Merge pull request #631 from cornell-dti/bek76/pnpm-docker

Fix Docker flow to use `pnpm` (+ modernize Docker flow)

Author: YottaYocta

.dockerignore

@@ -2,4 +2,12 @@
 **/node_modules
 build
 *.log
-*.gz
+*.gz
+
+**/.env
+
+.dockerignore
+Dockerfile
+LICENSE
+
+.github

.github/workflows/cd-workflow.yml

@@ -1,17 +1,62 @@
-name: CI Docker Build
+name: CI Docker Build / Push
 
-on: pull_request
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*'
+  pull_request:
+
+permissions:
+  contents: read
+  packages: write
 
 jobs:
-  build:
-    uses: ./.github/workflows/docker-build-push.yml
-    with:
-      push: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
-      tags: |
-        ghcr.io/${{ github.repository_owner }}/${{ github.repository }}:pr-${{ github.event.pull_request.number }}-latest
-        ghcr.io/${{ github.repository_owner }}/${{ github.repository }}:pr-${{ github.event.pull_request.number }}-${{ github.sha }}
-      labels: |
-        org.opencontainers.image.source=${{ github.event.pull_request.html_url }}
-        org.opencontainers.image.title=PR-${{ github.event.pull_request.number }}
-        org.opencontainers.image.description=${{ github.event.pull_request.title }}
-    secrets: inherit
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr
+            type=sha
+
+      - name: Docker build and push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          context: .
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            REACT_APP_SERVER_URL=${{ secrets.REACT_APP_SERVER_URL }}
+            REACT_APP_CLIENT_ID=${{ secrets.REACT_APP_CLIENT_ID }}
+            REACT_APP_PUBLIC_VAPID_KEY=${{ secrets.REACT_APP_PUBLIC_VAPID_KEY }}
+            REACT_APP_ENCRYPTION_KEY=${{ secrets.REACT_APP_ENCRYPTION_KEY }}
+            REACT_APP_GOOGLE_MAPS_API_KEY=${{ secrets.REACT_APP_GOOGLE_MAPS_API_KEY }}
+            REACT_APP_GOOGLE_MAPS_MAP_ID=${{ secrets.REACT_APP_GOOGLE_MAPS_MAP_ID }}

.github/workflows/ci-container.yml

@@ -1,9 +1,37 @@
 # Base image
-FROM node:16-alpine
-
-# Create a directory for the app
+FROM node:24-alpine AS base
 WORKDIR /app
 
+# pnpm setup
+ENV CI=true
+RUN corepack enable pnpm && \
+  pnpm config set store-dir /pnpm/store && \
+  pnpm config set package-import-method clone-or-copy
+
+# Build stage
+FROM base AS fetch-deps
+COPY pnpm-lock.yaml pnpm-workspace.yaml ./
+RUN pnpm fetch --prod
+
+FROM fetch-deps AS prod-deps
+COPY . .
+RUN pnpm install -r --offline --prod --filter server...
+
+FROM fetch-deps AS build-base
+RUN pnpm fetch
+
+# Build both frontend and server separately for caching
+FROM build-base AS build-server
+COPY . .
+RUN pnpm install -r --offline --filter server...
+# Build with CI=false to avoid treat warnings as errors
+RUN CI=false pnpm run -r --filter server... build
+
+FROM build-base AS build-frontend
+COPY . .
+# TODO: filter only frontend dependencies. until we add a shared package, we need all dependencies
+RUN pnpm install -r --offline
+
 # Read build-time environment variables
 ARG REACT_APP_SERVER_URL
 ENV REACT_APP_SERVER_URL=${REACT_APP_SERVER_URL}
@@ -13,25 +41,23 @@ ARG REACT_APP_PUBLIC_VAPID_KEY
 ENV REACT_APP_PUBLIC_VAPID_KEY=${REACT_APP_PUBLIC_VAPID_KEY}
 ARG REACT_APP_ENCRYPTION_KEY
 ENV REACT_APP_ENCRYPTION_KEY=${REACT_APP_ENCRYPTION_KEY}
+ARG REACT_APP_GOOGLE_MAPS_API_KEY
+ENV REACT_APP_GOOGLE_MAPS_API_KEY=${REACT_APP_GOOGLE_MAPS_API_KEY}
+ARG REACT_APP_GOOGLE_MAPS_MAP_ID
+ENV REACT_APP_GOOGLE_MAPS_MAP_ID=${REACT_APP_GOOGLE_MAPS_MAP_ID}
 
-# Copy package.jsons first to install
-COPY package.json package-lock.json /app/
-COPY frontend/package.json frontend/package-lock.json /app/frontend/
-COPY server/package.json server/package-lock.json /app/server/
-RUN npm install
+# Build with CI=false to avoid treat warnings as errors
+RUN CI=false pnpm run -r --filter frontend... build
 
+FROM base AS prod
 # Copy the frontend and server directories to the app directory
-COPY frontend /app/frontend
-COPY server /app/server
-COPY . .
+COPY --from=prod-deps /app/node_modules /app/node_modules
+COPY --from=prod-deps /app/server/node_modules /app/server/node_modules
 
-# Install dependencies for the frontend and build the app
-WORKDIR /app/frontend
-RUN npm run build
+COPY --from=build-frontend /app/frontend/build /app/frontend/build
 
-# Install dependencies for the server
-WORKDIR /app/server
-RUN npm run build
+COPY --from=build-server /app/server/build /app/server/build
+COPY --from=build-server /app/server/package.json /app/server/package.json
 
 # Set production environment after build
 ENV NODE_ENV=production
@@ -40,4 +66,5 @@ ENV NODE_ENV=production
 EXPOSE 3001
 
 # Start the server
-CMD ["npm", "start"]
+WORKDIR /app/server
+CMD ["pnpm", "start"]

.github/workflows/docker-build-push.yml

@@ -0,0 +1,9 @@
+services:
+  carriage:
+    extends:
+      file: ./docker-compose.yml
+      service: carriage
+    volumes:
+      - './server/config/cornell-idp-test.crt:/app/server/config/cornell-idp-test.crt:ro'
+    env_file:
+      - ./server/.env

Dockerfile

@@ -1,7 +1,18 @@
-version: '3'
-
 services:
   carriage:
+    image: ghcr.io/cornell-dti/carriage-web:${IMAGE_TAG:-latest}
+    restart: always
+    ports:
+      - '3001:3001'
+    build:
+      context: .
+      args:
+        - REACT_APP_SERVER_URL=${REACT_APP_SERVER_URL}
+        - REACT_APP_CLIENT_ID=${REACT_APP_CLIENT_ID}
+        - REACT_APP_PUBLIC_VAPID_KEY=${REACT_APP_PUBLIC_VAPID_KEY}
+        - REACT_APP_ENCRYPTION_KEY=${REACT_APP_ENCRYPTION_KEY}
+        - REACT_APP_GOOGLE_MAPS_API_KEY=${REACT_APP_GOOGLE_MAPS_API_KEY}
+        - REACT_APP_GOOGLE_MAPS_MAP_ID=${REACT_APP_GOOGLE_MAPS_MAP_ID}
     environment:
       - NODE_ENV=production
       - DEBUG=True
@@ -19,14 +30,17 @@ services:
       - DOMAIN=${DOMAIN}
       - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
       - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
-    build:
-      context: .
-      args:
-        - REACT_APP_SERVER_URL=${REACT_APP_SERVER_URL}
-        - REACT_APP_CLIENT_ID=${REACT_APP_CLIENT_ID}
-        - REACT_APP_PUBLIC_VAPID_KEY=${REACT_APP_PUBLIC_VAPID_KEY}
-        - REACT_APP_ENCRYPTION_KEY=${REACT_APP_ENCRYPTION_KEY}
-    ports:
-      - '3001:3001'
-    image: ghcr.io/cornell-dti/carriage-web:${IMAGE_TAG:-latest}
-    restart: always
+      # auth
+      - SSO_ENABLED=${SSO_ENABLED}
+      - FRONTEND_URL=${FRONTEND_URL}
+      - SAML_ENTRY_POINT=${SAML_ENTRY_POINT}
+      - SAML_CALLBACK_URL=${SAML_CALLBACK_URL}
+      - SAML_ISSUER=${SAML_ISSUER}
+      - SAML_IDP_CERT_PATH=${SAML_IDP_CERT_PATH}
+      - SESSION_SECRET=${SESSION_SECRET}
+      - SESSION_TTL=${SESSION_TTL}
+      - SESSION_STORE_PATH=${SESSION_STORE_PATH}
+      # cornell LDAP
+      - LDAP_URL=${LDAP_URL}
+      - LDAP_USER=${LDAP_USER}
+      - LDAP_PASSWORD=${LDAP_PASSWORD}