fix: ci

Author: devthejo

.github/workflows/docker-release.yaml

@@ -17,6 +17,20 @@ jobs:
       contents: read
       packages: write
 
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - name: api
+            repository: ghcr.io/socialgouv/no-package-malware-api
+            target: api-runtime
+          - name: app
+            repository: ghcr.io/socialgouv/no-package-malware-app
+            target: app-runtime
+          - name: registry
+            repository: ghcr.io/socialgouv/no-package-malware-registry
+            target: registry-runtime
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
@@ -37,11 +51,11 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata (tags, labels) for API image
-        id: meta-api
+      - name: Extract metadata (tags, labels)
+        id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/socialgouv/no-package-malware-api
+          images: ${{ matrix.image.repository }}
           tags: |
             type=schedule
             type=ref,event=branch
@@ -52,52 +66,14 @@ jobs:
             type=sha
             type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
 
-      - name: Extract metadata (tags, labels) for App image
-        id: meta-app
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/socialgouv/no-package-malware-app
-          tags: ${{ steps.meta-api.outputs.tags }}
-
-      - name: Extract metadata (tags, labels) for Registry image
-        id: meta-registry
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/socialgouv/no-package-malware-registry
-          tags: ${{ steps.meta-api.outputs.tags }}
-
-      - name: Build and push API image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile
-          target: api-runtime
-          push: true
-          tags: ${{ steps.meta-api.outputs.tags }}
-          labels: ${{ steps.meta-api.outputs.labels }}
-          build-args: |
-            VERSION=${{ steps.get_tag.outputs.GIT_TAG }}
-
-      - name: Build and push App image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile
-          target: app-runtime
-          push: true
-          tags: ${{ steps.meta-app.outputs.tags }}
-          labels: ${{ steps.meta-app.outputs.labels }}
-          build-args: |
-            VERSION=${{ steps.get_tag.outputs.GIT_TAG }}
-
-      - name: Build and push Registry image
+      - name: Build and push ${{ matrix.image.name }} image
         uses: docker/build-push-action@v6
         with:
           context: .
           file: Dockerfile
-          target: registry-runtime
+          target: ${{ matrix.image.target }}
           push: true
-          tags: ${{ steps.meta-registry.outputs.tags }}
-          labels: ${{ steps.meta-registry.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             VERSION=${{ steps.get_tag.outputs.GIT_TAG }}

Dockerfile

@@ -42,8 +42,10 @@ ENV NODE_ENV=production \
 # Copy built repo and dependencies from builder
 COPY --from=builder /app /app
 
-# Create unprivileged user with numeric UID for Kubernetes policies
-RUN useradd -u 1000 -r -s /usr/sbin/nologin appuser && \
+# Create unprivileged user with numeric UID for Kubernetes policies (if needed)
+RUN if ! id -u 1000 >/dev/null 2>&1; then \
+      useradd -u 1000 -r -s /usr/sbin/nologin appuser; \
+    fi && \
     chown -R 1000:1000 /app
 
 USER 1000
@@ -92,8 +94,10 @@ ENV NODE_ENV=production \
 # Copy built repo and dependencies from builder (includes Verdaccio plugins)
 COPY --from=builder /app /app
 
-# Create unprivileged user with numeric UID for Kubernetes policies
-RUN useradd -u 1001 -r -s /usr/sbin/nologin registry && \
+# Create unprivileged user with numeric UID for Kubernetes policies (if needed)
+RUN if ! id -u 1001 >/dev/null 2>&1; then \
+      useradd -u 1001 -r -s /usr/sbin/nologin registry; \
+    fi && \
     chown -R 1001:1001 /app
 
 USER 1001