letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
1a2d2dd1e114105876e43a8200f528917d87218e
pn-new-crm/Dockerfile.worker
Matt 6c159a8cac
All checks were successful
Build & Push Docker Images / lint (push) Successful in 1m25s
Details
Build & Push Docker Images / build-and-push (push) Successful in 14m51s
Details
fix(build): make prepare tolerant of missing husky + bump deps (Phase 1a) 
Two related changes:

1. package.json `prepare` script: changed from "husky" to "husky || true"
   so the script doesn't fail in --prod installs where husky (a
   devDependency) isn't present. The earlier "ENV HUSKY=0" attempt
   didn't help because HUSKY=0 only skips git-hook install once husky
   is invoked — when the husky binary itself is missing, the prepare
   script fails with "sh: husky: not found" before any HUSKY env var
   is consulted. Reverted that ENV from Dockerfile.worker.

2. Phase 1a deps refresh — `pnpm update` within current semver ranges.
   Notably:
   - @pdfme/common, @pdfme/generator, @pdfme/schemas: 5.5.8 → 5.5.10
     (closes XSS in SVG/Select schemas + SSRF in getB64BasePdf +
     decompression-bomb in FlateDecode)
   - postcss: 8.5.8 → 8.5.14 (XSS via </style> in stringify output)
   - mailparser, openai, postgres, react, react-dom, react-hook-form,
     recharts, zustand, jose, libphonenumber-js, prettier, vitest,
     autoprefixer, dotenv: routine minor/patch.

Tests: 1185/1185 vitest passing locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 16:15:34 +02:00

41 lines
1.9 KiB
Docker
Raw Blame History

# Stage 1: Install dependencies (dev deps needed for esbuild)
FROM node:20-alpine AS deps
RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --prod=false
# Stage 2: Build the worker bundle
FROM node:20-alpine AS builder
RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
ENV SKIP_ENV_VALIDATION=1
RUN pnpm build:worker
# Stage 3: Production runner (prod deps only).
#
# Critical ordering: create the worker user FIRST and chown the workdir
# BEFORE pnpm install, so node_modules + lazy-cache directories
# (tesseract.js, sharp) are owned by the worker user. Without this, the
# previous layout had pnpm install run as root → node_modules root-owned
# → tesseract.js / sharp wrote to node_modules/.cache and EACCES'd at
# first PDF parse in prod (auditor-K §39).
FROM node:20-alpine AS runner
RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
RUN addgroup --system --gid 1001 nodejs && adduser --system --uid 1001 worker
WORKDIR /app
RUN chown -R worker:nodejs /app
USER worker
COPY --chown=worker:nodejs package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --prod
COPY --from=builder --chown=worker:nodejs /app/dist/worker.js ./worker.js
# Healthcheck — pings Redis from inside the worker container. Without
# this, a worker whose Redis connection has silently dropped (BullMQ
# rejects new jobs but the Node process is alive) is invisible to
# compose / swarm and jobs queue indefinitely (auditor-K §40).
HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
CMD node -e "const Redis=require('ioredis');const r=new Redis(process.env.REDIS_URL,{maxRetriesPerRequest:1,connectTimeout:3000,lazyConnect:true});r.connect().then(()=>r.ping()).then(()=>{r.disconnect();process.exit(0)}).catch(()=>process.exit(1))" || exit 1
CMD ["node", "worker.js"]
Reference in New Issue View Git Blame Copy Permalink