fix(template): enable corepack in the builder stage, not just the runner#59
Merged
chiro-hiro merged 1 commit intoJun 7, 2026
Conversation
The generated Dockerfile ran `corepack enable` only in the runner stage, even
though the build (`yarn install`/`yarn build`) happens in the builder. It worked
by accident — the orochinetwork/ubuntu:node base image already ships yarn as a
corepack shim — and contradicted the documented contract (DOCKERFILE.md:
"Enables corepack in both the builder and the runner"). If the base image ever
stopped pre-shimming yarn, the Strapi (Yarn 4 berry) build would break with no
corepack in the builder.
Emit the corepack-enable RUN layer in BOTH stages:
- Dockerfile.template: add {{builder_corepack_run}}, placed as root before the
USER switch (and before COPY, so the layer caches independently of code).
- dockerfile.sh: substitute {{builder_corepack_run}} from the same generator;
refresh the now-stale comment.
Also carries the same shellcheck SC2016 silence as orochi-network#58 so this PR is green
independently of merge order (the finding was introduced by the orochi-network#57 merge).
chiro-hiro
force-pushed
the
fix/corepack-enable-in-builder
branch
from
9f28c1b to
015124c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The generated Dockerfile emits
RUN corepack enableonly in the runner stage, but the build —yarn install/yarn build— runs in the builder stage. This works today purely by accident: theorochinetwork/ubuntu:nodebase image already shipsyarnas a corepack shim, so the builder gets corepack behaviour it was never explicitly given.This contradicts the documented contract in
DOCKERFILE.md:If the base image ever stopped pre-shimming
yarn, the Strapi (Yarn 4 berry) build would break with no corepack in the builder — and the runner-stagecorepack enableis largely dead weight for the actual build.Fix
Emit the corepack-enable layer in both stages:
Dockerfile.template— add a{{builder_corepack_run}}placeholder in the builder stage, as root, before theUSERswitch (and beforeCOPY . ., so the layer caches independently of application code).dockerfile.sh— substitute{{builder_corepack_run}}from the same generator used for the runner; refresh the now-stale comment.nginx(which doesn't use corepack) is unaffected — neither stage gets the layer.Verification
dockerfile.shdry-run:corepack enablenow appears in builder and runner fornode/next/strapi, and in neither fornginx.RUN corepack enableis emitted beforeWORKDIR/COPY/USER→ runs as root.docker buildof a node consumer:corepack enableruns as root in the builder ([builder] RUN corepack enable) before theUSERswitch and the build succeeds.shellcheck -e SC1091clean,bash -nclean,checksum.sha256regenerated & verified, full dry-run smoke + strapi contract pass.Note on overlap with #58
This branch is cut from
main, which is currently red from the #57 merge (a false-positive shellcheckSC2016+ a stale checksum). To keep this PR green on its own, it carries the same one-lineSC2016silence as #58 and a freshly regeneratedchecksum.sha256. The two PRs therefore overlap ondockerfile.sh/checksum.sha256; whichever merges second needs a trivial rebase +./generate-checksums.sh. Functionally independent of #58.