fix(docker): replace corepack with npm i -g pnpm; copy lockfile
Node 22's bundled Corepack strict-validates pnpm package signatures, and the Portainer build host couldn't complete `corepack prepare pnpm@9.12.3 --activate` (exit 1). Reproducible failure mode behind networks that can't reach Corepack's signing-key host or against pinned pnpm versions whose signatures aren't yet shipped in Corepack's known list. Switch all three stages to install pnpm via plain `npm i -g pnpm@9.12.3`, which has none of those constraints. Also copy pnpm-lock.yaml in so `--frozen-lockfile` actually does what it says (was previously running `--frozen-lockfile=false` because the lockfile wasn't being copied). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
22
Dockerfile
22
Dockerfile
@@ -1,16 +1,19 @@
|
||||
# NOTE: pin this base by SHA256 before first deploy. To resolve:
|
||||
# TODO(security): pin this base by SHA256 before shipping to production.
|
||||
# Resolve with:
|
||||
# docker pull node:22.12.0-alpine
|
||||
# docker inspect --format='{{index .RepoDigests 0}}' node:22.12.0-alpine
|
||||
# then replace the FROM lines below with `node@sha256:<digest>`.
|
||||
# then replace `node:22.12.0-alpine` below with `node@sha256:<digest>`.
|
||||
ARG NODE_IMAGE=node:22.12.0-alpine
|
||||
|
||||
FROM ${NODE_IMAGE} AS deps
|
||||
WORKDIR /app
|
||||
RUN corepack enable && corepack prepare pnpm@9.12.3 --activate
|
||||
COPY pnpm-workspace.yaml package.json ./
|
||||
# Avoid Corepack — Node 22 ships a Corepack that strict-validates pnpm
|
||||
# signatures and breaks behind builders that can't reach the signing host.
|
||||
RUN npm install -g pnpm@9.12.3 --no-fund --no-audit && npm cache clean --force
|
||||
COPY pnpm-workspace.yaml package.json pnpm-lock.yaml ./
|
||||
COPY apps/api/package.json apps/api/
|
||||
COPY apps/web/package.json apps/web/
|
||||
RUN pnpm install --frozen-lockfile=false
|
||||
RUN pnpm install --frozen-lockfile
|
||||
|
||||
FROM deps AS build-api
|
||||
WORKDIR /app
|
||||
@@ -25,12 +28,13 @@ RUN pnpm --filter @gashboard/web build
|
||||
FROM ${NODE_IMAGE} AS runtime
|
||||
WORKDIR /app
|
||||
ENV NODE_ENV=production
|
||||
RUN apk add --no-cache wget tini
|
||||
RUN corepack enable && corepack prepare pnpm@9.12.3 --activate
|
||||
RUN apk add --no-cache wget tini \
|
||||
&& npm install -g pnpm@9.12.3 --no-fund --no-audit \
|
||||
&& npm cache clean --force
|
||||
|
||||
COPY pnpm-workspace.yaml package.json ./
|
||||
COPY pnpm-workspace.yaml package.json pnpm-lock.yaml ./
|
||||
COPY apps/api/package.json apps/api/
|
||||
RUN pnpm install --filter @gashboard/api --prod --frozen-lockfile=false
|
||||
RUN pnpm install --filter @gashboard/api --prod --frozen-lockfile
|
||||
|
||||
COPY --from=build-api /app/apps/api/dist apps/api/dist
|
||||
COPY --from=build-web /app/apps/web/dist apps/api/public
|
||||
|
||||
Reference in New Issue
Block a user