44 lines
1.2 KiB
Docker
44 lines
1.2 KiB
Docker
FROM oven/bun:alpine AS deps
|
|
|
|
WORKDIR /app
|
|
|
|
COPY package.json bun.lock ./
|
|
RUN bun install --frozen-lockfile --production
|
|
|
|
# ─────────────────────────────────────────────
|
|
FROM oven/bun:alpine AS builder
|
|
|
|
WORKDIR /app
|
|
|
|
COPY package.json bun.lock ./
|
|
RUN bun install --frozen-lockfile
|
|
|
|
COPY . .
|
|
|
|
# PUBLIC_API_BASE_URL is baked at build time if using $env/static/public.
|
|
# If using $env/dynamic/public, remove the ARG/ENV below and pass it at runtime.
|
|
ARG PUBLIC_API_BASE_URL=https://api.marktvogt.de
|
|
ENV PUBLIC_API_BASE_URL=$PUBLIC_API_BASE_URL
|
|
|
|
RUN bun run build
|
|
|
|
# ─────────────────────────────────────────────
|
|
FROM node:22-alpine
|
|
|
|
WORKDIR /app
|
|
|
|
COPY --from=builder /app/build ./build
|
|
COPY --from=deps /app/node_modules ./node_modules
|
|
COPY --from=builder /app/package.json .
|
|
|
|
# node:22-alpine already ships nobody at UID 65534 — matches podSecurityContext.runAsUser
|
|
USER nobody:nobody
|
|
|
|
# ORIGIN is required by adapter-node for CSRF protection.
|
|
# Must match the public-facing URL exactly (set via k8s ConfigMap).
|
|
ENV PORT=3000 HOST=0.0.0.0 NODE_ENV=production
|
|
|
|
EXPOSE 3000
|
|
|
|
CMD ["node", "build"]
|