update docker build and github workflow

.dockerignore

@@ -1,4 +1,5 @@
 Dockerfile
+.dockerignore
 config.example.json
 config.json
 docker-compose.example.yml

.github/workflows/docker-publish.yml

@@ -6,51 +6,55 @@ name: Create and publish a Docker image
 # documentation.
 
 on:
+  workflow_dispatch:
   push:
     branches: ["main"]
     # Publish semver tags as releases.
     tags: ["v*.*.*"]
   pull_request:
     branches: ["main"]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/[email protected]
 
-      # Workaround: https://github.com/docker/build-push-action/issues/461
-      - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        if: !github.event.pull_request
+        uses: docker/login-action@v3.0.0
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
+          username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Extract metadata (tags, labels) for Docker
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -67,8 +71,7 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           context: .
-          file: ./Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ !github.event.pull_request }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha

Dockerfile

@@ -1,34 +1,29 @@
-FROM node:20 AS install-packages
+# Stage 1: install node packages
+FROM node:20-bookworm AS node-modules
 
 WORKDIR /app
 
 RUN npm install -g pnpm
 
-COPY package.json ./
-COPY pnpm-lock.yaml ./
+COPY package*.json .
+COPY pnpm-lock.yaml .
 
 ENV NODE_ENV=production
 RUN pnpm install --prod --frozen-lockfile
 
-# Begin stage 2
+# Stage 2: install apt packages and setup run command
 
-FROM node:20 AS base
+FROM node:20-bookworm-slim
 
-RUN apt-get update && apt-get install -y \
-   ca-certificates \
-   fonts-inconsolata \
-   fonts-dejavu \
-&& rm -rf /var/lib/apt/lists/*
+ENV NODE_ENV production
 
-# Begin stage 3 (final)
-
-FROM base AS discord-bot
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates fonts-inconsolata fonts-dejavu dumb-init && apt-get clean && rm -rf /var/lib/apt/lists/*
 
+USER node
 WORKDIR /app
 
-COPY . .
-COPY --from=install-packages /app/node_modules ./node_modules
+COPY --chown=node:node . .
+COPY --chown=node:node --from=node-modules /app/node_modules ./node_modules
 
 EXPOSE 5000
-ENV NODE_ENV=production
-CMD [ "node", "index.js" ]
+CMD [ "dumb-init", "node", "index.js" ]