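# syntax=docker/dockerfile:1.7
#
# Dockerfile.shadow — tailnet-only mirror of jesssullivan.github.io.
#
# Multi-stage build:
#   1. node:22-bookworm-slim with chromium installed (for the mermaid
#      prerender step in `npm run build`'s prebuild chain).
#   2. nginxinc/nginx-unprivileged:alpine serving the SvelteKit
#      adapter-static `build/` output on port 8080.
#
# Triggered by .github/workflows/shadow-image.yml on shadow-deploy/* branches.
# See ~/git/jesssullivan-infra/docs/jesssullivan-blog-shadow.md for the full
# deploy contract.
#
# Both base images are pinned by tag only, so rebuilds float with upstream.
# The nghttp2-libs floor check in the runtime stage is what turns a stale
# upstream into a build failure instead of a silent regression; pinning with
# `@sha256:<digest>` (placeholder — take the real digest from the registry)
# would make rebuilds fully reproducible once the deploy contract allows it.

FROM node:22-bookworm-slim AS builder
WORKDIR /build

# NODE_ENV is intentionally NOT set to "production" here. The build needs
# devDependencies (tsx, vite, svelte-check, etc.); npm install omits them
# under NODE_ENV=production. The runtime stage is plain nginx and doesn't
# read NODE_ENV anyway.
#
# DEBIAN_FRONTEND is build-only configuration, so it is scoped to the apt-get
# RUN below rather than exported for the whole stage.
ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \
    PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium \
    CI=true

# System chromium plus fonts for the mermaid prerender; the apt lists are
# removed in the same layer so they never land in an image layer.
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates \
        chromium \
        fonts-liberation \
        fonts-noto-color-emoji \
    && rm -rf /var/lib/apt/lists/*

# Manifests first so the dependency layer stays cached until they change.
COPY package.json package-lock.json ./
COPY packages/ ./packages/

# `npm install` rather than `npm ci`: tolerates lockfile lag against upstream
# transitive deps that have re-published since the committed lock was
# generated (npm ci's strict consistency check has been triggering on
# yaml@2.8.3 / @emnapi@1.10.0 entries that aren't yet in the committed
# lock). Layer-level reproducibility comes from the Docker cache; the
# committed lock continues to gate the blog repo's GH Actions CI which uses
# the canonical npm ci path.
#
# Caveat: on a cache miss this layer may resolve transitive versions that
# differ from the committed lock, so the lock is advisory here, not enforced.
RUN npm install --no-audit --no-fund --no-save

COPY . .
RUN npm run build

# --------------------------------------------------------------------------
FROM nginxinc/nginx-unprivileged:alpine AS runtime

# Root only for the package upgrade and config install below; the stage drops
# back to the image's unprivileged user before any site content is copied in.
USER root
COPY nginx.conf.shadow /etc/nginx/conf.d/default.conf

# Upgrade nghttp2-libs and refuse to build if the base still ships a version
# below the fixed minimum — because the tag floats, "upgrade succeeded" alone
# proves nothing about the resulting version. An empty `apk info` result is
# treated as a failure too, so a missing or renamed package cannot slip past
# the floor check (without this, the comparison would run against "").
RUN <<'EOF'
set -eu
apk upgrade --no-cache nghttp2-libs
installed="$(apk info -v nghttp2-libs | sed 's/^nghttp2-libs-//')"
fixed_min="1.68.1-r0"
if [ -z "${installed}" ]; then
    echo "nghttp2-libs not found in runtime image; cannot verify fixed minimum ${fixed_min}" >&2
    exit 1
fi
if [ "$(apk version -t "${installed}" "${fixed_min}")" = "<" ]; then
    echo "nghttp2-libs ${installed} is below fixed minimum ${fixed_min}" >&2
    exit 1
fi
# Defensive: nothing above creates this file, but never leave a stray copy
# of the default vhost behind.
rm -f /etc/nginx/conf.d/default.conf.bak
EOF

USER nginx
COPY --from=builder --chown=nginx:nginx /build/build /usr/share/nginx/html

EXPOSE 8080

# Cheap liveness probe against the local listener using busybox wget (present
# in the alpine base). Assumes nginx.conf.shadow serves `/` on 8080 — adjust
# the path if the mirror's root is served elsewhere.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget -q --spider http://127.0.0.1:8080/ || exit 1

LABEL org.opencontainers.image.title="jesssullivan.github.io shadow" \
      org.opencontainers.image.description="Tailnet-only mirror of jesssullivan.github.io static build" \
      org.opencontainers.image.licenses="CC0-1.0"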