.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
-dependencies = [
- "bitflags",
-]
-
 [[package]]
 name = "regex"
 version = "1.12.3"
@@ -1038,12 +997,6 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
 
-[[package]]
-name = "scopeguard"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
-
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -1247,7 +1200,6 @@ dependencies = [
  "bytes",
  "libc",
  "mio",
- "parking_lot",
  "pin-project-lite",
  "signal-hook-registry",
  "socket2",
diff --git a/Cargo.toml b/Cargo.toml
index cce2533..b1cbb85 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -9,13 +9,20 @@ license = "GPL-3.0"
 reqwest = { version = "0.12", features = ["json", "rustls-tls"], default-features = false }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-tokio = { version = "1", features = ["full"] }
+tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "signal"] }
 regex = "1"
 chrono = { version = "0.4", features = ["clock"] }
 url = "2"
 idna = "1"
 if-addrs = "0.13"
 
+[profile.release]
+opt-level = "s"
+lto = true
+codegen-units = 1
+strip = true
+panic = "abort"
+
 [dev-dependencies]
 tempfile = "3.26.0"
 wiremock = "0.6"
diff --git a/Dockerfile b/Dockerfile
index 71fd7cb..f840a96 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ COPY src ./src
 RUN cargo build --release
 
 # ---- Release ----
-FROM alpine:latest AS release
-RUN apk add --no-cache ca-certificates
-COPY --from=builder /build/target/release/cloudflare-ddns /usr/local/bin/cloudflare-ddns
-CMD ["cloudflare-ddns", "--repeat"]
+FROM scratch AS release
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /build/target/release/cloudflare-ddns /cloudflare-ddns
+ENTRYPOINT ["/cloudflare-ddns", "--repeat"]
diff --git a/README.md b/README.md
index 64382ee..e1030d9 100755
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ A feature-complete dynamic DNS client for Cloudflare, written in Rust. Configure
 - 🎨 **Pretty output with emoji** — Configurable emoji and verbosity levels
 - 🔒 **Zero-log IP detection** — Uses Cloudflare's [cdn-cgi/trace](https://www.cloudflare.com/cdn-cgi/trace) by default
 - 🏠 **CGNAT-aware local detection** — Filters out shared address space (100.64.0.0/10) and private ranges
-- 🤏 **Tiny static binary** — Small Docker image, zero runtime dependencies
+- 🤏 **Tiny static binary** — ~3.5 MB Docker image built from scratch, zero runtime dependencies
 
 ## 🚀 Quick Start
 
@@ -289,13 +289,13 @@ The binary is at `target/release/cloudflare-ddns`.
 # Single architecture (linux/amd64)
 ./scripts/docker-build.sh
 
-# Multi-architecture (linux/amd64, linux/arm64, linux/arm/v7)
+# Multi-architecture (linux/amd64, linux/arm64, linux/ppc64le)
 ./scripts/docker-build-all.sh
 ```
 
 ## 💻 Supported Platforms
 
-- 🐳 [Docker](https://docs.docker.com/get-docker/) (amd64, arm64, arm/v7)
+- 🐳 [Docker](https://docs.docker.com/get-docker/) (amd64, arm64, ppc64le)
 - 🐙 [Docker Compose](https://docs.docker.com/compose/install/)
 - ☸️ [Kubernetes](https://kubernetes.io/docs/tasks/tools/)
 - 🐧 [Systemd](https://www.freedesktop.org/wiki/Software/systemd/)
diff --git a/scripts/docker-build-all.sh b/scripts/docker-build-all.sh
index 0cd1507..ef7d83f 100755
--- a/scripts/docker-build-all.sh
+++ b/scripts/docker-build-all.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 BASH_DIR=$(dirname $(realpath "${BASH_SOURCE}"))
-docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 --tag timothyjmiller/cloudflare-ddns:latest ${BASH_DIR}/../
+docker buildx build --platform linux/amd64,linux/arm64,linux/ppc64le --tag timothyjmiller/cloudflare-ddns:latest ${BASH_DIR}/../