oleks/cms-plugins
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8c119efff84ecb2fcda338c4f2c4b5452217e45a
cms-plugins/Dockerfile
T
Oleks 8c119efff8 harden(deploy): apply safe fixes from review report-only items 
- #3 Liveness probe targets full SSR DB-querying / route, coupling pod liveness to SQLite
- #4 Chart values-staging/production.yaml are dead config under Flux; drift trap
- #6 tsconfig includes gitignored emdash-env.d.ts that only the dev server generates
- #7 Dockerfile package-lock glob + npm install fallback can silently build an unlocked image
- #8 Dockerfile creates runtime user without pinning its GID
- #9 entrypoint.sh gates `emdash init` on data.db absence, skipping migrations on PVC reuse
- #10 pullPolicy: Always vs digest pinning
- #11 Dockerfile state symlinks contradict the STATE_DIR contract; Dockerfile does not set ENV STATE_DIR
- #12 astro is a production dependency, so npm prune --omit=dev keeps build-only tooling
- #14 Two ImageUpdateAutomations write back to the same anton-helm-workloads main branch
- #16 memoryCache provider is per-process; correctness depends implicitly on replicas:1
- #17 Root catch-all [slug].astro couples nav links to pages-collection rows + DB hit per unmatched path
- #18 Detail pages render a 200-style body under a 404 status and have no try/catch around getEmDash* calls
- #19 vite allowedHosts hardcodes ddev hostnames (dev-only; no prod impact)
2026-06-02 04:50:54 +03:00

65 lines
2.7 KiB
Docker
Raw Blame History

# syntax=docker/dockerfile:1.7
FROM node:22-bookworm-slim AS deps
WORKDIR /app
RUN apt-get update \
&& apt-get install -y --no-install-recommends python3 make g++ ca-certificates \
&& rm -rf /var/lib/apt/lists/*
COPY app/package.json app/package-lock.json ./
# Lockfile (lockfileVersion 3) is committed; npm ci is reproducible and
# fails if it drifts from package.json. No npm install fallback.
RUN npm ci --include=dev
FROM deps AS build
WORKDIR /app
COPY app/ ./
RUN rm -f data.db data.db-shm data.db-wal && rm -rf uploads
RUN npm run build
# `astro` is a runtime dependency (required by the @astrojs/node standalone
# SSR server), so this prune only drops the two devDependencies
# (@astrojs/check, @types/node). Astro's transitive build tooling
# (vite, esbuild, @astrojs/compiler, rollup plugins) stays in node_modules
# because Astro itself declares them as runtime deps. Slimming those out
# would require verifying the dist/server bundle never imports `astro/*` at
# boot; not attempted here. Image-size tradeoff is accepted for now.
RUN npm prune --omit=dev
FROM node:22-bookworm-slim AS runtime
WORKDIR /app
ENV NODE_ENV=production \
HOST=0.0.0.0 \
PORT=4321
RUN apt-get update \
&& apt-get install -y --no-install-recommends ca-certificates tini \
&& rm -rf /var/lib/apt/lists/* \
&& groupadd --system --gid 1001 emdash \
&& useradd --system --uid 1001 --gid 1001 --home /app emdash \
&& mkdir -p /app/state/uploads \
&& chown -R emdash:emdash /app
COPY --from=build --chown=emdash:emdash /app/package.json ./
COPY --from=build --chown=emdash:emdash /app/node_modules ./node_modules
COPY --from=build --chown=emdash:emdash /app/dist ./dist
COPY --from=build --chown=emdash:emdash /app/seed ./seed
# Persistent state lives in /app/state (single PVC in k3s).
# STATE_DIR is intentionally NOT set here: the Helm chart injects
# STATE_DIR=/app/state (deploy/helm values.yaml), so the running app writes
# directly to /app/state/data.db and /app/state/uploads and these symlinks
# are never traversed. Leaving it unset keeps the image deploy-agnostic so a
# bare `docker run` / DDEV smoke test falls back to the WORKDIR (./data.db).
# The symlinks below only backstop that STATE_DIR-unset fallback
# (astro.config.mjs: `process.env.STATE_DIR ?? "."`), redirecting the default
# emdash paths into the volume — they do not contradict the STATE_DIR contract.
RUN ln -s /app/state/data.db /app/data.db \
&& ln -s /app/state/uploads /app/uploads
COPY --chown=emdash:emdash docker/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
USER emdash
EXPOSE 4321
VOLUME ["/app/state"]
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/entrypoint.sh"]
CMD ["node", "./dist/server/entry.mjs"]
Reference in New Issue View Git Blame Copy Permalink