| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 |
- # syntax=docker/dockerfile:1.7
- # ---------- composer stage ----------
- FROM composer:2 AS deps
- WORKDIR /app
- COPY composer.json composer.lock* ./
- RUN composer install --no-dev --no-interaction --no-scripts --no-progress --optimize-autoloader
- # ---------- runtime ----------
- FROM dunglas/frankenphp:1-php8.3-alpine
- ENV PHP_INI_SCAN_DIR=/usr/local/etc/php/conf.d
- # System deps for PHP extensions
- RUN apk add --no-cache \
- icu-dev \
- oniguruma-dev \
- sqlite-dev \
- bash \
- && install-php-extensions \
- pdo_sqlite \
- pdo_mysql \
- mbstring \
- intl \
- opcache \
- bcmath
- WORKDIR /app
- COPY --from=deps /app/vendor ./vendor
- COPY . ./
- # Caddyfile and entrypoint
- COPY docker/Caddyfile /etc/Caddyfile
- COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh
- # SEC_REVIEW F18: drop root. /app stays root-owned and world-readable
- # (the runtime only needs to read source); /data is app-owned so the
- # SQLite db, attached volume, and `auth:bootstrap-service-token`
- # writes succeed without root. /home/app/.{config,local/share} are
- # pre-created and owned so FrankenPHP/Caddy XDG state has somewhere
- # to land. apk + install-php-extensions still ran above as root
- # because they touch /usr/local; no further root-owned work remains.
- RUN addgroup -S -g 1000 app \
- && adduser -S -u 1000 -G app -h /home/app app \
- && chmod +x /usr/local/bin/entrypoint.sh \
- && chmod +x bin/console \
- && mkdir -p /data /home/app/.config /home/app/.local/share \
- && chown -R app:app /data /home/app
- ENV XDG_CONFIG_HOME=/home/app/.config \
- XDG_DATA_HOME=/home/app/.local/share
- USER app
- EXPOSE 8081
- ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
- CMD ["api"]
|
