c0d0bffae0
* root: bind-mount .npmrc into Dockerfile npm ci stages `npm` walks up from cwd looking for `.npmrc`. The two Dockerfiles that run `npm ci` (`lifecycle/container/Dockerfile` for the web build and `website/Dockerfile` for the docs build) bind-mount package.json / package-lock.json into the build context, but not `.npmrc`. As a result the project-level settings — most importantly `ignore-scripts=true` — are not honored inside the container, so a hypothetical malicious package's preinstall/postinstall hook would execute during the image build. Adding `--mount=type=bind,target=/work/.npmrc,src=./.npmrc` to each `npm ci` step closes that gap. The mount is read-only and only present for the install step, so it adds no layer weight. Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com> * Update bindmount. --------- Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
# --- Stage 1: build the documentation site ---------------------------------
# Base image pinned by tag and digest so the build is reproducible.
# --platform=${BUILDPLATFORM} runs this stage on the build host's native
# platform; only the produced static files are copied into the final image.
FROM --platform=${BUILDPLATFORM} docker.io/library/node:26.2.0-trixie@sha256:980c5420a7a2ddcb44037726977f2a349e5c7b64217516c7488dce4c74d71583 AS docs-builder

# NOTE(review): NODE_ENV=production is set before `npm ci`. npm omits
# devDependencies by default when NODE_ENV=production, so this assumes the
# docs build needs none of them (or that .npmrc overrides `omit`) — confirm.
ENV NODE_ENV=production

WORKDIR /work

# Bootstrap the package-manager toolchain and validate the Node runtime for
# ./website. Inputs are bind-mounted (read-only, present only for this RUN)
# rather than COPY'd, so nothing from them lands in a layer and the layer is
# only invalidated when these manifests / shared packages change.
# NOTE(review): .npmrc is not mounted here; fine as long as setup-corepack and
# lint-runtime do not read npm project config — verify.
RUN --mount=type=bind,target=/work/package.json,src=./package.json \
    --mount=type=bind,target=/work/package-lock.json,src=./package-lock.json \
    --mount=type=bind,target=/work/scripts/node/,src=./scripts/node/ \
    --mount=type=bind,target=/work/packages/logger-js/,src=./packages/logger-js/ \
    --mount=type=bind,target=/work/packages/tsconfig/,src=./packages/tsconfig/ \
    --mount=type=bind,target=/work/packages/eslint-config/,src=./packages/eslint-config/ \
    --mount=type=bind,target=/work/packages/prettier-config/,src=./packages/prettier-config/ \
    --mount=type=bind,target=/work/packages/docusaurus-config/,src=./packages/docusaurus-config/ \
    --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
    node ./scripts/node/setup-corepack.mjs --force && \
    node ./scripts/node/lint-runtime.mjs ./website

# Install dependencies for the repository root and the website workspaces.
# The project .npmrc is bind-mounted so project-level npm settings (notably
# ignore-scripts=true) are honored inside the container; without it, npm
# would not find the file and dependency install hooks would execute during
# the image build. Lockfiles are mounted alongside so `npm ci` installs
# exactly the pinned tree.
# /root/.npm is a shared build-cache mount: it speeds up rebuilds and is
# never written into an image layer.
# NOTE(review): the second `npm ci` passes --prefix ./website; confirm npm
# still resolves /work/.npmrc as the project config for that invocation
# rather than looking for /work/website/.npmrc.
RUN --mount=type=bind,target=/work/.npmrc,src=./.npmrc \
    --mount=type=bind,target=/work/package.json,src=./package.json \
    --mount=type=bind,target=/work/package-lock.json,src=./package-lock.json \
    --mount=type=bind,target=/work/scripts/node/,src=./scripts/node/ \
    --mount=type=bind,target=/work/packages/logger-js/,src=./packages/logger-js/ \
    --mount=type=bind,target=/work/packages/tsconfig/,src=./packages/tsconfig/ \
    --mount=type=bind,target=/work/packages/eslint-config/,src=./packages/eslint-config/ \
    --mount=type=bind,target=/work/packages/prettier-config/,src=./packages/prettier-config/ \
    --mount=type=bind,target=/work/packages/docusaurus-config/,src=./packages/docusaurus-config/ \
    --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
    --mount=type=bind,target=/work/website/vendored/detect-package-manager,src=./website/vendored/detect-package-manager \
    --mount=type=bind,target=/work/website/docusaurus-theme/package.json,src=./website/docusaurus-theme/package.json \
    --mount=type=bind,target=/work/website/api/package.json,src=./website/api/package.json \
    --mount=type=bind,target=/work/website/integrations/package.json,src=./website/integrations/package.json \
    --mount=type=bind,target=/work/website/docs/package.json,src=./website/docs/package.json \
    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
    corepack npm ci && \
    corepack npm ci --workspaces --include-workspace-root --prefix ./website

WORKDIR /work/website

# Copy the documentation sources plus repository files the docs pull in
# (presumably rendered or embedded by the build — verify against website/).
# These are real layers, so a change here invalidates only the build step.
COPY ./website /work/website/
COPY ./blueprints /work/blueprints/
COPY ./schema.yml /work/
COPY ./lifecycle/container/compose.yml /work/lifecycle/container/
COPY ./SECURITY.md /work/

# Build the `docs` workspace. packages/docusaurus-config is not COPY'd above,
# so it is bind-mounted again for the build step only.
RUN --mount=type=bind,target=/work/packages/docusaurus-config/,src=./packages/docusaurus-config/ \
    corepack npm run build -w docs

# --- Stage 2: serve the static site -----------------------------------------
# Runtime image pinned by tag and digest. No USER is declared in this stage,
# so nginx runs as the base image's default user (root in the stock nginx
# image); EXPOSE and CMD are inherited from the base, and no HEALTHCHECK is
# defined here.
FROM docker.io/library/nginx:1.31-trixie@sha256:800e7c98538c6bf725f5177e841aa720ae0ed1c378bbea368b6330bfe18a36b3

# OCI image annotations (org.opencontainers.image.*) for provenance and
# discovery; they have no runtime effect.
LABEL org.opencontainers.image.authors="Authentik Security Inc." \
    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
    org.opencontainers.image.description="authentik product documentation" \
    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
    org.opencontainers.image.title="authentik docs image" \
    org.opencontainers.image.url="https://goauthentik.io" \
    org.opencontainers.image.vendor="Authentik Security Inc."

# Only the built static site crosses the stage boundary; node, npm and
# node_modules stay behind in docs-builder and never reach the served image.
COPY --from=docs-builder /work/website/docs/build /usr/share/nginx/html