Merge pull request #219 from 0xPolygonID/DEVOPS-1

gseriche · web-flow · commit e8af9512f36b · 2024-11-14T02:32:31.000-03:00
DEVOPS-1 Fix variables missing with ECR
diff --git a/.github/workflows/deployment_new_aws_account.yml b/.github/workflows/deployment_new_aws_account.yml
@@ -33,6 +33,7 @@ jobs:
           role-session-name: GithubActionsSession
 
       - name: Login to Amazon ECR
+        id: login-ecr
         uses: aws-actions/amazon-ecr-login@v1
 
       - name: Install dependencies
@@ -48,12 +49,17 @@ jobs:
       - name: Build
         run: npm run build
 
+      - name: Set ECR registry
+        run: echo "ECR_REGISTRY=${{ steps.login-ecr.outputs.registry }}" >> $GITHUB_ENV
+      
       - name: Build, tag, and push image to Amazon ECR
         id: build-image
         env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REGISTRY: ${{ env.ECR_REGISTRY }}
           IMAGE_TAG: ${{ github.sha }}
         run: |
+          echo "Using ECR_REGISTRY=$ECR_REGISTRY"
+          echo "Using IMAGE_TAG=$IMAGE_TAG"
           docker build --cache-from $ECR_REGISTRY/$ECR_REPOSITORY:latest -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
           docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
           echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,29 @@
-#Serve the app with NGINX
-FROM nginx:alpine
+# Use a specific version of nginx for better reproducibility
+FROM nginx:1.25.3-alpine
 
-# Copy the build files from the build folder to /usr/share/nginx/html
-COPY build /usr/share/nginx/html
+# Add a non-root user for security
+RUN adduser -D -H -u 1001 nginxuser && \
+    chown -R nginxuser:nginxuser /usr/share/nginx/html && \
+    chown -R nginxuser:nginxuser /var/cache/nginx && \
+    touch /var/run/nginx.pid && \
+    chown -R nginxuser:nginxuser /var/run/nginx.pid
 
-#Replace default nginx.conf with custom configuration
-COPY nginx.conf /etc/nginx/conf.d/default.conf
+# Copy files with specific ownership
+COPY --chown=nginxuser:nginxuser build /usr/share/nginx/html
+COPY --chown=nginxuser:nginxuser nginx.conf /etc/nginx/conf.d/default.conf
 
-# Expose the desired port (default is 80 for NGINX)
+# Set working directory
+WORKDIR /usr/share/nginx/html
+
+# Switch to non-root user
+USER nginxuser
+
+# Expose port
 EXPOSE 80
 
-# Start NGINX
+# Use exec form of CMD for better signal handling
 CMD ["nginx", "-g", "daemon off;"]
+
+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=3s \
+    CMD wget --quiet --tries=1 --spider http://localhost:80/ || exit 1
