Enhance Dockerfile and Build Workflow

aalexmrt · aalexmrt · commit c8f3c01a6e1f · 2025-11-16T09:43:25.000-05:00
- Added verification for the existence of package-lock.json in both the build-and-push workflow and Dockerfile, ensuring reproducible builds.
- Implemented retry logic for npm ci commands in the Dockerfile to improve reliability during dependency installation.
- Added checks to verify critical dependencies are present in the built Docker image, enhancing the robustness of the build process.
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -48,17 +48,72 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
+      - name: Verify package-lock.json exists
+        run: |
+          if [ ! -f backend/package-lock.json ]; then
+            echo "❌ ERROR: package-lock.json is missing!"
+            echo "   This file is required for reproducible builds."
+            echo "   Please commit it: git add backend/package-lock.json && git commit -m 'Add package-lock.json'"
+            exit 1
+          fi
+          echo "✅ package-lock.json found"
+
       - name: Build and push image
+        id: build
         run: |
+          IMAGE_TAG=${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/github-scraper/${{ steps.extract.outputs.SERVICE }}:${{ steps.extract.outputs.VERSION }}
+          LATEST_TAG=${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/github-scraper/${{ steps.extract.outputs.SERVICE }}:latest
+
+          echo "🔨 Building image..."
           docker buildx build \
             --platform linux/amd64 \
             -f ${{ steps.extract.outputs.DOCKERFILE }} \
             --build-arg VERSION=${{ steps.extract.outputs.VERSION }} \
-            -t ${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/github-scraper/${{ steps.extract.outputs.SERVICE }}:${{ steps.extract.outputs.VERSION }} \
-            -t ${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/github-scraper/${{ steps.extract.outputs.SERVICE }}:latest \
+            --cache-from type=registry,ref=${IMAGE_TAG} \
+            --cache-from type=registry,ref=${LATEST_TAG} \
+            -t ${IMAGE_TAG} \
+            -t ${LATEST_TAG} \
             --push \
+            --provenance=false \
+            --sbom=false \
             ./backend
-          echo "✅ Image built and pushed: ${{ steps.extract.outputs.SERVICE }}:${{ steps.extract.outputs.VERSION }}"
+
+          echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_OUTPUT
+          echo "LATEST_TAG=${LATEST_TAG}" >> $GITHUB_OUTPUT
+          echo "✅ Image built and pushed successfully"
+
+      - name: Verify image in registry
+        run: |
+          IMAGE_TAG="${{ steps.build.outputs.IMAGE_TAG }}"
+          EXPECTED_VERSION="${{ steps.extract.outputs.VERSION }}"
+
+          echo "🔍 Verifying image in registry..."
+
+          # Pull and verify APP_VERSION
+          docker pull ${IMAGE_TAG}
+
+          # Verify APP_VERSION is set
+          APP_VERSION=$(docker inspect ${IMAGE_TAG} --format='{{range .Config.Env}}{{println .}}{{end}}' | grep "^APP_VERSION=" | cut -d= -f2 || echo "")
+
+          if [ "$APP_VERSION" != "$EXPECTED_VERSION" ]; then
+            echo "❌ ERROR: APP_VERSION mismatch!"
+            echo "   Expected: ${EXPECTED_VERSION}"
+            echo "   Found: ${APP_VERSION:-not set}"
+            exit 1
+          fi
+          echo "✅ APP_VERSION verified: ${APP_VERSION}"
+
+          # Verify node_modules exists (quick check)
+          if ! docker run --rm --platform linux/amd64 --entrypoint /bin/sh ${IMAGE_TAG} -c "test -d /app/node_modules && test -f /app/node_modules/.bin/prisma && test -d /app/node_modules/fastify" 2>/dev/null; then
+            echo "❌ ERROR: Critical dependencies missing in image!"
+            echo "   Checking what's in /app:"
+            docker run --rm --platform linux/amd64 --entrypoint /bin/sh ${IMAGE_TAG} -c "ls -la /app" || true
+            exit 1
+          fi
+          echo "✅ Dependencies verified: node_modules, prisma, fastify all present"
+
+          echo "✅ Image verification passed"
+          echo "✅ Image ready: ${{ steps.extract.outputs.SERVICE }}:${{ steps.extract.outputs.VERSION }}"
           echo "   Version injected via build arg: ${{ steps.extract.outputs.VERSION }}"
 
       - name: Cleanup old images
diff --git a/backend/Dockerfile.prod b/backend/Dockerfile.prod
@@ -15,8 +15,25 @@ COPY prisma ./prisma/
 COPY tsconfig.json ./
 
 # Install all dependencies (including dev dependencies for building)
-# Retry npm ci up to 3 times on failure
-RUN for i in 1 2 3; do npm ci && break || sleep 10; done
+# Verify package-lock.json exists, then retry npm ci up to 3 times on failure
+RUN if [ ! -f package-lock.json ]; then \
+      echo "❌ ERROR: package-lock.json is missing! It must be committed to git."; \
+      echo "   Run: git add backend/package-lock.json && git commit -m 'Add package-lock.json'"; \
+      exit 1; \
+    fi && \
+    for i in 1 2 3; do \
+      if npm ci; then \
+        echo "✅ Dependencies installed successfully (attempt $i)"; \
+        break; \
+      else \
+        echo "⚠️  npm ci failed (attempt $i/3), retrying..."; \
+        if [ $i -eq 3 ]; then \
+          echo "❌ ERROR: npm ci failed after 3 attempts"; \
+          exit 1; \
+        fi; \
+        sleep 10; \
+      fi; \
+    done
 
 # Copy application code
 COPY src ./src
@@ -48,8 +65,34 @@ COPY package*.json ./
 COPY prisma ./prisma/
 
 # Install only production dependencies
-# Retry npm ci up to 3 times on failure
-RUN for i in 1 2 3; do npm ci --omit=dev && break || sleep 10; done
+# Verify package-lock.json exists, then retry npm ci up to 3 times on failure
+RUN if [ ! -f package-lock.json ]; then \
+      echo "❌ ERROR: package-lock.json is missing! It must be committed to git."; \
+      echo "   Run: git add backend/package-lock.json && git commit -m 'Add package-lock.json'"; \
+      exit 1; \
+    fi && \
+    for i in 1 2 3; do \
+      if npm ci --omit=dev; then \
+        echo "✅ Production dependencies installed successfully (attempt $i)"; \
+        break; \
+      else \
+        echo "⚠️  npm ci failed (attempt $i/3), retrying..."; \
+        if [ $i -eq 3 ]; then \
+          echo "❌ ERROR: npm ci failed after 3 attempts"; \
+          exit 1; \
+        fi; \
+        sleep 10; \
+      fi; \
+    done && \
+    # Verify critical dependencies are installed
+    if [ ! -d "node_modules" ] || [ ! -f "node_modules/.bin/prisma" ] || [ ! -d "node_modules/fastify" ]; then \
+      echo "❌ ERROR: Critical dependencies missing after installation"; \
+      echo "   node_modules exists: $([ -d node_modules ] && echo yes || echo no)"; \
+      echo "   prisma binary exists: $([ -f node_modules/.bin/prisma ] && echo yes || echo no)"; \
+      echo "   fastify exists: $([ -d node_modules/fastify ] && echo yes || echo no)"; \
+      exit 1; \
+    fi && \
+    echo "✅ Verified: node_modules, prisma, and fastify are present"
 
 # Copy built files from builder
 COPY --from=builder /app/dist ./dist
