Image layers: optimise a real Dockerfile

Take a deliberately bad Dockerfile (your own app or the starter described below) and rewrite it so a routine source edit rebuilds in seconds instead of minutes, the published image drops by at least half, and no secret survives in layer history — proving each step with measurements, not claims.

• Start from a bad Dockerfile: a full base (node:22 or golang), COPY . . before the dependency install, RUN apt-get update and RUN apt-get install as separate instructions, a COPYed build token later removed with rm, no .dockerignore, and a single stage that ships the whole toolchain.
• Capture the baseline: cold build time, warm rebuild time after editing one source file, final image size (docker image ls), and the output of docker history showing layer sizes. Record the warm-rebuild number specifically — that is the cache-thrash symptom.
• Fix instruction order: copy the lockfile/manifest and run the install before COPY . ., so a source edit no longer invalidates the install layer. Re-measure the warm rebuild and confirm the install is now a cache hit.
• Merge RUN apt-get update && apt-get install -y <pkgs> into one instruction so the index refresh and install share a cache key and cannot serve a stale index.
• Convert to a multi-stage build: do the heavy work in a fat builder stage, then COPY --from=builder only the artifacts into a slim final stage (distroless or alpine — justify the choice). Re-measure final image size.
• Add a .dockerignore covering node_modules, .git, *.log, and .env; confirm the build context shrinks (BuildKit reports transferred context size) and that .env no longer lands in the image.
• Remove the secret from history: replace COPY-token-then-rm with a BuildKit secret mount (RUN --mount=type=secret) or confine the token to a discarded builder stage. Prove with docker history (or by unpacking layers) that the token is no longer recoverable from the published image.

• A before/after table: cold build time, warm-rebuild-after-one-edit time, final image size, and transferred build-context size — measured, not estimated.
• The warm rebuild after a one-line source edit no longer re-runs the dependency install (visible as 'CACHED' in build output), and the final image is at least 50% smaller than the single-stage baseline.
• docker history (or layer extraction) on the final image shows no recoverable token and no .env file in any layer.
• A short write-up mapping each change to the mechanism it exploits: cache prefix, RUN-text caching, multi-stage discard, build-context filtering, and immutable-layer secret safety.