SwissDataScienceCenter · leafty · Apr 15, 2025 · Apr 15, 2025
@@ -1,6 +1,11 @@
+# syntax=docker/dockerfile:1
 FROM node:22 AS builder
 
-RUN apt-get update && apt-get upgrade --quiet --assume-yes
+RUN <<EOT bash
+    set -ex
+    apt-get update
+    apt-get upgrade --quiet --assume-yes
+EOT
 
 WORKDIR /app
 
@@ -22,38 +27,42 @@ RUN npm run storybook-build -- -o storybook-static
 
 FROM nginxinc/nginx-unprivileged:1.27-alpine
 
-COPY --from=builder /app/build /usr/share/nginx/html
-COPY --from=builder /app/storybook-static /usr/share/nginx/html/storybook
-COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf
-COPY docker-entrypoint.sh /app/docker-entrypoint.sh
-COPY scripts/generate_sitemap.sh /app/scripts/generate_sitemap.sh
+COPY --from=builder --chown=root:root /app/build /usr/share/nginx/html
+COPY --from=builder --chown=root:root /app/storybook-static /usr/share/nginx/html/storybook
+COPY --chown=nginx:root nginx.vh.default.conf /etc/nginx/conf.d/default.conf
+COPY --chown=root:root --chmod=755 docker-entrypoint.sh /app/docker-entrypoint.sh
+COPY --chown=root:root --chmod=755 scripts/generate_sitemap.sh /app/scripts/generate_sitemap.sh
 
 # Set up the config files written by docker-entrypoint
 USER root
-RUN touch /usr/share/nginx/html/config.json
-RUN chmod a+r /usr/share/nginx/html/config.json
-RUN chown nginx /usr/share/nginx/html/config.json
 
-RUN touch /usr/share/nginx/html/robots.txt
-RUN chmod a+r /usr/share/nginx/html/robots.txt
-RUN chown nginx /usr/share/nginx/html/robots.txt
+RUN <<EOT ash
+  set -ex
 
-RUN touch /usr/share/nginx/html/sitemap.xml
-RUN chmod a+r /usr/share/nginx/html/sitemap.xml
-RUN chown nginx /usr/share/nginx/html/sitemap.xml
+  touch /usr/share/nginx/html/config.json
+  chown nginx:root /usr/share/nginx/html/config.json
+  chmod a+rw /usr/share/nginx/html/config.json
 
-RUN touch /usr/share/nginx/html/privacy-statement.md
-RUN chmod a+r /usr/share/nginx/html/privacy-statement.md
-RUN chown nginx /usr/share/nginx/html/privacy-statement.md
+  touch /usr/share/nginx/html/robots.txt
+  chown nginx:root /usr/share/nginx/html/robots.txt
+  chmod a+rw /usr/share/nginx/html/robots.txt
 
-RUN touch /usr/share/nginx/html/terms-of-use.md
-RUN chmod a+r /usr/share/nginx/html/terms-of-use.md
-RUN chown nginx /usr/share/nginx/html/terms-of-use.md
+  touch /usr/share/nginx/html/sitemap.xml
+  chown nginx:root /usr/share/nginx/html/sitemap.xml
+  chmod a+rw /usr/share/nginx/html/sitemap.xml
 
-USER nginx
+  touch /usr/share/nginx/html/privacy-statement.md
+  chown nginx:root /usr/share/nginx/html/privacy-statement.md
+  chmod a+rw /usr/share/nginx/html/privacy-statement.md
+
+  touch /usr/share/nginx/html/terms-of-use.md
+  chown nginx:root /usr/share/nginx/html/terms-of-use.md
+  chmod a+rw /usr/share/nginx/html/terms-of-use.md
+EOT
 
+USER nginx
 
-HEALTHCHECK --interval=20s --timeout=10s --retries=5 CMD test -e /var/run/nginx.pid
+HEALTHCHECK --interval=20s --timeout=10s --retries=5 CMD test -e /tmp/nginx.pid
 
 ARG SHORT_SHA
 ENV RENKU_UI_SHORT_SHA=$SHORT_SHA

@@ -113,4 +113,10 @@ else
   echo "No terms-of-use.md"
 fi
 
+chmod 644 /usr/share/nginx/html/config.json
+chmod 644 /usr/share/nginx/html/robots.txt
+chmod 644 /usr/share/nginx/html/sitemap.xml
+chmod 644 /usr/share/nginx/html/privacy-statement.md
+chmod 644 /usr/share/nginx/html/terms-of-use.md
+
 exec -- "$@"