2026FIFAWorldCup/platform/web/Dockerfile
wooo 61878da91d
fix: restore production build dependencies
2026-06-18 12:38:06 +08:00


# ── stage 1: dependencies ──────────────────────────────────────────────────────
# Resolves the full dependency tree (devDependencies included) from the lockfile.
# Only the two manifests are copied in, so this layer is reused by the cache
# until package.json or package-lock.json actually changes.
FROM node:22-alpine AS deps
WORKDIR /app
# openssl is installed in every stage; presumably for prisma's engine
# detection during `prisma generate` (see the builder stage) — TODO confirm.
RUN apk add --no-cache openssl
COPY package.json package-lock.json ./
# `npm ci` installs exactly the versions pinned in the lockfile and fails on
# drift; --legacy-peer-deps keeps npm 7+ from aborting on peer-dependency
# conflicts instead of resolving them strictly.
RUN npm ci --legacy-peer-deps
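# ── stage 2: build ─────────────────────────────────────────────────────────────
FROM node:22-alpine AS builder
WORKDIR /app
# Same openssl as the deps stage; presumably needed by `prisma generate` — TODO confirm.
RUN apk add --no-cache openssl
# Build-time configuration only. These values exist so that `prisma generate`
# and `next build` can run; the runtime stage copies files, not ENV, so none
# of them reach the shipped image. Keep them placeholders: ARG and ENV values
# are recorded in `docker history` and must never hold real credentials.
# The two URLs are exposed as ARGs with the previous values as defaults so a
# staging build can override them with --build-arg without editing this file.
# NOTE(review): any page that Next.js prerenders at build time will observe
# these placeholder values — confirm nothing user-facing is baked from them.
ARG NEXTAUTH_URL=https://2026fifa.wooo.work
ARG ANALYTICS_BACKEND_URL=http://fifa2026-backend:8000
ENV DATABASE_URL=postgresql://fifa_user:change_me@localhost:5432/fifa2026 \
    NEXTAUTH_SECRET=build-time-placeholder \
    NEXTAUTH_URL=${NEXTAUTH_URL} \
    ANALYTICS_BACKEND_URL=${ANALYTICS_BACKEND_URL}
COPY --from=deps /app/node_modules ./node_modules
# Copies the whole build context. This relies on a .dockerignore that excludes
# .env*, .git and a local node_modules; without it, local secrets end up in
# this layer (and, via the node_modules copy below, possibly in the image).
COPY . .
# Generates the Prisma client into node_modules before the Next.js build
# consumes it. Both steps sit after `COPY . .`, so they rebuild on any source change.
RUN npx prisma generate
RUN npm run build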
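# ── stage 3: runtime (hardened) ────────────────────────────────────────────────
# Only build artefacts are copied in. Nothing from the builder's ENV
# (DATABASE_URL, NEXTAUTH_SECRET, ...) carries over, so every real value must
# be injected at deploy time (compose / orchestrator env or secrets).
# TODO(review): pin the base by digest (node:22-alpine@sha256:...) so rebuilds
# are reproducible and a base-image change is a visible diff.
FROM node:22-alpine AS runtime
WORKDIR /app
ENV NODE_ENV=production \
    PORT=3000
# openssl stays in the final image because the app needs it at runtime
# (assumed: the generated Prisma client; confirm before removing).
RUN apk add --no-cache openssl
# Dedicated unprivileged user with a fixed uid/gid (1001) so orchestrator
# policies such as runAsNonRoot can verify it. Created before the COPYs so
# --chown below can reference it by name.
RUN addgroup -g 1001 -S nodejs \
 && adduser -S nextjs -u 1001 -G nodejs
# Ownership is set on COPY instead of a trailing `RUN chown -R`: a chown/chmod
# in a later RUN rewrites every file into a new layer and roughly doubles the
# image. The container only ever runs as uid 1001, i.e. the owner, so the
# previous world-permission strip (`chmod -R o-rwx`) protected nothing; use
# COPY --chmod if a stricter mode is ever required.
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/.next ./.next
# node_modules is taken wholesale from the build, devDependencies included.
# A separate `npm ci --omit=dev` stage (or Next.js `output: "standalone"`)
# would cut the attack surface; not changed here because the commit that
# "restore[s] production build dependencies" suggests `next start` needs some of them.
COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nextjs:nodejs /app/package.json ./package.json
COPY --from=builder --chown=nextjs:nodejs /app/prisma ./prisma
# Defence in depth: remove the package managers so a compromised process
# cannot trivially fetch and run code. Deleting only the /usr/local/bin
# symlinks is not enough — npm-cli.js stays runnable via
# `node /usr/local/lib/node_modules/npm/bin/npm-cli.js` — so the package
# directories go too, as do corepack and the yarn copy the official image ships.
# Must remain the last RUN that needs any of these tools.
# Known limits: the files still exist in the base-image layer (no size saving;
# anyone with pull access can see them); busybox's wget applet remains
# reachable as `busybox wget`; /bin/sh and apk are kept. curl is not part of
# node:alpine unless added, so that entry is a no-op here.
RUN rm -rf /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack \
           /usr/local/bin/yarn /usr/local/bin/yarnpkg /opt/yarn* \
           /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack \
           /usr/bin/wget /usr/bin/curl
# Drop privileges for the container process (the shell is still present; it
# was never removed, the earlier comment notwithstanding).
USER nextjs
EXPOSE 3000
# Exec form, invoking node directly: next becomes PID 1 with no intermediate
# npm/sh process. If `docker stop` is observed to wait for the 10s SIGKILL,
# next is not handling SIGTERM as PID 1 — run with `--init` or add tini.
# No HEALTHCHECK yet: curl/wget are gone, so a probe would have to be
# `node -e "fetch('http://127.0.0.1:3000/<route>')..."` against a real health route.
CMD ["node", "node_modules/.bin/next", "start", "-p", "3000"]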