fix: Docker security hardening and CI version alignment (#712)

* fix: Docker security hardening and CI version alignment

Remove .env COPY from realtime, migrate, and seed Dockerfiles — env vars
are provided at runtime via docker-compose env_file. Add .env to
.dockerignore. Convert realtime Dockerfile to multi-stage build with
USER node. Enable --frozen-lockfile in processor build. Replace no-op
worker healthcheck with pgrep process check. Enable NEXT_TELEMETRY_DISABLED
in web Dockerfile. Align CI to Node 22 and Postgres 17 matching production.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address review feedback on realtime Dockerfile and worker healthcheck

Realtime Dockerfile:
- Add build steps for shared packages and realtime service (tsc)
- Production-only install in runner stage (--prod) excludes devDependencies
- Remove git/npm config (only pnpm is used, no git-based deps)
- Runner now executes compiled JS via node instead of tsx

Worker healthcheck:
- Replace pgrep with node-based PID 1 liveness check
- Avoids procps-ng dependency and ancestor shell match false-positives

.dockerignore:
- Use .env* glob with !.env.example override for broader coverage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add missing trailing newlines to worker and seed Dockerfiles

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: narrow realtime Dockerfile COPY to only required packages and dist artifacts

Builder stage: replace broad `COPY packages` with targeted copies of
packages/db, packages/lib, and types (needed for build-time type roots).

Runner stage: copy only compiled dist/ directories instead of full package
trees — package.json files are already present from the prod install step,
so Node module resolution via pnpm workspace links works correctly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2witstudios

.dockerignore

@@ -28,10 +28,8 @@ dist/
 !packages/**/dist/**
 
 # Environment files
-.env.local
-.env.development.local
-.env.test.local
-.env.production.local
+.env*
+!.env.example
 
 # IDE and editor files
 .vscode/

.github/workflows/test.yml

@@ -8,7 +8,7 @@ on:
   workflow_dispatch:
 
 env:
-  NODE_VERSION: '20'
+  NODE_VERSION: '22'
 
 jobs:
   unit-tests:
@@ -17,7 +17,7 @@ jobs:
 
     services:
       postgres:
-        image: postgres:16
+        image: postgres:17-alpine
         env:
           POSTGRES_PASSWORD: postgres
           POSTGRES_DB: pagespace_test

apps/processor/Dockerfile

@@ -27,9 +27,8 @@ COPY packages/db/package.json ./packages/db/
 COPY packages/lib/package.json ./packages/lib/
 COPY apps/processor/package.json ./apps/processor/
 
-# Install all dependencies
-# Install dependencies (allow lockfile update since processor deps changed)
-RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store pnpm config set store-dir /pnpm/store && pnpm install --no-frozen-lockfile --prod=false
+# Install dependencies
+RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store pnpm config set store-dir /pnpm/store && pnpm install --frozen-lockfile --prod=false
 
 # Now copy source code AFTER dependencies are installed
 COPY tsconfig.json ./

apps/realtime/Dockerfile

@@ -1,40 +1,58 @@
 # syntax=docker/dockerfile:1.6
-# This Dockerfile runs the realtime service.
-# It uses the same pattern as the working migrate container.
-FROM node:22.17.0-alpine
+# Multi-stage build for the realtime Socket.IO service
 
-# Set working directory
+# Stage 1: Install dependencies and build
+FROM node:22.17.0-alpine AS builder
 WORKDIR /app
 
-# Install basic tools and configure npm
-RUN apk add --no-cache git && \
-    npm config set fetch-timeout 300000 && \
-    npm config set fetch-retry-maxtimeout 120000 && \
-    npm config set fetch-retry-mintimeout 10000
-
-# Enable corepack and prepare specific pnpm version
 RUN corepack enable && \
     (corepack prepare pnpm@10.13.1 --activate || corepack prepare pnpm@10.13.1 --activate || corepack prepare pnpm@10.13.1 --activate)
 
-# Copy package files first for better Docker layer caching
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
 COPY packages/db/package.json ./packages/db/
 COPY packages/lib/package.json ./packages/lib/
 COPY apps/web/package.json ./apps/web/
 COPY apps/realtime/package.json ./apps/realtime/
 
-# Install ALL dependencies for the entire monorepo
 RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store pnpm config set store-dir /pnpm/store && pnpm install --frozen-lockfile --prod=false
 
-# Copy only the source code needed (avoid copying node_modules)
-COPY packages ./packages
-COPY apps ./apps
+COPY types ./types
+COPY packages/db ./packages/db
+COPY packages/lib ./packages/lib
+COPY apps/realtime ./apps/realtime
 COPY tsconfig.json ./
 
-# Copy .env file for environment variables
-COPY .env ./
+# Build shared packages and the realtime service
+RUN pnpm --filter @pagespace/db build && \
+    pnpm --filter @pagespace/lib build && \
+    pnpm --filter realtime build
+
+# Stage 2: Production runner
+FROM node:22.17.0-alpine AS runner
+WORKDIR /app
+
+RUN corepack enable && \
+    (corepack prepare pnpm@10.13.1 --activate || corepack prepare pnpm@10.13.1 --activate || corepack prepare pnpm@10.13.1 --activate)
+
+# Copy manifests and lockfile for production install
+COPY --from=builder /app/package.json /app/pnpm-lock.yaml /app/pnpm-workspace.yaml ./
+COPY --from=builder /app/packages/db/package.json ./packages/db/
+COPY --from=builder /app/packages/lib/package.json ./packages/lib/
+COPY --from=builder /app/apps/web/package.json ./apps/web/
+COPY --from=builder /app/apps/realtime/package.json ./apps/realtime/
+
+# Install production-only dependencies
+RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store pnpm config set store-dir /pnpm/store && pnpm install --frozen-lockfile --prod
+
+# Copy only compiled runtime artifacts from builder
+COPY --from=builder /app/packages/db/dist ./packages/db/dist
+COPY --from=builder /app/packages/lib/dist ./packages/lib/dist
+COPY --from=builder /app/apps/realtime/dist ./apps/realtime/dist
+
+ENV NODE_ENV=production
+
+USER node
 
 EXPOSE 3001
 
-# Run the realtime service with tsx
-CMD ["pnpm", "--filter", "realtime", "start"]
+CMD ["node", "apps/realtime/dist/index.js"]

apps/web/Dockerfile

@@ -47,8 +47,7 @@ ENV NEXT_PUBLIC_GOOGLE_OAUTH_IOS_CLIENT_ID=$NEXT_PUBLIC_GOOGLE_OAUTH_IOS_CLIENT_
 
 # Next.js collects telemetry data by default.
 # Learn more here: https://nextjs.org/telemetry
-# Uncomment the following line in case you want to disable telemetry.
-# ENV NEXT_TELEMETRY_DISABLED 1
+ENV NEXT_TELEMETRY_DISABLED=1
 
 # We are installing devDependencies via the --prod=false flag, so this is not needed
 # ENV NODE_ENV=development
@@ -65,8 +64,7 @@ FROM node:22.17.0-alpine AS runner
 WORKDIR /app
 
 ENV NODE_ENV=production
-# Uncomment the following line in case you want to disable telemetry.
-# ENV NEXT_TELEMETRY_DISABLED 1
+ENV NEXT_TELEMETRY_DISABLED=1
 
 # Use the existing node user (UID 1000) from the base image
 # This matches the processor container's UID for shared volume access

apps/web/Dockerfile.migrate

@@ -34,6 +34,3 @@ COPY tsconfig.json ./
 
 # Build the database package to ensure latest schema changes are compiled
 RUN pnpm --filter @pagespace/db build
-
-# Copy .env file for tsx --env-file
-COPY .env ./

apps/web/Dockerfile.seed

@@ -26,8 +26,5 @@ COPY packages ./packages
 COPY apps ./apps
 COPY tsconfig.json ./
 
-# Copy .env file for tsx --env-file
-COPY .env ./
-
 # Run seed
-CMD ["pnpm", "--filter", "@pagespace/db", "db:seed"]
+CMD ["pnpm", "--filter", "@pagespace/db", "db:seed"]

apps/web/Dockerfile.worker

@@ -39,9 +39,9 @@ COPY --from=deps --chown=worker:nodejs /app .
 
 USER worker
 
-# Health check
+# Health check - verify the main process (PID 1) is alive
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
-  CMD node -e "console.log('Worker health check')" || exit 1
+  CMD node -e "try { process.kill(1, 0); } catch(e) { process.exit(1); }"
 
 # Run the worker using tsx
-CMD ["pnpm", "tsx", "apps/web/src/workers/file-processor.ts"]
+CMD ["pnpm", "tsx", "apps/web/src/workers/file-processor.ts"]