update dockerfile for non root user#1006
Conversation
Greptile SummaryThis PR updates the Docker setup to run nginx as a non-root user by switching the final image from
Confidence Score: 4/5The non-root nginx migration is correct and the nginx.conf port change aligns properly, but the unpinned Node.js builder tag means different CI runs may pull different versions. The core goal of running nginx as a non-root user on port 8080 is implemented correctly. The nginx image is pinned and nginx.conf aligns with it. The unpinned Node.js builder tag is the main concern — a new patch release could silently change the build artifact between CI runs. The Dockerfile builder stage needs its Node.js image tag pinned to a specific version to restore build reproducibility. Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Builder as node:22-alpine (builder)
participant Dist as /app/build
participant NginxImg as nginx-unprivileged:1.29-alpine
participant Container as nginx container (port 8080)
Builder->>Builder: npm ci (install deps)
Builder->>Builder: npm run build
Builder->>Dist: output static assets
Dist->>NginxImg: COPY build to /usr/share/nginx/html
NginxImg->>NginxImg: COPY nginx.conf
NginxImg->>Container: EXPOSE 8080
Container->>Container: nginx listens on 8080 (non-root user)
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant Builder as node:22-alpine (builder)
participant Dist as /app/build
participant NginxImg as nginx-unprivileged:1.29-alpine
participant Container as nginx container (port 8080)
Builder->>Builder: npm ci (install deps)
Builder->>Builder: npm run build
Builder->>Dist: output static assets
Dist->>NginxImg: COPY build to /usr/share/nginx/html
NginxImg->>NginxImg: COPY nginx.conf
NginxImg->>Container: EXPOSE 8080
Container->>Container: nginx listens on 8080 (non-root user)
Reviews (1): Last reviewed commit: "update dockerfile for non root user" | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| @@ -1,21 +1,24 @@ | |||
| FROM node:21.7.0-alpine AS builder | |||
| FROM node:22-alpine AS builder | |||
There was a problem hiding this comment.
node:21.7.0-alpine) to a floating major-version tag (node:22-alpine). The nginx image uses a pinned tag (1.29-alpine), so the two stages are inconsistent. A new Node.js 22.x patch can silently change the build output between runs, which undermines reproducibility in CI.
| FROM node:22-alpine AS builder | |
| FROM node:22.16.0-alpine AS builder |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
| # HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ | ||
| # CMD wget -qO- http://localhost:8080/ || exit 1 No newline at end of file |
There was a problem hiding this comment.
| # HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ | |
| # CMD wget -qO- http://localhost:8080/ || exit 1 | |
| # HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ | |
| # CMD wget -qO- http://localhost:8080/ || exit 1 |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
2 participants
No description provided.