diff --git a/.dockerignore b/.dockerignore index a76fff3..d2208e1 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,4 +1,5 @@ Dockerfile +.dockerignore config.example.json config.json docker-compose.example.yml diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 437ace7..3b0df2d 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -6,6 +6,7 @@ name: Create and publish a Docker image # documentation. on: + workflow_dispatch: push: branches: ["main"] # Publish semver tags as releases. 
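Review bot: Adding `workflow_dispatch:` lets a manual run from any branch or tag reach the registry login and push steps, because those steps (in the later hunks) are gated only on the event not being a pull request, so a dispatch from a feature branch would publish that branch's image tag to ghcr.io. If manual runs are meant only to rebuild main or a release tag, gate the push on the ref as well, e.g. `push: ${{ !github.event.pull_request && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}`, or restrict who may dispatch through branch protection or an environment rule. The rest of the `on:` block (the tag trigger and `pull_request`) continues outside this hunk.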
@@ -13,44 +14,47 @@ on: pull_request: branches: ["main"] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + env: REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} +permissions: + packages: write + jobs: build: runs-on: ubuntu-latest - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3.0.0 - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.0.0 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@v2 + if: !github.event.pull_request + uses: docker/login-action@v3.0.0 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} + username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | @@ -67,8 +71,7 @@ jobs: uses: docker/build-push-action@v4 with: context: . - file: ./Dockerfile - push: ${{ github.event_name != 'pull_request' }} + push: ${{ !github.event.pull_request }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha diff --git a/Dockerfile b/Dockerfile index 0e7961c..e1bec89 100644 --- a/Dockerfile +++ b/Dockerfile 
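Review bot: `if: !github.event.pull_request` on the login step is read by YAML as a tag (`!` is the tag indicator), not as a negated expression; GitHub's own guidance is that a condition starting with `!` must be wrapped, so write `if: ${{ !github.event.pull_request }}` (the build step's `push:` already does) or keep the original `github.event_name != 'pull_request'`. Moving `permissions:` to the workflow level with only `packages: write` sets every other scope, including `contents`, to none; add `contents: read` back so checkout does not depend on the repository being public, and if a cosign/sign step survives further down the job it still needs the removed `id-token: write`. The actions are pinned to mutable tags (`@v4`, `@v3.0.0`) rather than commit SHAs, which leaves a publishing pipeline holding a `packages: write` token exposed to tag retargeting; pin by SHA with the version in a trailing comment. The metadata step's `tags:` block continues outside this hunk.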
@@ -1,34 +1,29 @@
-FROM node:20 AS install-packages
+# Stage 1: install node packages
+FROM node:20-bookworm AS node-modules
 WORKDIR /app
 RUN npm install -g pnpm
-COPY package.json ./
-COPY pnpm-lock.yaml ./
+COPY package*.json .
+COPY pnpm-lock.yaml .
 ENV NODE_ENV=production
 RUN pnpm install --prod --frozen-lockfile
-# Begin stage 2
+# Stage 2: install apt packages and setup run command
-FROM node:20 AS base
+FROM node:20-bookworm-slim
-RUN apt-get update && apt-get install -y \
- ca-certificates \
- fonts-inconsolata \
- fonts-dejavu \
-&& rm -rf /var/lib/apt/lists/*
+ENV NODE_ENV production
-# Begin stage 3 (final)
-
-FROM base AS discord-bot
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates fonts-inconsolata fonts-dejavu dumb-init && apt-get clean && rm -rf /var/lib/apt/lists/*
+USER node
 WORKDIR /app
-COPY . .
-COPY --from=install-packages /app/node_modules ./node_modules
+COPY --chown=node:node . .
+COPY --chown=node:node --from=node-modules /app/node_modules ./node_modules
 EXPOSE 5000
-ENV NODE_ENV=production
-CMD [ "node", "index.js" ]
+CMD [ "dumb-init", "node", "index.js" ]
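Review bot: `COPY --chown=node:node . .` and the matching `node_modules` copy hand the runtime user ownership of the application code, so a compromised process can rewrite `index.js` or any module in place; since `node` only needs to read them, drop the `--chown` flags (files copied as root are world-readable by default) and grant `node` a writable directory only where the app actually writes. `RUN npm install -g pnpm` pulls whatever pnpm is latest at build time, so the `--frozen-lockfile` install below runs under an unpinned tool; pin it, e.g. `RUN npm install -g pnpm@<version>` matching the repo's `packageManager` field if one exists. `ENV NODE_ENV production` is the legacy whitespace form that BuildKit warns about, and the first stage already uses `ENV NODE_ENV=production`, so match it. `apt-get clean` after `rm -rf /var/lib/apt/lists/*` is redundant but harmless.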