Alfo dev patch 1

.github/workflows/publish-docker-image.yaml

@@ -0,0 +1,73 @@
+name: Publish Docker image
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+
+jobs:
+  push_to_registries:
+    name: Push Docker image to multiple registries
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf  # v6
+        with:
+          images: ghcr.io/${{ github.repository }}
+
+      # ── Step 1: Build locally (no push) ─────────────────────────────────
+      - name: Build Docker image (local, no push)
+        id: build-local
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6
+        with:
+          context: .
+          # Note: load: true is not supported for multi-arch builds.
+          # For linux/amd64 + linux/arm64 → scan against amd64 image only,
+          # or set up a dedicated scan job using docker buildx build --load.
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: ghcr.io/${{ github.repository }}:scan-target
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # ── Step 2: Scan before push ─────────────────────────────────────────
+      - name: Scan image for vulnerabilities
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:scan-target
+          format: table
+          exit-code: '0'
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+
+      # ── Step 3: Push after scan ──────────────────────────────
+      - name: Build and push Docker images
+        id: build
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -1,5 +1,6 @@
 FROM node:22-alpine AS builder
 
+RUN apk upgrade --no-cache zlib
 RUN corepack enable pnpm
 WORKDIR /app
 ENV HUSKY=0
@@ -8,14 +9,16 @@ RUN pnpm install --frozen-lockfile
 COPY tsconfig.json ./
 COPY src/ ./src/
 RUN pnpm run build
+RUN pnpm install --frozen-lockfile --prod --ignore-scripts
 
 FROM node:22-alpine
 
-RUN corepack enable pnpm
+RUN apk upgrade --no-cache zlib
+RUN rm -rf /usr/local/lib/node_modules/npm \
+    && rm -f /usr/local/bin/npm /usr/local/bin/npx
 WORKDIR /app
 ENV HUSKY=0
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile --prod --ignore-scripts
+COPY --from=builder /app/node_modules/ ./node_modules/
 COPY --from=builder /app/dist/ ./dist/
 
 EXPOSE 3000

package.json

@@ -66,7 +66,12 @@
   },
   "pnpm": {
     "overrides": {
-      "eslint-plugin-import-x>eslint": "$eslint"
+      "eslint-plugin-import-x>eslint": "$eslint",
+      "glob": ">=10.5.0",
+      "minimatch": ">=9.0.7",
+      "tar": ">=7.5.11",
+      "undici": ">=7.24.0",
+      "flatted": "^3.4.0"
     },
     "onlyBuiltDependencies": [
       "esbuild",