Skip to content

Fix Docker build warnings and upgrade Node.js #91

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ashwin47 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix Docker build warnings and upgrade Node.js #91

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,14 @@

# Make sure it matches the Ruby version in .ruby-version and Gemfile
ARG RUBY_VERSION=3.3.1
FROM ruby:$RUBY_VERSION-slim as base
FROM ruby:$RUBY_VERSION-slim AS base

# Configure trusted repositories and clean apt cache
RUN rm -rf /etc/apt/sources.list.d/* && \
echo "deb [trusted=yes] http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list && \
echo "deb [trusted=yes] http://deb.debian.org/debian bookworm-updates main" >> /etc/apt/sources.list && \
echo "deb [trusted=yes] http://deb.debian.org/debian-security bookworm-security main" >> /etc/apt/sources.list && \
Comment on lines +7 to +11
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid globally trusting Debian repositories

The new base stage rewrites /etc/apt/sources.list with [trusted=yes] on every entry, which disables GPG signature verification for all apt-get operations in both build and runtime stages. This removes integrity checks for every package installed from Debian mirrors and leaves the image vulnerable to tampered packages or man‑in‑the‑middle attacks. If the goal is to work around temporary “invalid signature” errors, consider using Acquire::Check-Valid-Until=false or fixing the system clock for the initial update instead of permanently turning off signature validation.

Useful? React with 👍 / 👎.

apt-get clean && rm -rf /var/cache/apt/archives/*

# Rails app lives here
WORKDIR /rails
Expand All @@ -14,11 +21,13 @@ ENV RAILS_ENV="production" \
BUNDLE_WITHOUT="development"

# Throw-away build stage to reduce size of final image
FROM --platform=$TARGETPLATFORM base as build
FROM base AS build

# Install packages need to build gems and Node.js for Tailwind
RUN apt-get update -qq && \
apt-get install -y build-essential git pkg-config nodejs npm
apt-get install -y build-essential git pkg-config curl && \
curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
apt-get install -y nodejs

# Install application gems
COPY Gemfile Gemfile.lock ./
Expand Down Expand Up @@ -70,4 +79,4 @@ HEALTHCHECK --interval=5s --timeout=3s --start-period=30s --retries=3 \
CMD curl -f http://localhost:3000/up || exit 1

# Start the server by default, this can be overwritten at runtime
CMD service cron start && bin/configure && bin/boot
CMD ["sh", "-c", "service cron start && bin/configure && bin/boot"]