refactor: enhance Dockerfile for improved build process and security practices

nimit9 · nimit9 · commit 4590bfd2bb3a · 2025-09-27T13:21:52.000+05:30
diff --git a/Docker/Dockerfile.api b/Docker/Dockerfile.api
@@ -1,35 +1,89 @@
-FROM node:22-slim
+# Use an ARG to allow for easy version upgrades
+ARG NODE_VERSION=22
 
-# 🛠 Install OpenSSL 1.1 (needed by Prisma) and other required packages
-RUN apt-get update && apt-get install -y \
-    openssl \
-    libssl-dev \
-    libstdc++6 \
-    zlib1g \
-    bash \
- && rm -rf /var/lib/apt/lists/*
+# =================================================================================================
+# 1. Builder Stage: Installs all dependencies, builds the source code, and prunes dev dependencies.
+# =================================================================================================
+FROM node:${NODE_VERSION}-slim AS builder
 
-RUN npm install -g pnpm@9.9.0
+# Set environment variables for pnpm
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
+# Use corepack to install pnpm, which is the recommended method since Node.js v16.13
+RUN corepack enable && corepack prepare pnpm@9.9.0 --activate
 
 WORKDIR /usr/src/app
 
-COPY ./packages ./packages
-COPY ./pnpm-lock.yaml ./pnpm-lock.yaml
-COPY ./pnpm-workspace.yaml ./pnpm-workspace.yaml
+# 🛠 Install OpenSSL and build tools needed for native modules (like Prisma)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openssl \
+    libssl-dev \
+    pkg-config \
+    build-essential \
+    python3 \
+ && rm -rf /var/lib/apt/lists/*
 
-COPY ./package.json ./package.json
-COPY ./tsconfig.json ./tsconfig.json
-COPY ./turbo.json ./turbo.json
+# Copy only the files required to install dependencies.
+# This maximizes layer caching. The install step will only re-run if these files change.
+COPY pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY package.json tsconfig.json turbo.json ./
+COPY packages/ packages/
+COPY apps/api/package.json apps/api/
 
-COPY ./apps/api ./apps/api
+# Use `pnpm fetch` to download dependencies into a shared content-addressable store.
+# This creates a highly cacheable layer.
+RUN pnpm fetch
 
-RUN pnpm install --frozen-lockfile
+# Copy the rest of the source code
+COPY . .
 
-# Generate Prisma client
+# Install dependencies using the fetched packages (offline) and generate Prisma client
+RUN pnpm install --frozen-lockfile --offline
 RUN pnpm db:generate
 
+# Build the specific 'api' application
 RUN pnpm build --filter=api
 
+# Prune development dependencies to reduce the size of the node_modules folder
+RUN pnpm prune --prod
+
+# =================================================================================================
+# 2. Production Stage: Creates the final, small, and secure image.
+# =================================================================================================
+FROM node:${NODE_VERSION}-slim AS production
+
+# Set the environment to production
+ENV NODE_ENV=production
+
+WORKDIR /usr/src/app
+
+# Install only the runtime dependency for Prisma (OpenSSL)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openssl \
+ && rm -rf /var/lib/apt/lists/*
+
+# Create a non-root user and group for security
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nodejs
+
+# Copy pruned dependencies, built code, and necessary package files from the builder stage
+# --chown sets the correct permissions for our non-root user
+COPY --from=builder --chown=nodejs:nodejs /usr/src/app/node_modules ./node_modules
+COPY --from=builder --chown=nodejs:nodejs /usr/src/app/pnpm-lock.yaml ./pnpm-lock.yaml
+COPY --from=builder --chown=nodejs:nodejs /usr/src/app/apps/api/dist ./apps/api/dist
+COPY --from=builder --chown=nodejs:nodejs /usr/src/app/apps/api/package.json ./apps/api/package.json
+# Prisma client also needs access to the schema file at runtime
+COPY --from=builder --chown=nodejs:nodejs /usr/src/app/apps/api/prisma ./apps/api/prisma
+
+# Switch to the non-root user
+USER nodejs
+
+# Change to the app-specific directory
 WORKDIR /usr/src/app/apps/api
 
-CMD ["pnpm", "start"]
+# Expose the port your app runs on (replace 3000 if different)
+EXPOSE 3000
+
+# Start the application directly with node, avoiding the need for pnpm in the final image.
+# Assumes your start script runs `node dist/main.js` or similar.
+CMD ["node", "dist/main.js"]
