Make gitrest docker build install with a frozen lockfile (#23535)

## Description Main desirable change: updates the gitrest docker build to copy `.npmrc` within the docker container before installing, which ensures the subsequent install includes `frozen-lockfile=true`. Fallout from this desire: the previous CI setup for docker builds involved using `flub` to set the package version before the docker build. This makes `pnpm install` with frozen lockfile fail, since the dependency versions of packages within the workspace will be whatever that package version was set to, rather than the version within source control. To fix this, I've updated the docker build to support setting the package version from within the docker container using `flub`, and plumbed through necessary variables in CI to make that possible. Also includes some minor quality improvements to the docker build, such as fixing up deprecated syntax warnings, using a cache mount for the pnpm dependencies, and reducing the footprint of the `runner` build slightly (there's still much more that could be done in that area if we care to invest: we keep around dev deps, for example). [AB#26779](https://dev.azure.com/fluidframework/235294da-091d-4c29-84fc-cdfc3d90890b/_workitems/edit/26779) --------- Co-authored-by: Abram Sanderson <absander@microsoft.com> Co-authored-by: Alex Villarreal <716334+alexvy86@users.noreply.github.com>
microsoft · Jan 14, 2025 · 40d5824 · 40d5824
1 parent 26cb010
commit 40d5824
Show file tree

Hide file tree

Showing 7 changed files with 1,731 additions and 1,400 deletions.
diff --git a/server/gitrest/Dockerfile b/server/gitrest/Dockerfile
@@ -2,37 +2,83 @@
 # Licensed under the MIT License.
 # DisableDockerDetector "No feasible secure solution for OSS repos yet"
 
-FROM node:18.17.1-buster-slim@sha256:cb2a746612c2564d3bd0f871174618337af9d0f4d895df6a623fd7a69ca6e5bd AS base
+FROM node:18.17.1-buster-slim@sha256:cb2a746612c2564d3bd0f871174618337af9d0f4d895df6a623fd7a69ca6e5bd AS runnerbase
+
+ARG SETVERSION_VERSION=dev
+ENV SETVERSION_VERSION=$SETVERSION_VERSION
+
+ARG SETVERSION_CODEVERSION=dev
+ENV SETVERSION_CODEVERSION=$SETVERSION_CODEVERSION
+
+ARG INTERDEPENDENCY_RANGE=^
+ENV INTERDEPENDENCY_RANGE=$INTERDEPENDENCY_RANGE
+
+ARG RELEASE_GROUP=gitrest
+ENV RELEASE_GROUP=$RELEASE_GROUP
+
+ARG BUILD_ROOT=/usr/FluidFramework
+ARG GITREST_ROOT=$BUILD_ROOT/server/gitrest
 
 # Add Tini
-ENV TINI_VERSION v0.18.0
+ENV TINI_VERSION=v0.18.0
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 RUN chmod +x /tini
 
-# Copy over and build the server
-WORKDIR /home/node/server
+FROM runnerbase AS base
+
+# Copy over and build the server. We use the same directory structure as outside of the docker container to ensure flub works smoothly.
+WORKDIR $GITREST_ROOT
 
 COPY package*.json ./
 COPY pnpm*.yaml ./
+COPY .npmrc ./
+COPY lerna.json ./
 COPY scripts/*.* ./scripts/
 COPY .npmrc ./
 
 COPY packages/gitrest/package*.json packages/gitrest/
 COPY packages/gitrest-base/package*.json packages/gitrest-base/
 
+ENV PNPM_HOME="/pnpm"
+# Add package dependency's executables to the PATH. We also add global pnpm executables by including $PNPM_HOME,
+# though it's not leveraged currently.
+ENV PATH="$PNPM_HOME:$GITREST_ROOT/node_modules/.bin:$PATH"
 RUN corepack enable
 
 # Need to set the --unsafe-perm flag since we are doing the install as root. Consider adding an 'app' account so we
 # can do the install as node but then switch to 'app' to run. As app we won't be able to write to installed files
 # and be able to change them.
-# TODO: AB#26779: This Workaround (passing --no-frozen-lockfile) should be removed when possible.
-RUN pnpm install --unsafe-perm --no-frozen-lockfile
+# Using a cache mount for the pnpm store improves the incremental docker build.
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store\
+    pnpm install --unsafe-perm
 
 COPY . .
-RUN npm run build
+
+# Copy over fluid config files to allow flub versioning to work
+WORKDIR $BUILD_ROOT
+COPY --from=root fluidBuild.config.cjs ./fluidBuild.base.config.cjs
+COPY --from=root ./server/gitrest/fluidBuild.docker.config.cjs fluidBuild.config.cjs
+WORKDIR $GITREST_ROOT
+ENV _FLUID_ROOT_=$BUILD_ROOT
+COPY --from=root /scripts/update-package-version.sh ./scripts/update-package-version.sh
+RUN chmod +x ./scripts/update-package-version.sh
+RUN set -eu;\
+if [ "$SETVERSION_VERSION" != "dev" ]; then\
+    echo "Setting package version: $SETVERSION_VERSION";\
+    ./scripts/update-package-version.sh;\
+else\
+    echo "Skipping package version for dev build.";\
+fi
+
+RUN pnpm run build
 
 # Build that actually runs
-FROM base AS runner
+FROM runnerbase AS runner
+
+WORKDIR /home/node/server
+
+COPY --from=base $GITREST_ROOT/node_modules ./node_modules
+COPY --from=base $GITREST_ROOT/packages ./packages
 
 # Expose the port the app runs under
 EXPOSE 3000

diff --git a/server/gitrest/fluidBuild.docker.config.cjs b/server/gitrest/fluidBuild.docker.config.cjs
@@ -0,0 +1,19 @@
+/*!
+ * Copyright (c) Microsoft Corporation and contributors. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+// This file is only used from within the context of a docker build.
+// fluid-build takes dependencies on the structure of the FluidFramework repository.
+// The root fluid build config is renamed to fluidBuild.base.config.cjs within the docker container
+// and this file is also placed at the FF repository root, hence the relative path setup below.
+// This extra config is necessary in the first place as we don't want to copy the entire FF repo into the docker container,
+// thus flub needs to have a pared down set of repoPackages.
+module.exports = {
+	...require("./fluidBuild.base.config.cjs"),
+	repoPackages: {
+		gitrest: {
+			directory: "server/gitrest",
+		},
+	},
+};
diff --git a/server/gitrest/package.json b/server/gitrest/package.json
@@ -13,6 +13,7 @@
 	"scripts": {
 		"build": "npm run build:genver && npm run build:compile && npm run lint",
 		"build:compile": "pnpm run -r --stream build:compile",
+		"build:docker": "docker build . --build-context root=../..",
 		"build:genver": "pnpm run -r --no-sort --stream --no-bail build:genver",
 		"ci:eslint": "pnpm run -r --no-sort --stream --no-bail eslint",
 		"clean": "rimraf --glob dist \"**/*.tsbuildinfo\" \"**/*.build.log\"",
@@ -45,7 +46,7 @@
 		"temp-directory": "nyc/.nyc_output"
 	},
 	"devDependencies": {
-		"@fluid-tools/build-cli": "^0.49.0",
+		"@fluid-tools/build-cli": "0.52.0-315632",
 		"@fluidframework/build-common": "^2.0.3",
 		"@fluidframework/build-tools": "^0.49.0",
 		"@fluidframework/eslint-config-fluid": "^5.4.0",