From 015124cffb630920232ae641c5d0827b0351055b Mon Sep 17 00:00:00 2001 From: Chiro Hiro Date: Sun, 7 Jun 2026 12:24:13 +0700 Subject: [PATCH] fix(template): enable corepack in the builder stage, not just the runner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The generated Dockerfile ran `corepack enable` only in the runner stage, even though the build (`yarn install`/`yarn build`) happens in the builder. It worked by accident — the orochinetwork/ubuntu:node base image already ships yarn as a corepack shim — and contradicted the documented contract (DOCKERFILE.md: "Enables corepack in both the builder and the runner"). If the base image ever stopped pre-shimming yarn, the Strapi (Yarn 4 berry) build would break with no corepack in the builder. Emit the corepack-enable RUN layer in BOTH stages: - Dockerfile.template: add {{builder_corepack_run}}, placed as root before the USER switch (and before COPY, so the layer caches independently of code). - dockerfile.sh: substitute {{builder_corepack_run}} from the same generator; refresh the now-stale comment. Also carries the same shellcheck SC2016 silence as #58 so this PR is green independently of merge order (the finding was introduced by the #57 merge). --- Dockerfile.template | 6 ++++++ checksum.sha256 | 4 ++-- dockerfile.sh | 8 +++++--- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 69132aa..e8da561 100644 --- a/Dockerfile.template +++ b/Dockerfile.template 
@@ -11,6 +11,12 @@ ARG BUILDER_WORKDIR=/home/{{builder_user}}/app RUN mkdir -p ${BUILDER_WORKDIR} && \ chown -R {{builder_user}}:{{builder_group}} /home/{{builder_user}} +# Enable corepack as root, before switching to the non-root build user, so +# `yarn install`/`yarn build` below run under the project's pinned package +# manager (e.g. Yarn 4 berry for Strapi). Placed before COPY so the layer is +# cached independently of application code changes. +{{builder_corepack_run}} + # Set the working directory WORKDIR ${BUILDER_WORKDIR} diff --git a/checksum.sha256 b/checksum.sha256 index 21ebfc5..0c6387c 100644 --- a/checksum.sha256 +++ b/checksum.sha256 @@ -1,11 +1,11 @@ 1e0c7cc14593577dcbd2b343f39a87120bc42482f25df215c52a9373029dbd4a ./ssh-allowed-signers -2866d0bf67d0a5e284123f445e2978e4b1389e2498de9fe08c3bb43dbe0e63b5 ./dockerfile.sh 48f2d49fab1d7c52f6930bfb239874f1e61479210ceb260d0e2dd9a54c2877e6 ./gpg-list.asc 4939e1364e91cfbb589ddf645ae26530a1e4ecbb4e21c607aad8ee64c9414bca ./scripts/build-prod-node.sh 4aa825fa514655414968415bebfbec5b0252803fbba16e994b29ff1fd3004110 ./check-ssh.sh 5b7f96cd62b02c59adb90159877bd61230c3d95eca3e19a1c4e5dfb4140a986c ./scripts/build-prod-next.sh -9dbf9d726d881c43729954f9a29777c0e17d84755c9c32c2fc72a0df39f335cb ./Dockerfile.template +66ae4f55698cd5320bf009314ae59c4e34c07bd24a3a2b30540189e6089565b0 ./Dockerfile.template aad9d75f80076441f3164f81fb9fca4f4d55ec3c021129cad29633d89b24170d ./scripts/build-prod-nginx.sh beee0be70f1a3e4a219e142bf7400415a26dea1873ce279f95f401e682fe0fe6 ./check-gpg.sh f15c4e8e374105e07ab7de3cf94e3ec6aaccd02a76ca9907368782612bc7e50f ./configs/nginx.conf +fb6fe984478967e5b25939954d1296b8effe74c038e469cc60d93b0e4ffae0a9 ./dockerfile.sh fcf790d01c0ccde52a74a4fa49df33ba9a0f6210868dfa7895048a58bd613710 ./generate-yarn-npm.sh diff --git a/dockerfile.sh b/dockerfile.sh index d1245c2..6b7409b 100755 --- a/dockerfile.sh +++ b/dockerfile.sh 
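Review bot: The added comment above `{{builder_corepack_run}}` says this layer makes `yarn install`/`yarn build` run under the project's pinned package manager, but `corepack enable` only installs the shims. The version actually used is resolved later, after COPY, from the project's `packageManager` field, and is presumably fetched over the network on the first `yarn` call in the builder. I would say so in the comment and note that the pin is only as strong as that field, for example `# corepack fetches the version named in package.json "packageManager" on first use; pin it with an integrity hash`. The comment is also static template text: if the generator emits nothing when `COREPACK_ENABLE` is empty (the visible `if [[ -n "$COREPACK_ENABLE" ]]` in dockerfile.sh suggests so), Dockerfiles generated without corepack will still carry a comment describing a step that is not there. The rationale may be better emitted by `generate_corepack_run` itself.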
@@ -434,8 +434,10 @@ generate_env_copy() {
 # Generate corepack enable command
 # ============================================================================
 # Emit corepack enable as its own RUN layer when the template requires it
-# (node/next). Kept as a standalone command instead of being chained onto the
-# runner chmod, so the template carries no shell operators in its variables.
+# (node/next/strapi). The same layer is emitted in BOTH the builder stage (so
+# yarn install/build run under the project's pinned package manager) and the
+# runner stage — see DOCKERFILE.md. Kept standalone (not chained onto a chmod)
+# so the template carries no shell operators in its variables.
 generate_corepack_run() {
 if [[ -n "$COREPACK_ENABLE" ]]; then
 echo "# Enable corepack to manage the project's package manager"
@@ -506,7 +508,7 @@ while IFS= read -r line; do
 cat "$TMP_WORK/runner_commands.txt"
 elif [[ "$line" == "{{env_copy}}" ]]; then
 cat "$TMP_WORK/env_copy.txt"
- elif [[ "$line" == "{{corepack_run}}" ]]; then
+ elif [[ "$line" == "{{corepack_run}}" || "$line" == "{{builder_corepack_run}}" ]]; then
 cat "$TMP_WORK/corepack_run.txt"
 else
 echo "$line"
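Review bot: The commit description says this patch also carries the shellcheck SC2016 silence from #58, but no `# shellcheck disable=SC2016` line appears in either dockerfile.sh hunk. The diffstat for the file (5 insertions, 3 deletions) is fully accounted for by this comment rewrite and the `elif` change in the next hunk. Either the directive was dropped along the way or the description is stale; one of the two should be corrected so the claim that the PR is green independently of merge order holds. `generate_corepack_run`'s body continues past the hunk, so the line the finding points at is not visible here.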
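Review bot: The placeholder test in the changed `elif` is an exact whole-line match, so a template line with leading or trailing whitespace around `{{builder_corepack_run}}`, or a misspelled placeholder, falls through to `echo "$line"` and is written into the generated Dockerfile verbatim. With a second placeholder name now mapped to the same file, a post-render check for leftover markers would catch that at generation time rather than at `docker build`. After the loop, something like `grep -q '{{[a-z_]*}}' "$output" && die "unexpanded placeholder"` would do (`$output` and `die` stand in for whatever the script actually uses). The loop starts and ends outside the hunk.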