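FROM oven/bun:1.3.2-slim AS base
WORKDIR /app

# Shared base stage: the bun runtime plus sops, age and git (for data migration).
#
# Supply-chain notes:
# - sops and age are fetched as release artifacts over HTTPS. The versions are
#   pinned in the URLs, but a URL alone does not pin content, so pass the
#   expected SHA-256 digests as build args (SOPS_SHA256 / AGE_SHA256) to have
#   each download verified before it is installed. Take the digests from the
#   projects' published release checksums.
# - An empty digest skips verification for that artifact (the previous
#   behaviour), so CI should always set both.
# - curl runs with -f so an HTTP error fails the build instead of saving an
#   error page that would then be installed as the binary.
# - NOTE(review): both artifacts are hard-coded to linux/amd64; building for
#   another platform would install binaries that cannot run there.
ARG SOPS_SHA256=""
ARG AGE_SHA256=""

# curl is needed only for the downloads, so it is removed again in this layer.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
    && curl -fsSLO https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
    && if [ -n "${SOPS_SHA256}" ]; then \
           echo "${SOPS_SHA256}  sops-v3.9.4.linux.amd64" | sha256sum -c -; \
       fi \
    && mv sops-v3.9.4.linux.amd64 /usr/local/bin/sops \
    && chmod +x /usr/local/bin/sops \
    && curl -fsSLO https://github.com/FiloSottile/age/releases/download/v1.2.0/age-v1.2.0-linux-amd64.tar.gz \
    && if [ -n "${AGE_SHA256}" ]; then \
           echo "${AGE_SHA256}  age-v1.2.0-linux-amd64.tar.gz" | sha256sum -c -; \
       fi \
    && tar -xzf age-v1.2.0-linux-amd64.tar.gz \
    && mv age/age /usr/local/bin/ \
    && rm -rf age age-v1.2.0-linux-amd64.tar.gz \
    && apt-get purge -y --auto-remove curl \
    && rm -rf /var/lib/apt/lists/*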
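FROM base AS builder

# Install dependencies from the manifest and lockfile first so this layer is
# reused until package.json or bun.lock changes.
COPY package.json bun.lock ./
RUN bun install --frozen-lockfile

# NOTE(review): this copies the entire build context into the stage. Confirm
# that .dockerignore excludes local env files, unencrypted secrets and .git.
COPY . .
RUN bun run prepare

# Build with sops secrets.
#
# The age private key decrypts SECRETS_FILE for the duration of the build only.
# Preferred: pass it as a BuildKit secret so it is not written to any layer,
# to the image config or to the build history:
#
#   docker build --secret id=sops_age_key,env=SOPS_AGE_KEY .
#
# Deprecated fallback: --build-arg SOPS_AGE_KEY=... still works, but build-arg
# values are recorded in the image history of this stage. The former
# `ENV SOPS_AGE_KEY=...` line is removed because it stored the key in the
# stage's image configuration; a declared ARG is already visible to RUN.
ARG SOPS_AGE_KEY
ARG SECRETS_FILE=secrets.prod.yaml
RUN --mount=type=secret,id=sops_age_key \
    if [ -s /run/secrets/sops_age_key ]; then \
        SOPS_AGE_KEY="$(cat /run/secrets/sops_age_key)"; \
    fi \
    && export SOPS_AGE_KEY \
    && sops exec-env "${SECRETS_FILE}" 'bun run build'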
FROM base AS executor
WORKDIR /app

ARG SECRETS_FILE=secrets.prod.yaml

# Build output plus the manifest and lockfile needed to install dependencies.
COPY --from=builder /app/build ./build
COPY --from=builder /app/package.json /app/bun.lock ./

# The secrets file is copied from the build context and shipped inside the
# image as secrets.yaml; CMD decrypts it at start-up with sops.
# NOTE(review): anyone who can pull the image gets this file, so its
# confidentiality rests on the sops encryption and on SOPS_AGE_KEY staying
# outside the image. Confirm the file is never committed in decrypted form.
COPY ${SECRETS_FILE} ./secrets.yaml

# Drizzle migration files and config, plus the two source modules copied
# alongside them (presumably imported by drizzle.config.ts; confirm).
COPY --from=builder /app/drizzle ./drizzle
COPY --from=builder /app/drizzle.config.ts ./
COPY --from=builder /app/src/lib/env/env.server.ts ./src/lib/env/env.server.ts
COPY --from=builder /app/src/lib/shared/models/schema.ts ./src/lib/shared/models/schema.ts

RUN bun install --frozen-lockfile

ENV NODE_ENV=production \
    PORT=3000
EXPOSE 3000

# NOTE(review): no USER instruction appears in this file, so the container runs
# as the base image's default user (presumably root; confirm). Consider an
# unprivileged user if the migration and the server do not need root.
#
# SOPS_AGE_KEY must be set at runtime; it is not stored in this stage.
# Start-up decrypts secrets.yaml into the environment, applies the drizzle
# migrations, then replaces the inner shell with the bun server.
# NOTE(review): the outer `sh -c` stays PID 1 with sops as its child. Check
# that SIGTERM from `docker stop` actually reaches the bun process.
CMD ["sh", "-c", "sops exec-env secrets.yaml 'bun drizzle-kit migrate && exec bun build/index.js'"]