build: use a base image for Docker builds

Split the Docker build into three stages: - base image: Node 20 Alpine with the build environment, package files, Yarn and Lerna config. - builder image: bootstraps the project and root apps from the base image. - runner image: installs only production dependencies and runs the built apps from the `builder` image. This is the image that's deployed to Kubernetes. - run the Next.js apps as the `node` user, to secure the apps in production.
zooniverse · Dec 5, 2024 · d60ac3d · d60ac3d
1 parent ebfab6f
commit d60ac3d
Showing 1 changed file with 12 additions and 33 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:20-alpine AS builder
+FROM node:20-alpine AS base
 
 ARG COMMIT_ID
 ENV COMMIT_ID=$COMMIT_ID
@@ -18,29 +18,25 @@ ENV APP_ENV=$APP_ENV
 
 ENV NEXT_TELEMETRY_DISABLED=1
 
-ARG CONTENTFUL_ACCESS_TOKEN
-
-ARG CONTENTFUL_SPACE_ID
-
-ARG SENTRY_AUTH_TOKEN
-
 RUN mkdir -p /usr/src
 
 WORKDIR /usr/src/
 
-ADD package.json /usr/src/
+RUN chown -R node:node .
 
-COPY .yarn /usr/src/.yarn
+COPY --chown=node:node package.json yarn.lock lerna.json .yarnrc /usr/src/
 
-ADD .yarnrc /usr/src/
+COPY --chown=node:node .yarn /usr/src/.yarn
 
-ADD lerna.json /usr/src/
+FROM base AS builder
 
-COPY ./packages /usr/src/packages
+ARG CONTENTFUL_ACCESS_TOKEN
 
-ADD yarn.lock /usr/src/
+ARG CONTENTFUL_SPACE_ID
 
-RUN chown -R node:node .
+ARG SENTRY_AUTH_TOKEN
+
+COPY --chown=node:node ./packages /usr/src/packages
 
 USER node
 
@@ -55,28 +51,11 @@ RUN --mount=type=cache,id=fem-builder-yarn,uid=1000,gid=1000,target=/home/node/.
 RUN echo $COMMIT_ID > /usr/src/packages/app-root/public/commit_id.txt
 RUN --mount=type=cache,id=fem-builder-yarn,uid=1000,gid=1000,target=/home/node/.yarn YARN_CACHE_FOLDER=/home/node/.yarn yarn workspace @zooniverse/fe-root build
 
-FROM node:20-alpine AS runner
-
-ARG NODE_ENV=production
-ENV NODE_ENV=$NODE_ENV
-
-RUN mkdir -p /usr/src
-
-WORKDIR /usr/src/
-
-RUN chown -R node:node .
+FROM base AS runner
 
 USER node
 
-COPY --from=builder /usr/src/package.json /usr/src/package.json
-
-COPY --from=builder /usr/src/.yarn /usr/src/.yarn
-
-COPY --from=builder /usr/src/.yarnrc /usr/src/.yarnrc
-
-COPY --from=builder /usr/src/packages ./packages
-
-COPY --from=builder /usr/src/yarn.lock /usr/src/yarn.lock
+COPY --from=builder --chown=node:node /usr/src/packages ./packages
 
 RUN --mount=type=cache,id=fem-runner-yarn,uid=1000,gid=1000,target=/home/node/.yarn YARN_CACHE_FOLDER=/home/node/.yarn yarn install --production --frozen-lockfile --ignore-scripts --prefer-offline