# ============================================================ # Stage 1: Install dependencies # ============================================================ FROM node:20-bookworm-slim AS deps RUN apt-get update -y && apt-get install -y openssl && rm -rf /var/lib/apt/lists/* RUN npm install -g pnpm@9.14.2 WORKDIR /app # Copy workspace manifests first for better layer caching COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./ COPY tooling/ ./tooling/ COPY packages/shared/package.json ./packages/shared/ COPY packages/db/package.json ./packages/db/ COPY packages/engine/package.json ./packages/engine/ COPY packages/staffing/package.json ./packages/staffing/ COPY packages/application/package.json ./packages/application/ COPY packages/api/package.json ./packages/api/ COPY packages/ui/package.json ./packages/ui/ COPY apps/web/package.json ./apps/web/ RUN pnpm install --frozen-lockfile # ============================================================ # Stage 2: Build the application # ============================================================ FROM node:20-bookworm-slim AS builder RUN apt-get update -y && apt-get install -y openssl && rm -rf /var/lib/apt/lists/* RUN npm install -g pnpm@9.14.2 WORKDIR /app # Copy installed dependencies from stage 1 COPY --from=deps /app/ ./ # Copy all source code COPY . . # Generate Prisma client RUN pnpm --filter @capakraken/db db:generate # Build the Next.js application ENV NEXT_TELEMETRY_DISABLED=1 ENV NODE_ENV=production # next build collects page data for /api/auth/[...nextauth] which crashes # without these envs even though they are placeholders at image-build time # (real values are injected at container start). Mirrors the CI build job. # # IMPORTANT: pass these only as inline env on the RUN step, not via `ENV`. # `ENV` persists the placeholder into the image layer — scanned as a leaked # secret and inherited by the `migrator` stage (which is published). ARG NEXTAUTH_URL=http://localhost:3100 ARG AUTH_URL=http://localhost:3100 ARG NEXTAUTH_SECRET=ci-build-placeholder-secret-minimum-32-chars ARG AUTH_SECRET=ci-build-placeholder-secret-minimum-32-chars ARG DATABASE_URL=postgresql://placeholder:placeholder@localhost:5432/placeholder ARG REDIS_URL=redis://placeholder:6379 RUN NEXTAUTH_URL="$NEXTAUTH_URL" \ AUTH_URL="$AUTH_URL" \ NEXTAUTH_SECRET="$NEXTAUTH_SECRET" \ AUTH_SECRET="$AUTH_SECRET" \ DATABASE_URL="$DATABASE_URL" \ REDIS_URL="$REDIS_URL" \ pnpm --filter @capakraken/web build # ============================================================ # Stage 3: Migration runner # ============================================================ FROM builder AS migrator ENV NODE_ENV=production CMD ["pnpm", "--filter", "@capakraken/db", "db:migrate:deploy"] # ============================================================ # Stage 4: Production runtime # ============================================================ FROM node:20-bookworm-slim AS runner RUN apt-get update -y && apt-get install -y openssl curl && rm -rf /var/lib/apt/lists/* WORKDIR /app ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 ENV HOSTNAME=0.0.0.0 ENV PORT=3000 RUN addgroup --system --gid 1001 nodejs && \ adduser --system --uid 1001 nextjs # Copy the standalone output (includes server.js and node_modules) COPY --from=builder --chown=nextjs:nodejs /app/apps/web/.next/standalone ./ # Copy static assets and public files COPY --from=builder --chown=nextjs:nodejs /app/apps/web/.next/static ./apps/web/.next/static COPY --from=builder --chown=nextjs:nodejs /app/apps/web/public ./apps/web/public USER nextjs EXPOSE 3000 HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \ CMD curl -f http://localhost:3000/api/health || exit 1 CMD ["node", "apps/web/server.js"]