From 0ba805d7dbf509937e08051eeb73fd997835ea19 Mon Sep 17 00:00:00 2001 From: Lina Date: Tue, 26 May 2026 11:18:43 +0200 Subject: [PATCH 01/13] Docker hardened images --- .dockerignore | 11 ++++++++++ .drone.yml | 39 ++++++++++++++++++++++++++++----- Dockerfile | 37 ++++++++++++++++++++++++++----- dev.Dockerfile | 9 ++++++-- next.config.js | 1 + pages/recovery.tsx | 7 +++--- submodules/javascript-functions | 2 +- submodules/react-components | 2 +- 8 files changed, 91 insertions(+), 17 deletions(-) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..dff8814 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,11 @@ +.git +.next +node_modules +.env* +.cursor +.github +*.log +npm-debug.log* +dev.Dockerfile +.drone.yml +README.md diff --git a/.drone.yml b/.drone.yml index c8dec6a..90ec265 100644 --- a/.drone.yml +++ b/.drone.yml @@ -13,13 +13,20 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21.2.8-linux-amd64 + depends_on: + - submodules settings: registry: registry.dev.kern.ai username: from_secret: docker_username password: from_secret: docker_password + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password repo: "registry.dev.kern.ai/${DRONE_REPO}" tags: ["${DRONE_COMMIT_SHA}", "${DRONE_COMMIT_BRANCH}"] cache_from: @@ -41,6 +48,7 @@ platform: steps: - name: trigger update image: appleboy/drone-ssh + failure: ignore settings: host: app.dev.kern.ai username: 
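Review bot: In the `build and publish` settings added to `.drone.yml` (hunk `@@ -13,13 +13,20 @@`), `base_image_username` and `base_image_password` are fed from `dockerhub_username` / `dockerhub_password`, the same secrets the tag pipelines in this file use to push to `kernai/${DRONE_REPO_NAME}`. If that secret carries write scope, every dev build that only needs to pull from `dhi.io` now holds a push-capable Docker Hub credential. A dedicated read-only pull secret would keep the two privileges apart, e.g. `from_secret: dhi_pull_username` and `from_secret: dhi_pull_password` (names constructed here for illustration). The same applies to the three other `build and publish` hunks of this commit.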
@@ -75,13 +83,20 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21.2.8-linux-amd64 + depends_on: + - submodules settings: registry: registry.dev.kern.ai username: from_secret: docker_username password: from_secret: docker_password + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password repo: "registry.dev.kern.ai/${DRONE_REPO}" tags: ["${DRONE_COMMIT_SHA}_arm64", "${DRONE_COMMIT_BRANCH}_arm64"] cache_from: @@ -110,12 +125,19 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21.2.8-linux-amd64 + depends_on: + - submodules settings: username: from_secret: dockerhub_username password: from_secret: dockerhub_password + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password repo: "kernai/${DRONE_REPO_NAME}" tag: "${DRONE_TAG}-drone-amd64" @@ -139,12 +161,19 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21.2.8-linux-amd64 + depends_on: + - submodules settings: username: from_secret: dockerhub_username password: from_secret: dockerhub_password + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password repo: "kernai/${DRONE_REPO_NAME}" tag: "${DRONE_TAG}-drone-arm64" @@ -173,4 +202,4 @@ depends_on: trigger: event: - - tag \ No newline at end of file + - tag diff --git a/Dockerfile b/Dockerfile index 5370d18..558e99d 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,9 +1,36 @@ -FROM node:18-alpine AS build +ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev +ARG DHI_NODE_RUNTIME=dhi.io/node:20-debian12 + +FROM ${DHI_NODE_BUILD} AS builder WORKDIR /app -COPY package*.json /app/ -RUN npm install -COPY . /app + +COPY package*.json ./ +ENV NEXT_TELEMETRY_DISABLED=1 +RUN npm install && npm cache clean --force + +COPY pages ./pages +COPY pkg ./pkg +COPY util ./util +COPY styles ./styles +COPY i18n ./i18n +COPY public ./public +COPY submodules ./submodules +COPY next.config.js . +COPY tsconfig.json . +COPY postcss.config.js . +COPY tailwind.config.js . + RUN npm run build -ENTRYPOINT ["/usr/local/bin/npm", "run", "start"] \ No newline at end of file +FROM ${DHI_NODE_RUNTIME} + +WORKDIR /app + +COPY --from=builder --chown=65532:65532 /app/.next/standalone ./ +COPY --from=builder --chown=65532:65532 /app/public ./public +COPY --from=builder --chown=65532:65532 /app/.next/static ./.next/static + +USER 65532:65532 + +ENTRYPOINT ["node", "server.js"] diff --git a/dev.Dockerfile b/dev.Dockerfile index 257cbb8..f983fc7 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -1,9 +1,12 @@ -FROM node:18-alpine +ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev +FROM ${DHI_NODE_BUILD} WORKDIR /app VOLUME ["/app"] +USER root + COPY package*.json /app/ ENV NEXT_TELEMETRY_DISABLED=1 @@ -12,4 +15,6 @@ ENV WATCHPACK_POLLING=true RUN npm install --include=dev -ENTRYPOINT ["/usr/local/bin/npm", "run", "dev"] \ No newline at end of file +USER 65532:65532 + +ENTRYPOINT ["/usr/local/bin/npm", "run", "dev"] diff --git a/next.config.js b/next.config.js index 22dd8c1..5687959 100644 --- a/next.config.js +++ b/next.config.js @@ -1,5 +1,6 @@ /** @type {import('next').NextConfig} */ const nextConfig = { + output: 'standalone', reactStrictMode: true, swcMinify: true, env: { diff --git a/pages/recovery.tsx b/pages/recovery.tsx index a5df163..9428b01 100644 --- a/pages/recovery.tsx +++ b/pages/recovery.tsx 
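Review bot: `RUN npm install && npm cache clean --force` in the builder stage of `Dockerfile` resolves dependencies at build time, so the image is not guaranteed to match the lockfile. If a `package-lock.json` is committed (the `COPY package*.json ./` glob suggests one may be), `RUN npm ci && npm cache clean --force` fails on lockfile drift instead of silently installing different versions. The two `ARG` defaults, `dhi.io/node:20-debian12-dev` and `dhi.io/node:20-debian12`, are mutable tags; appending `@sha256:<digest>` would make the hardened base reproducible as well.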
@@ -11,7 +11,7 @@ import { KernLogo } from "@/pkg/ui/Icons" const Recovery: NextPage = () => { const router = useRouter() - const { flow: flowId, return_to: returnTo } = router.query + const { flow: flowId } = router.query const [flow, setFlow] = useState() @@ -26,7 +26,8 @@ const Recovery: NextPage = () => { data = res.data } else { const res = await ory.createBrowserRecoveryFlow({ - returnTo: returnTo ? String(returnTo) : undefined, + // Omit returnTo - Kratos uses default_browser_return_url. Passing custom return_to + // causes "return url not allowed" if not in allowed_return_urls. }) data = res.data } @@ -56,7 +57,7 @@ const Recovery: NextPage = () => { } fetchFlow() - }, [router.isReady, flowId, returnTo]) + }, [router.isReady, flowId]) const onSubmit = (values: UpdateRecoveryFlowBody) => router diff --git a/submodules/javascript-functions b/submodules/javascript-functions index 4850e39..60f9eeb 160000 --- a/submodules/javascript-functions +++ b/submodules/javascript-functions @@ -1 +1 @@ -Subproject commit 4850e39785215aa8cabcb1cd7df0cd47681be0d5 +Subproject commit 60f9eeba39b3188eee0a48bfca756296c57dfeda diff --git a/submodules/react-components b/submodules/react-components index 99e54d6..37dbcb4 160000 --- a/submodules/react-components +++ b/submodules/react-components @@ -1 +1 @@ -Subproject commit 99e54d67a477fa59655f93a21b8568659903e6c0 +Subproject commit 37dbcb486d1fe2eaf27b79cd23fc0644b8b7b24d From 9f42b0cad51b938366d47bb62c23cea5dd004637 Mon Sep 17 00:00:00 2001 From: Lina Date: Tue, 26 May 2026 11:21:11 +0200 Subject: [PATCH 02/13] Small fix --- pages/recovery.tsx | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pages/recovery.tsx b/pages/recovery.tsx index 9428b01..b3054eb 100644 --- a/pages/recovery.tsx +++ b/pages/recovery.tsx 
@@ -11,7 +11,7 @@ import { KernLogo } from "@/pkg/ui/Icons" const Recovery: NextPage = () => { const router = useRouter() - const { flow: flowId } = router.query + const { flow: flowId, return_to: returnTo } = router.query const [flow, setFlow] = useState() @@ -26,8 +26,7 @@ const Recovery: NextPage = () => { data = res.data } else { const res = await ory.createBrowserRecoveryFlow({ - // Omit returnTo - Kratos uses default_browser_return_url. Passing custom return_to - // causes "return url not allowed" if not in allowed_return_urls. + returnTo: returnTo ? String(returnTo) : undefined }) data = res.data } @@ -57,7 +56,7 @@ const Recovery: NextPage = () => { } fetchFlow() - }, [router.isReady, flowId]) + }, [router.isReady, flowId, returnTo]) const onSubmit = (values: UpdateRecoveryFlowBody) => router From 642fb602348d22dac49214022e1c8b76353317ca Mon Sep 17 00:00:00 2001 From: Lina Date: Tue, 26 May 2026 11:27:29 +0200 Subject: [PATCH 03/13] Small fixes --- .drone.yml | 1 - pages/recovery.tsx | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index 90ec265..667f8f3 100644 --- a/.drone.yml +++ b/.drone.yml @@ -48,7 +48,6 @@ platform: steps: - name: trigger update image: appleboy/drone-ssh - failure: ignore settings: host: app.dev.kern.ai username: diff --git a/pages/recovery.tsx b/pages/recovery.tsx index b3054eb..a5df163 100644 --- a/pages/recovery.tsx +++ b/pages/recovery.tsx @@ -26,7 +26,7 @@ const Recovery: NextPage = () => { data = res.data } else { const res = await ory.createBrowserRecoveryFlow({ - returnTo: returnTo ? String(returnTo) : undefined + returnTo: returnTo ? String(returnTo) : undefined, }) data = res.data } From ac7d1416c0ac2982e30f1a9568a88633e01c9639 Mon Sep 17 00:00:00 2001 From: Lina Date: Wed, 27 May 2026 17:15:47 +0200 Subject: [PATCH 04/13] PR comments --- .drone.yml | 4 ++-- dev.Dockerfile | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) 
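Review bot: `returnTo: returnTo ? String(returnTo) : undefined` in `pages/recovery.tsx` (hunk `@@ -26,8 +26,7 @@` of the "Small fix" commit) stringifies whatever `router.query.return_to` holds, and a repeated `return_to` parameter arrives as an array that `String()` joins with commas. Passing only a single string keeps the value well-formed: `returnTo: typeof returnTo === "string" ? returnTo : undefined,`. The value is caller-controlled, so the redirect is only as safe as the Kratos allow-list. The comment this commit deletes was the only place that recorded the `allowed_return_urls` dependency and the "return url not allowed" failure, so a one-line comment to that effect is worth keeping. The enclosing effect body continues outside the hunk.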
diff --git a/.drone.yml b/.drone.yml index 667f8f3..b32e8e0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -82,7 +82,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker:21.2.8-linux-amd64 + image: plugins/docker:21.2.8-linux-arm64 depends_on: - submodules settings: @@ -160,7 +160,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker:21.2.8-linux-amd64 + image: plugins/docker:21.2.8-linux-arm64 depends_on: - submodules settings: diff --git a/dev.Dockerfile b/dev.Dockerfile index f983fc7..4a9649f 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -15,6 +15,4 @@ ENV WATCHPACK_POLLING=true RUN npm install --include=dev -USER 65532:65532 - ENTRYPOINT ["/usr/local/bin/npm", "run", "dev"] From a288d69cb89f08284e01183769831af888280acc Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Fri, 29 May 2026 15:01:28 +0200 Subject: [PATCH 05/13] fix: remove drone base image --- .drone.yml | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/.drone.yml b/.drone.yml index b32e8e0..f21346b 100644 --- a/.drone.yml +++ b/.drone.yml @@ -13,7 +13,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker:21.2.8-linux-amd64 + image: plugins/docker depends_on: - submodules settings: 
@@ -22,12 +22,9 @@ steps: from_secret: docker_username password: from_secret: docker_password - base_image_registry: dhi.io - base_image_username: - from_secret: dockerhub_username - base_image_password: - from_secret: dockerhub_password repo: "registry.dev.kern.ai/${DRONE_REPO}" + platform: linux/amd64 + target_platform: linux/amd64 tags: ["${DRONE_COMMIT_SHA}", "${DRONE_COMMIT_BRANCH}"] cache_from: - "registry.dev.kern.ai/${DRONE_REPO}:dev" @@ -82,7 +79,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker:21.2.8-linux-arm64 + image: plugins/docker depends_on: - submodules settings: @@ -91,12 +88,9 @@ steps: from_secret: docker_username password: from_secret: docker_password - base_image_registry: dhi.io - base_image_username: - from_secret: dockerhub_username - base_image_password: - from_secret: dockerhub_password repo: "registry.dev.kern.ai/${DRONE_REPO}" + platform: linux/arm64 + target_platform: linux/arm64 tags: ["${DRONE_COMMIT_SHA}_arm64", "${DRONE_COMMIT_BRANCH}_arm64"] cache_from: - "registry.dev.kern.ai/${DRONE_REPO}:dev_arm64" @@ -124,7 +118,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker:21.2.8-linux-amd64 + image: plugins/docker depends_on: - submodules settings: @@ -132,12 +126,9 @@ steps: from_secret: dockerhub_username password: from_secret: dockerhub_password - base_image_registry: dhi.io - base_image_username: - from_secret: dockerhub_username - base_image_password: - from_secret: dockerhub_password repo: "kernai/${DRONE_REPO_NAME}" + platform: linux/amd64 + target_platform: linux/amd64 tag: "${DRONE_TAG}-drone-amd64" trigger: 
@@ -160,7 +151,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker:21.2.8-linux-arm64 + image: plugins/docker depends_on: - submodules settings: @@ -168,12 +159,9 @@ steps: from_secret: dockerhub_username password: from_secret: dockerhub_password - base_image_registry: dhi.io - base_image_username: - from_secret: dockerhub_username - base_image_password: - from_secret: dockerhub_password repo: "kernai/${DRONE_REPO_NAME}" + platform: linux/arm64 + target_platform: linux/arm64 tag: "${DRONE_TAG}-drone-arm64" trigger: From a94206ea709f162d9c4545364b3a4f6ea5ab9042 Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Wed, 3 Jun 2026 02:39:45 +0200 Subject: [PATCH 06/13] ci: build fix --- .drone.yml | 26 ++++++++++++++++---------- Dockerfile | 6 +++--- dev.Dockerfile | 5 +++-- 3 files changed, 22 insertions(+), 15 deletions(-) diff --git a/.drone.yml b/.drone.yml index f21346b..887a030 100644 --- a/.drone.yml +++ b/.drone.yml @@ -13,18 +13,22 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21 depends_on: - submodules settings: + platform: linux/amd64 + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password registry: registry.dev.kern.ai username: from_secret: docker_username password: from_secret: docker_password repo: "registry.dev.kern.ai/${DRONE_REPO}" - platform: linux/amd64 - target_platform: linux/amd64 tags: ["${DRONE_COMMIT_SHA}", "${DRONE_COMMIT_BRANCH}"] cache_from: - "registry.dev.kern.ai/${DRONE_REPO}:dev" 
@@ -79,18 +83,22 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21 depends_on: - submodules settings: + platform: linux/arm64 + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password registry: registry.dev.kern.ai username: from_secret: docker_username password: from_secret: docker_password repo: "registry.dev.kern.ai/${DRONE_REPO}" - platform: linux/arm64 - target_platform: linux/arm64 tags: ["${DRONE_COMMIT_SHA}_arm64", "${DRONE_COMMIT_BRANCH}_arm64"] cache_from: - "registry.dev.kern.ai/${DRONE_REPO}:dev_arm64" @@ -118,7 +126,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21 depends_on: - submodules settings: @@ -128,7 +136,6 @@ steps: from_secret: dockerhub_password repo: "kernai/${DRONE_REPO_NAME}" platform: linux/amd64 - target_platform: linux/amd64 tag: "${DRONE_TAG}-drone-amd64" trigger: @@ -151,7 +158,7 @@ steps: - 'git config --global url."https://github.com/".insteadOf git@github.com:' - "git submodule update --recursive" - name: build and publish - image: plugins/docker + image: plugins/docker:21 depends_on: - submodules settings: @@ -161,7 +168,6 @@ steps: from_secret: dockerhub_password repo: "kernai/${DRONE_REPO_NAME}" platform: linux/arm64 - target_platform: linux/arm64 tag: "${DRONE_TAG}-drone-arm64" trigger: diff --git a/Dockerfile b/Dockerfile index 558e99d..0278e4c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ +ARG PARENT_IMAGE=registry.dev.kern.ai/code-kern-ai/refinery-parent-images:hardened-images-next ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev -ARG DHI_NODE_RUNTIME=dhi.io/node:20-debian12 FROM ${DHI_NODE_BUILD} AS builder 
@@ -23,7 +23,7 @@ COPY tailwind.config.js . RUN npm run build -FROM ${DHI_NODE_RUNTIME} +FROM ${PARENT_IMAGE} WORKDIR /app @@ -31,6 +31,6 @@ COPY --from=builder --chown=65532:65532 /app/.next/standalone ./ COPY --from=builder --chown=65532:65532 /app/public ./public COPY --from=builder --chown=65532:65532 /app/.next/static ./.next/static -USER 65532:65532 +USER nonroot ENTRYPOINT ["node", "server.js"] diff --git a/dev.Dockerfile b/dev.Dockerfile index 4a9649f..6493ff2 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -1,5 +1,6 @@ -ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev -FROM ${DHI_NODE_BUILD} +ARG PARENT_IMAGE=dhi.io/node:20-debian12-dev + +FROM ${PARENT_IMAGE} WORKDIR /app From ae9023f6fcd7fdc9410b5cf128d654a272d00fc4 Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Wed, 3 Jun 2026 10:28:15 +0200 Subject: [PATCH 07/13] ci: build fix --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0278e4c..e6fb454 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,6 +31,6 @@ COPY --from=builder --chown=65532:65532 /app/.next/standalone ./ COPY --from=builder --chown=65532:65532 /app/public ./public COPY --from=builder --chown=65532:65532 /app/.next/static ./.next/static -USER nonroot +USER node ENTRYPOINT ["node", "server.js"] From a086d639379148d77b44d2383c11fdf18fe135d0 Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Wed, 3 Jun 2026 11:50:25 +0200 Subject: [PATCH 08/13] ci: build fix --- Dockerfile | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index e6fb454..2968d2b 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,11 +1,12 @@ -ARG PARENT_IMAGE=registry.dev.kern.ai/code-kern-ai/refinery-parent-images:hardened-images-next ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev +ARG DHI_NODE_RUNTIME=dhi.io/node:20-debian12 FROM ${DHI_NODE_BUILD} AS builder WORKDIR /app COPY package*.json ./ +ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 RUN npm install && npm cache clean --force @@ -23,13 +24,19 @@ COPY tailwind.config.js . RUN npm run build -FROM ${PARENT_IMAGE} +# Standalone bundles its own traced node_modules (Next 12). Do not use +# hardened-images-next here: that parent pre-installs Next 15 and leaves +# extra modules under /app/node_modules, which breaks header handling at runtime. +FROM ${DHI_NODE_RUNTIME} WORKDIR /app -COPY --from=builder --chown=65532:65532 /app/.next/standalone ./ -COPY --from=builder --chown=65532:65532 /app/public ./public -COPY --from=builder --chown=65532:65532 /app/.next/static ./.next/static +ENV NODE_ENV=production +ENV NEXT_TELEMETRY_DISABLED=1 + +COPY --from=builder --chown=1000:1000 /app/.next/standalone ./ +COPY --from=builder --chown=1000:1000 /app/public ./public +COPY --from=builder --chown=1000:1000 /app/.next/static ./.next/static USER node From 255419e10be62c6aeb97afd4bca6e71cb040f626 Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Wed, 3 Jun 2026 14:30:29 +0200 Subject: [PATCH 09/13] ci: build fix --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2968d2b..a754f7d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,6 @@ FROM ${DHI_NODE_BUILD} AS builder WORKDIR /app COPY package*.json ./ -ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 RUN npm install && npm cache clean --force From ba4b71a45f30db94f965d635b4936e883e1aa3f4 Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Mon, 8 Jun 2026 13:29:15 +0200 Subject: [PATCH 10/13] test: use parent image --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
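Review bot: The runtime stage in `Dockerfile` (hunk `@@ -23,13 +24,19 @@`) copies with `--chown=1000:1000` but switches user by name with `USER node`, so ownership only matches if `node` is uid/gid 1000 in `dhi.io/node:20-debian12`, which the diff does not show. Using the name in both places removes the assumption: `COPY --from=builder --chown=node:node /app/.next/standalone ./`, and likewise for the `public` and `.next/static` copies. The previous commit in this series had exactly this kind of mismatch, with `65532:65532` ownership and `USER node`.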
diff --git a/Dockerfile b/Dockerfile index a754f7d..d22e09a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ -ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev +ARG PARENT_IMAGE=kernai/refinery-parent-images:v2.0.0-next ARG DHI_NODE_RUNTIME=dhi.io/node:20-debian12 -FROM ${DHI_NODE_BUILD} AS builder +FROM ${PARENT_IMAGE} AS builder WORKDIR /app From 8687284aae9d0af1ad1a1d6264d85ae535af414f Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Mon, 8 Jun 2026 23:12:02 +0200 Subject: [PATCH 11/13] ci: build fix --- .drone.yml | 8 ++++++++ Dockerfile | 10 +++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.drone.yml b/.drone.yml index 887a030..74d8cd8 100644 --- a/.drone.yml +++ b/.drone.yml @@ -14,6 +14,8 @@ steps: - "git submodule update --recursive" - name: build and publish image: plugins/docker:21 + environment: + BUILDX_NO_DEFAULT_ATTESTATIONS: "1" depends_on: - submodules settings: @@ -84,6 +86,8 @@ steps: - "git submodule update --recursive" - name: build and publish image: plugins/docker:21 + environment: + BUILDX_NO_DEFAULT_ATTESTATIONS: "1" depends_on: - submodules settings: @@ -127,6 +131,8 @@ steps: - "git submodule update --recursive" - name: build and publish image: plugins/docker:21 + environment: + BUILDX_NO_DEFAULT_ATTESTATIONS: "1" depends_on: - submodules settings: @@ -159,6 +165,8 @@ steps: - "git submodule update --recursive" - name: build and publish image: plugins/docker:21 + environment: + BUILDX_NO_DEFAULT_ATTESTATIONS: "1" depends_on: - submodules settings: diff --git a/Dockerfile b/Dockerfile index d22e09a..e14963b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ ARG PARENT_IMAGE=kernai/refinery-parent-images:v2.0.0-next -ARG DHI_NODE_RUNTIME=dhi.io/node:20-debian12 +ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev -FROM ${PARENT_IMAGE} AS builder +FROM ${DHI_NODE_BUILD} AS builder WORKDIR /app 
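Review bot: `BUILDX_NO_DEFAULT_ATTESTATIONS: "1"` on the `build and publish` step (hunk `@@ -14,6 +14,8 @@` of `.drone.yml`, repeated in the three following hunks) turns off the provenance attestation that buildx attaches by default, and nothing in the file says why. For a change whose purpose is hardened images, that removes a supply-chain signal consumers could verify. If the registry or the deploy tooling cannot handle the attestation manifests, say so next to the setting, e.g. `# attestations disabled: <reason>; revisit once the registry accepts them`, and consider publishing provenance or an SBOM by another route.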
@@ -23,15 +23,11 @@ COPY tailwind.config.js . RUN npm run build -# Standalone bundles its own traced node_modules (Next 12). Do not use -# hardened-images-next here: that parent pre-installs Next 15 and leaves -# extra modules under /app/node_modules, which breaks header handling at runtime. -FROM ${DHI_NODE_RUNTIME} +FROM ${PARENT_IMAGE} WORKDIR /app ENV NODE_ENV=production -ENV NEXT_TELEMETRY_DISABLED=1 COPY --from=builder --chown=1000:1000 /app/.next/standalone ./ COPY --from=builder --chown=1000:1000 /app/public ./public From 33b00039148572c1d97e7b01ef74a9ea920eca68 Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Mon, 8 Jun 2026 23:18:03 +0200 Subject: [PATCH 12/13] ci: build fix --- .drone.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.drone.yml b/.drone.yml index 74d8cd8..db48fff 100644 --- a/.drone.yml +++ b/.drone.yml @@ -136,6 +136,11 @@ steps: depends_on: - submodules settings: + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password username: from_secret: dockerhub_username password: @@ -170,6 +175,11 @@ steps: depends_on: - submodules settings: + base_image_registry: dhi.io + base_image_username: + from_secret: dockerhub_username + base_image_password: + from_secret: dockerhub_password username: from_secret: dockerhub_username password: From 386738a419667f3040405e3f300bbb2c69b40c29 Mon Sep 17 00:00:00 2001 From: andhreljaKern Date: Tue, 9 Jun 2026 10:58:43 +0200 Subject: [PATCH 13/13] ci: build fix --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e14963b..da1db55 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ -ARG PARENT_IMAGE=kernai/refinery-parent-images:v2.0.0-next ARG DHI_NODE_BUILD=dhi.io/node:20-debian12-dev +ARG DHI_NODE_RUNTIME=dhi.io/node:20-debian12 FROM ${DHI_NODE_BUILD} AS builder 
@@ -23,11 +23,12 @@ COPY tailwind.config.js . RUN npm run build -FROM ${PARENT_IMAGE} +FROM ${DHI_NODE_RUNTIME} WORKDIR /app ENV NODE_ENV=production +ENV NEXT_TELEMETRY_DISABLED=1 COPY --from=builder --chown=1000:1000 /app/.next/standalone ./ COPY --from=builder --chown=1000:1000 /app/public ./public
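Review bot: The runtime base in `Dockerfile` flips back to `FROM ${DHI_NODE_RUNTIME}` here (hunk `@@ -23,11 +23,12 @@`), but the comment an earlier commit placed above this line is not restored. That comment explained that the parent image pre-installs a different Next version and leaves extra modules under `/app/node_modules`. Without it the next maintainer has no record of why the shared parent image must not be used for the standalone bundle, and the series shows how easily it gets switched back. I would re-add a two-line comment above the `FROM` stating that the standalone output carries its own traced `node_modules` and needs a bare Node runtime.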