chore(ci): do not include dev dependencies in docker images (#37481)

This commit is contained in:
Rodrigo Nascimento 2025-11-14 16:40:40 -03:00 committed by GitHub
parent 7d90c9d685
commit 06915142d2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 89 additions and 36 deletions


@ -75,6 +75,16 @@ runs:
set -o xtrace set -o xtrace
export DENO_VERSION="${{ inputs.deno-version }}" export DENO_VERSION="${{ inputs.deno-version }}"
# Removes unnecessary swc cores to reduce image sized
swc_arch='x64'
if [[ "${{ inputs.service }}" == 'rocketchat' ]]; then
if [[ "${{ inputs.arch }}" == 'arm64' ]]; then
swc_arch='arm64'
fi
find /tmp/build/bundle/programs/server/npm/node_modules/meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc -type d -name 'core-*' -not -name "*linux-${swc_arch}-gnu*" -exec rm -rf {} +
fi
if [[ "${{ inputs.publish-image }}" == 'true' ]]; then if [[ "${{ inputs.publish-image }}" == 'true' ]]; then
LOAD_OR_PUSH="--push" LOAD_OR_PUSH="--push"
else else
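Review bot: The `find … -exec rm -rf {} +` added for the rocketchat service hard-codes the full swc-core path and runs unguarded; if that directory is absent (a bundle layout change, or a build that does not ship swc-core), find exits non-zero, which either aborts the step if errexit is set outside this hunk or is silently ignored, and neither outcome is visible in the log. The sibling build action wraps each removal in `if [ -d "$path" ]` and prints what happened; the same shape here keeps the two pruning steps consistent, e.g. `swc_dir=/tmp/build/bundle/programs/server/npm/node_modules/meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc` followed by `if [ -d "$swc_dir" ]; then find "$swc_dir" -type d -name 'core-*' -not -name "*linux-${swc_arch}-gnu*" -exec rm -rf {} +; fi`. The comment `# Removes unnecessary swc cores to reduce image sized` could also say that only the `linux-<arch>-gnu` variant is kept and why, since the musl variants are removed earlier in CI and a reader cannot tell from this step which binary the runtime is expected to load. The enclosing run block starts before and ends after this hunk.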


@ -42,6 +42,15 @@ runs:
with: with:
swap-size-gb: 4 swap-size-gb: 4
- name: Merge dependencies for build
shell: bash
if: steps.cache-build.outputs.cache-hit != 'true'
run: |
# Merge dependencies and devDependencies into a new 'dependencies' field
cd apps/meteor
cp package.json package.json.bak
jq '.dependencies = (.dependencies + .devDependencies) | del(.devDependencies)' package.json > package.json.tmp && mv package.json.tmp package.json
- name: Setup NodeJS - name: Setup NodeJS
uses: ./.github/actions/setup-node uses: ./.github/actions/setup-node
if: steps.cache-build.outputs.cache-hit != 'true' if: steps.cache-build.outputs.cache-hit != 'true'
@ -50,6 +59,7 @@ runs:
deno-version: ${{ inputs.deno-version }} deno-version: ${{ inputs.deno-version }}
cache-modules: true cache-modules: true
install: true install: true
type: 'production'
NPM_TOKEN: ${{ inputs.NPM_TOKEN }} NPM_TOKEN: ${{ inputs.NPM_TOKEN }}
# - name: Free disk space # - name: Free disk space
@ -150,12 +160,41 @@ runs:
echo "Coverage enabled" echo "Coverage enabled"
fi fi
# Restore original package.json so meteor should not copy devDependencies
mv apps/meteor/package.json.bak apps/meteor/package.json
yarn build:ci yarn build:ci
- name: Translation check declare -a meter_modules_to_remove=(
shell: bash "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-darwin-arm64" # Removes 35M
if: steps.cache-build.outputs.cache-hit != 'true' "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-linux-x64-musl" # Removes 58M
run: yarn turbo run translation-check "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-linux-arm64-musl" # Removes 44M
"meteor/babel-compiler/node_modules/typescript" # Removes 31M
"meteor/babel-compiler/node_modules/@babel" # Removes 14M
"@rocket.chat/i18n/src" # Removes 16M
"typescript" # Removes 19M
# "@babel" # Removes 34M - Needed by Minimongo
)
du -s /tmp/dist/bundle
for dir_path in "${meter_modules_to_remove[@]}"; do
path=/tmp/dist/bundle/programs/server/npm/node_modules/${dir_path}
if [ -d "$path" ]; then
rm -rf "$path"
echo "Removed directory: $path"
else
echo "Path is not a directory or does not exist: $path"
fi
done
# Remove all .d.ts files from node_modules to reduce size
# Removes 184M
find /tmp/dist/bundle -type f -name "*.d.ts" -delete
du -s /tmp/dist/bundle
- name: Prepare build - name: Prepare build
shell: bash shell: bash
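Review bot: The restore `mv apps/meteor/package.json.bak apps/meteor/package.json` in the build step is a bare `mv` while the `cp` that creates the backup lives in a separate earlier step, so any run in which the backup is missing fails the build with an unrelated error, and a stale `.bak` left by an earlier aborted run would silently replace the current file. A guard such as `[ -f apps/meteor/package.json.bak ] && mv apps/meteor/package.json.bak apps/meteor/package.json`, or restoring with `git checkout -- apps/meteor/package.json` and dropping the temp file entirely, makes the intent explicit. Two smaller points in the same hunk: the array is named `meter_modules_to_remove` where `meteor_modules_to_remove` is evidently intended, and the context line `yarn build:ci` still invokes the root `build:ci` script that this same commit deletes from package.json, unless the step runs from a directory whose own package.json defines it, which the hunk does not show. In the merge step, `.dependencies + .devDependencies` lets a devDependencies entry override a same-named dependencies entry (right-hand wins in jq); a comment stating that this is intended, or a check that the two key sets are disjoint, would prevent a surprising version drift into the production install. The run block containing the restore starts before this hunk.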


@ -12,6 +12,11 @@ inputs:
required: false required: false
description: 'Install dependencies' description: 'Install dependencies'
type: boolean type: boolean
type:
required: false
description: 'development or production'
type: string
default: 'development'
deno-version: deno-version:
required: true required: true
description: 'Deno version' description: 'Deno version'
@ -46,7 +51,8 @@ runs:
apps/meteor/ee/server/services/node_modules apps/meteor/ee/server/services/node_modules
packages/apps-engine/node_modules packages/apps-engine/node_modules
packages/apps-engine/.deno-cache packages/apps-engine/.deno-cache
key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('yarn.lock') }}-deno-v${{ inputs.deno-version }}-${{ hashFiles('packages/apps-engine/deno-runtime/deno.lock') }} key: node-modules-${{ inputs.type }}-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}-deno-v${{ inputs.deno-version }}-${{ hashFiles('packages/apps-engine/deno-runtime/deno.lock') }}-v3
# key: node-modules-${{ inputs.type }}-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}-deno-v${{ inputs.deno-version }}-${{ hashFiles('packages/apps-engine/deno-runtime/deno.lock') }}-v${{ github.run_id }}
# #
# Could use this command to list all paths to save: # Could use this command to list all paths to save:
# find . -name 'node_modules' -prune | grep -v "/\.meteor/" | grep -v "/meteor/packages/" # find . -name 'node_modules' -prune | grep -v "/\.meteor/" | grep -v "/meteor/packages/"
@ -70,6 +76,11 @@ runs:
echo "//registry.npmjs.org/:_authToken=${{ inputs.NPM_TOKEN }}" > ~/.npmrc echo "//registry.npmjs.org/:_authToken=${{ inputs.NPM_TOKEN }}" > ~/.npmrc
- name: yarn install - name: yarn install
if: inputs.install if: inputs.install && inputs.type == 'development'
shell: bash shell: bash
run: YARN_ENABLE_HARDENED_MODE=${{ inputs.HARDENED_MODE }} yarn run: YARN_ENABLE_HARDENED_MODE=${{ inputs.HARDENED_MODE }} yarn
- name: yarn install production
if: inputs.install && inputs.type == 'production'
shell: bash
run: YARN_ENABLE_HARDENED_MODE=${{ inputs.HARDENED_MODE }} yarn workspaces focus --all --production
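Review bot: The two install steps select on `inputs.type == 'development'` and `inputs.type == 'production'` respectively, so any other value of `type` (a typo in a caller) skips both steps and the action reports success without installing anything, which then surfaces much later as a missing-module failure. Making the development step the fallback, `if: inputs.install && inputs.type != 'production'`, or adding a short step that fails on unknown values, closes that gap. The new input's `description: 'development or production'` could state the effect rather than the vocabulary, e.g. `description: 'development installs every workspace; production runs yarn workspaces focus --all --production'`. Note also that `hashFiles('package.json')` in the new cache key covers only the root package.json; if the intent was to key on the apps/meteor package.json that the caller rewrites before this action runs, the glob needs to include that path, although the `inputs.type` component already separates the two variants.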


@ -66,7 +66,7 @@ jobs:
--exclude='.git' \ --exclude='.git' \
. .
SOURCE_HASH=$(sha256sum /tmp/RocketChat-source.tar | awk '{ print $1 }')-v3 SOURCE_HASH=$(sha256sum /tmp/RocketChat-source.tar | awk '{ print $1 }')-v8
# Uncomment the following line to include the run ID in the hash and disable caching between runs # Uncomment the following line to include the run ID in the hash and disable caching between runs
# SOURCE_HASH=$(sha256sum /tmp/RocketChat-source.tar | awk '{ print $1 }')-${{ github.run_id }} # SOURCE_HASH=$(sha256sum /tmp/RocketChat-source.tar | awk '{ print $1 }')-${{ github.run_id }}


@ -1,3 +1,23 @@
FROM node:22.16.0-alpine3.20 AS builder
ENV LANG=C.UTF-8
RUN apk add --no-cache python3 make g++ py3-setuptools libc6-compat
COPY . /app
ENV NODE_ENV=production
RUN cd /app/bundle/programs/server \
&& npm install --omit=dev \
# Re install sharp dependencies to ensure proper binary for architecture
# We only need the @img folder from sharp dependencies
&& cd /app/bundle/programs/server/npm/node_modules/sharp \
&& npm install --omit=dev \
&& rm -rf ../@img \
&& mv node_modules/@img ../@img \
&& rm -rf node_modules
FROM node:22.16.0-alpine3.20 FROM node:22.16.0-alpine3.20
LABEL maintainer="buildmaster@rocket.chat" LABEL maintainer="buildmaster@rocket.chat"
@ -16,16 +36,13 @@ ENV LANG=C.UTF-8
# and more complex or security conscious daemons run as dedicated users. # and more complex or security conscious daemons run as dedicated users.
# The daemon user is also handy for locally installed daemons. # The daemon user is also handy for locally installed daemons.
# """ # """
RUN apk add --no-cache deno ttf-dejavu \ RUN apk add --no-cache shadow deno ttf-dejavu \
&& apk add --no-cache --virtual deps shadow python3 make g++ py3-setuptools libc6-compat \
# Update OpenSSL # Update OpenSSL
# CVE -> https://scout.docker.com/vulnerabilities/id/CVE-2025-9230?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.21 # CVE -> https://scout.docker.com/vulnerabilities/id/CVE-2025-9230?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.21
&& apk upgrade --no-cache openssl \ && apk upgrade --no-cache openssl \
&& groupmod -n rocketchat nogroup \ && groupmod -n rocketchat nogroup \
&& useradd -u 65533 -r -g rocketchat rocketchat && useradd -u 65533 -r -g rocketchat rocketchat
COPY --chown=rocketchat:rocketchat . /app
# needs a mongo instance - defaults to container linking with alias 'mongo' # needs a mongo instance - defaults to container linking with alias 'mongo'
ENV DEPLOY_METHOD=docker \ ENV DEPLOY_METHOD=docker \
NODE_ENV=production \ NODE_ENV=production \
@ -37,27 +54,7 @@ ENV DEPLOY_METHOD=docker \
USER rocketchat USER rocketchat
RUN cd /app/bundle/programs/server \ COPY --from=builder --chown=rocketchat:rocketchat /app /app
&& npm install --omit=dev \
&& cd /app/bundle/programs/server \
&& rm -rf npm/node_modules/sharp \
&& npm install sharp@0.32.6 --no-save \
&& mv node_modules/sharp npm/node_modules/sharp \
# End hack for sharp
# # Start hack for isolated-vm...
# && rm -rf npm/node_modules/isolated-vm \
# && npm install isolated-vm@4.6.0 \
# && mv node_modules/isolated-vm npm/node_modules/isolated-vm \
# # End hack for isolated-vm
&& cd /app/bundle/programs/server/npm \
&& npm rebuild bcrypt --build-from-source \
&& npm cache clear --force
USER root
RUN apk del deps
USER rocketchat
VOLUME /app/uploads VOLUME /app/uploads
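Review bot: `shadow` is now installed permanently in the runtime stage (`RUN apk add --no-cache shadow deno ttf-dejavu`) although it is only needed for the `groupmod`/`useradd` calls in that same RUN; the previous version removed it with the virtual `deps` package, and the multi-stage rewrite drops that cleanup together with the build toolchain, so the final image carries a setuid-capable user-management package it never uses. Keeping it virtual and deleting it in the same layer preserves the old footprint: `&& apk add --no-cache --virtual .user-deps shadow \` before the groupmod line and `&& apk del .user-deps` after useradd, with `shadow` removed from the first `apk add`. The rewrite also drops `npm rebuild bcrypt --build-from-source` and the `sharp@0.32.6` pin, so the binaries resolved by `npm install --omit=dev` in the builder are presumably expected to load on the musl runtime even though `libc6-compat` is now present only in the builder stage; a comment above `RUN apk add --no-cache python3 make g++ py3-setuptools libc6-compat` stating that expectation would make it checkable the next time a native dependency changes.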


@ -7,7 +7,6 @@
"scripts": { "scripts": {
"build": "turbo run build", "build": "turbo run build",
"build:services": "turbo run build --filter=rocketchat-services...", "build:services": "turbo run build --filter=rocketchat-services...",
"build:ci": "turbo run build:ci",
"testunit": "turbo run testunit", "testunit": "turbo run testunit",
"test-storybook": "turbo run test-storybook", "test-storybook": "turbo run test-storybook",
"dev": "turbo run dev --env-mode=loose --parallel --filter=@rocket.chat/meteor...", "dev": "turbo run dev --env-mode=loose --parallel --filter=@rocket.chat/meteor...",


@ -22,9 +22,6 @@
"lint": { "lint": {
"outputs": [] "outputs": []
}, },
"translation-check": {
"outputs": []
},
"typecheck": { "typecheck": {
"outputs": [] "outputs": []
}, },