fix(ci): harden docker images and resolve build/lint/typecheck failures#2
Conversation
RinZ27
requested review from
hshanmug12,
maheshmunnangi and
srpatcha
as code owners
RinZ27
force-pushed
the
fix/harden-docker-production
branch
from
4882150 to
b2bcc6e
Compare
RinZ27
changed the title
srpatcha
left a comment
srpatcha
left a comment
There was a problem hiding this comment.
LGTM - Docker hardening and CI fixes look good.
| WORKDIR /app | ||
| COPY package*.json ./ | ||
| RUN npm install -g pnpm && pnpm install --prod | ||
| RUN npm install -g pnpm && pnpm install --prod && chown -R node:node /app |
There was a problem hiding this comment.
Solid improvements overall: running the container as a non‑root user with proper chown hardens security, combining RUN commands improves layer efficiency and caching, and explicit workspace‑based installs/builds improve determinism and CI stability. Please also test this change locally (on any machine) and attach the test results or logs to the PR.
|
@srpatcha I've verified the changes locally. Both |
2 participants
Summary
Implemented security hardening for production Docker images and resolved critical CI/CD failures. The updates include running processes as a non-root user in Docker, adding missing linting configurations, and fixing invalid build/typecheck scripts that were causing CI pipeline blocks.
Type of Change
Changes
Dockerfileandenterprise/docker/Dockerfileto use thenodeuser instead ofroot..eslintrc.jsonto project root to fix the "missing configuration" lint error.package.jsonscripts:typecheckto correctly usepnpm -r exec tsc --noEmitfor workspaces.lintrules to allow@ts-nocheckin test files.RUNinstructions in Dockerfiles to reduce image size.Testing
pnpm run test)Pre-Submission Checklist
Related Issues
None.
Additional Notes
These changes were necessary to make the project "production-ready" from a security perspective and to unblock the CI pipeline which was failing due to missing configs and invalid workspace script syntax. Verified all 215 tests pass locally.