2026FIFAWorldCup/platform/web/Dockerfile
chore: migrate deployment to Gitea Actions with zero-trust rsync
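# ── stage 1: dependencies ──────────────────────────────────────────────────────
# Installs the complete dependency tree (dev + prod) that the build stage consumes.
# NOTE(review): `node:22-alpine` is a floating tag; pin by digest
# (node:22-alpine@sha256:…) once a digest-bump process exists so rebuilds are
# reproducible and a retagged base cannot change the image silently.
FROM node:22-alpine AS deps
WORKDIR /app
# openssl before the install — presumably for Prisma's postinstall/engine step; confirm
RUN apk add --no-cache openssl
# Copy the lockfile as well and use `npm ci`: it installs exactly the resolved
# versions recorded in package-lock.json and fails if the lockfile is missing or
# out of sync, so a registry-side change cannot silently alter the tree.
# Requires package-lock.json to be committed (generate it locally if it is not).
COPY package.json package-lock.json ./
RUN npm ci --legacy-peer-deps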
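# ── stage 2: build ─────────────────────────────────────────────────────────────
FROM node:22-alpine AS builder
WORKDIR /app
RUN apk add --no-cache openssl
# Build-time placeholders only. This stage is discarded and none of these values
# reach the runtime image; the real DATABASE_URL / NEXTAUTH_SECRET / NEXTAUTH_URL
# must be injected when the container starts. Never put real secrets in ARG/ENV —
# both are recoverable from image history.
ENV DATABASE_URL=postgresql://fifa_user:change_me@localhost:5432/fifa2026 \
    NEXTAUTH_SECRET=build-time-placeholder \
    NEXTAUTH_URL=https://2026fifa.wooo.work \
    ANALYTICS_BACKEND_URL=http://fifa2026-backend:8000
COPY --from=deps /app/node_modules ./node_modules
# Whole-context copy: .dockerignore must exclude .git, node_modules, .next and
# any .env* files, otherwise local secrets land in this layer.
COPY . .
# Run the locally installed, lockfile-pinned Prisma CLI instead of `npx`, which
# can resolve and download a `prisma` package from the registry when the local
# one is absent. This form fails the build loudly if prisma is not a declared
# dependency, which is the behaviour we want.
RUN ./node_modules/.bin/prisma generate
RUN npm run build
# NOTE(review): node_modules here still contains devDependencies and is copied
# wholesale into the runtime image. Consider `npm prune --omit=dev` after the
# build (then re-run `prisma generate` — prune may drop node_modules/.prisma) or
# Next's standalone output to shrink the runtime surface.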
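# ── stage 3: runtime (hardened) ────────────────────────────────────────────────
FROM node:22-alpine AS runtime
WORKDIR /app
ENV NODE_ENV=production \
    PORT=3000
# openssl is needed at runtime (Prisma engines link against it — confirm if the
# engine variant changes)
RUN apk add --no-cache openssl
# Dedicated unprivileged user with fixed numeric ids
RUN addgroup -g 1001 -S nodejs \
 && adduser -S nextjs -u 1001 -G nodejs
# Set ownership and mode at copy time. A follow-up `chown -R`/`chmod -R` forces a
# copy-up of every file into a new layer on overlay2, roughly doubling the size
# of node_modules. 0750 = owner rwx, group rx, others nothing (same o-rwx
# outcome as before; the extra x bit on plain .js files is harmless).
COPY --from=builder --chown=nextjs:nodejs --chmod=0750 /app/public ./public
COPY --from=builder --chown=nextjs:nodejs --chmod=0750 /app/.next ./.next
COPY --from=builder --chown=nextjs:nodejs --chmod=0750 /app/node_modules ./node_modules
COPY --from=builder --chown=nextjs:nodejs --chmod=0750 /app/package.json ./package.json
COPY --from=builder --chown=nextjs:nodejs --chmod=0750 /app/prisma ./prisma
# Attack-surface reduction: remove downloaders and package managers that could
# fetch and run code at runtime. Read the caveats before relying on this:
#  1. Deleting only the /usr/local/bin/npm and npx symlinks leaves npm runnable via
#     `node /usr/local/lib/node_modules/npm/bin/npm-cli.js`, so the npm tree
#     itself is removed too. corepack and the bundled yarn (present in the
#     official node images) can also download packages, so they go as well;
#     `rm -rf` is a no-op for any path that does not exist in this base.
#  2. /usr/bin/wget on Alpine is a busybox applet: the symlink disappears but
#     `busybox wget` remains, and `node` itself can open sockets. This is a
#     deterrent against casual tooling, not a security boundary.
#  3. curl is not shipped in node:22-alpine; the entry is kept defensively.
#  4. Files deleted here still exist in the base-image layers for anyone who
#     can pull the image; only the running container loses them.
# The shell is NOT removed; it stays available for `docker exec` debugging.
RUN rm -rf /usr/bin/wget /usr/bin/curl \
        /usr/local/bin/npm /usr/local/bin/npx \
        /usr/local/lib/node_modules/npm \
        /usr/local/bin/corepack /usr/local/lib/node_modules/corepack \
        /usr/local/bin/yarn /usr/local/bin/yarnpkg /opt/yarn*
# Drop privileges. Numeric form so `runAsNonRoot`-style admission checks can
# verify the uid from the image config without resolving /etc/passwd (the
# nextjs passwd entry still exists for HOME/whoami).
USER 1001:1001
EXPOSE 3000
# No HEALTHCHECK: curl/wget are gone. If one is wanted, probe the app's own
# health route with `node -e` and the global fetch API rather than reinstalling
# a downloader.
# Run next directly under node: no npm/sh wrapper, so node is PID 1 and receives
# SIGTERM from `docker stop`
CMD ["node", "node_modules/.bin/next", "start", "-p", "3000"]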