| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 |
- # syntax=docker/dockerfile:1.7
- # ---------- node stage: build Tailwind + JS bundle ----------
- FROM node:20-alpine AS assets
- WORKDIR /app
- COPY package.json package-lock.json* ./
- RUN npm install --no-audit --no-fund
- COPY tailwind.config.js postcss.config.js ./
- COPY resources ./resources
- RUN mkdir -p public/assets \
- && npx tailwindcss -i resources/css/app.css -o public/assets/app.css --minify \
- && npx esbuild resources/js/app.js --bundle --minify --target=es2020 --outfile=public/assets/app.js
- # ---------- composer stage ----------
- FROM composer:2 AS deps
- WORKDIR /app
- COPY composer.json composer.lock* ./
- RUN composer install --no-dev --no-interaction --no-scripts --no-progress --optimize-autoloader
- # ---------- runtime ----------
- FROM dunglas/frankenphp:1-php8.3-alpine
- ENV PHP_INI_SCAN_DIR=/usr/local/etc/php/conf.d
- RUN apk add --no-cache \
- icu-dev \
- oniguruma-dev \
- bash \
- && install-php-extensions \
- mbstring \
- intl \
- opcache
- WORKDIR /app
- COPY --from=deps /app/vendor ./vendor
- COPY . ./
- COPY --from=assets /app/public/assets ./public/assets
- COPY docker/Caddyfile /etc/Caddyfile
- COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh
- # SEC_REVIEW F18: drop root. /app stays root-owned and world-readable;
- # the UI has no per-container persistent volume so only /home/app's
- # XDG dirs need to be app-writable. PHP sessions live under /tmp by
- # default which is world-writable, so no extra path setup is needed
- # for the BFF session store.
- RUN addgroup -S -g 1000 app \
- && adduser -S -u 1000 -G app -h /home/app app \
- && chmod +x /usr/local/bin/entrypoint.sh \
- && mkdir -p /home/app/.config /home/app/.local/share \
- && chown -R app:app /home/app
- ENV XDG_CONFIG_HOME=/home/app/.config \
- XDG_DATA_HOME=/home/app/.local/share
- USER app
- EXPOSE 8080
- ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
- CMD ["ui"]
|
