Dockerfile.prod
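# Shared base for the dependency and build stages: Node 24 on Alpine with pnpm
# provided through corepack.
# NOTE(review): the tag is mutable; pinning it by digest (node:24-alpine3.23@sha256:<digest>)
# would make rebuilds reproducible and protect against a re-pushed tag.
FROM node:24-alpine3.23 AS base

WORKDIR /home/rafiki

# PATH is set in its own instruction because it expands PNPM_HOME, which is only
# visible to instructions that follow the ENV that defines it.
ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH"

# Pin the pnpm release so every build resolves the lockfile with the same tool version.
RUN corepack enable
RUN corepack prepare pnpm@10.33.0 --activate

# Only the lockfile is copied here, so this layer and the fetch below stay cached
# until the dependency set changes.
COPY pnpm-lock.yaml ./

# Download every package named in the lockfile into the shared BuildKit cache mount.
# The grep only hides two noisy messages from the log.
# `set -o pipefail` makes a failing `pnpm fetch` fail the build: without it the RUN
# takes its exit status from grep alone, so a failed or partial download was reported
# as success. `|| true` keeps the log filter itself from deciding the build result
# (grep exits 1 when it prints no lines).
RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
    set -o pipefail \
    && pnpm fetch \
    | { grep -v "cross-device link not permitted\|Falling back to copying packages from store" || true; }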
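# Installs production-only dependencies; the runner stage copies node_modules from here.
FROM base AS prod-deps

# Manifests only: enough for pnpm to resolve the workspace without the sources.
# NOTE(review): .npmrc is copied into this stage's layers. The stage is not shipped, but
# if that file ever carries a registry token, pass it with `RUN --mount=type=secret`
# instead so it does not land in build cache or history.
COPY package.json pnpm-workspace.yaml .npmrc ./
COPY packages/auth/knexfile.js ./packages/auth/knexfile.js
COPY packages/auth/package.json ./packages/auth/package.json
COPY packages/token-introspection/package.json ./packages/token-introspection/package.json

# Presumably the `clean` script from the root package.json (only manifests exist here) - confirm.
RUN pnpm clean

# `--frozen-lockfile` is the integrity gate: the install must fail when the manifests and
# pnpm-lock.yaml disagree. `set -o pipefail` keeps that failure visible; without it the
# RUN's status came from grep, so a failed or partial install could still produce the
# node_modules tree that ships in the runtime image. `|| true` stops the log filter from
# failing the build when it has nothing to print.
RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
    set -o pipefail \
    && pnpm install \
      --recursive \
      --prefer-offline \
      --frozen-lockfile \
      --prod \
    | { grep -v "cross-device link not permitted\|Falling back to copying packages from store" || true; }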
# Build stage: installs the full dependency set (dev dependencies included, no --prod)
# and compiles the auth package. Nothing from this stage reaches the runtime image
# except the paths the runner stage copies explicitly.
FROM base AS builder
# Workspace manifests plus the TypeScript configuration.
# NOTE(review): .npmrc lands in this stage's layers; if it ever carries a registry token,
# a BuildKit secret mount keeps it out of build cache and history.
COPY package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
# Whole package directories are copied; what is excluded depends on a .dockerignore
# that is not visible here - confirm it keeps .env files and local node_modules out.
COPY packages/auth ./packages/auth
COPY packages/token-introspection ./packages/token-introspection
COPY open-payments-specifications/openapi ./open-payments-specifications/openapi
# --offline: install only from the pnpm store, without network access; the store is the
# cache mount that `pnpm fetch` filled in the base stage.
# --frozen-lockfile: fail rather than update pnpm-lock.yaml when it does not match the manifests.
RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
pnpm install \
--recursive \
--offline \
--frozen-lockfile
# Build only the auth workspace package.
RUN pnpm --filter auth build
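# Runtime image: starts from a clean Node base and receives only production
# dependencies (from prod-deps) and build output (from builder); no sources,
# dev dependencies or pnpm tooling are copied in.
# NOTE(review): the tag is mutable; pinning it by digest (node:24-alpine3.23@sha256:<digest>)
# would make the shipped image reproducible.
FROM node:24-alpine3.23 AS runner

# Unprivileged account the service runs as.
RUN adduser -D rafiki

WORKDIR /home/rafiki

# COPY without --chown leaves these files owned by root, so the rafiki user cannot modify them.
COPY --from=prod-deps /home/rafiki/node_modules ./node_modules
COPY --from=prod-deps /home/rafiki/packages/auth/node_modules ./packages/auth/node_modules
COPY --from=prod-deps /home/rafiki/packages/auth/package.json ./packages/auth/package.json
COPY --from=prod-deps /home/rafiki/packages/token-introspection/node_modules ./packages/token-introspection/node_modules
COPY --from=prod-deps /home/rafiki/packages/token-introspection/package.json ./packages/token-introspection/package.json
COPY --from=prod-deps /home/rafiki/packages/auth/knexfile.js ./packages/auth/knexfile.js

COPY --from=builder /home/rafiki/packages/auth/migrations/ ./packages/auth/migrations
COPY --from=builder /home/rafiki/packages/auth/dist ./packages/auth/dist
COPY --from=builder /home/rafiki/packages/token-introspection/dist ./packages/token-introspection/dist
COPY --from=builder /home/rafiki/open-payments-specifications/openapi ./open-payments-specifications/openapi

# No earlier USER instruction exists in this stage, so the build is already running as
# root here; the instruction is kept to make the privilege of the next step explicit.
USER root

# For additional paranoia, we make it so that the Rafiki user has no write access to the packages:
# the owner stays root, the group becomes rafiki, and mode 750 gives that group read and
# traverse permission only.
# Both commands run in a single RUN: each recursive metadata change rewrites the whole
# tree into a new layer, so two separate RUNs stored the packages directory twice more.
# NOTE(review): adduser -D normally creates /home/rafiki owned by rafiki, so the account can
# still rename or replace the top-level entries under it (packages, node_modules) even
# though it cannot write inside them. Confirm whether the home directory should be
# root-owned as well, or run the container with a read-only root filesystem.
RUN chown -R :rafiki /home/rafiki/packages \
    && chmod -R 750 /home/rafiki/packages

# Drop privileges before the service starts.
USER rafiki

# Exec form: node runs as PID 1 and receives stop signals directly.
CMD ["node", "/home/rafiki/packages/auth/dist/index.js"]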