5.3.2.2 Final Artifact Copy

Final artifact copy is the COPY --from instruction (or instructions) in a multi-stage Dockerfile that actually transfers the builder stage's finished output into the final stage, representing the single point of connection between everything that happened in the build process and what actually ends up in the runnable image.

The Basic Copy Pattern

A COPY --from instruction references an earlier stage by name and copies a specific path from it into the current stage.

FROM golang:1.22 AS builder
RUN go build -o /out/app .

FROM scratch
COPY --from=builder /out/app /app

Copying Multiple Artifacts From the Same Stage

A final stage can copy several distinct artifacts from the same builder stage, if more than one output is actually needed at runtime.

COPY --from=builder /out/app /app
COPY --from=builder /out/migrations /migrations
COPY --from=builder /out/config.yaml /config.yaml

Copying From Multiple Different Stages

A final stage isn't limited to copying from a single builder stage; artifacts from several distinct earlier stages can all be brought together into the same final image.

FROM node:20 AS frontend-builder
RUN npm run build

FROM golang:1.22 AS backend-builder
RUN go build -o server .

FROM alpine
COPY --from=frontend-builder /app/dist /static
COPY --from=backend-builder /app/server /server

Setting Ownership During the Copy

The --chown flag can be combined with --from to set appropriate ownership on the copied artifact at the same time, useful when the final stage runs as a non-root user.

COPY --from=builder --chown=appuser:appuser /out/app /app

Why Final Artifact Copy Matters

This instruction is the precise boundary where a multi-stage build's careful separation of build-time and run-time concerns is realized in practice — getting it exactly right (copying only what's needed, with correct ownership) determines whether the final image actually achieves its intended minimalism and security posture.