feat(node): add production-ready Node.js Dockerfile templates with pnpm

- Multi-stage build with Node.js 22 slim base - PNPM package manager via corepack (2x faster than npm) - Build cache mounts for fast rebuilds - Non-root user (appuser:1000) for security - Health check using native fetch API - Alpine variant for size optimization (~130MB) - Distroless variant for maximum security (~110MB) - Comprehensive .dockerignore for clean builds - Full documentation with framework-specific guidance
2026-02-10 06:45:04 +00:00 · 2026-02-07 18:04:24 +00:00
parent 8e8ae27640
commit df5ea66906
5 changed files with 510 additions and 0 deletions
--- a/node/Dockerfile.distroless
+++ b/node/Dockerfile.distroless
@@ -0,0 +1,59 @@
+# syntax=docker/dockerfile:1.7
+#
+# Node.js Distroless Dockerfile (Maximum Security)
+# Features: No shell, no package manager, minimal attack surface
+#
+# Note: Distroless images have no shell - debugging requires ephemeral containers
+#
+# Usage:
+#   docker build -f Dockerfile.distroless -t myapp:latest .
+#   docker run --rm -p 3000:3000 myapp:latest
+
+# =============================================================================
+# Stage 1: Build environment
+# =============================================================================
+ARG NODE_VERSION=22
+
+FROM node:${NODE_VERSION}-slim AS builder
+
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+WORKDIR /app
+
+# Copy dependency files
+COPY package.json pnpm-lock.yaml* ./
+
+# Fetch and install dependencies
+RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
+    pnpm fetch --frozen-lockfile && \
+    pnpm install --frozen-lockfile
+
+# Copy source and build
+COPY . .
+RUN pnpm build
+
+# Prune to production only
+RUN pnpm prune --prod
+
+# =============================================================================
+# Stage 2: Distroless runtime (maximum security)
+# =============================================================================
+FROM gcr.io/distroless/nodejs22-debian12:nonroot AS runtime
+
+WORKDIR /app
+
+# Copy production dependencies
+COPY --from=builder /app/node_modules ./node_modules
+
+# Copy built application
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/package.json ./
+
+# Environment
+ENV NODE_ENV=production
+
+# Expose port
+EXPOSE 3000
+
+# Start application (exec form required - no shell in distroless)
+CMD ["dist/index.js"]