* core: add .npmrc baseline to block dependency lifecycle scripts Set ignore-scripts=true at the repo root, plus engine-strict, save-exact, audit, and prefer-offline. This neutralizes the dominant npm supply-chain attack vector — postinstall scripts in transitive dependencies — at the cost of requiring an explicit rebuild for the handful of packages that legitimately need install scripts (esbuild, chromedriver, tree-sitter, tree-sitter-json). The next commit wires that rebuild into the Makefile. Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com> * core: route node installs through make to retire website preinstall hook Make docs-install depend on a new root-node-install so the root deps are guaranteed before the website install runs, removing the need for the website/preinstall lifecycle script. Rebuild the small audited list of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json) after the web install so ignore-scripts=true remains the only path that needs maintenance. web/README documents the new workflow. Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com> * Clean up install scripts. * Track .npmrc in CODEOWNERS * Fix formatter config. Reformat. * Fix mounted references. * Flesh out node scripts. * Bump engines. * Prep containers. * Update makefile. * Flesh out github actions. * Clean up docs container. * lint. Bump. Lint. Bump NPM version. * Add limits. * collapse the composite's three setup-node calls to one cache restore * Add SHA. * Bump NPM range. * Run formatter. * Bump NPM. * Remove extra install. * Fix website deps. * Use local prettier. Fix drift in CI. * ci: build frontend in CI with node_env production Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Install docusaurus config. * Fix linter warning, order. * Add linter commands. * Add timeout. * Remove pre install check. 
--------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
# Build stage: renders the documentation site to static files. The final stage
# copies only /work/website/docs/build out of here, so the Node toolchain and
# node_modules never reach the shipped image.
# The base image is pinned by digest; once a digest is given the tag is only
# informational, so a version bump has to update both together.
FROM --platform=$BUILDPLATFORM docker.io/library/node:25.9.0-trixie@sha256:7a99c607c2a73ea54f8c554d10bc790569fb7d1173638d5a9f56a23923fe2f87 AS docs-builder

# Applies to every later step in this stage (both installs and the docs build).
# npm omits devDependencies by default when NODE_ENV is "production".
ENV NODE_ENV=production

WORKDIR /work

# Toolchain preparation. Manifests, shared config packages and helper scripts
# are bind-mounted rather than copied: BuildKit bind mounts are read-only by
# default and are not written into the resulting layer.
# NOTE(review): the behaviour of setup-corepack.mjs and lint-runtime.mjs is not
# visible here; presumably they activate the pinned package manager and check
# the runtime against the declared engines. Confirm against ./scripts/node/.
RUN --mount=type=bind,src=./package.json,target=/work/package.json \
    --mount=type=bind,src=./package-lock.json,target=/work/package-lock.json \
    --mount=type=bind,src=./scripts/node/,target=/work/scripts/node/ \
    --mount=type=bind,src=./packages/logger-js/,target=/work/packages/logger-js/ \
    --mount=type=bind,src=./packages/tsconfig/,target=/work/packages/tsconfig/ \
    --mount=type=bind,src=./packages/eslint-config/,target=/work/packages/eslint-config/ \
    --mount=type=bind,src=./packages/prettier-config/,target=/work/packages/prettier-config/ \
    --mount=type=bind,src=./packages/docusaurus-config/,target=/work/packages/docusaurus-config/ \
    --mount=type=bind,src=./website/package.json,target=/work/website/package.json \
    --mount=type=bind,src=./website/package-lock.json,target=/work/website/package-lock.json \
    node ./scripts/node/setup-corepack.mjs --force && \
    node ./scripts/node/lint-runtime.mjs ./website

# Dependency installation. `npm ci` installs exactly what the lockfile records
# and fails when package.json and the lockfile disagree. The root install runs
# first, then the website workspaces. The cache mount keeps npm's download
# cache on the build host (shared between concurrent builds) and out of the
# image layer.
# NOTE(review): no .npmrc is bind-mounted into /work for these installs, so
# project-level npm settings such as ignore-scripts only apply here if they
# reach npm some other way (for example via setup-corepack.mjs or user-level
# config). Confirm that dependency lifecycle scripts are handled as intended in
# the container build.
RUN --mount=type=bind,src=./package.json,target=/work/package.json \
    --mount=type=bind,src=./package-lock.json,target=/work/package-lock.json \
    --mount=type=bind,src=./scripts/node/,target=/work/scripts/node/ \
    --mount=type=bind,src=./packages/logger-js/,target=/work/packages/logger-js/ \
    --mount=type=bind,src=./packages/tsconfig/,target=/work/packages/tsconfig/ \
    --mount=type=bind,src=./packages/eslint-config/,target=/work/packages/eslint-config/ \
    --mount=type=bind,src=./packages/prettier-config/,target=/work/packages/prettier-config/ \
    --mount=type=bind,src=./packages/docusaurus-config/,target=/work/packages/docusaurus-config/ \
    --mount=type=bind,src=./website/package.json,target=/work/website/package.json \
    --mount=type=bind,src=./website/package-lock.json,target=/work/website/package-lock.json \
    --mount=type=bind,src=./website/vendored/detect-package-manager,target=/work/website/vendored/detect-package-manager \
    --mount=type=bind,src=./website/docusaurus-theme/package.json,target=/work/website/docusaurus-theme/package.json \
    --mount=type=bind,src=./website/api/package.json,target=/work/website/api/package.json \
    --mount=type=bind,src=./website/integrations/package.json,target=/work/website/integrations/package.json \
    --mount=type=bind,src=./website/docs/package.json,target=/work/website/docs/package.json \
    --mount=type=cache,target=/root/.npm,id=npm-website,sharing=shared \
    corepack npm ci && \
    corepack npm ci --workspaces --include-workspace-root --prefix ./website

WORKDIR /work/website

# Sources are copied only after the installs so that editing docs does not
# invalidate the dependency layers above.
# NOTE(review): `COPY ./website` takes whatever the build context holds under
# website/; this assumes .dockerignore keeps a local node_modules, build output
# and env files out of the context. Confirm.
COPY ./website /work/website/
COPY ./blueprints /work/blueprints/
COPY ./schema.yml /work/
COPY ./lifecycle/container/compose.yml /work/lifecycle/container/
COPY ./SECURITY.md /work/

# Build the "docs" workspace. The shared docusaurus-config package is needed
# again at build time and is mounted rather than copied.
RUN --mount=type=bind,src=./packages/docusaurus-config/,target=/work/packages/docusaurus-config/ \
    corepack npm run build -w docs
# Runtime stage: stock nginx serving the static site produced by docs-builder.
# The base image is pinned by digest; the tag is informational once a digest is
# given, so bump both together.
# NOTE(review): no USER instruction is set, so the container runs as the base
# image's default user. Confirm whether that is intended or whether an
# unprivileged nginx setup is preferable for this image.
FROM docker.io/library/nginx:1.29-trixie@sha256:1881968aff6f7cdcc4b888c00a11f4ce241ad7ec957e0cb4a9e19e93a3ff87ea

# OCI image metadata, keys sorted alphabetically for easier diffing.
LABEL org.opencontainers.image.authors="Authentik Security Inc." \
      org.opencontainers.image.description="authentik product documentation" \
      org.opencontainers.image.documentation="https://docs.goauthentik.io" \
      org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
      org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
      org.opencontainers.image.title="authentik docs image" \
      org.opencontainers.image.url="https://goauthentik.io" \
      org.opencontainers.image.vendor="Authentik Security Inc."

# Only the rendered site crosses the stage boundary; nothing else from the
# builder (sources, lockfiles, node_modules, npm cache) is included.
COPY --from=docs-builder /work/website/docs/build /usr/share/nginx/html