retrieve-countries/Dockerfile at main · rgdevment/retrieve-countries · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# =============================================
# BASE — shared layer for all stages
# =============================================
FROM node:24-alpine AS base
WORKDIR /app
COPY package.json package-lock.json ./

# =============================================
# DEVELOPMENT — hot-reload, full source mount
# =============================================
FROM base AS development
ENV NODE_ENV=development
RUN npm ci
COPY . .
CMD ["npm", "run", "start:dev"]

# =============================================
# BUILD — compile TypeScript only (used by prod)
# =============================================
FROM base AS build
RUN npm ci
COPY . .
RUN npm run build

# =============================================
# PRODUCTION — minimal, secure, distroless-ish
# =============================================
FROM node:24-alpine AS production

# Install build tools for native modules (better-sqlite3) and tini
RUN apk --no-cache add \
    python3 \
    make \
    g++ \
    tini \
    && rm -rf /var/cache/apk/*

# Security: no root, no shell attack surface
RUN addgroup -S app && adduser -S app -G app

WORKDIR /app

# Copy only production artifacts
COPY --from=build /app/dist ./dist
COPY --from=build /app/package.json ./package.json
COPY --from=build /app/package-lock.json ./package-lock.json

# Install ONLY production deps (build better-sqlite3 native module)
RUN npm ci --omit=dev \
    && npm cache clean --force \
    && rm -rf /tmp/*

# SQLite data directory
RUN mkdir -p /app/data && chown -R app:app /app

COPY docker-entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/docker-entrypoint.sh

ENV NODE_ENV=production
EXPOSE 3000

# Entrypoint: fix perms → ensure indexes → start server as 'app'
ENTRYPOINT ["/sbin/tini", "--", "docker-entrypoint.sh"]