Merge branch 'main' into dependabot/github_actions/docker/setup-build…

…x-action-3.9.0
ducktors · Feb 8, 2025 · 27f7ebd · 27f7ebd
2 parents b8871fb + 6020c7e
commit 27f7ebd
Show file tree

Hide file tree

Showing 7 changed files with 495 additions and 714 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  PNPM_VERSION: 9.15.5
+
 permissions: read-all
 
 jobs:
@@ -31,7 +34,7 @@ jobs:
       - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         name: Install pnpm
         with:
-          version: 9.14.2
+          version: ${{ env.PNPM_VERSION }}
       - name: Install with pnpm
         run: pnpm install --frozen-lockfile
       - name: Check commit message
@@ -97,7 +100,7 @@ jobs:
       - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         name: Install pnpm
         with:
-          version: 9.14.2
+          version: ${{ env.PNPM_VERSION }}
       - name: Install with pnpm
         run: pnpm install
       - name: Lint code

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,6 +9,8 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 
 env:
   NPM_CONFIG_PROVENANCE: true
+  PNPM_VERSION: 9.15.5
+  NODE_VERSION: 22
 
 permissions:
   contents: read
@@ -35,11 +37,11 @@ jobs:
       - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         name: Install Node
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_VERSION }}
       - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         name: Install pnpm
         with:
-          version: 9.14.2
+          version: ${{ env.PNPM_VERSION }}
       - name: Install dependencies
         run: pnpm install
       - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -12,6 +12,10 @@ concurrency:
 
 permissions: read-all
 
+env:
+  NODE_VERSION: 22
+  PNPM_VERSION: 9.15.5
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -27,11 +31,11 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_VERSION }}
       - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         name: Install pnpm
         with:
-          version: 9.14.2
+          version: ${{ env.PNPM_VERSION }}
       - name: Install with pnpm
         run: pnpm install
       - name: Run tests with coverage

diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-20.18.1
+22
diff --git a/Dockerfile b/Dockerfile
@@ -1,55 +1,72 @@
-FROM node:20.18.1-alpine3.19 AS build
+ARG PNPM_VERSION=9.15.5
+ARG NODE_VERSION=20.13.1-alpine3.19
 
-# set app basepath
-ENV HOME=/home/app
+FROM node:${NODE_VERSION} AS build
 
-# add app dependencies
-COPY package.json $HOME/node/
-COPY pnpm-lock.yaml $HOME/node/
+# Use a more specific working directory
+ENV HOME=/opt/app
 
-# change working dir and install deps
-WORKDIR $HOME/node
+# Create non-root user early in build stage
+RUN addgroup -g 101 app && adduser -u 100 -D -G app -s /bin/false app
+
+# Set ownership and permissions
+WORKDIR $HOME
+RUN chown app:app $HOME
+
+# Install pnpm globally before switching to non-root user
+USER root
+RUN npm install -g pnpm@${PNPM_VERSION}
+
+# Switch to non-root user for remaining operations
+USER app
+
+# Add package files with specific ownership
+COPY --chown=app:app package.json pnpm-lock.yaml ./
 
-# enable pnpm and install deps
-RUN corepack enable
-RUN pnpm --ignore-scripts --frozen-lockfile install
+# Install dependencies
+RUN pnpm install --frozen-lockfile --ignore-scripts
 
-# copy all app files
-COPY . $HOME/node/
+# Copy application code
+COPY --chown=app:app . .
 
-# compile typescript and build all production stuff
+# Build application
 RUN pnpm build:docker
 
-# remove dev dependencies and files that are not needed in production
-RUN rm -rf node_modules
-RUN pnpm install --prod --frozen-lockfile --ignore-scripts
-RUN rm -rf $PROJECT_WORKDIR/.pnpm-store
+# Clean up development dependencies
+RUN pnpm install --prod --frozen-lockfile --ignore-scripts && \
+    rm -rf .pnpm-store
 
-# start new image for lower size
-FROM node:20.13.1-alpine3.19
+# Production image
+FROM node:${NODE_VERSION}
 
-# Update OpenSSL and install dumb-init
+# Update system and install security packages
 RUN apk update && \
-    apk upgrade openssl && \
-    apk add --no-cache dumb-init && \
+    apk upgrade --no-cache && \
+    apk add --no-cache dumb-init tini && \
     rm -rf /var/cache/apk/*
 
-# create user with no permissions
+# Create non-root user
 RUN addgroup -g 101 app && adduser -u 100 -D -G app -s /bin/false app
 
-# set app basepath
-ENV HOME=/home/app
+# Set up application directory
+WORKDIR /opt/app
 
-# copy production compiled node app to the new image
-COPY --chown=app:app --from=build $HOME/node/ $HOME/node/
+# Copy only necessary files from build stage
+COPY --chown=app:app --from=build /opt/app/dist ./dist
+COPY --chown=app:app --from=build /opt/app/node_modules ./node_modules
+COPY --chown=app:app --from=build /opt/app/package.json ./
 
-# run app with low permissions level user
+# Set secure defaults
 USER app
-WORKDIR $HOME/node
+ENV NODE_ENV=production \
+    NODE_OPTIONS="--max-old-space-size=2048 --max-http-header-size=8192"
 
-EXPOSE 3000
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1
 
-ENV NODE_ENV=production
+EXPOSE 3000
 
-ENTRYPOINT ["dumb-init"]
+# Use tini as init system
+ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["node", "--enable-source-maps", "dist/index.js"]
diff --git a/package.json b/package.json
@@ -64,28 +64,28 @@
   },
   "devDependencies": {
     "@biomejs/biome": "1.2.2",
-    "@commitlint/cli": "^19.6.0",
-    "@commitlint/config-conventional": "^19.6.0",
-    "@commitlint/prompt": "^19.6.0",
+    "@commitlint/cli": "^19.7.1",
+    "@commitlint/config-conventional": "^19.7.1",
+    "@commitlint/prompt": "^19.7.1",
     "@ducktors/tsconfig": "^1.0.0",
     "@semantic-release/changelog": "^6.0.3",
-    "@semantic-release/commit-analyzer": "^13.0.0",
+    "@semantic-release/commit-analyzer": "^13.0.1",
     "@semantic-release/git": "^10.0.1",
-    "@semantic-release/github": "^10.3.5",
+    "@semantic-release/github": "^11.0.1",
     "@semantic-release/npm": "^12.0.1",
-    "@semantic-release/release-notes-generator": "^14.0.1",
+    "@semantic-release/release-notes-generator": "^14.0.3",
     "@types/node": "^20.6.3",
     "c8": "^9.0.0",
     "commitizen": "^4.3.1",
     "commitlint-config-cz": "^0.13.3",
-    "commitlint-plugin-function-rules": "^2.0.2",
+    "commitlint-plugin-function-rules": "^4.0.1",
     "cz-conventional-changelog": "^3.3.0",
     "fastify-tsconfig": "^2.0.0",
-    "husky": "^8.0.3",
+    "husky": "^9.1.7",
     "npm-run-all": "^4.1.5",
-    "rimraf": "^4.4.1",
+    "rimraf": "^6.0.1",
     "s3rver": "^3.7.1",
-    "semantic-release": "^22.0.12",
+    "semantic-release": "^24.2.1",
     "tsx": "^4.7.0",
     "typescript": "^5.2.2"
   },
@@ -95,7 +95,7 @@
   "homepage": "https://github.com/ducktors/turborepo-remote-cache#readme",
   "engines": {
     "node": ">=20.0.0",
-    "pnpm": ">=9.14.2"
+    "pnpm": ">=9.15.5"
   },
   "keywords": [
     "turborepo",