The container runs as root over uid-1000-owned host repos; git's dubious-ownership guard made every project read as not-a-repo, hiding the git diff panel's Git tab and nulling the branch indicator. Bakes safe.directory='*' into the runtime image. Applied live to the running container too. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# syntax=docker/dockerfile:1.7

# ---- Stage: builder --------------------------------------------------------
# Installs the pnpm workspace, builds it, and exports a production-only copy
# of the server package to /out/server for the runtime stage to pick up.
# NOTE(review): node:20-alpine is a floating tag, so two builds of this file can
# start from different base contents; pinning by digest would make the
# toolchain reproducible and auditable.
FROM node:20-alpine AS builder

# Activate the Corepack shims so the `pnpm` commands below resolve.
RUN corepack enable

WORKDIR /build

# Workspace manifests and the lockfile are copied ahead of any source so the
# dependency-install layer is reused until one of these files changes.
COPY package.json pnpm-workspace.yaml pnpm-lock.yaml tsconfig.base.json ./
COPY packages/contracts/package.json ./packages/contracts/
COPY apps/server/package.json ./apps/server/
COPY apps/web/package.json ./apps/web/

# --frozen-lockfile: install exactly what pnpm-lock.yaml records and fail the
# build instead of silently updating the lockfile.
RUN pnpm install --frozen-lockfile

# The root build script compiles @boocode/contracts first; its sources have to
# be in place before `pnpm build` so apps/web can resolve the compiled dist
# through the package's exports map.
COPY packages/contracts ./packages/contracts
COPY apps/server ./apps/server
COPY apps/web ./apps/web

RUN pnpm build

# Export @boocode/server with production dependencies only into /out/server.
RUN pnpm deploy --filter=@boocode/server --prod --legacy /out/server
# ---- Stage: runtime --------------------------------------------------------
# Final image: the deployed server bundle plus the built web assets.
# NOTE(review): the base is referenced by floating tag only; a digest pin would
# keep the shipped OS and Node layers from changing between rebuilds.
FROM node:20-alpine AS runtime

# Command-line tools added on top of the Node base image.
RUN apk add --no-cache \
      git \
      openssh-client \
      ripgrep

# No USER instruction is set in this stage, so the server runs as root, while
# the bind-mounted host project repos are owned by uid 1000. Git refuses to
# operate on a repository owned by a different user unless it is listed in
# safe.directory; '*' switches that ownership check off for every path so the
# git read/write tools (git_status, the git diff panel) work over the mount.
# NOTE(review): the ownership check is what stops git from honouring
# configuration inside a repository that another user controls. With '*' and a
# root process, every repository reachable inside the container is trusted.
# Listing only the actual mount path, or running the server as uid 1000, would
# keep the guard in place for everything else.
RUN git config --system --add safe.directory '*'

# Pre-populate root's known_hosts with the git server's host keys (port 2222,
# hostnames hashed by -H) and tighten the permissions on the directory and file.
# NOTE(review): the keys are learned over the network at build time with no
# comparison against a known fingerprint, so the image permanently trusts
# whatever answered during the build. Copying in a known_hosts entry that was
# verified out of band would remove that trust-on-first-use step and the
# build's dependency on reaching the host.
RUN mkdir -p /root/.ssh \
 && ssh-keyscan -p 2222 -H 100.114.205.53 git.indifferentketchup.com >> /root/.ssh/known_hosts \
 && chmod 700 /root/.ssh \
 && chmod 600 /root/.ssh/known_hosts

WORKDIR /app

# Server bundle lands in /app, built web assets in /app/web.
COPY --from=builder /out/server ./
COPY --from=builder /build/apps/web/dist ./web

# WEB_DIST_PATH matches the ./web destination of the COPY above.
ENV NODE_ENV=production \
    WEB_DIST_PATH=/app/web

EXPOSE 3000

CMD ["node", "dist/index.js"]