4c84d2fb96
CI / test (push) Successful in 31s
CI / lint (push) Successful in 27s
CI / secrets-scan (push) Successful in 5s
CI / vuln-scan (push) Successful in 13s
CI / sast (push) Successful in 9s
CI / build-images (push) Successful in 1m51s
CI / image-scan (push) Successful in 44s
CI / push (push) Successful in 32s
The deployed backend was crashing at startup with `Node.js 20 detected without native WebSocket support` from @supabase/realtime-js. Native WebSocket landed in Node 22.4 — bumping the base image is cleaner than shimming `ws` as a transport (no extra dep, no constructor wrapper).

Bumped in three places to keep everything aligned:
- tehriehlbudget-backend/Dockerfile (runtime + build stages)
- tehriehlbudget-frontend/Dockerfile (build stage; nginx runtime unaffected)
- .gitea/workflows/ci.yml (test + lint jobs use the same Node)

@types/node is already on ^22.10.7, so no type-side changes needed.

Bump backend and frontend to 0.1.6 (frontend forced by per-service push gate; no functional change).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
39 lines
2.0 KiB
Docker
# syntax=docker/dockerfile:1.7
ARG NODE_VERSION=22

FROM node:${NODE_VERSION}-alpine AS deps
RUN corepack enable && corepack prepare pnpm@9 --activate
WORKDIR /repo
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
COPY tehriehlbudget-backend/package.json tehriehlbudget-backend/
COPY tehriehlbudget-frontend/package.json tehriehlbudget-frontend/
RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
    pnpm install --frozen-lockfile --filter tehriehlbudget-frontend...

FROM deps AS build
WORKDIR /repo
COPY tehriehlbudget-frontend/ tehriehlbudget-frontend/
# Build with no VITE_* env: import.meta.env values resolve to "" so the bundle
# carries no compile-time secrets. window.__RUNTIME_CONFIG__ supplies them.
RUN pnpm --filter tehriehlbudget-frontend run build

FROM nginxinc/nginx-unprivileged:1.27-alpine AS runtime
USER root
# Pull current Alpine package patches before adding anything else. The
# base image lags behind upstream Alpine's security backports (openssl,
# libxml2, libpng, musl, etc. were all flagged HIGH/CRITICAL on the
# stock 3.21.3 packages). `apk upgrade` picks up the fixed -r versions
# without bumping the nginx version itself.
RUN apk upgrade --no-cache && apk add --no-cache gettext
COPY --from=build --chown=nginx:nginx /repo/tehriehlbudget-frontend/dist /usr/share/nginx/html
COPY --chown=nginx:nginx tehriehlbudget-frontend/nginx.conf /etc/nginx/conf.d/default.conf
COPY --chown=nginx:nginx tehriehlbudget-frontend/docker-entrypoint.sh /docker-entrypoint.d/40-render-config.sh
RUN chmod +x /docker-entrypoint.d/40-render-config.sh
USER nginx
EXPOSE 8080
# nginx-unprivileged can't bind privileged ports; the image listens on 8080,
# so a healthcheck targeting :80 will always fail. Bake in a sensible default
# that any orchestrator (compose, k8s, Portainer) inherits unless overridden.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD wget -qO /dev/null http://127.0.0.1:8080/ || exit 1
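
The build-stage comment in this Dockerfile states that the bundle carries no compile-time secrets because values arrive through window.__RUNTIME_CONFIG__. A post-build gate that checks that property on the `dist` directory, as an added example that is not part of this repository; the `scan_bundle` name, the JWT-shaped pattern and the 8-character minimum are assumptions made here:

```shell
#!/bin/sh
# Added example (not the project's script): scan a built Vite bundle for
# values that should only reach the browser via window.__RUNTIME_CONFIG__.

# JWT-shaped literal: three base64url segments, the first starting with "eyJ"
# (the usual base64url prefix of a JSON object header). Assumed pattern.
JWT_RE='eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}'

# scan_bundle DIR
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
scan_bundle() {
  dir=$1
  found=0

  # 1. JWT-shaped tokens baked into any shipped file.
  out=$(grep -rlE -- "$JWT_RE" "$dir" 2>/dev/null | sed 's/^/jwt-like token in: /' || true)
  if [ -n "$out" ]; then
    printf '%s\n' "$out"
    found=1
  fi

  # 2. The value of every VITE_* variable visible to this job must be absent
  #    from the bundle. Values under 8 characters are skipped as too noisy.
  vars=$(env | sed -n 's/^\(VITE_[A-Za-z0-9_]*\)=.*/\1/p')
  for name in $vars; do
    eval "val=\${$name}"   # name is limited to [A-Za-z0-9_] by the sed above
    [ "${#val}" -ge 8 ] || continue
    out=$(grep -rlF -- "$val" "$dir" 2>/dev/null | sed "s/^/$name value in: /" || true)
    if [ -n "$out" ]; then
      printf '%s\n' "$out"
      found=1
    fi
  done

  return "$found"
}

# Stand-alone use: ./scan-bundle.sh tehriehlbudget-frontend/dist
if [ "$#" -gt 0 ]; then
  scan_bundle "$1" || exit 1
fi
```

Run against the build output before the runtime image is assembled, a non-zero exit fails the job while the findings name the offending files without printing the matched values.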