chore(infra): Faster docker build #17050

Open
wants to merge 2 commits into
base: main

AndesKrrrrrrrrrrr (Member) commented Nov 27, 2024

Depends on #17051 and #17048

  • Reduce cache busting
  • Improve clarity
  • Add comments
  • Standardize DOCKER_REGISTRY for easier local development

Cherry-picking from #16882 stuff that's out-of-scope there.

Summary by CodeRabbit

  • Chores
    • Enhanced the Dockerfile structure for improved efficiency and maintainability.
    • Streamlined configuration with the introduction of global ARGs.
    • Updated installation commands and optimized the build process.
    • Improved user permissions handling during file copying.

coderabbitai bot (Contributor) commented Nov 27, 2024

Walkthrough

The pull request introduces significant changes to the Dockerfile located in scripts/ci. Key modifications include the addition of multiple global ARGs to streamline configuration, updating the base image, consolidating installation commands, and optimizing the build process. The structure has been refined for clarity and maintainability, with improved handling of user permissions and standardized entry points for output containers. Overall, these changes enhance the organization and efficiency of the Dockerfile.

Changes

File: scripts/ci/Dockerfile
Change summary:
- Added global ARGs: DOCKER_ECR_REGISTRY, DOCKER_REGISTRY, APP_HOME, APP_DIST_HOME, APP, GIT_BRANCH, GIT_COMMIT_SHA, GIT_REPOSITORY_URL.
- Modified NODE_IMAGE_TAG to latest.
- Updated ENV variables for APP, NODE_ENV, and PLAYWRIGHT_BROWSER.
- Consolidated installation commands and added cache clean-up for yarn install.
- Expanded file copying to include more directories and files.
- Refined builder stage with additional verification commands.
- Standardized entry points and improved user permissions handling with --chown.

Suggested labels

automerge, test everything

Suggested reviewers

  • busla
  • svanaeinars
  • robertaandersen

codecov bot commented Nov 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 35.69%. Comparing base (15571ef) to head (84e9e40).
Report is 1 commit behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #17050   +/-   ##
=======================================
  Coverage   35.69%   35.69%           
=======================================
  Files        6939     6939           
  Lines      147080   147081    +1     
  Branches    41832    41832           
=======================================
+ Hits        52497    52498    +1     
  Misses      94583    94583           
Flag Coverage Δ
api 3.34% <ø> (ø)
application-system-api 38.73% <ø> (-0.01%) ⬇️
application-template-api-modules 27.79% <ø> (ø)
judicial-system-backend 55.63% <ø> (ø)
message-queue 68.87% <ø> (+0.07%) ⬆️
services-user-notification 46.76% <ø> (+0.03%) ⬆️

see 2 files with indirect coverage changes


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

datadog-island-is bot commented Nov 27, 2024

Datadog Report

All test runs 1468e24 🔗

5 Total Test Services: 0 Failed, 5 Passed
⬆️ Test Sessions change in coverage: 2 increased, 6 no change

Test Services
Service Name Failed Known Flaky New Flaky Passed Skipped Total Time Code Coverage Change Test Service View
api 0 0 0 4 0 2.7s 1 no change Link
application-system-api 0 0 0 40 0 2m 23.28s 1 no change Link
application-template-api-modules 0 0 0 118 0 2m 38.76s 1 increased (+0.01%) Link
message-queue 0 0 0 10 0 38.94s 1 increased (+0.83%) Link
services-user-notification 0 0 0 51 0 1m 22.55s 1 no change Link

@AndesKrrrrrrrrrrr AndesKrrrrrrrrrrr added the deploy-feature Deploys features to dev label Nov 27, 2024
@AndesKrrrrrrrrrrr AndesKrrrrrrrrrrr marked this pull request as ready for review November 27, 2024 16:25
@AndesKrrrrrrrrrrr AndesKrrrrrrrrrrr requested a review from a team as a code owner November 27, 2024 16:25
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 4

🧹 Outside diff range and nitpick comments (11)
scripts/ci/Dockerfile (11)

5-7: Simplify DOCKER_REGISTRY assignment for clarity

The current definition of DOCKER_REGISTRY might be unnecessarily complex. Since DOCKER_ECR_REGISTRY is already defined as public.ecr.aws/docker, the parameter expansion ${DOCKER_ECR_REGISTRY%/docker}/docker essentially reconstructs the same string. Consider simplifying the assignment for better readability.

Apply this diff to simplify the code:

-ARG DOCKER_REGISTRY=${DOCKER_ECR_REGISTRY%/docker}/docker
+ARG DOCKER_REGISTRY=${DOCKER_ECR_REGISTRY}
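
Review bot: The added line `ARG DOCKER_REGISTRY=${DOCKER_ECR_REGISTRY}` is only equivalent to the removed one while DOCKER_ECR_REGISTRY ends in /docker. The removed expression strips a trailing /docker and appends it again, so a registry passed as a build argument with or without that suffix ends up with exactly one. The plain copy loses that normalization, which matters if the ARG exists so the registry can be overridden for local development, as the PR description says. Keep the original and add a comment explaining the expansion, or document that overrides must include the /docker suffix.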

33-35: Remove unnecessary debug commands to streamline the build

The echo and ls commands are used for debugging purposes but may clutter the build output in a CI environment. Consider removing them to improve build efficiency and reduce noise in the logs.

Apply this diff to remove the debug commands:

-RUN echo "PWD: $PWD" && \
-  ls -lah && \
-  ls -lah -d node_modules/

51-52: Remove unnecessary debug commands to streamline the build

Similar to earlier, the echo and ls commands can be removed to clean up the build process.

Apply this diff to remove the debug commands:

-RUN echo "PWD: $PWD" && \
-  ls -lah

76-77: Use --production flag with yarn install to install only production dependencies

In a production environment, it's best practice to install only the necessary dependencies. Using the --production flag with yarn install helps in reducing the image size and potential attack surface.

Apply this diff to modify the yarn install command:

-RUN yarn install && \
+RUN yarn install --production && \
   yarn cache clean
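
Review bot: `yarn install --production` on the added line is a Yarn 1 flag. The verification output in this review shows the repository ships yarn-3.2.3.cjs in .yarn/releases, and Yarn 2 and later reject that option on install; production-only installs there go through `yarn workspaces focus --production`, which needs the workspace-tools plugin. Check which Yarn version actually runs in this stage before applying the suggestion, otherwise the build fails at this step.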

89-90: Ensure the user creation commands are optimized

Combining user and group creation into a single command can improve efficiency and clarity.

Apply this diff to optimize user and group creation:

-RUN addgroup runners && \
-  adduser -D runner -G runners
+RUN adduser -D -G runners runner
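
Review bot: The added `adduser -D -G runners runner` drops the `addgroup runners` step, but -G only assigns the user to a group that already exists. With the BusyBox adduser that the -D flag points to, the command fails when the runners group has not been created, so the two-command form should stay unless the group is created elsewhere in the stage.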

117-120: Remove debug commands from the production image

The echo and ls commands increase the size of the image and may expose sensitive information about the build environment. It's recommended to remove them from the production stages.

Apply this diff to remove the debug commands:

-RUN echo "PWD: $PWD" && \
-  ls -lah ./ && \
-  ls -lah main.js
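
Review bot: `ls -lah main.js` on the last removed line also works as a build-time assertion, because ls exits non-zero and stops the build when main.js is missing from the stage. If the listing is removed to cut log noise, keep the check in a quieter form such as `RUN test -f main.js`. A RUN that only lists files changes nothing on disk, so its layer adds essentially nothing to image size and that is not a reason to drop it.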

142-144: Remove debug commands from the production image

As with previous stages, removing unnecessary commands helps keep the image clean.

Apply this diff to remove the debug commands:

-RUN echo "PWD: $PWD" && \
-  ls -lah ./ && \
-  ls -lah main.js

219-222: Consolidate Yarn configuration copying and directory creation

You can streamline the commands to reduce the number of layers and improve efficiency.

Apply this diff to consolidate the commands:

-COPY --chown=pwuser:pwuser .yarnrc.yml ./
-RUN mkdir ./.yarn
-COPY --chown=pwuser:pwuser .yarn/releases ./.yarn/releases
+COPY --chown=pwuser:pwuser .yarnrc.yml ./
+COPY --chown=pwuser:pwuser .yarn/ ./.yarn/
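
Review bot: The added `COPY --chown=pwuser:pwuser .yarn/ ./.yarn/` copies the whole .yarn directory instead of only .yarn/releases, so a change anywhere under .yarn (for example the patches directory listed in the verification output) now invalidates this layer and everything after it. That works against the cache-busting goal in the PR description and can put files in the image that this stage does not need. Dropping `RUN mkdir ./.yarn` is fine on its own, since COPY creates the destination path; keep the narrower `.yarn/releases` source.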

235-237: Remove debug commands from the production image

As previously noted, removing unnecessary echo and ls commands is recommended.

Apply this diff to remove the debug commands:

-RUN echo "PWD: $PWD" && \
-  ls -lah ./ && \
-  ls -lah ./entrypoint.sh

265-267: Remove debug commands from the production image

Consistently remove these commands across all stages to maintain a clean Docker image.

Apply this diff to remove the debug commands:

-RUN echo "PWD: $PWD" && \
-  ls -lah ./ && \
-  ls -lah ./entrypoint.sh

272-273: Implement the output-native stage or remove if unnecessary

The output-native stage currently contains a RUN echo "not-implemented" command. Decide whether to implement this stage or remove it to avoid confusion.

If you need assistance in implementing the output-native stage, please let me know.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 15571ef and 84e9e40.

📒 Files selected for processing (1)
  • scripts/ci/Dockerfile (3 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
scripts/ci/Dockerfile (1)

Pattern scripts/**/*: "Confirm that the code adheres to the following:

  • Script efficiency, readability, and maintainability.
  • Usage of environmental variables and configuration files for flexibility.
  • Integration with NX workspace utilities and commands."
🔇 Additional comments (1)
scripts/ci/Dockerfile (1)

66-68: Ensure correct copying of Yarn configurations and dependencies

Copying Yarn configurations and .yarn directories to the ${APP_DIST_HOME} is crucial for the subsequent yarn install to work properly. Double-check that the paths are correct and that all necessary files are included.

Run the following script to verify that the required Yarn files are present in ${APP_DIST_HOME}:

✅ Verification successful

Let me verify the existence of these Yarn-related files in the repository first.


Yarn configuration files are correctly set up and copied

The verification shows that all required Yarn files are present in the repository root and are being correctly copied to ${APP_DIST_HOME}:

  • yarn.lock and .yarnrc.yml exist in the root
  • .yarn/patches directory contains necessary patch files
  • .yarn/releases contains the Yarn binary (yarn-3.2.3.cjs)

The Dockerfile correctly sets up APP_DIST_HOME as a build argument and the copy commands are properly structured to move these files to their required locations. The subsequent yarn install command in the Dockerfile will have access to all necessary configuration files.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that Yarn configuration and necessary files are copied correctly.

# Expected: Files yarn.lock, .yarnrc.yml, and directories .yarn/patches, .yarn/releases exist in ${APP_DIST_HOME}
if [ -d "${APP_DIST_HOME}" ]; then
  ls "${APP_DIST_HOME}/yarn.lock" "${APP_DIST_HOME}/.yarnrc.yml" "${APP_DIST_HOME}/.yarn/patches" "${APP_DIST_HOME}/.yarn/releases"
else
  echo "Directory ${APP_DIST_HOME} does not exist."
fi

Length of output: 78


Script:

#!/bin/bash
# Check if the required Yarn files exist in the repository root
ls -la yarn.lock .yarnrc.yml .yarn/patches .yarn/releases 2>/dev/null || echo "Some files are missing"

# Also verify the content of the Dockerfile to ensure the APP_DIST_HOME variable is properly set
grep -A 5 "APP_DIST_HOME" scripts/ci/Dockerfile

Length of output: 4632

Comment on lines +207 to +211
# TODO: remove awscli dependency (157 MB extra)
# hadolint ignore=DL3008
RUN apt-get update -y && apt-get install -y zip awscli && apt-get purge

ARG APP_HOME
ARG APP_DIST_HOME
RUN apt-get update -y && \
apt-get install --no-install-recommends -y zip awscli && \
apt-get purge

🛠️ Refactor suggestion

Address the TODO: Remove awscli dependency to reduce image size

The TODO comment indicates that awscli adds significant weight to the image. Consider removing it or using a slimmer alternative to optimize the image size.

Here's a possible approach to remove awscli:

  • Use the AWS SDK for JavaScript if AWS functionalities are required.
  • If awscli is needed for specific commands, consider installing awscli-lite or using AWS's official Docker images for CLI operations.

Let me know if you would like assistance in implementing this change.

Comment on lines +209 to +211
RUN apt-get update -y && \
apt-get install --no-install-recommends -y zip awscli && \
apt-get purge

⚠️ Potential issue

Avoid purging apt-get immediately after installation

The apt-get purge command is removing the entire package management system, which may cause issues if further apt commands are needed. Instead, use apt-get clean to remove cached package files.

Apply this diff to correct the cleanup step:

-RUN apt-get update -y && \
-  apt-get install --no-install-recommends -y zip awscli && \
-  apt-get purge
+RUN apt-get update -y && \
+  apt-get install --no-install-recommends -y zip awscli && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/*
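
Review bot: The removed `apt-get purge` is called with no package names, so it removes nothing; it is a no-op rather than a removal of the package manager. The added `apt-get clean && rm -rf /var/lib/apt/lists/*` is the cleanup that actually shrinks the layer, and it has to stay in the same RUN as the install, as written here, to have any effect on image size. The `# hadolint ignore=DL3008` shown in the quoted context still applies, because zip and awscli remain unpinned.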

COPY ${APP_HOME}/package.json .
RUN chown -R pwuser:pwuser .
COPY --chown=pwuser:pwuser --from=builder /build/${APP_DIST_HOME} ./
COPY --chown=pwuser:pwuser ${APP_HOME}/package.json ./

⚠️ Potential issue

Ensure ${APP_HOME} is correctly defined before using in COPY

The COPY command uses ${APP_HOME}/package.json. Verify that ${APP_HOME} is set and points to the correct directory to prevent build issues.

Apply this diff to define APP_HOME if not already set:

+# Ensure APP_HOME is defined
+ARG APP_HOME=your_app_directory
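
Review bot: `ARG APP_HOME=your_app_directory` gives the stage a placeholder default, which turns a missing build argument into a COPY from a path that does not exist, or from the wrong app once someone fills in a real value. The context quoted for lines +207 to +211 already shows `ARG APP_HOME` declared without a default, which is how a stage picks up the global ARG. Leave it without a default and, if a guard is wanted, fail the build explicitly when APP_HOME is empty.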

Replace your_app_directory with the appropriate path.

Committable suggestion skipped: line range outside the PR's diff.

Comment on lines +18 to +22
RUN apk --update --no-cache add git python3 build-base gcc && \
ln -sf /usr/bin/python3 /usr/bin/python && \
wget -O /tmp/jq-linux64 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
chmod a+x /tmp/jq-linux64 && \
mv /tmp/jq-linux64 /usr/bin/jq

🛠️ Refactor suggestion

Use package manager to install jq for consistency and security

Instead of manually downloading jq, it's preferable to use the package manager apk to install it. This ensures that you receive a verified and up-to-date version from the repository, enhancing security and maintainability.

Apply this diff to install jq via apk:

-RUN apk --update --no-cache add git python3 build-base gcc && \
-  ln -sf /usr/bin/python3 /usr/bin/python && \
-  wget -O /tmp/jq-linux64 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
-  chmod a+x /tmp/jq-linux64 && \
-  mv /tmp/jq-linux64 /usr/bin/jq
+RUN apk --update --no-cache add git python3 build-base gcc jq && \
+  ln -sf /usr/bin/python3 /usr/bin/python
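
Review bot: Moving jq into the `apk --update --no-cache add` line replaces an unverified download (the removed wget line has no checksum check) with a signed package, but it also drops the pin to jq-1.6: the installed version now follows whatever the base image's Alpine repository carries. With NODE_IMAGE_TAG set to latest per the change summary, that version can move between builds. Confirm the scripts that call jq do not depend on 1.6 behaviour, or pin the package version in the apk line.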


Affected services are:
Feature deployment of your services will begin shortly. Your feature will be accessible here:

Deployed services: .
Excluded services: ``
