fix: inject APP_VERSION from build host instead of running git inside the image #57
Merged
chiro-hiro merged 2 commits on Jun 6, 2026
… the image

The image build context excludes .git, so git rev-parse failed under set -euo pipefail and aborted the build at builder stage. Take APP_VERSION from the build host (injected via build-arg/ENV); keep a tolerant git fallback only for local runs.

…injection

Emit ARG APP_VERSION + ENV APP_VERSION before the builder build RUN so the version computed on the build host (which has .git) is available to build-prod-node.sh inside the container.
This was referenced Jun 7, 2026
chiro-hiro added a commit that referenced this pull request Jun 7, 2026
…#58)

Consumer docker builds (and the CI trust checks) could hang indefinitely in the fetch/install phase. Every curl fetch in dev-off ran without a timeout, so a stalled-but-open TCP connection blocked forever with no output. yarn and corepack have their own network timeouts; the bare `curl ... | bash` that fetches the build script — and the trust-script fetches — did not.

Add bounded --connect-timeout/--max-time plus --retry/--retry-delay to every curl so a stalled fetch fails fast and retries transient blips instead of hanging:
- dockerfile.sh: generated build RUN fetch + remote template fetch
- check-gpg.sh / check-ssh.sh: checksum + allowlist fetches (CURL_OPTS array)
- generate-ssh-allowed-signers.sh: GitHub .keys fetch

Also restore green CI (both jobs went red after the #57 merge):
- regenerate checksum.sha256 — it was stale because #57 changed dockerfile.sh and scripts/build-prod-node.sh without refreshing it
- silence a false-positive shellcheck SC2016 on the intentional single-quoted `ENV APP_VERSION=${APP_VERSION}` (Docker, not the shell, expands it)
chiro-hiro added a commit to chiro-hiro/dev-off that referenced this pull request Jun 7, 2026
The generated Dockerfile ran `corepack enable` only in the runner stage, even
though the build (`yarn install`/`yarn build`) happens in the builder. It worked
by accident — the orochinetwork/ubuntu:node base image already ships yarn as a
corepack shim — and contradicted the documented contract (DOCKERFILE.md:
"Enables corepack in both the builder and the runner"). If the base image ever
stopped pre-shimming yarn, the Strapi (Yarn 4 berry) build would break with no
corepack in the builder.
Emit the corepack-enable RUN layer in BOTH stages:
- Dockerfile.template: add {{builder_corepack_run}}, placed as root before the
USER switch (and before COPY, so the layer caches independently of code).
- dockerfile.sh: substitute {{builder_corepack_run}} from the same generator;
refresh the now-stale comment.
Also carries the same shellcheck SC2016 silence as orochi-network#58 so this PR is green
independently of merge order (the finding was introduced by the orochi-network#57 merge).
chiro-hiro added a commit that referenced this pull request Jun 7, 2026
…ner (#59)

The generated Dockerfile ran `corepack enable` only in the runner stage, even though the build (`yarn install`/`yarn build`) happens in the builder. It worked by accident — the orochinetwork/ubuntu:node base image already ships yarn as a corepack shim — and contradicted the documented contract (DOCKERFILE.md: "Enables corepack in both the builder and the runner"). If the base image ever stopped pre-shimming yarn, the Strapi (Yarn 4 berry) build would break with no corepack in the builder.

Emit the corepack-enable RUN layer in BOTH stages:
- Dockerfile.template: add {{builder_corepack_run}}, placed as root before the USER switch (and before COPY, so the layer caches independently of code).
- dockerfile.sh: substitute {{builder_corepack_run}} from the same generator; refresh the now-stale comment.

Also carries the same shellcheck SC2016 silence as #58 so this PR is green independently of merge order (the finding was introduced by the #57 merge).
The generated Dockerfile builds with a context that excludes `.git` (consumers `.dockerignore` it). But `scripts/build-prod-node.sh` computed the version inside the container:

Under `set -euo pipefail` that command substitution aborts the build at the builder stage:

This broke every template build that runs `build-prod-node.sh` (node, strapi).

Fix — compute the version on the build host, pass it in

- `dockerfile.sh`: emit `ARG APP_VERSION` + `ENV APP_VERSION=${APP_VERSION}` right before the builder build `RUN`, so a version injected via `--build-arg` is visible to the build script.
- `scripts/build-prod-node.sh`: use the injected `$APP_VERSION`; only fall back to `git` (now tolerant: `|| echo unknown`) when run locally inside a real repo. No more hard `git` dependency inside the image.

Companion change in `orochi-network/actions` (`build-docker-template`) computes the version on the runner (which does have `.git`) and passes `--build-arg APP_VERSION=...`.

Backward-compatible / independently safe: if the build-arg is absent, `APP_VERSION` is empty and the script falls back to `unknown` rather than crashing.
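
The precedence described above (injected `APP_VERSION`, then a guarded `git` lookup, then `unknown`), written out as an added example that is not the project's `build-prod-node.sh`. The helper name `resolve_app_version` and the `--short HEAD` form of `git rev-parse` are assumptions.

```shell
#!/bin/sh
# Added example (not the project's script): resolve a build version without
# letting a missing .git or a missing git binary abort a strict-mode build.
set -eu
# pipefail is not in every POSIX sh; enable it only where the shell has it.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

# resolve_app_version DIR   (hypothetical helper name)
# Precedence: injected $APP_VERSION > git metadata in DIR > literal "unknown".
resolve_app_version() {
    dir="${1:-.}"

    # 1. Value injected by the build host (ARG/ENV APP_VERSION in the image).
    #    An absent build-arg leaves it empty, so test for non-empty, not set.
    if [ -n "${APP_VERSION:-}" ]; then
        printf '%s\n' "$APP_VERSION"
        return 0
    fi

    # 2. Local run inside a real repository. Both probes sit in an `if`
    #    condition, so their failure cannot trip `set -e`.
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        # Assumed form of the lookup; `|| echo unknown` keeps it tolerant.
        git -C "$dir" rev-parse --short HEAD 2>/dev/null || echo unknown
        return 0
    fi

    # 3. No injected value and no repository: degrade instead of aborting.
    echo unknown
}

# Host side, where .git exists, the same helper can feed the build-arg:
#   docker build --build-arg APP_VERSION="$(resolve_app_version .)" .
echo "resolved version: $(resolve_app_version .)"
```
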