mirror of
https://github.com/RayLabsHQ/gitea-mirror.git
synced 2026-03-16 16:21:59 +03:00
82b5ac8160
Git-lfs v3.7.1 pre-built binaries use Go 1.25.3, which is affected by CVE-2025-68121 (critical), CVE-2026-27142, CVE-2026-25679, CVE-2025-61729, CVE-2025-61726, and CVE-2025-47913 (golang.org/x/crypto). Since no newer git-lfs release exists, compile from source in a dedicated build stage using Go 1.25.8 (latest patched release). Only the final binary is copied into the runner image.
92 lines
3.1 KiB
Docker
92 lines
3.1 KiB
Docker
# syntax=docker/dockerfile:1.4
|
|
|
|
FROM oven/bun:1.3.10-debian AS base
|
|
WORKDIR /app
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
python3 make g++ gcc wget sqlite3 openssl ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# ----------------------------
|
|
FROM base AS builder
|
|
COPY package.json ./
|
|
COPY bun.lock* ./
|
|
RUN bun install --frozen-lockfile
|
|
|
|
COPY . .
|
|
RUN bun run build
|
|
RUN mkdir -p dist/scripts && \
|
|
for script in scripts/*.ts; do \
|
|
bun build "$script" --target=bun --outfile=dist/scripts/$(basename "${script%.ts}.js"); \
|
|
done
|
|
|
|
# ----------------------------
|
|
FROM base AS pruner
|
|
COPY package.json ./
|
|
COPY bun.lock* ./
|
|
RUN bun install --production --omit=peer --frozen-lockfile
|
|
|
|
# ----------------------------
|
|
# Build git-lfs from source with patched Go to resolve Go stdlib CVEs
|
|
FROM debian:trixie-slim AS git-lfs-builder
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
wget ca-certificates git make \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
ARG GO_VERSION=1.25.8
|
|
ARG GIT_LFS_VERSION=3.7.1
|
|
RUN ARCH="$(dpkg --print-architecture)" \
|
|
&& wget -qO /tmp/go.tar.gz "https://go.dev/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz" \
|
|
&& tar -C /usr/local -xzf /tmp/go.tar.gz \
|
|
&& rm /tmp/go.tar.gz
|
|
ENV PATH="/usr/local/go/bin:${PATH}"
|
|
RUN git clone --branch "v${GIT_LFS_VERSION}" --depth 1 https://github.com/git-lfs/git-lfs.git /tmp/git-lfs \
|
|
&& cd /tmp/git-lfs \
|
|
&& make \
|
|
&& install -m 755 /tmp/git-lfs/bin/git-lfs /usr/local/bin/git-lfs
|
|
|
|
# ----------------------------
|
|
FROM oven/bun:1.3.10-debian AS runner
|
|
WORKDIR /app
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
git wget sqlite3 openssl ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
COPY --from=git-lfs-builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs
|
|
RUN git lfs install
|
|
COPY --from=pruner /app/node_modules ./node_modules
|
|
COPY --from=builder /app/dist ./dist
|
|
COPY --from=builder /app/package.json ./package.json
|
|
COPY --from=builder /app/docker-entrypoint.sh ./docker-entrypoint.sh
|
|
COPY --from=builder /app/drizzle ./drizzle
|
|
|
|
# Remove build-only packages that are not needed at runtime
|
|
# (esbuild, vite, rollup, tailwind, svgo — all only used during `astro build`)
|
|
RUN rm -rf node_modules/esbuild node_modules/@esbuild \
|
|
node_modules/rollup node_modules/@rollup \
|
|
node_modules/vite node_modules/svgo \
|
|
node_modules/@tailwindcss/vite \
|
|
node_modules/tailwindcss
|
|
|
|
ENV NODE_ENV=production
|
|
ENV HOST=0.0.0.0
|
|
ENV PORT=4321
|
|
ENV DATABASE_URL=file:data/gitea-mirror.db
|
|
|
|
# Create directories and setup permissions
|
|
RUN mkdir -p /app/certs && \
|
|
chmod +x ./docker-entrypoint.sh && \
|
|
mkdir -p /app/data && \
|
|
groupadd --system --gid 1001 nodejs && \
|
|
useradd --system --uid 1001 --gid 1001 --create-home --home-dir /home/gitea-mirror gitea-mirror && \
|
|
chown -R gitea-mirror:nodejs /app/data && \
|
|
chown -R gitea-mirror:nodejs /app/certs && \
|
|
chown -R gitea-mirror:nodejs /home/gitea-mirror
|
|
|
|
USER gitea-mirror
|
|
|
|
VOLUME /app/data
|
|
EXPOSE 4321
|
|
|
|
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
|
|
CMD wget --no-verbose --tries=1 --spider http://localhost:4321/api/health || exit 1
|
|
|
|
ENTRYPOINT ["./docker-entrypoint.sh"]
|