FROM node:22-alpine AS builder # Install pnpm and build deps for native modules (e.g., bcrypt) RUN npm install -g pnpm \ && apk add --no-cache python3 make g++ libc6-compat WORKDIR /app # Install all deps for building server COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./ RUN pnpm install --frozen-lockfile --ignore-scripts=false # Copy only server sources and tsconfig for server build COPY src/server ./src/server COPY tsconfig.server.json ./tsconfig.server.json COPY tsconfig.server.build.json ./tsconfig.server.build.json # Build server only (no client build) RUN pnpm tsc -p tsconfig.server.build.json FROM node:22-alpine AS production # Install pnpm, runtime tools and build deps for native modules present in prod deps RUN npm install -g pnpm ts-node \ && apk add --no-cache su-exec curl python3 make g++ libc6-compat # Set working directory WORKDIR /app # Copy package files COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./ # Install production dependencies only RUN pnpm install --frozen-lockfile --prod --ignore-scripts=false \ && pnpm rebuild bcrypt || true # Copy prebuilt application artifacts from repository (no TS build in image) COPY dist ./dist # Use freshly built server from builder stage COPY --from=builder /app/server-dist ./server-dist COPY public ./public # Copy necessary runtime files COPY start.sh ./start.sh # Create non-root user for security RUN addgroup -g 1001 -S nodejs RUN adduser -S nextjs -u 1001 # Make start script executable RUN chmod +x /app/start.sh # Change ownership of the app directory (but keep root for .storage) RUN chown -R nextjs:nodejs /app RUN chown root:root /app/.storage 2>/dev/null || true # Don't switch to nextjs user here - the start script will handle it # USER nextjs # Expose port EXPOSE 3000 # Health check HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD node -e "require('http').get('http://localhost:3000/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1) })" || exit 1 # Start the application with startup script CMD ["/app/start.sh"] # Prebuilt runtime stage (used locally): copies prebuilt dist and server-dist from context FROM node:22-alpine AS production-prebuilt RUN npm install -g pnpm ts-node \ && apk add --no-cache su-exec curl python3 make g++ libc6-compat WORKDIR /app COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./ RUN pnpm install --frozen-lockfile --prod --ignore-scripts=false \ && pnpm rebuild bcrypt || true # Copy prebuilt artifacts from repository COPY dist ./dist COPY server-dist ./server-dist COPY public ./public COPY start.sh ./start.sh RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001 \ && chmod +x /app/start.sh \ && chown -R nextjs:nodejs /app \ && chown root:root /app/.storage 2>/dev/null || true EXPOSE 3000 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD node -e "require('http').get('http://localhost:3000/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1) })" || exit 1 CMD ["/app/start.sh"]