chore: image security update

frouriojs · Jun 20, 2024 · f9f17d3 · f9f17d3
1 parent aa6b0b0
commit f9f17d3
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,8 @@
+.git
+.github
+.vscode
+data
+**/node_modules
+README.md
+.gitignore
+**/.env
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,9 +18,11 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
-      - uses: docker/build-push-action@v5
+      - uses: docker/build-push-action@v6
         with:
+          sbom: true
           push: true
+          provenance: mode=max
           build-args: |
             VERSION=${{ env.VERSION }}
           tags: frourio/magnito:latest,frourio/magnito:${{ env.VERSION }}
diff --git a/Dockerfile b/Dockerfile
@@ -25,6 +25,9 @@ FROM node:20-alpine
 
 WORKDIR /usr/src/app
 
+RUN apk add sudo
+RUN echo '%node ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
+
 ARG CLIENT_PORT=5001
 
 ENV PORT=5000
@@ -49,9 +52,14 @@ COPY --from=builder /usr/src/app/server/prisma ./server/prisma
 RUN apk --no-cache add curl
 COPY --from=builder /usr/src/app/data ./data
 
+RUN chown -R node:node /usr/src/app
+
 HEALTHCHECK --interval=5s --timeout=5s --retries=3 CMD curl -f http://localhost:$PORT/health && curl -f http://localhost:$CLIENT_PORT || exit 1
 
 EXPOSE ${PORT} ${CLIENT_PORT}
 VOLUME ["/usr/src/app/data"]
 
+USER node
+ENTRYPOINT ["sh", "-c", "sudo chown -R node /usr/src/app/data && ls -l /usr/src/app && exec \"$@\"", "--"]
+
 CMD ["npm", "start"]