chore(ci): Lint dockerfiles

[AndesKrrrrrrrrrrr]

Fix lints for our Dockerfiles, with minimal functional change.

Summary by CodeRabbit

• New Features

  • Added ICU analysis plugin for Unicode support in Elasticsearch.

• Improvements

  • Streamlined Dockerfile processes for better clarity and efficiency.
  • Replaced ADD commands with COPY for clearer file handling.
  • Updated package installation commands to optimize image size and cleanliness.

• Style

  • Enhanced readability by standardizing stage names and adjusting command indentation.

[coderabbitai]

Walkthrough

The pull request includes modifications to several Dockerfiles across different services, enhancing clarity, efficiency, and functionality. Key updates involve the installation of the ICU analysis plugin in the Elasticsearch Dockerfile, improvements to package installation commands, and standardization of syntax in multiple Dockerfiles. The changes also include replacing ADD with COPY for better practice, and adjustments to command formatting for readability. Overall, these updates aim to streamline the build process and improve maintainability.

Changes

File Path	Change Summary
apps/services/search-indexer/dev-services/elasticsearch/Dockerfile	Added ICU analysis plugin installation, updated CentOS repository configurations, optimized package installation command with cleanup.
infra/scripts/Dockerfile	Updated stage names to uppercase, optimized package installation with --no-cache, replaced ADD with COPY, and combined RUN commands.
scripts/Dockerfile.proxy	Adjusted indentation for CMD instructions to enhance readability without changing functionality.
scripts/ci/Dockerfile	Replaced ADD with COPY, standardized stage name syntax, updated dependency installations, and refined ENTRYPOINT and CMD instructions.

Possibly related PRs

• chore: Various maintenance #16326: The changes in infra/scripts/helm-diff.sh related to simplifying the script's usage and enhancing its functionality are relevant as they improve the handling of release branches, which may connect to the overall Dockerfile optimizations in the main PR.
• chore(dsl): Remove global auth annotations #16433: The modifications to the ingress configurations in apps/services/search-indexer/infra/search-indexer-service.ts may relate to the overall service management and deployment strategies that could be impacted by the changes in the Elasticsearch Dockerfile.

Suggested labels

automerge

Suggested reviewers

• lodmfjord
• svanaeinars

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.77%. Comparing base (3288149) to head (841beaa).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #16558      +/-   ##
==========================================
- Coverage   36.77%   36.77%   -0.01%     
==========================================
  Files        6853     6853              
  Lines      142181   142194      +13     
  Branches    40556    40559       +3     
==========================================
+ Hits        52292    52295       +3     
- Misses      89889    89899      +10     

Flag	Coverage Δ
judicial-system-api	18.43% <ø> (+0.04%)	⬆️
judicial-system-web	27.80% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 4 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3288149...841beaa. Read the comment docs.

[datadog-island-is]

Datadog Report

All test runs e09711b 🔗

✅ 2 Total Test Services: 0 Failed, 2 Passed
➡️ Test Sessions change in coverage: 2 no change

Test Services

Service Name	Failed	Known Flaky	New Flaky	Passed	Skipped	Total Time	Code Coverage Change	Test Service View
judicial-system-api	0	0	0	57	0	6.47s	1 no change	Link
judicial-system-web	0	0	0	338	0	1m 12.26s	1 no change	Link

[coderabbitai]

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (5)

infra/scripts/Dockerfile (1)

21-22: LGTM! Efficient layer management.

Good use of && to combine build commands, reducing the number of layers. Consider adding a comment explaining what each ncc build produces for better maintainability.

-RUN ./node_modules/.bin/ncc build src/feature-env.ts -o /app/dist/feature-env && \
-  ./node_modules/.bin/ncc build src/secrets.ts -o /app/dist/secrets
+# Build feature environment and secrets management utilities
+RUN ./node_modules/.bin/ncc build src/feature-env.ts -o /app/dist/feature-env && \
+  ./node_modules/.bin/ncc build src/secrets.ts -o /app/dist/secrets

apps/services/search-indexer/dev-services/elasticsearch/Dockerfile (3)

Line range hint 4-4: Add error handling for plugin installation.

While adding the ICU plugin is beneficial for Unicode support, consider adding error checking to ensure the installation succeeds.

-RUN bin/elasticsearch-plugin install analysis-icu
+RUN bin/elasticsearch-plugin install analysis-icu || exit 1

---

Line range hint 6-7: Optimize repository configuration commands.

The two sed commands can be combined into a single RUN instruction to reduce the number of layers in the final image.

-RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
-RUN sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \
+    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*

---

14-14: Enhance security for external downloads.

The GitHub download lacks checksum verification, which could pose a security risk. Consider adding SHA256 verification for the downloaded file.

+ARG DICT_SHA256="<expected-sha256-hash>"
 RUN wget -O master.zip https://github.com/island-is/elasticsearch-dictionaries/archive/master.zip
+RUN echo "${DICT_SHA256} master.zip" | sha256sum -c -

scripts/ci/Dockerfile (1)

138-139: Address TODO regarding awscli dependency

The TODO comment indicates a large dependency (157 MB) that could be removed. This should be addressed to reduce the image size.

Would you like me to help create an issue to track the removal of the awscli dependency?

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 66f2b3b and c864bb7.

📒 Files selected for processing (4)

• apps/services/search-indexer/dev-services/elasticsearch/Dockerfile (1 hunks)
• infra/scripts/Dockerfile (1 hunks)
• scripts/Dockerfile.proxy (1 hunks)
• scripts/ci/Dockerfile (10 hunks)

✅ Files skipped from review due to trivial changes (1)

• scripts/Dockerfile.proxy

🧰 Additional context used

📓 Path-based instructions (2)

apps/services/search-indexer/dev-services/elasticsearch/Dockerfile (2)

Pattern apps/services/**/*: "Confirm that the code adheres to the following:

• NestJS architecture, including modules, services, and controllers.
• Dependency injection patterns and service encapsulation.
• Integration and unit testing coverage and practices."

---

Pattern apps/**/*: "Confirm that the code adheres to the following:

• NextJS best practices, including file structure, API routes, and static generation methods.
• Efficient state management and server-side rendering techniques.
• Optimal use of TypeScript for component and utility type safety."

scripts/ci/Dockerfile (1)

Pattern scripts/**/*: "Confirm that the code adheres to the following:

• Script efficiency, readability, and maintainability.
• Usage of environmental variables and configuration files for flexibility.
• Integration with NX workspace utilities and commands."

🔇 Additional comments (9)

infra/scripts/Dockerfile (3)

3-3: LGTM! Good practices implemented.

The changes follow Docker best practices:

• Using uppercase for stage names improves readability
• Using --no-cache with apk add prevents unnecessary package index caching
• Proper use of hadolint ignore directive

Also applies to: 5-6

---

8-9: LGTM! Proper stage setup.

Good practice to set WORKDIR early in the stage, providing clear context for subsequent commands.

---

24-29: LGTM! Clean final stage setup.

Good practices observed:

• Proper use of COPY instead of ADD
• Clear WORKDIR setting
• Well-organized file copying from build stage

scripts/ci/Dockerfile (6)

13-16: Good use of COPY instead of ADD!

The change from ADD to COPY is a best practice as it makes the intention more explicit and predictable. Also, using --immutable with yarn ensures reproducible builds.

---

Line range hint 29-37: Good environment variable configuration for builds

The use of build arguments and environment variables follows best practices:

• Setting NODE_ENV=production
• Configuring NODE_OPTIONS for memory management
• Using build arguments for app configuration

---

104-111: Well-structured package updates and configuration

Good practices observed:

• Package updates and upgrades are properly sequenced
• Environment extraction scripts are organized in appropriate locations
• Base path configuration is flexible

---

Line range hint 152-161: Good security practices with user permissions

Excellent handling of permissions:

• Files are properly owned by pwuser
• Playwright browser installation is user-specific
• Environment variables are well configured

---

Line range hint 67-88: Verify the need for --no-experimental-fetch flag

The flag --no-experimental-fetch is used in the Express output but not in Next.js output. Please verify if this inconsistency is intentional.

---

Line range hint 114-127: Verify the empty Jest configuration

The empty Jest configuration (module.exports = {};) might be too permissive. Consider explicitly defining the test environment and other relevant configurations.

✅ Verification successful

Let me gather more information about the Jest configuration by checking the actual content of some key Jest configuration files.

---

Let me check the Jest configuration in package.json and nx.json since they might contain the project's base Jest configuration.

---

Let me check the actual Jest configuration files in the project to understand the test setup better.

---

Let me check the actual Jest configuration files in the project, focusing on the main configuration files.

---

Based on the analysis of the Jest configuration files, I can now provide a final response about the empty Jest configuration concern.

Empty Jest configuration is intentional and inherits from project preset

The empty Jest configuration in the Dockerfile (module.exports = {};) is acceptable because:

1. The project uses a comprehensive base Jest preset (jest.preset.js) that provides all necessary configuration including:

   • Test matching patterns
   • Coverage collection rules
   • Module extensions
   • Custom resolver
   • Module name mapping for special cases

2. The empty configuration allows the container to inherit these base settings while remaining flexible for different test scenarios.

3. The setup is consistent with the project's testing architecture, which uses multiple Jest setup files for specific testing requirements.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for existing Jest configurations in the codebase
rg -l "jest.config"

Length of output: 67999

---

Script:

#!/bin/bash
# Check content of Jest configuration files
rg -l "jest.config" | xargs -I {} sh -c 'echo "=== {} ==="; cat {} 2>/dev/null | grep -A 10 "module.exports"'

Length of output: 83118

---

Script:

#!/bin/bash
# Check Jest configuration in package.json and nx.json
echo "=== package.json Jest config ==="
cat package.json | jq '.jest'

echo -e "\n=== nx.json Jest config ==="
cat nx.json | jq '.jest'

Length of output: 210

---

Script:

#!/bin/bash
# Find and check content of Jest config files
echo "=== Searching for Jest config files ==="
fd "jest.config" --type f --exec cat {}

echo -e "\n=== Checking test setup in package.json ==="
cat package.json | jq '.scripts | select(.test)'

Length of output: 214994

---

Script:

#!/bin/bash
# Check content of main Jest configuration files
echo "=== jest.config.js ==="
cat jest.config.js 2>/dev/null || echo "File not found"

echo -e "\n=== jest.preset.js ==="
cat jest.preset.js 2>/dev/null || echo "File not found"

echo -e "\n=== Searching for Jest setup files ==="
fd "jest.setup" --type f --exec cat {}

Length of output: 2626

[busla]

LGTM