From 852a9068d9dfc7a1ef8d22d308f8b6c060779478 Mon Sep 17 00:00:00 2001
From: Chiro Hiro
Date: Sat, 6 Jun 2026 13:10:30 +0700
Subject: [PATCH 1/2] fix(build-prod-node): use injected APP_VERSION; do not run git inside the image

The image build context excludes .git, so git rev-parse failed under set -euo pipefail and aborted the build at builder stage. Take APP_VERSION from the build host (injected via build-arg/ENV); keep a tolerant git fallback only for local runs.
---
 scripts/build-prod-node.sh | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/scripts/build-prod-node.sh b/scripts/build-prod-node.sh
index 152b60f..3ffba8e 100644
--- a/scripts/build-prod-node.sh
+++ b/scripts/build-prod-node.sh
@@ -3,13 +3,17 @@
 # On error exit
 set -euo pipefail
-git config --global --add safe.directory /home/ubuntu/app
-
-# Compute version info
-REV=$(git rev-parse --short HEAD)
-TAG=$(git tag --points-at HEAD 2>/dev/null || echo "")
 CWD=$(pwd)
-APP_VERSION="${REV} (${TAG:-undefined})"
+
+# APP_VERSION is normally injected from the build host (the image build context
+# has no .git, so git cannot run here). Fall back to git only when this script
+# is run locally inside a real repository.
+if [ -z "${APP_VERSION:-}" ]; then
+ git config --global --add safe.directory "$CWD" 2>/dev/null || true
+ REV=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+ TAG=$(git tag --points-at HEAD 2>/dev/null || echo "")
+ APP_VERSION="${REV} (${TAG:-undefined})"
+fi
 echo "Building: ${APP_VERSION}"
From cbade2ab85076cdea751e7cf48970c648f9d1ce6 Mon Sep 17 00:00:00 2001
From: Chiro Hiro
Date: Sat, 6 Jun 2026 13:10:31 +0700
Subject: [PATCH 2/2] feat(dockerfile): declare ARG/ENV APP_VERSION for build-host version injection

Emit ARG APP_VERSION + ENV APP_VERSION before the builder build RUN so the version computed on the build host (which has .git) is available to build-prod-node.sh inside the container.
---
 dockerfile.sh | 3 +++
 1 file changed, 3 insertions(+)
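Review bot: The fallback branch in scripts/build-prod-node.sh now runs `git config --global --add safe.directory "$CWD"` on whatever machine the script is started on, so each local run appends another entry to the user's global git config and persistently exempts the current directory from git's repository-ownership check. The old fixed path `/home/ubuntu/app` looks like the in-image location, where that write was thrown away with the build. A checkout owned by the invoking user should not need the exemption, so I would drop the line from the local fallback, or at least not write it to the persistent global config. The `2>/dev/null || true` and `|| echo "unknown"` guards also let a run with no injected version and no repository continue as `unknown (undefined)`; if that is intended, say so in the comment, e.g. `# No injected version and no repository: label the build "unknown" instead of failing`. The script continues outside the hunk.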
diff --git a/dockerfile.sh b/dockerfile.sh
index 2613303..7b15c9c 100755
--- a/dockerfile.sh
+++ b/dockerfile.sh
@@ -395,6 +395,9 @@ generate_build_command() {
 # .yarnrc.yml writes use `printf` at build time (POSIX printf interprets \n in
 # every shell), not `echo` (whose \n handling depends on the builder's /bin/sh).
 local h="/home/${BUILDER_USER}"
+ printf '%s\n' "# Application version, injected from the build host (image context has no .git)"
+ printf '%s\n' "ARG APP_VERSION"
+ printf '%s\n' 'ENV APP_VERSION=${APP_VERSION}'
 printf '%s\n' "# Build with npm auth mounted as a secret (token never persists in a layer)"
 printf '%s\n' "RUN --mount=type=secret,id=npm_access_token,mode=0444 set -eu && \\"
 printf '%s\n' " NPM_ACCESS_TOKEN=\$(cat /run/secrets/npm_access_token) && \\"
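Review bot: The emitted `ARG APP_VERSION` has no default and nothing in the added lines checks it, so a build invoked without the build-arg leaves `ENV APP_VERSION` empty. Judging by the companion change to scripts/build-prod-node.sh, the build script would then take its git fallback inside a context without .git and label the image `unknown (undefined)` without failing. For a production image I would fail early by emitting a guard at the start of the build RUN, for example `: "${APP_VERSION:?APP_VERSION build-arg is required}"`, or give the ARG an explicit placeholder default so an unversioned build is recognisable. generate_build_command starts and ends outside the hunk.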