feat(build): 全面优化打包流程，Docker 镜像自动发布到 GHCR

Docker 优化：
- Dockerfile 层缓存（requirements/lockfile 先复制再安装）
- ARG 可配置镜像源，国际用户可覆盖为默认源
- 前端 Dockerfile 改用 corepack + frozen-lockfile
- 精简 .dockerignore，排除 .git 和 Tauri 构建产物

CI/CD 优化：
- docker-build 自动推送到 GHCR，支持 amd64/arm64 双架构
- 桌面端 CI 增加 pip/pnpm/cargo 缓存，升级 actions 版本
- Python 版本对齐为 3.11，增加 Linux 构建矩阵
- build.sh 加 -y 覆盖标志

文档更新：
- README Docker 部署简化为 docker pull + docker run

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/docker-build.yml

@@ -1,76 +1,73 @@
-name: Build Complete Docker Image
+name: Build and Publish Docker Image
 
 on:
   push:
     tags:
-      - 'v*'  # 在推送 tag 时触发 (如 v1.0.0)
+      - 'v*'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build:
+  build-and-push:
     runs-on: ubuntu-latest
-    
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
 
-      - name: Extract Version from Tag
-        id: get_version
-        run: |
-          # 获取 tag 名称 (如 refs/tags/v1.0.0 -> v1.0.0)
-          VERSION=${GITHUB_REF#refs/tags/}
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "Tag version: $VERSION"
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build Docker Image
-        run: |
-          VERSION="${{ steps.get_version.outputs.version }}"
-          IMAGE_NAME="bilinote:${VERSION}"
-          
-          echo "Building image: ${IMAGE_NAME}"
-          
-          # 构建镜像
-          docker build -f Dockerfile.complete -t ${IMAGE_NAME} .
-          
-          # 保存镜像为 tar 文件
-          docker save ${IMAGE_NAME} -o bilinote-${VERSION}.tar
-          
-          # 显示镜像信息
-          echo "Image built successfully!"
-          docker images bilinote:${VERSION}
-
-      - name: Upload Docker Image Artifact
-        uses: actions/upload-artifact@v4
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
         with:
-          name: bilinote-${{ steps.get_version.outputs.version }}
-          path: bilinote-${{ steps.get_version.outputs.version }}.tar
-          retention-days: 90
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix=
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and Push Docker Image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile.complete
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
 
       - name: Generate Usage Instructions
         run: |
-          VERSION="${{ steps.get_version.outputs.version }}"
           echo "=========================================="
-          echo "Docker Image Build Complete!"
+          echo "Docker Image Published!"
           echo "=========================================="
           echo ""
-          echo "Image Name: bilinote:${VERSION}"
-          echo "Artifact: bilinote-${VERSION}.tar"
+          echo "Pull the image:"
+          echo "  docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
           echo ""
-          echo "To use this Docker image:"
-          echo "1. Download the artifact from this workflow run"
-          echo "2. Load the image:"
-          echo "   docker load < bilinote-${VERSION}.tar"
-          echo "3. Run the container:"
-          echo "   docker run -d -p 80:80 --name bilinote bilinote:${VERSION}"
+          echo "Run the container:"
+          echo "  docker run -d -p 80:80 \\"
+          echo "    -v bilinote-data:/app/backend/data \\"
+          echo "    --name bilinote \\"
+          echo "    ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
           echo ""
-          echo "Or with environment variables:"
-          echo "   docker run -d -p 80:80 \\"
-          echo "     -e BACKEND_PORT=8483 \\"
-          echo "     -e BACKEND_HOST=0.0.0.0 \\"
-          echo "     -v /path/to/data:/app/backend/data \\"
-          echo "     --name bilinote bilinote:${VERSION}"
-          echo ""
-          echo "Access the application at: http://localhost:80"
+          echo "Access the application at: http://localhost"
           echo "=========================================="

.github/workflows/main.yml

@@ -6,25 +6,38 @@ on:
     tags:
       - 'v*' # 发布 tag 时触发
   workflow_dispatch:
+
 jobs:
   build:
     strategy:
       matrix:
-        platform: [macos-latest, windows-latest]
+        include:
+          - platform: macos-latest
+          - platform: ubuntu-22.04
+          - platform: windows-latest
 
     runs-on: ${{ matrix.platform }}
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      # 设置 Python 环境
+      # Linux 系统依赖（Tauri 需要）
+      - name: Install Linux Dependencies
+        if: matrix.platform == 'ubuntu-22.04'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+
+      # 设置 Python 环境（带 pip 缓存）
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
-          python-version: '3.10'
+          python-version: '3.11'
+          cache: 'pip'
+          cache-dependency-path: backend/requirements.txt
 
-      # 安装 Python 依赖并执行你的 build.sh
+      # 安装 Python 依赖并执行构建
       - name: Install Python dependencies & Build backend
         shell: bash
         run: |
@@ -38,30 +51,57 @@ jobs:
             ./backend/build.sh
           fi
 
-      # 设置 Node 环境 + 安装前端依赖
+      # 设置 pnpm
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 'latest'
+
+      # 设置 Node 环境（带 pnpm 缓存）
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '20'
+          cache: 'pnpm'
+          cache-dependency-path: BillNote_frontend/pnpm-lock.yaml
 
-      - name: Enable Corepack + Install pnpm
+      - name: Install frontend dependencies
         working-directory: BillNote_frontend
-        run: |
-          corepack enable
-          pnpm install 
+        run: pnpm install --frozen-lockfile
 
       # 设置 Rust 环境
       - name: Set up Rust
         uses: dtolnay/rust-toolchain@stable
 
+      # Cargo 缓存
+      - name: Cache Cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            BillNote_frontend/src-tauri/target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('BillNote_frontend/src-tauri/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-
+
       # 打包 Tauri 应用
       - name: Build Tauri App
         working-directory: BillNote_frontend
         run: pnpm tauri build
 
-      # 可选：上传构建产物
+      # 生成 SHA256 校验和
+      - name: Generate Checksums
+        shell: bash
+        run: |
+          cd BillNote_frontend/src-tauri/target/release/bundle/
+          find . -type f \( -name "*.dmg" -o -name "*.msi" -o -name "*.deb" -o -name "*.AppImage" \) -exec sha256sum {} \; > checksums.sha256 || true
+
+      # 上传构建产物
       - name: Upload Desktop Bundle
         uses: actions/upload-artifact@v4
         with:
           name: app-${{ matrix.platform }}
-          path: BillNote_frontend/src-tauri/target/release/bundle/
+          path: |
+            BillNote_frontend/src-tauri/target/release/bundle/