mirror of
https://github.com/TecharoHQ/anubis.git
synced 2026-05-20 05:10:30 +00:00
fix(docs/deploy): harden public docs deployment and pin images
Add a pod-level security context to the nginx container in the public docs deployment (non-root uid 101, dropped capabilities, read-only root filesystem, RuntimeDefault seccomp) and rebind it to unprivileged port 8080 so it does not need CAP_NET_BIND_SERVICE. The nginx PID and proxy temp paths move under a tmpfs-backed emptyDir so the read-only root filesystem does not break startup. Replace the mutable :main tags on both containers with immutable sha256 digests and switch imagePullPolicy to IfNotPresent so each rollout references an auditable artifact instead of whatever happens to be tagged :main when the pod starts. The docs-deploy workflow now overlays the freshly built docs digest via `kustomize edit set image` so the manifest stays accurate without a manual edit on each push to main. The docs Dockerfile pins its node and nginx-micro base images to specific versions for the same reason. Ref: AWOO-011, AWOO-012 Assisted-by: Claude Opus 4.7 via Claude Code Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
Xe Iaso
+2
-2
@@ -1,11 +1,11 @@
|
||||
FROM docker.io/library/node:lts AS build
|
||||
FROM docker.io/library/node:22.22.3-alpine AS build
|
||||
|
||||
WORKDIR /app
|
||||
COPY . .
|
||||
|
||||
RUN npm ci && npm run build
|
||||
|
||||
FROM ghcr.io/xe/nginx-micro
|
||||
FROM ghcr.io/xe/nginx-micro:v1.29.0
|
||||
COPY --from=build /app/build /www
|
||||
COPY ./manifest/cfg/nginx/nginx.conf /conf
|
||||
LABEL org.opencontainers.image.source="https://github.com/TecharoHQ/anubis"
|
||||
Reference in New Issue
Block a user