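# syntax=docker/dockerfile:1
# Dockerfile.analysis — image for hover-analysis (lighthouse audit service).
#
# Phase 3 layers Chromium and the lighthouse npm package on top of the
# analysis Go binary. The runtime stage is node:20-slim (Debian bookworm)
# rather than Alpine so we can pull Chromium from Debian's main repo —
# Debian's chromium tracks upstream within days, while Alpine's
# chromium package historically lags by weeks and carries unpatched CVEs
# longer.
#
# Confined to this Dockerfile only; the main Dockerfile (hover, hover-worker)
# stays lean and Alpine-based.
#
# Pin discipline: chromium and lighthouse are pinned to exact versions
# below. Bumps are a deliberate Dockerfile change, not a "latest" drift.
# Schedule: bump monthly to track Chromium's stable channel for security
# fixes (Debian publishes within days of upstream). See
# docs/plans/lighthouse-performance-reports.md § Phase 3 for context.
#
# The `# syntax` directive on line 1 pins the BuildKit Dockerfile frontend
# so `COPY --chmod` is available; parser directives are only honoured when
# they precede every other line, so it must stay first.

# Alloy is pinned by digest. golang and node are pinned by tag only, so the
# base can still drift underneath the tag between builds.
# TODO: pin golang and node by digest too (FROM image:tag@sha256:<digest>),
# in line with the pin discipline above.
FROM grafana/alloy:v1.15.1@sha256:1f40cf52adda8fab3e058f9347a5d165624ecb9fbc1527769cb744748961940d AS alloy

FROM golang:1.26.3-alpine AS builder
WORKDIR /app
# Module manifests first so the download layer is reused until
# go.mod/go.sum change, independent of source edits.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Build the package directory rather than main.go alone: `go build <file>`
# compiles only the named file, so any sibling file added to cmd/analysis
# would break the build. -trimpath drops build-host paths from the binary
# so the artifact is reproducible across build machines.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -o analysis ./cmd/analysis

FROM node:20-slim AS runtime
# Chromium plus the few runtime libs Lighthouse needs and ca-certificates
# for outbound HTTPS (Supabase, OTLP, Grafana Cloud, R2). fonts-liberation
# stops Chromium falling back to bitmap fonts on JS-heavy pages, which
# breaks rendering audits.
#
# chromium-sandbox provides the setuid sandbox helper, so the renderer
# sandbox can stay enabled while the service runs as the non-root appuser.
# Whether the launcher actually keeps the sandbox on is decided by
# scripts/start-analysis.sh / cmd/analysis, not here — confirm there that
# --no-sandbox is not passed.
#
# TODO(phase3): pin chromium=<exact> after first successful build to make
# the bump cadence deliberate. Left unpinned now so the initial build
# resolves whatever Debian bookworm currently ships, and we capture that
# version in a follow-up commit on this PR.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        chromium \
        chromium-sandbox \
        dumb-init \
        fonts-liberation \
    && rm -rf /var/lib/apt/lists/*

# Lighthouse CLI. Pinned to the 12.x line; bump in lockstep with Chromium.
RUN npm install -g lighthouse@12.2.1 \
    && npm cache clean --force

# Non-root runtime user mirrors the previous Alpine image's appuser.
# /app is created appuser-owned in the same step so the working directory
# is writable by the service (the previous `chown -R /app` granted the
# same) without a later recursive chown, which would re-copy every file
# under /app into a fresh layer.
RUN useradd --create-home --shell /bin/sh --uid 10001 appuser \
    && install -d -o appuser -g appuser /app
WORKDIR /app

# Ownership and mode are set on the COPY itself; a follow-up RUN chmod/chown
# duplicates each touched file in a new layer (the alloy binary included).
COPY --from=builder --chown=appuser:appuser --chmod=0755 /app/analysis .
# Alloy sidecar so the analysis service emits app/environment-tagged
# metrics without each pod needing its own Prometheus push secret.
# Debian's glibc means no gcompat shim is needed — it ran on Alpine
# only because Alpine ships musl.
COPY --from=alloy --chmod=0755 /bin/alloy /usr/local/bin/alloy
COPY --chown=appuser:appuser alloy.river .
COPY --chown=appuser:appuser --chmod=0755 scripts/start-analysis.sh ./start.sh

# CHROMIUM_BIN / LIGHTHOUSE_BIN are baked here so cmd/analysis can read
# them via env without each Fly toml having to repeat the paths. The
# tomls still set them so a misconfigured base image fails loudly rather
# than silently picking up a different binary.
ENV CHROMIUM_BIN=/usr/bin/chromium \
    LIGHTHOUSE_BIN=/usr/local/bin/lighthouse

USER appuser

# dumb-init reaps zombies left behind by Chromium renderer crashes.
# Without it the analysis container accumulates defunct processes over
# time and eventually exhausts the PID table.
ENTRYPOINT ["dumb-init", "--"]
CMD ["./start.sh"]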