-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile
More file actions
100 lines (79 loc) · 2.95 KB
/
Dockerfile
File metadata and controls
100 lines (79 loc) · 2.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# syntax=docker/dockerfile:1.4
# Build stage
# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
# To update: docker pull --platform linux/amd64 node:22.1.0-alpine && docker inspect --format='{{index .RepoDigests 0}}' node:22.1.0-alpine
FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS builder
# Set build-time variables for reproducibility
ARG NODE_ENV=development
ARG BUILD_VERSION=dev
ARG BUILD_DATE=unknown
ARG VCS_REF=unknown
ARG PORT=3081
# Set environment variables
ENV NODE_ENV=${NODE_ENV} \
NODE_VERSION=22.1.0
# Set build-time labels
LABEL org.opencontainers.image.created=${BUILD_DATE} \
org.opencontainers.image.version=${BUILD_VERSION} \
org.opencontainers.image.revision=${VCS_REF}
# Set consistent timezone and locale
ENV TZ=UTC \
LANG=C.UTF-8
# Create app directory
WORKDIR /usr/src/app
# Install build dependencies
RUN --mount=type=cache,target=/var/cache/apk \
apk add --no-cache \
python3 \
make \
g++ \
gcc \
linux-headers
# Copy dependency files
COPY package.json package-lock.json ./
# Install dependencies with cache mount
RUN --mount=type=cache,target=/usr/src/app/.npm-cache \
npm ci --cache /usr/src/app/.npm-cache && \
npm cache clean --force && \
rm -rf /usr/src/app/.npm-cache/*
# Copy source code
COPY . .
# Build TypeScript code with deterministic output
RUN npm run build
# Production stage
# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS production
# Declare build arguments in production stage
ARG PORT=3081
ARG NODE_ENV=development
# Set build-time labels
LABEL org.opencontainers.image.created=${BUILD_DATE} \
org.opencontainers.image.version=${BUILD_VERSION} \
org.opencontainers.image.revision=${VCS_REF}
# Set runtime environment
ENV NODE_ENV=${NODE_ENV} \
PORT=${PORT} \
TZ=UTC \
LANG=C.UTF-8
WORKDIR /usr/src/app
# Create non-root user, certificate directory and logs directory
RUN addgroup -S bitgo && \
adduser -S bitgo -G bitgo && \
mkdir -p /app/certs && \
mkdir -p /usr/src/app/logs && \
chown -R bitgo:bitgo /app/certs && \
chown -R bitgo:bitgo /usr/src/app && \
chmod 750 /app/certs && \
chmod 750 /usr/src/app/logs
# Copy only necessary files from builder
COPY --from=builder --chown=bitgo:bitgo /usr/src/app/dist ./dist
COPY --from=builder --chown=bitgo:bitgo /usr/src/app/node_modules ./node_modules
COPY --from=builder --chown=bitgo:bitgo /usr/src/app/bin ./bin
COPY --from=builder --chown=bitgo:bitgo /usr/src/app/package.json .
USER bitgo
# Expose port from build arg
EXPOSE ${PORT}
# Start the application using the binary
CMD ["./bin/advanced-wallet-manager"]