From 91c1bc848ed6a7aca3c0d10e91daa25eb22e2e30 Mon Sep 17 00:00:00 2001
From: Doan Minh Tu
Date: Wed, 11 Mar 2026 06:49:10 +0700
Subject: [PATCH] ci: harden Dockerfile and workflow security

---
 .github/dependabot.yml               | 6 ++++++
 .github/workflows/docker-publish.yml | 2 ++
 Dockerfile                           | 6 +++++-
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..ca79ca5b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index e37c10f9..64f143ac 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -63,3 +63,5 @@ jobs:
           cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
           cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
           platforms: linux/amd64
+          provenance: false
+          sbom: false
diff --git a/Dockerfile b/Dockerfile
index 5d2491cf..8901e172 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,7 @@ COPY package*.json ./
 
 RUN if [ -f package-lock.json ]; then npm ci --no-audit --no-fund; else npm install --no-audit --no-fund; fi
 COPY . ./
+ENV NEXT_TELEMETRY_DISABLED=1
 RUN npm run build
 
 FROM node:20-alpine AS runner
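Review bot: The `updates` list in the new dependabot.yml covers only `package-ecosystem: github-actions`, so the `node:20-alpine` base image and the npm dependencies installed by the Dockerfile touched in this same commit get no automated update PRs. Given the commit's stated hardening goal, add a `docker` entry for the Dockerfile at `/` with the same weekly schedule, and an `npm` entry as well if a lockfile is committed (the Dockerfile's `if [ -f package-lock.json ]` branch suggests that may vary). Keeping the actions, base image and packages on one update cadence makes the workflow hardening consistent across the supply chain.
```yaml
# … unchanged: version and github-actions entry …
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
```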
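Review bot: `provenance: false` and `sbom: false` at the end of the build step turn off the attestations the build action (presumably docker/build-push-action, given the `cache-from`/`cache-to`/`platforms` inputs) would otherwise attach to the pushed image, so a commit titled "harden ... workflow security" publishes less supply-chain evidence rather than more. If the motivation is the extra attestation manifests that some registries or image tooling mishandle, record that next to the two keys, e.g. `# attestations disabled: <registry/tool> rejects the attestation manifests — revisit`; otherwise prefer `provenance: mode=max` and `sbom: true` so consumers can verify the image's build source and contents. The enclosing step and job start outside the hunk.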
@@ -15,15 +16,18 @@ LABEL org.opencontainers.image.title="9router"
 ENV NODE_ENV=production
 ENV PORT=20128
 ENV HOSTNAME=0.0.0.0
+ENV NEXT_TELEMETRY_DISABLED=1
 
 # Runtime writable location for localDb when DATA_DIR is configured to /app/data
-RUN mkdir -p /app/data
+RUN mkdir -p /app/data && chown node:node /app/data
 
 COPY --from=builder /app/public ./public
 COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/open-sse ./open-sse
 
+USER node
+
 EXPOSE 20128
 
 CMD ["node", "server.js"]
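Review bot: `USER node` names the account symbolically, which Kubernetes `runAsNonRoot` cannot verify (the pod is rejected for a non-numeric image user), so prefer the numeric form `USER 1000:1000` — the `node` account's UID/GID in the official node images, confirm for this tag — or at least `USER node:node`. The four `COPY --from=builder` lines above it still copy with root ownership while the process now runs as `node`; that is correct for read-only assets, but if the standalone Next.js server writes a runtime cache under `.next` it will now fail with EACCES, so confirm and add `--chown=node:node` to those copies if it does. Note also that `chown node:node /app/data` only fixes ownership inside the image layer; when a volume is mounted at `/app/data` at run time the mount's ownership takes precedence and needs to be set on the host or by the orchestrator.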