build(docker): setup rootless image (#2032) [skip ci]

* build(docker): setup rootless image --------- Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>
2025-12-24 02:39:18 -05:00 · 2025-10-14 23:49:57 +03:00
parent a8c7e35f56
commit 0354debd2b
6 changed files with 45 additions and 26 deletions
--- a/49
+++ b/49
@@ -1,15 +1,20 @@
-FROM node:22.20.0-alpine3.22@sha256:cb3143549582cc5f74f26f0992cdef4a422b22128cb517f94173a5f910fa4ee7 AS build_image
-
+FROM node:22.20.0-alpine3.22@sha256:cb3143549582cc5f74f26f0992cdef4a422b22128cb517f94173a5f910fa4ee7 AS base
 ARG SOURCE_DATE_EPOCH
 ARG TARGETPLATFORM
-ARG COMMIT_TAG
 ENV TARGETPLATFORM=${TARGETPLATFORM:-linux/amd64}
-ENV COMMIT_TAG=${COMMIT_TAG}

 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 RUN corepack enable

+COPY . ./app
+WORKDIR /app
+
+FROM base AS prod-deps
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store CI=true pnpm install --prod --frozen-lockfile
+
+FROM base as build
+
 RUN \
  case "${TARGETPLATFORM}" in \
  'linux/arm64' | 'linux/arm/v7') \
@@ -19,34 +24,32 @@ RUN \
  ;; \
  esac

-WORKDIR /app
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store CYPRESS_INSTALL_BINARY=0 pnpm install --frozen-lockfile

-COPY package.json pnpm-lock.yaml postinstall-win.js ./
-RUN CYPRESS_INSTALL_BINARY=0 pnpm install --frozen-lockfile
-
-COPY . ./
 RUN pnpm build

-# remove development dependencies
-RUN pnpm prune --prod --ignore-scripts && \
-  rm -rf src server .next/cache charts gen-docs docs && \
-  touch config/DOCKER && \
-  echo "{\"commitTag\": \"${COMMIT_TAG}\"}" > committag.json
+RUN rm -rf .next/cache

 FROM node:22.20.0-alpine3.22@sha256:cb3143549582cc5f74f26f0992cdef4a422b22128cb517f94173a5f910fa4ee7
+ARG SOURCE_DATE_EPOCH
+ARG COMMIT_TAG
+ENV NODE_ENV=production
+ENV COMMIT_TAG=${COMMIT_TAG}

-ENV PNPM_HOME="/pnpm"
-ENV PATH="$PNPM_HOME:$PATH"
-RUN corepack enable
+RUN apk add --no-cache tzdata
+
+USER node:node

 WORKDIR /app

-RUN apk add --no-cache tzdata tini && rm -rf /tmp/*
+COPY --chown=node:node . .
+COPY --chown=node:node --from=prod-deps /app/node_modules ./node_modules
+COPY --chown=node:node --from=build /app/.next ./.next
+COPY --chown=node:node --from=build /app/dist ./dist

-# copy from build image
-COPY --from=build_image /app ./
-
-ENTRYPOINT [ "/sbin/tini", "--" ]
-CMD [ "pnpm", "start" ]
+RUN touch config/DOCKER && \
+  echo "{\"commitTag\": \"${COMMIT_TAG}\"}" > committag.json

 EXPOSE 5055
+
+CMD [ "npm", "start" ]