fix: Dockerfile was wrong locally + adjust so it's user permissions s…

…coped
betagouv · Feb 21, 2024 · 0af1bcd · 0af1bcd
1 parent b95318d
commit 0af1bcd
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 10 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -167,6 +167,7 @@ jobs:
         if: ${{ !github.event.act && (github.ref_name == 'dev' || github.ref_name == 'main') }}
         uses: docker/build-push-action@v5
         with:
+          context: .
           push: true
           tags: ${{ env.CONTAINER_IMAGE_FOLDER }}/${{ env.APP_NAME }}-${{ github.ref_name }}:${{ github.sha }},${{ env.CONTAINER_IMAGE_FOLDER }}/${{ env.APP_NAME }}-${{ github.ref_name }}:latest
           cache-from: type=gha

diff --git a/Dockerfile b/Dockerfile
@@ -7,27 +7,49 @@ ARG PORT=3000
 
 FROM node:${NODE_VERSION}-alpine
 
-RUN apk add --no-cache 'ruby=${RUBY_VERSION}' 'py3-pip=${PIP_VERSION}'
+ARG RUBY_VERSION
+ARG PIP_VERSION
+ARG PORT
+
+RUN apk add --no-cache \
+  "build-base" \
+  "libffi-dev" \
+  "ruby-dev=${RUBY_VERSION}" \
+  "py3-pip=${PIP_VERSION}"
 RUN apk update
 
+# Restrict the permissions
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+USER nextjs
+
+WORKDIR /app
+
 # Copy manifest files
 
-COPY "src/bibliothecary/Gemfile" "src/bibliothecary/Gemfile.lock" ./
-COPY "src/semgrep/requirements.txt" ./
+COPY --chown=nextjs:nodejs "src/bibliothecary/Gemfile" "src/bibliothecary/Gemfile.lock" ./
+COPY --chown=nextjs:nodejs "src/semgrep/requirements.txt" ./
 
 # Install tools
+# Note: we did not specify the `bundler` version from the `Gemfile.lock` so it may adjust it accordingly
+# We could have frozen it but it would require to fix the `bundle` version for local development too, which seems overkilled
 
-RUN gem install bundler
-RUN bundle --gemfile Gemfile
+RUN gem install --user-install bundler
 
-RUN pip install -r requirements.txt
+# Docker does not allow injecting command result into an variable environment so doing it manually (ref: https://github.com/moby/moby/issues/29110)
+# ENV GEM_HOME="$(ruby -e 'puts Gem.user_dir')"
+ENV GEM_HOME="/home/nextjs/.local/share/gem/ruby/3.2.0"
+ENV PATH="$GEM_HOME/bin:$PATH"
 
-# Manage the final server build
+RUN bundle --gemfile Gemfile
 
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
+RUN python3 -m venv ./venv \
+  && source ./venv/bin/activate \
+  && pip install -r requirements.txt
 
-USER nextjs
+# Manage the final server build
 
 COPY --chown=nextjs:nodejs ".next/standalone" ./
 COPY --chown=nextjs:nodejs ".next/static" "./.next/static"