Master multiarch 2 #378
Conversation
Walkthrough
Replaced custom alpine Node builder with official node:14-alpine3.14 multi-stage builds, added build toolchain (python2, make, g++), exposed build-time ARG/ENV (WORK_DIR, NODE_OPTIONS, YARN_DEBUG), split monolithic RUN into explicit build steps, and switched final runtime to nginx:mainline-alpine serving assets from /var/web/digit-ui.
Changes
Sequence Diagram(s)
sequenceDiagram
participant Dev as Developer
participant DockerBuild as Build (node:14-alpine3.14)
participant Nginx as Runtime (nginx:mainline-alpine)
Dev->>DockerBuild: docker build (multi-stage)
DockerBuild->>DockerBuild: apk add python2, make, g++, git
DockerBuild->>DockerBuild: set ARG/ENV (WORK_DIR, NODE_OPTIONS, YARN_DEBUG...)
DockerBuild->>DockerBuild: WORKDIR /app/web
DockerBuild->>DockerBuild: run install-deps.sh, yarn install, yarn build:webpack
DockerBuild-->>Nginx: COPY /app/web/build -> /var/web/digit-ui
DockerBuild-->>Nginx: COPY nginx.conf -> /etc/nginx/conf.d/default.conf
Dev->>Nginx: run container to serve assets
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Actionable comments posted: 15
🔭 Outside diff range comments (2)
frontend/micro-ui/web/docker/Dockerfile (1)
46-54: Consider adding HEALTHCHECK and running as non-root (if nginx.conf allows)
- HEALTHCHECK improves orchestration readiness/liveness.
- Running as non-root is recommended; requires nginx to listen on >1024 (e.g., 8080) and config alignment.
Example additions (adjust nginx.conf ports accordingly):
FROM nginx:mainline-alpine ENV WORK_DIR=/var/web/digit-ui RUN mkdir -p ${WORK_DIR} COPY --from=build /app/web/build ${WORK_DIR}/ COPY --from=build /app/web/docker/nginx.conf /etc/nginx/conf.d/default.conf +HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -q -O- http://127.0.0.1:80/ >/dev/null || exit 1 +# If nginx.conf uses 8080: +# USER nginx +# EXPOSE 8080
frontend/micro-ui/web/docker/devDockerfile (1)
81-88: Optional: add HEALTHCHECK and non-root execution
Same considerations as the main Dockerfile.
FROM nginx:mainline-alpine #FROM ghcr.io/egovernments/nginx:mainline-alpine ENV WORK_DIR=/var/web/digit-ui RUN mkdir -p ${WORK_DIR} COPY --from=build /app/web/build ${WORK_DIR}/ COPY --from=build /app/web/docker/nginx.conf /etc/nginx/conf.d/default.conf +HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -q -O- http://127.0.0.1:80/ >/dev/null || exit 1 +# Optionally switch to non-root if nginx.conf listens on 8080: +# USER nginx +# EXPOSE 8080
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (2)
frontend/micro-ui/web/docker/Dockerfile (1 hunks)
frontend/micro-ui/web/docker/devDockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
frontend/micro-ui/web/docker/Dockerfile
[LOW] 1-53: Ensure that HEALTHCHECK instructions have been added to container images
(CKV_DOCKER_2)
[LOW] 1-53: Ensure that a user for the container has been created
(CKV_DOCKER_3)
🪛 Hadolint (2.12.0)
frontend/micro-ui/web/docker/Dockerfile
[warning] 7-7: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 7-7: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[warning] 8-8: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 29-29: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 41-41: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 44-44: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
🪛 GitHub Actions: Build digit-ui
frontend/micro-ui/web/docker/Dockerfile
[error] 8-9: apk add --no-cache python2 make g++ && ln -sf /usr/bin/python2 /usr/bin/python failed: python2 package not available in Alpine Linux v3.16. Command: RUN apk add --no-cache python2 make g++ && ln -sf /usr/bin/python2 /usr/bin/python
[warning] 17-17: LegacyKeyValueFormat: 'ENV key=value' should be used instead of legacy 'ENV key value' format (line 17)
[warning] 32-32: NoEmptyContinuation: Empty continuation line (line 32)
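The review rounds on this page keep returning to the same handful of Dockerfile findings: Checkov CKV_DOCKER_2 and CKV_DOCKER_3 (no HEALTHCHECK, no USER), hadolint DL3018 (unpinned apk packages), the LegacyKeyValueFormat and NoEmptyContinuation warnings from the build, the unquoted git>2.30.0, python2 on an Alpine that no longer ships it, the default-less ARG WORK_DIR and the non-frozen yarn install. The Python below is an added example and is not part of this PR or of CodeRabbit's output: a small checker that joins continuation lines the way BuildKit does and reports each of those findings with its line number. It runs over two constructed Dockerfiles, one assembled from the hunks quoted on this page and one hardened along the lines the review suggests; the apk version pins in the hardened copy are placeholders, and its USER nginx plus port-8080 probe assume an nginx.conf that listens on 8080.

```python
"""Checker for the Dockerfile findings collected in this review (added example, not project code)."""
import re
from collections import namedtuple

Instruction = namedtuple("Instruction", "line name args empty_continuation")
Finding = namedtuple("Finding", "line code message")
EOL_NODE_MAJORS = {10, 12, 14, 16}  # past end-of-life (14: Apr 2023, 16: Sep 2023)
# Constructed from the hunks quoted on this page; not the repository's file verbatim.
SAMPLE_DOCKERFILE = """\
FROM node:14-alpine3.16 AS build
RUN apk add --no-cache git>2.30.0
RUN apk add --no-cache python2 make g++ \\
    && ln -sf /usr/bin/python2 /usr/bin/python
ARG WORK_DIR
ENV GENERATE_SOURCEMAP "false"
COPY ${WORK_DIR} .
RUN node envs.js \\

RUN ./install-deps.sh
RUN yarn install
FROM nginx:mainline-alpine
COPY --from=build /app/web/build /var/web/digit-ui/
"""
# Same build, hardened. apk pins are placeholders (take real ones from `apk policy <pkg>`); USER nginx and the :8080 probe assume nginx.conf listens on 8080.
HARDENED_DOCKERFILE = """\
FROM node:20-alpine AS build
RUN apk add --no-cache git=2.45.2-r0 python3=3.12.3-r1 make=4.4.1-r2 g++=13.2.1_git20240309-r0 \\
    && ln -sf /usr/bin/python3 /usr/bin/python
ARG WORK_DIR=frontend/micro-ui/web
ENV GENERATE_SOURCEMAP=false
COPY ${WORK_DIR} .
RUN yarn install --frozen-lockfile --network-timeout 600000 && yarn build:webpack
FROM nginx:mainline-alpine
COPY --from=build --chown=nginx:nginx /app/web/build /var/web/digit-ui/
RUN chown -R nginx:nginx /var/cache/nginx /var/run /var/log/nginx
USER nginx
HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -qO- http://127.0.0.1:8080/ >/dev/null || exit 1
"""

def parse_instructions(text):
    """Join backslash continuations as BuildKit does: blank/comment lines inside one are skipped (NoEmptyContinuation)."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        start, buf, empty, i = i + 1, lines[i].strip(), False, i + 1
        if not buf or buf.startswith("#"):
            continue
        while buf.endswith("\\"):
            buf = buf[:-1].rstrip()
            while i < len(lines) and (not lines[i].strip() or lines[i].lstrip().startswith("#")):
                empty, i = empty or not lines[i].strip(), i + 1
            if i >= len(lines):
                break
            buf, i = buf + " " + lines[i].strip(), i + 1
        name, _, args = buf.partition(" ")
        out.append(Instruction(start, name.upper(), args.strip(), empty))
    return out

def _check_run(ins, out):
    for seg in re.split(r"\s*(?:&&|\|\||;)\s*", ins.args):
        tok = seg.split()
        if tok[:2] == ["yarn", "install"] and "--frozen-lockfile" not in tok:
            out.append(Finding(ins.line, "yarn-lockfile", "yarn install without --frozen-lockfile may rewrite yarn.lock"))
        if tok[:2] == ["apk", "add"]:
            unpinned = []
            for pkg in (p for p in tok[2:] if not p.startswith("-") and p[0] not in "'\""):  # skip flags, quoted specs
                if ">" in pkg or "<" in pkg:  # unquoted: the shell turns this into a redirect
                    out.append(Finding(ins.line, "apk-redirect", f"{pkg!r} is a shell redirection, not a version pin"))
                elif pkg.split("=")[0] == "python2":
                    out.append(Finding(ins.line, "python2", "python2 is EOL and not packaged on Alpine 3.16; use python3"))
                elif "=" not in pkg:
                    unpinned.append(pkg)
            if unpinned:
                out.append(Finding(ins.line, "apk-unpinned", "DL3018: unpinned " + ", ".join(unpinned)))

def check_dockerfile(text):
    instrs, out, open_args = parse_instructions(text), [], set()
    for ins in instrs:
        if ins.empty_continuation:
            out.append(Finding(ins.line, "empty-continuation", f"blank continuation folded the next line in: {ins.name} {ins.args}"))
        if ins.name == "FROM":
            open_args = set()  # ARGs declared without a default are scoped to their stage
            m = re.match(r"node:(\d+)", ins.args)
            if m and int(m.group(1)) in EOL_NODE_MAJORS:
                out.append(Finding(ins.line, "node-eol", f"node {m.group(1)} is end-of-life"))
        elif ins.name == "ENV" and "=" not in ins.args.split(" ", 1)[0]:
            out.append(Finding(ins.line, "legacy-env", "LegacyKeyValueFormat: write ENV key=value"))
        elif ins.name == "ARG" and "=" not in ins.args:
            open_args.add(ins.args)
        elif ins.name == "COPY":
            for name in (n for n in sorted(open_args) if re.search(r"\$\{?%s\}?" % re.escape(n), ins.args)):
                out.append(Finding(ins.line, "arg-no-default", f"COPY uses ${name} but ARG {name} has no default"))
        elif ins.name == "RUN":
            _check_run(ins, out)
    final = instrs[max((k for k, i in enumerate(instrs) if i.name == "FROM"), default=0):]
    for req, code, msg in (("HEALTHCHECK", "no-healthcheck", "CKV_DOCKER_2: final stage has no HEALTHCHECK"),
                           ("USER", "no-user", "CKV_DOCKER_3: final stage runs as root, no USER")):
        if final and req not in {i.name for i in final}:
            out.append(Finding(final[0].line, code, msg))
    return sorted(out, key=lambda f: f.line)
```

check_dockerfile(open("Dockerfile").read()) returns the findings sorted by line, and an empty list means clean; the sample above yields ten findings and the hardened copy none. The empty-continuation case is the one worth reading in the output: the checker models what BuildKit currently does with the blank line after RUN node envs.js \, which is to warn and keep joining, so RUN ./install-deps.sh becomes extra arguments to node rather than its own build step, and the reported instruction shows exactly that.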
| # FROM egovio/alpine-node-builder-14:yarn AS build | ||
| #FROM ghcr.io/egovernments/alpine-node-builder-14:yarn AS build | ||
|
|
||
| FROM node:14-alpine3.16 AS build |
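Review bot: `node:14-alpine3.16` as the build base conflicts with the `apk add --no-cache python2` step later in this file; the GitHub Actions log quoted above reports that `python2` is not available on Alpine 3.16, so this revision fails at that step. The walkthrough describes the builder as `node:14-alpine3.14`, so either the tag or the toolchain line changed between revisions. Rather than pinning to an older Alpine to keep python2, install `python3` for node-gyp, which also removes an end-of-life interpreter from the build stage.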
🧹 Nitpick (assertive)
Node 14 EOL; consider upgrading to 18/20 if feasible
For dev images, upgrading earlier helps catch incompatibilities.
-FROM node:14-alpine3.16 AS build
+FROM node:20-alpine3.19 AS buildPlease verify app compatibility and native deps with newer Node.
📝 Committable suggestion
| FROM node:14-alpine3.16 AS build | |
| FROM node:20-alpine3.19 AS build |
| RUN apk update | ||
| RUN apk add --no-cache git>2.30.0 | ||
| RUN apk add --no-cache python2 make g++ \ | ||
| && ln -sf /usr/bin/python2 /usr/bin/python | ||
|
|
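Review bot: on the second line of this hunk, `apk add --no-cache git>2.30.0` never reaches apk as a version constraint: the shell parses `>2.30.0` as a stdout redirection, so apk installs whatever `git` the index offers and a stray file named `2.30.0` is left in the working directory of the build stage. To pin, use apk's `=` syntax (`git=<version>`, as hadolint DL3018 asks), and fold `git` into the `apk add --no-cache ... make g++` line so the toolchain is a single layer. The `ln -sf /usr/bin/python2 /usr/bin/python` symlink also only works on a base that still ships python2, which the CI log above says Alpine 3.16 does not.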
Same Alpine 3.16 python2 issue and git>2.30.0 redirection bug
Mirror the fixes from Dockerfile: switch to python3 and correct the git install. Drop apk update.
-RUN apk update
-RUN apk add --no-cache git>2.30.0
-RUN apk add --no-cache python2 make g++ \
- && ln -sf /usr/bin/python2 /usr/bin/python
+RUN apk add --no-cache git python3 make g++ \
+ && ln -sf /usr/bin/python3 /usr/bin/python
+# Or: RUN npm config set python /usr/bin/python3
📝 Committable suggestion
| RUN apk update | |
| RUN apk add --no-cache git>2.30.0 | |
| RUN apk add --no-cache python2 make g++ \ | |
| && ln -sf /usr/bin/python2 /usr/bin/python | |
| RUN apk add --no-cache git python3 make g++ \ | |
| && ln -sf /usr/bin/python3 /usr/bin/python | |
| # Or: RUN npm config set python /usr/bin/python3 |
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/devDockerfile around lines 42-46, remove the
unnecessary "apk update" line, replace the invalid "apk add --no-cache
git>2.30.0" with a normal package install (e.g., "apk add --no-cache git"), and
switch python2 to python3 by installing python3 (and required build tools) and
creating the symlink to /usr/bin/python (ln -sf /usr/bin/python3
/usr/bin/python) so the container uses python3 instead of deprecated python2.
| ENV GENERATE_SOURCEMAP "false" | ||
|
|
||
| COPY ${WORK_DIR} . | ||
| RUN ls -lah |
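Review bot: `COPY ${WORK_DIR} .` copies the whole tree under WORK_DIR into the build stage, and nothing on this page shows a `.dockerignore` beside these Dockerfiles. Without one, a developer's local `node_modules`, the `.git` directory and any `.env` files under that path end up in the build-stage layers and in whatever build cache gets pushed; the runtime stage only copies `/app/web/build`, so the deployed image is not affected, but a shared cache is. Add a `.dockerignore` that excludes at least `node_modules`, `.git` and `*.env`, and drop `RUN ls -lah`: if the listing is needed while debugging, run it once under `docker build --progress=plain` rather than leaving the layer in the committed file.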
🧹 Nitpick (assertive)
Drop RUN ls -lah
Removes a no-op layer and noisy logs.
-RUN ls -lah
📝 Committable suggestion
| RUN ls -lah |
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/devDockerfile around line 55, remove the "RUN ls
-lah" instruction — it's a no-op that creates an extra image layer and noisy
build output; delete that line from the Dockerfile (or replace with a meaningful
build step if directory inspection is required during debugging) and rebuild the
image.
| WORKDIR /app/web | ||
|
|
||
| # Show heap size limit | ||
| RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" |
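Review bot: this line does not fail as written: Node's `-e` and `-p` evaluation expose the built-in modules as globals, the same way the REPL does, so `v8.getHeapStatistics()` resolves without a `require`. Prefer the explicit `require('v8')` anyway, since the same snippet pasted into a script file or a `yarn` script would throw `ReferenceError: v8 is not defined`. Note also that the line only logs the heap limit that `NODE_OPTIONS` gives the build and changes nothing; if it is kept, it belongs with the other build diagnostics in `install-deps.sh` rather than in a layer of its own.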
v8 require missing in Node heap one-liner
Same fix as the other Dockerfile.
-RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))"
+RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))"
📝 Committable suggestion
| RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" | |
| RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))" |
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/devDockerfile around line 61, the one-liner uses
v8.getHeapStatistics() without requiring the v8 module; update the RUN command
to require the v8 module first (e.g., add a const v8 = require('v8') before
calling getHeapStatistics()) so the heap-size log works the same way as the
other Dockerfile.
| ENV YARN_DEBUG=true | ||
| ENV GENERATE_SOURCEMAP "false" | ||
|
|
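Review bot: these `ENV` lines live in the `build` stage only; the runtime image starts from a fresh `FROM nginx:mainline-alpine`, so `NODE_OPTIONS`, `YARN_DEBUG` and `GENERATE_SOURCEMAP` never reach what is deployed. The cost of `YARN_DEBUG=true` is therefore the build log, not the image: yarn's debug output is verbose and lands in CI logs, so default it off through a build arg. `ENV GENERATE_SOURCEMAP "false"` is the legacy space-separated form that the GitHub Actions warning above flags as LegacyKeyValueFormat; `ENV GENERATE_SOURCEMAP=false` sets the same value and is lint-clean.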
🛠️ Refactor suggestion
Use modern ENV syntax; fix GENERATE_SOURCEMAP format
Docker recommends ENV KEY=value. The current ENV GENERATE_SOURCEMAP "false" triggers linter warnings.
-ENV GENERATE_SOURCEMAP "false"
+ENV GENERATE_SOURCEMAP=false
Optional: make debug-only flags build-time toggles so they don’t leak to layers unintentionally.
-ENV YARN_DEBUG=true
+ARG YARN_DEBUG=false
+ENV YARN_DEBUG=${YARN_DEBUG}
📝 Committable suggestion
| ENV NODE_OPTIONS="--max-old-space-size=8500" | |
| ENV YARN_DEBUG=true | |
| ENV GENERATE_SOURCEMAP "false" | |
| ENV NODE_OPTIONS="--max-old-space-size=8500" | |
| ARG YARN_DEBUG=false | |
| ENV YARN_DEBUG=${YARN_DEBUG} | |
| ENV GENERATE_SOURCEMAP=false |
🧰 Tools
🪛 GitHub Actions: Build digit-ui
[warning] 17-17: LegacyKeyValueFormat: 'ENV key=value' should be used instead of legacy 'ENV key value' format (line 17)
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/Dockerfile around lines 15 to 17, the ENV
entries use inconsistent/legacy syntax and the line ENV GENERATE_SOURCEMAP
"false" triggers linter warnings; change all ENV lines to the KEY=value form
(e.g. NODE_OPTIONS=..., YARN_DEBUG=true, GENERATE_SOURCEMAP=false) and
optionally convert debug-only flags (like YARN_DEBUG and NODE_OPTIONS) to
build-time ARGs and then set ENV from those ARGs so they don't persist in
intermediate layers unless explicitly needed.
|
|
||
| COPY ${WORK_DIR} . | ||
| RUN ls -lah | ||
|
|
🧹 Nitpick (assertive)
Remove debug listing to keep image/layers clean
RUN ls -lah adds noise and a layer without value.
-RUN ls -lah
📝 Committable suggestion
| RUN ls -lah |
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/Dockerfile around line 20, remove the debug
command RUN ls -lah which adds an unnecessary image layer and noisy output;
simply delete that line (or replace it with a multi-stage build step if you
intended to inspect files during build, use build-time tooling or
--progress=plain locally) so the Dockerfile produces a cleaner image and smaller
layer count.
|
|
||
| # Show heap size limit | ||
| RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" | ||
|
|
v8 is not defined in Node one-liner
The v8 module must be required explicitly.
-RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))"
+RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))"
📝 Committable suggestion
| RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" | |
| RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))" |
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/Dockerfile around line 26, the Node one-liner
uses v8 without importing it; update the RUN command to require the v8 module
first (e.g., use node -e "const v8 = require('v8'); console.log('Heap limit
(MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))") so v8 is
defined before calling getHeapStatistics.
| RUN yarn config set network-timeout 600000 | ||
|
|
||
| # Install dependencies | ||
| RUN yarn install | ||
|
|
||
| # Build the project | ||
| RUN yarn build:webpack | ||
|
|
🛠️ Refactor suggestion
Prefer deterministic installs and pass timeout via CLI
Use frozen lockfile for reproducibility, and avoid persisting global Yarn config when a CLI flag suffices.
-# Increase timeout before install (recommended for GitHub Actions)
-RUN yarn config set network-timeout 600000
-
-# Install dependencies
-RUN yarn install
-
-# Build the project
-RUN yarn build:webpack
+RUN yarn install --frozen-lockfile --network-timeout 600000
+RUN yarn build:webpack
🧰 Tools
🪛 Hadolint (2.12.0)
[info] 41-41: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 44-44: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/Dockerfile around lines 37 to 44, the Dockerfile
currently sets a persistent global Yarn config for network timeout and runs a
plain yarn install; update it to perform a deterministic install and avoid
altering global config by using the CLI flags: run yarn install with
--frozen-lockfile and pass the network timeout via the command line (e.g.,
--network-timeout 600000) in the same RUN that installs dependencies, then run
the build step as before.
Actionable comments posted: 1
🔭 Outside diff range comments (2)
frontend/micro-ui/web/docker/devDockerfile (1)
81-89: Harden runtime image: run as non-root and add a simple healthcheck
Reduce risk and satisfy basic checks.
FROM nginx:mainline-alpine #FROM ghcr.io/egovernments/nginx:mainline-alpine ENV WORK_DIR=/var/web/digit-ui RUN mkdir -p ${WORK_DIR} -COPY --from=build /app/web/build ${WORK_DIR}/ +COPY --from=build --chown=nginx:nginx /app/web/build ${WORK_DIR}/ COPY --from=build /app/web/docker/nginx.conf /etc/nginx/conf.d/default.conf +RUN chown -R nginx:nginx ${WORK_DIR} /var/cache/nginx /var/run /var/log/nginx +USER nginx +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \ + CMD wget -qO- http://127.0.0.1:80/ >/dev/null || exit 1
Note: If wget isn’t present, switch to curl and install it, or adjust to a path you know exists (e.g., index.html).
frontend/micro-ui/web/docker/Dockerfile (1)
46-54: Harden runtime image: non-root + healthcheck
Adopt least-privilege and basic liveness probe.
FROM nginx:mainline-alpine #FROM ghcr.io/egovernments/nginx:mainline-alpine ENV WORK_DIR=/var/web/digit-ui RUN mkdir -p ${WORK_DIR} -COPY --from=build /app/web/build ${WORK_DIR}/ +COPY --from=build --chown=nginx:nginx /app/web/build ${WORK_DIR}/ COPY --from=build /app/web/docker/nginx.conf /etc/nginx/conf.d/default.conf +RUN chown -R nginx:nginx ${WORK_DIR} /var/cache/nginx /var/run /var/log/nginx +USER nginx +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \ + CMD wget -qO- http://127.0.0.1:80/ >/dev/null || exit 1
♻️ Duplicate comments (15)
frontend/micro-ui/web/docker/devDockerfile (7)
40-41: Node 14 is EOL; move to LTS (18/20) if compatible
Upgrade base image to reduce CVE exposure and future-proof builds.
-FROM node:14-alpine3.14 AS build +FROM node:20-alpine3.19 AS build
42-45: Fix apk usage: drop update, correct git install, switch to python3
- apk update unnecessary with --no-cache.
- git>2.30.0 is shell redirection, not pinning.
- Alpine variant uses python3; node-gyp supports py3.
-RUN apk update -RUN apk add --no-cache git>2.30.0 -RUN apk add --no-cache python2 make g++ \ - && ln -sf /usr/bin/python2 /usr/bin/python +RUN apk add --no-cache git python3 make g++ \ + && ln -sf /usr/bin/python3 /usr/bin/python +# Alternatively: RUN npm config set python /usr/bin/python3
50-52: Use modern ENV syntax; make YARN_DEBUG configurable
Also fix GENERATE_SOURCEMAP legacy format.
-ENV NODE_OPTIONS="--max-old-space-size=1792" -ENV YARN_DEBUG=true -ENV GENERATE_SOURCEMAP "false" +ENV NODE_OPTIONS="--max-old-space-size=1792" +ARG YARN_DEBUG=false +ENV YARN_DEBUG=${YARN_DEBUG} +ENV GENERATE_SOURCEMAP=false
50-56: Remove debug listing to keep image clean
RUN ls -lah adds a noisy, useless layer.
COPY ${WORK_DIR} . -RUN ls -lah
60-62: Fix “v8 is not defined” in Node one-liner
Require the module explicitly.
-RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" +RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))"
64-68: Trailing backslash breaks build; split or chain commands
This currently parses as an empty continuation and fails.
-RUN node envs.js \ - - -RUN ./install-deps.sh +RUN node envs.js +RUN ./install-deps.sh
73-79: Deterministic installs and faster CI
Use lockfile and CLI timeout instead of persisting global config.
-# Increase timeout before install (recommended for GitHub Actions) -RUN yarn config set network-timeout 600000 - -# Install dependencies -RUN yarn install +RUN yarn install --frozen-lockfile --network-timeout 600000 # Build the project RUN yarn build:webpack
Optional: add RUN yarn cache clean --all after install to reduce image size.
frontend/micro-ui/web/docker/Dockerfile (8)
4-5: Node 14 is EOL; move to LTS (18/20) if compatible
Upgrade to supported LTS to reduce CVEs and supply-chain risk.
-FROM node:14-alpine3.14 AS build +FROM node:20-alpine3.19 AS build
6-9: Fix packages: remove apk update, correct git install, use python3
- Avoid apk update with --no-cache.
- Replace git>2.30.0 redirection with proper install.
- Use python3 + symlink for node-gyp.
-RUN apk update -RUN apk add --no-cache git>2.30.0 -RUN apk add --no-cache python2 make g++ \ - && ln -sf /usr/bin/python2 /usr/bin/python +RUN apk add --no-cache git python3 make g++ \ + && ln -sf /usr/bin/python3 /usr/bin/python +# Or: RUN npm config set python /usr/bin/python3
12-14: Default WORK_DIR to a safe path to avoid copying unintended files
Prevents accidental COPY of the repo root when arg isn’t passed.
-ARG WORK_DIR +ARG WORK_DIR=frontend/micro-ui/web WORKDIR /app COPY ${WORK_DIR} .
Ensure CI/local builds pass: --build-arg WORK_DIR=frontend/micro-ui/web
15-17: Use KEY=value for ENV; make YARN_DEBUG a build arg
Also fix legacy GENERATE_SOURCEMAP syntax.
-ENV NODE_OPTIONS="--max-old-space-size=8500" -ENV YARN_DEBUG=true -ENV GENERATE_SOURCEMAP "false" +ENV NODE_OPTIONS="--max-old-space-size=8500" +ARG YARN_DEBUG=false +ENV YARN_DEBUG=${YARN_DEBUG} +ENV GENERATE_SOURCEMAP=false
15-21: Drop RUN ls -lah
Removes a no-op layer and noisy logs.
COPY ${WORK_DIR} . -RUN ls -lah
25-27: Fix v8 usage in Node one-liner
Require the module explicitly.
-RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" +RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))"
29-33: Remove dangling backslash; it breaks the build
Make it a standalone RUN or chain properly.
-RUN node envs.js \ - - -RUN ./install-deps.sh +RUN node envs.js +RUN ./install-deps.sh
37-44: Deterministic dependency install
Use lockfile and pass timeout via CLI.
-# Increase timeout before install (recommended for GitHub Actions) -RUN yarn config set network-timeout 600000 - -# Install dependencies -RUN yarn install +RUN yarn install --frozen-lockfile --network-timeout 600000 # Build the project RUN yarn build:webpack
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (2)
frontend/micro-ui/web/docker/Dockerfile (1 hunks)
frontend/micro-ui/web/docker/devDockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
frontend/micro-ui/web/docker/Dockerfile
[LOW] 1-53: Ensure that HEALTHCHECK instructions have been added to container images
(CKV_DOCKER_2)
[LOW] 1-53: Ensure that a user for the container has been created
(CKV_DOCKER_3)
🪛 Hadolint (2.12.0)
frontend/micro-ui/web/docker/Dockerfile
[warning] 7-7: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 7-7: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[warning] 8-8: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 29-29: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 41-41: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 44-44: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Build application amd64
- GitHub Check: Build application arm64
🔇 Additional comments (1)
frontend/micro-ui/web/docker/Dockerfile (1)
46-54: Multi-stage flow and asset handoff to nginx look good
The overall build → copy build artifacts → serve via nginx pattern is sound and aligns with the new path under /var/web/digit-ui.
| ARG WORK_DIR | ||
| WORKDIR /app | ||
| ENV NODE_OPTIONS "--max-old-space-size=1792" | ||
|
|
||
| ENV NODE_OPTIONS="--max-old-space-size=1792" | ||
| ENV YARN_DEBUG=true | ||
| ENV GENERATE_SOURCEMAP "false" | ||
|
|
||
| COPY ${WORK_DIR} . |
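Review bot: `NODE_OPTIONS` is set twice in this hunk, first in the legacy form `ENV NODE_OPTIONS "--max-old-space-size=1792"` and then as `ENV NODE_OPTIONS="--max-old-space-size=1792"`; the second assignment wins and the first only adds a layer and a LegacyKeyValueFormat warning, so delete it. `ARG WORK_DIR` has no default, so a build that omits `--build-arg WORK_DIR=...` reaches `COPY ${WORK_DIR} .` with an empty source path; give the ARG the intended default so the dev and CI builds copy the same directory.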
🧹 Nitpick (assertive)
Provide a default for WORK_DIR to avoid copying the repo root
Without a default or build-arg, COPY ${WORK_DIR} . may copy unexpected paths.
-ARG WORK_DIR
+ARG WORK_DIR=frontend/micro-ui/web
COPY ${WORK_DIR} .
Ensure CI/local builds pass: --build-arg WORK_DIR=frontend/micro-ui/web
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/devDockerfile around lines 47 to 54, the
Dockerfile uses ARG WORK_DIR without a default which can cause COPY ${WORK_DIR}
. to copy unexpected paths; add a default value for WORK_DIR (e.g., ARG
WORK_DIR=frontend/micro-ui/web) before WORKDIR and keep COPY ${WORK_DIR} .
as-is, and update any build docs/CI configs to pass --build-arg
WORK_DIR=frontend/micro-ui/web to ensure consistent local and CI builds.
Actionable comments posted: 2
🔭 Outside diff range comments (2)
frontend/micro-ui/web/docker/Dockerfile (1)
44-50: Harden the runtime image: HEALTHCHECK and non-root where feasible
- Consider adding a HEALTHCHECK (Checkov CKV_DOCKER_2).
- If nginx can listen on a high port (e.g., 8080) per your nginx.conf, drop privileges (CKV_DOCKER_3).
For example (if you can expose 8080 in nginx.conf):
- Add in final stage:
# Example only — ensure nginx.conf listens on 8080 # USER nginx # HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -q -O - http://127.0.0.1:8080/ >/dev/null 2>&1 || exit 1
Note: Busybox may not have wget/curl; you may need to apk add --no-cache curl or use an alternative probe.
frontend/micro-ui/web/docker/devDockerfile (1)
78-85: Consider HEALTHCHECK and non-root runtime (if nginx listens on high port)
Echoing the prod Dockerfile: add a HEALTHCHECK and drop privileges if your nginx.conf listens on >1024.
Example (adjust to your config):
# USER nginx # HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD wget -q -O - http://127.0.0.1:8080/ >/dev/null 2>&1 || exit 1
If tools aren’t available, install a minimal probe utility or use an alternative signal.
♻️ Duplicate comments (12)
frontend/micro-ui/web/docker/Dockerfile (6)
1-1: Node 14 is EOL — upgrade to an active LTS (18 or 20) to reduce CVEs and supply-chain risk
Move the build base to a supported Node LTS. Validate native deps (node-gyp) and build output with the upgrade.
-FROM node:14-alpine3.14 AS build +FROM node:20-alpine AS build
If you need to pin Alpine, pick a currently supported Alpine tag that satisfies your deployment constraints.
2-6: Fix invalid package spec and drop python2; use python3 for node-gyp
- The token 'git>2.30.0' is not a valid apk package (the comparator is unsupported here); this will fail.
- apk update is unnecessary with --no-cache and adds an extra layer.
- Prefer python3; node-gyp works with Python 3. Avoid EOL python2.
-RUN apk update -RUN apk add --no-cache 'git>2.30.0' -# Install dependencies required for node-gyp (Python, make, g++, etc.) -RUN apk add --no-cache python2 make g++ \ - && ln -sf /usr/bin/python2 /usr/bin/python +# Install dependencies required for node-gyp (Python, make, g++, etc.) +RUN apk add --no-cache git python3 make g++ \ + && ln -sf /usr/bin/python3 /usr/bin/python +# Alternatively avoid the symlink: +# RUN npm config set python /usr/bin/python3
Optional: pin versions per hadolint DL3018 (apk uses = for pinning), e.g., git=2.x.y-rz, python3=3.x.y-rz compatible with your chosen Alpine.
9-16: Provide a safe default for WORK_DIR and remove debug listing
Without a default, COPY ${WORK_DIR} . can fail or copy unintended paths if the build arg isn’t passed; and ls -lah adds a noisy layer.
-ARG WORK_DIR +ARG WORK_DIR=frontend/micro-ui/web ... COPY ${WORK_DIR} . -RUN ls -lah
Run this to ensure your build scripts pass WORK_DIR or rely on the new default:

```bash
#!/bin/bash
set -euo pipefail
echo "Docker build invocations passing WORK_DIR:"
rg -nP 'docker buildx?.*--build-arg\s+WORK_DIR' -C2 || true
echo
echo "Verify the target path contains envs.js and install-deps.sh:"
fd -a 'envs.js|install-deps.sh' -H | sed 's/^/  /'
```
11-13: Use KEY=value ENV format; make debug flags build-time configurable
Fix the legacy ENV syntax and avoid unconditionally enabling Yarn debug.
-ENV NODE_OPTIONS="--max-old-space-size=8500" -ENV YARN_DEBUG=true -ENV GENERATE_SOURCEMAP "false" +ENV NODE_OPTIONS="--max-old-space-size=8500" +ARG YARN_DEBUG=false +ENV YARN_DEBUG=${YARN_DEBUG} +ENV GENERATE_SOURCEMAP=false
22-22: Build will fail: v8 is not defined in the Node one-liner
Require the module before using it.
-RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" +RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))"
35-42: Deterministic installs and avoid persisting global Yarn config
Use the lockfile and pass timeout via CLI instead of writing to global config.
-# Increase timeout before install (recommended for GitHub Actions) -RUN yarn config set network-timeout 600000 - -# Install dependencies -RUN yarn install - -# Build the project -RUN yarn build:webpack +# Install dependencies deterministically +RUN yarn install --frozen-lockfile --network-timeout 600000 +# Build the project +RUN yarn build:webpack
Optional: add RUN yarn cache clean --all after install to slim layers if cache isn’t needed later.
frontend/micro-ui/web/docker/devDockerfile (6)
36-36: Node 14 EOL — update dev base to LTS (18/20) to catch incompatibilities early
Same reasoning as prod Dockerfile; upgrade if feasible.
-FROM node:14-alpine3.14 AS build +FROM node:20-alpine AS build
37-41: Fix invalid apk usage and move to python3
- Remove unnecessary apk update.
- Replace invalid 'git>2.30.0'.
- Use python3 for node-gyp; drop python2.
-RUN apk update -RUN apk add --no-cache 'git>2.30.0' -# Install dependencies required for node-gyp (Python, make, g++, etc.) -RUN apk add --no-cache python2 make g++ \ - && ln -sf /usr/bin/python2 /usr/bin/python +# Install dependencies required for node-gyp (Python, make, g++, etc.) +RUN apk add --no-cache git python3 make g++ \ + && ln -sf /usr/bin/python3 /usr/bin/python +# Or: RUN npm config set python /usr/bin/python3
Optional: pin package versions with = if you require reproducibility.
43-50: Default WORK_DIR and remove debug listing
Avoid accidental COPY context issues; drop ls -lah.
-ARG WORK_DIR +ARG WORK_DIR=frontend/micro-ui/web ... COPY ${WORK_DIR} . -RUN ls -lah

```bash
#!/bin/bash
set -euo pipefail
echo "Dev builds passing WORK_DIR:"
rg -nP 'docker buildx?.*--build-arg\s+WORK_DIR' -C2 || true
```
45-47: Fix ENV syntax and make debug toggles opt-in
Use KEY=value and avoid always-on debug in images.
-ENV NODE_OPTIONS="--max-old-space-size=1792" -ENV YARN_DEBUG=true -ENV GENERATE_SOURCEMAP "false" +ENV NODE_OPTIONS="--max-old-space-size=1792" +ARG YARN_DEBUG=false +ENV YARN_DEBUG=${YARN_DEBUG} +ENV GENERATE_SOURCEMAP=false
56-56: Build will fail: v8 is not defined
Require the module before using it.
-RUN node -e "console.log('Heap limit (MB):', v8.getHeapStatistics().heap_size_limit / (1024 * 1024))" +RUN node -e "console.log('Heap limit (MB):', require('v8').getHeapStatistics().heap_size_limit / (1024 * 1024))"
69-76: Deterministic install; avoid global yarn config
Use lockfile and pass timeout per command.
-# Increase timeout before install (recommended for GitHub Actions) -RUN yarn config set network-timeout 600000 - -# Install dependencies -RUN yarn install - -# Build the project -RUN yarn build:webpack +RUN yarn install --frozen-lockfile --network-timeout 600000 +RUN yarn build:webpack
Optional: RUN yarn cache clean --all if you don’t need the cache later.
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (2)
frontend/micro-ui/web/docker/Dockerfile (1 hunks)
frontend/micro-ui/web/docker/devDockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
frontend/micro-ui/web/docker/Dockerfile
[LOW] 1-50: Ensure that HEALTHCHECK instructions have been added to container images
(CKV_DOCKER_2)
[LOW] 1-50: Ensure that a user for the container has been created
(CKV_DOCKER_3)
🪛 Hadolint (2.12.0)
frontend/micro-ui/web/docker/Dockerfile
[warning] 3-3: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 3-3: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[warning] 5-5: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 25-25: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 30-30: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 39-39: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 42-42: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
| WORKDIR /app/web | ||
| RUN chmod +x ./install-deps.sh | ||
| RUN ./install-deps.sh | ||
|
|
||
| # Return to main directory for install/build | ||
| WORKDIR /app/web | ||
|
|
🧹 Nitpick (assertive)
Minor cleanup: duplicate WORKDIRs not needed
Keep a single WORKDIR /app/web to simplify.
-WORKDIR /app/web
-...
-# Return to main directory for install/build
-WORKDIR /app/web
+# Single WORKDIR is sufficient
+WORKDIR /app/web
Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/devDockerfile around lines 62 to 68 there are
duplicate WORKDIR /app/web entries; remove the redundant one so the Dockerfile
sets WORKDIR /app/web once (before RUN chmod +x ./install-deps.sh and RUN
./install-deps.sh) and delete the later duplicate line to simplify and avoid
unnecessary repetition.
| # Set working directory | ||
| WORKDIR /app/web | ||
|
|
🧹 Nitpick (assertive)
Reduce duplicate WORKDIR switches; keep it once
You set WORKDIR /app/web three times. One is sufficient.
-# Set working directory
-WORKDIR /app/web
...
-WORKDIR /app/web
...
-# Return to main directory for install/build
-WORKDIR /app/web
+# Set working directory (once)
+WORKDIR /app/web
Also applies to: 28-34
🤖 Prompt for AI Agents
In frontend/micro-ui/web/docker/Dockerfile around lines 18 to 20 (and also lines
28 to 34), there are multiple identical WORKDIR /app/web instructions; keep a
single WORKDIR directive at the appropriate place (preferably after setting up
/app and before COPY/ADD that relies on it) and remove the duplicate WORKDIR
lines to reduce redundancy and potential confusion.
Summary by CodeRabbit
New Features
Refactor
Performance
Chores