mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-06-27 17:35:30 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
a33eeec9cd96b617db6ecdbecf9a1b5deee87d78
pnpm/pnpr/docker/Dockerfile
Zoltan Kochan e2dab007f8 ci(pnpr): publish a Docker image on release (#12619) 
* ci(pnpr): publish a Docker image on release

Add a `docker` job to the pnpr release workflow that builds and pushes a
multi-arch (linux/amd64, linux/arm64) image to ghcr.io/pnpm/pnpr after the
npm packages are published.

The image is built from the static musl binaries the release job already
produces, so no Rust toolchain runs in the Docker build and the image
matches exactly what ships to npm. It is based on debian:stable-slim with
ca-certificates (pnpr reaches upstream registries over HTTPS via rustls'
platform cert verifier), runs as a non-root user, declares storage and
cache volumes, exposes 7677, and defaults to binding 0.0.0.0 so the server
is reachable from outside the container. The build self-checks that
`pnpr --version` matches the PNPR_VERSION build-arg.

Stable releases also move the mutable `latest` tag; prereleases (versions
containing a hyphen) only get the exact-version tag.

* ci(pnpr): drop unused id-token permission from docker job

The docker job uses only docker/build-push-action's built-in provenance
and SBOM attestations, which are pushed to GHCR via GITHUB_TOKEN. It does
not call actions/attest-build-provenance, so the OIDC id-token: write
permission was unused. Drop it to follow least privilege.

* ci(pnpr): verify staged binary checksum in the docker image build

The build job now pins each binary's SHA256 at build time and uploads it
with the artifact. The docker job verifies the staged binaries against
those checksums and passes them as build-args, and the Dockerfile
re-verifies the binary it copies before trusting it. A 'pnpr --version'
check only confirms reported metadata, so it cannot stand in for an
integrity check on the binary itself. Mirrors the existing pnpm image.

* ci(pnpr): extract release artifacts into an isolated directory

Extract the downloaded musl tarballs into a throwaway directory and move
only the expected, checksum-verified regular files into the Docker build
context. A malformed archive (path traversal or symlink entries) can no
longer escape into the workspace and overwrite the Dockerfile or staged
binaries before the image is pushed to GHCR.

* docs(pnpr): add a language to the docker README code fence

The image-name fenced block lacked a language identifier, tripping
markdownlint MD040. Tag it as text.
2026-06-24 14:40:29 +00:00

57 lines
2.2 KiB
Docker
Raw Blame History

# syntax=docker/dockerfile:1.7
# Refresh periodically: resolve with
# docker buildx imagetools inspect debian:stable-slim --format '{{.Manifest.Digest}}'
FROM debian:stable-slim@sha256:e51bfcd2226c480a5416730e0fa2c40df28b0da5ff562fc465202feeef2f1116
ARG PNPR_VERSION
ARG TARGETARCH
ARG PNPR_SHA256_AMD64
ARG PNPR_SHA256_ARM64
# pnpr reaches upstream registries over HTTPS via rustls' platform
# verifier, which reads the system CA bundle, so ca-certificates is required.
RUN set -eu; \
apt-get update; \
apt-get install -y --no-install-recommends ca-certificates; \
rm -rf /var/lib/apt/lists/*; \
useradd --system --create-home --home-dir /home/pnpr --shell /usr/sbin/nologin pnpr
# The build context stages the prebuilt static musl binary for each
# architecture as pnpr-<TARGETARCH> (pnpr-amd64, pnpr-arm64).
COPY pnpr-${TARGETARCH} /usr/local/bin/pnpr
# Verify the staged binary against the checksum pinned by the release job
# before trusting it. `pnpr --version` only confirms reported metadata, so
# it cannot stand in for an integrity check on the binary itself.
RUN set -eu; \
test -n "$PNPR_VERSION"; \
case "$TARGETARCH" in \
amd64) expected_sha="$PNPR_SHA256_AMD64" ;; \
arm64) expected_sha="$PNPR_SHA256_ARM64" ;; \
*) echo "unsupported architecture: $TARGETARCH" >&2; exit 1 ;; \
esac; \
test -n "$expected_sha" || { echo "missing PNPR_SHA256_* build-arg for $TARGETARCH" >&2; exit 1; }; \
echo "$expected_sha /usr/local/bin/pnpr" | sha256sum -c -; \
chmod 0755 /usr/local/bin/pnpr; \
installed="$(pnpr --version | awk '{print $NF}')"; \
test "$installed" = "$PNPR_VERSION" || { \
echo "pnpr version mismatch: expected $PNPR_VERSION, got $installed" >&2; \
exit 1; \
}; \
mkdir -p /pnpr/storage /pnpr/cache; \
chown -R pnpr:pnpr /pnpr
USER pnpr
WORKDIR /pnpr
# Persist published packages and the disposable upstream mirror.
VOLUME ["/pnpr/storage", "/pnpr/cache"]
# pnpr's default port. Bind to 0.0.0.0 so the server is reachable from
# outside the container (the binary defaults to 127.0.0.1).
EXPOSE 7677
ENTRYPOINT ["pnpr"]
CMD ["--listen", "0.0.0.0:7677", "--storage", "/pnpr/storage", "--cache", "/pnpr/cache"]
Reference in New Issue View Git Blame Copy Permalink