build: docker file as non root user

.github/workflows/pull-request.yaml

@@ -18,8 +18,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
-        with:
-          node-version: '16'
       #- run: yarn test
       - run: yarn
       - run: yarn build

Dockerfile

@@ -1,10 +1,37 @@
-FROM nginx
-COPY dist /usr/share/nginx/html
-RUN rm etc/nginx/conf.d/default.conf
-COPY nginx.conf etc/nginx/conf.d/
+# Build environment
+FROM node:20-alpine AS build
+WORKDIR /app
+COPY package.json yarn.lock .env ./
+COPY public ./public
+COPY index.html ./
+RUN yarn install --frozen-lockfile --network-timeout 600000
+COPY tsconfig.json .prettierrc vite.config.js ./
+COPY scripts ./scripts
+COPY src ./src
+RUN yarn build
+COPY nginx.conf ./
 
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+# Production Env
+FROM nginx:stable-alpine
+COPY --from=build /app/nginx.conf /etc/nginx/conf.d/default.conf    
+WORKDIR /usr/share/nginx/html
+
+# Add bash
+RUN apk add --no-cache bash
+
+## Copy .env file and shell script to container
+COPY --from=build /app/dist ./
+COPY --from=build /app/entrypoint.sh .
+RUN chmod 755 entrypoint.sh
+
+# add non-root user
+RUN touch /var/run/nginx.pid
+RUN chown -R nginx:nginx /var/run/nginx.pid /usr/share/nginx/html /var/cache/nginx /var/log/nginx /etc/nginx/conf.d
+
+# non root users cannot listen on 80
+EXPOSE 8080
+
+USER nginx
 
 ENTRYPOINT [ "/entrypoint.sh" ]
 CMD ["nginx", "-g", "daemon off;"]