fix(ci): lowercase GHCR owner tags and harden frontend runtime image

2026-03-07 21:18:21 +00:00
parent 7cf1b783ae
commit f11a5051c6
10 changed files with 111 additions and 26 deletions


@@ -34,6 +34,15 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Set lower case owner name
id: repo_owner
run: |
LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env:
OWNER: "${{ github.repository_owner }}"
- name: Build and push beta Docker image with BuildKit cache - name: Build and push beta Docker image with BuildKit cache
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
@@ -41,12 +50,12 @@ jobs:
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
push: true push: true
tags: | tags: |
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:beta ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:beta
cache-from: | cache-from: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache
type=local,src=/tmp/.buildx-cache type=local,src=/tmp/.buildx-cache
cache-to: | cache-to: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
type=local,dest=/tmp/.buildx-cache,mode=max type=local,dest=/tmp/.buildx-cache,mode=max
env: env:
DOCKER_BUILDKIT: 1 DOCKER_BUILDKIT: 1
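Review bot: The new `Set lower case owner name` step depends on bash's `${OWNER,,}` parameter expansion but declares no `shell:`, so it only works while the job's default shell happens to be bash; adding `shell: bash` to the step makes that explicit and keeps the lower-casing from silently breaking on a runner whose default shell differs. The step also exports the same value twice, as `REPO_OWNER` in `$GITHUB_ENV` and as the `repo_owner` step output, while the build-push step below reads only `steps.repo_owner.outputs.repo_owner`; if nothing outside this hunk consumes `REPO_OWNER`, the `$GITHUB_ENV` line can be dropped so there is one source of truth. Passing the owner in through `env:` rather than interpolating `${{ }}` into the script body is the right pattern for context values and should stay that way. The same step is added in the sections starting at L41, L71, L143, L173 and L203 and reshaped in those at L101, L115 and L129, so the same remarks apply there. The `docker/*` actions in the surrounding context are referenced by mutable major-version tags; pinning them to a full commit SHA would complete the supply-chain hardening the commit title aims for.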


@@ -36,6 +36,15 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Set lower case owner name
id: repo_owner
run: |
LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env:
OWNER: "${{ github.repository_owner }}"
- name: Build and push latest Docker image with BuildKit cache - name: Build and push latest Docker image with BuildKit cache
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
@@ -43,12 +52,12 @@ jobs:
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
push: true push: true
tags: | tags: |
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:latest
cache-from: | cache-from: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache
type=local,src=/tmp/.buildx-cache type=local,src=/tmp/.buildx-cache
cache-to: | cache-to: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
type=local,dest=/tmp/.buildx-cache,mode=max type=local,dest=/tmp/.buildx-cache,mode=max
env: env:
DOCKER_BUILDKIT: 1 DOCKER_BUILDKIT: 1


@@ -31,6 +31,15 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Set lower case owner name
id: repo_owner
run: |
LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env:
OWNER: "${{ github.repository_owner }}"
- name: Build and push release Docker image with BuildKit cache - name: Build and push release Docker image with BuildKit cache
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
@@ -38,12 +47,12 @@ jobs:
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
push: true push: true
tags: | tags: |
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
cache-from: | cache-from: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache
type=local,src=/tmp/.buildx-cache type=local,src=/tmp/.buildx-cache
cache-to: | cache-to: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
type=local,dest=/tmp/.buildx-cache,mode=max type=local,dest=/tmp/.buildx-cache,mode=max
env: env:
DOCKER_BUILDKIT: 1 DOCKER_BUILDKIT: 1


@@ -34,9 +34,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: set lower case owner name - name: Set lower case owner name
id: repo_owner
run: | run: |
echo "REPO_OWNER=${OWNER,,}" >>${GITHUB_ENV} LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env: env:
OWNER: "${{ github.repository_owner }}" OWNER: "${{ github.repository_owner }}"


@@ -34,9 +34,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: set lower case owner name - name: Set lower case owner name
id: repo_owner
run: | run: |
echo "REPO_OWNER=${OWNER,,}" >>${GITHUB_ENV} LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env: env:
OWNER: "${{ github.repository_owner }}" OWNER: "${{ github.repository_owner }}"


@@ -31,9 +31,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: set lower case owner name - name: Set lower case owner name
id: repo_owner
run: | run: |
echo "REPO_OWNER=${OWNER,,}" >>${GITHUB_ENV} LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env: env:
OWNER: "${{ github.repository_owner }}" OWNER: "${{ github.repository_owner }}"


@@ -34,6 +34,15 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Set lower case owner name
id: repo_owner
run: |
LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env:
OWNER: "${{ github.repository_owner }}"
- name: Build and push beta Docker image with BuildKit cache - name: Build and push beta Docker image with BuildKit cache
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
@@ -41,12 +50,12 @@ jobs:
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
push: true push: true
tags: | tags: |
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:beta ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:beta
cache-from: | cache-from: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache
type=local,src=/tmp/.buildx-cache type=local,src=/tmp/.buildx-cache
cache-to: | cache-to: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
type=local,dest=/tmp/.buildx-cache,mode=max type=local,dest=/tmp/.buildx-cache,mode=max
env: env:
DOCKER_BUILDKIT: 1 DOCKER_BUILDKIT: 1


@@ -36,6 +36,15 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Set lower case owner name
id: repo_owner
run: |
LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env:
OWNER: "${{ github.repository_owner }}"
- name: Build and push latest Docker image with BuildKit cache - name: Build and push latest Docker image with BuildKit cache
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
@@ -43,12 +52,12 @@ jobs:
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
push: true push: true
tags: | tags: |
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:latest
cache-from: | cache-from: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache
type=local,src=/tmp/.buildx-cache type=local,src=/tmp/.buildx-cache
cache-to: | cache-to: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
type=local,dest=/tmp/.buildx-cache,mode=max type=local,dest=/tmp/.buildx-cache,mode=max
env: env:
DOCKER_BUILDKIT: 1 DOCKER_BUILDKIT: 1


@@ -31,6 +31,15 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Set lower case owner name
id: repo_owner
run: |
LOWER_OWNER="${OWNER,,}"
echo "REPO_OWNER=${LOWER_OWNER}" >>"$GITHUB_ENV"
echo "repo_owner=${LOWER_OWNER}" >>"$GITHUB_OUTPUT"
env:
OWNER: "${{ github.repository_owner }}"
- name: Build and push release Docker image with BuildKit cache - name: Build and push release Docker image with BuildKit cache
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
@@ -38,13 +47,13 @@ jobs:
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
push: true push: true
tags: | tags: |
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:latest
cache-from: | cache-from: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache
type=local,src=/tmp/.buildx-cache type=local,src=/tmp/.buildx-cache
cache-to: | cache-to: |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max type=registry,ref=ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
type=local,dest=/tmp/.buildx-cache,mode=max type=local,dest=/tmp/.buildx-cache,mode=max
env: env:
DOCKER_BUILDKIT: 1 DOCKER_BUILDKIT: 1


@@ -1,5 +1,5 @@
# Use this image as the platform to build the app # Use this image as the platform to build the app
FROM node:22-alpine AS external-website FROM node:22-alpine AS builder
# Metadata labels for the AdventureLog image # Metadata labels for the AdventureLog image
LABEL maintainer="Sean Morley" \ LABEL maintainer="Sean Morley" \
@@ -42,6 +42,28 @@ RUN pnpm run build
# Make startup script executable # Make startup script executable
RUN chmod +x ./startup.sh RUN chmod +x ./startup.sh
# Keep only production dependencies for runtime image
RUN CI=true pnpm prune --prod
# Runtime image contains only built app + runtime deps
FROM node:22-alpine AS runtime
WORKDIR /app
# Upgrade zlib and remove npm toolchain from runtime image
RUN apk upgrade --no-cache zlib \
&& rm -f /usr/local/bin/npm /usr/local/bin/npx \
&& rm -rf /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack
# Copy build artifacts and production runtime dependencies
COPY --from=builder /app/build ./build
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package.json ./package.json
COPY --from=builder /app/startup.sh ./startup.sh
# Ensure startup script is executable
RUN chmod +x ./startup.sh
# Change to non-root user for security # Change to non-root user for security
USER node:node USER node:node
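Review bot: The runtime stage re-runs `RUN chmod +x ./startup.sh` after copying a file the builder stage already made executable; `COPY` keeps the source file's mode, so the extra layer is redundant and can be folded into `COPY --from=builder --chmod=755 /app/startup.sh ./startup.sh` (BuildKit syntax, which the workflows already enable with `DOCKER_BUILDKIT: 1`). Everything is copied as root and only then does `USER node:node` drop privileges, which is good least privilege but means the app cannot write anywhere under `/app`; confirm `startup.sh` needs no writable directory, or add `--chown=node:node` on the one path that must be writable rather than on the whole tree. Removing npm and corepack from the runtime image presumably also removes any `pnpm` shim that pointed at corepack, so `startup.sh` must invoke `node` directly rather than a package manager — worth a comment on the `rm -rf` line such as `# startup.sh must not call npm/pnpm: the toolchain is deleted here`. `apk upgrade --no-cache zlib` upgrades whatever the base image ships at build time, so the result differs between rebuilds; a comment recording why zlib specifically is upgraded (the advisory it addresses) would let the next maintainer decide when the line can be dropped.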