Refactor Dockerfiles to use node:22-alpine and optimize npm install with cache

max-ostapenko · max-ostapenko · commit 1c0bc815c838 · 2025-12-14T14:50:53.000+01:00
diff --git a/infra/bigquery-export/Dockerfile b/infra/bigquery-export/Dockerfile
@@ -1,30 +1,21 @@
-# checkov:skip=CKV_DOCKER_3:Ensure that a user for the container has been created
-FROM node:22-slim
+FROM node:22-alpine
 
-# Set the working directory
 WORKDIR /app
 
-# Create a non-root user
-RUN groupadd -r appuser && useradd -r -g appuser appuser
+RUN addgroup -S appuser && adduser -S -G appuser appuser
 
-# Copy package files first for better layer caching
 COPY package*.json ./
 
-# Install dependencies (this layer will be cached unless package files change)
-RUN npm ci --only=production --quiet --no-fund --no-audit && npm cache clean --force
+RUN --mount=type=cache,target=/root/.npm npm ci --only=production --quiet --no-fund --no-audit && npm cache clean --force
 
 ENV EXPORT_CONFIG=""
 
-# Copy source code
 COPY . .
 
-# Change ownership of the app directory to the non-root user
 RUN chown -R appuser:appuser /app
 
-# Switch to non-root user
 USER appuser
 
-# No healthcheck needed for one-time job containers
 HEALTHCHECK NONE
 
 CMD ["node", "index.js"]
diff --git a/infra/dataform-service/Dockerfile b/infra/dataform-service/Dockerfile
@@ -1,35 +1,24 @@
-FROM node:22-slim
+FROM node:22-alpine
 
-# Set the working directory
 WORKDIR /app
 
-# Create a non-root user
-RUN groupadd -r appuser && useradd -r -g appuser appuser
+RUN addgroup -S appuser && adduser -S -G appuser appuser
 
-# Copy package files first for better layer caching
 COPY package*.json ./
 
-# Install dependencies (this layer will be cached unless package files change)
-RUN npm ci --only=production --quiet --no-fund --no-audit && npm cache clean --force
+RUN --mount=type=cache,target=/root/.npm npm ci --only=production --quiet --no-fund --no-audit && npm cache clean --force
 
-# Copy source code
 COPY . .
 
-# Change ownership of the app directory to the non-root user
 RUN chown -R appuser:appuser /app
 
-# Switch to non-root user
 USER appuser
 
-# Set default port (Cloud Run will override this)
 ENV PORT=8080
 
-# Expose port for Cloud Run
 EXPOSE 8080
 
-# Add healthcheck
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
   CMD node -e "require('http').get('http://localhost:$PORT/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1) }).on('error', () => { process.exit(1) })" || exit 1
 
-# Start the function
-CMD ["npm", "start"]
+CMD ["npx", "functions-framework", "--target=dataform-service"]
