ci: build and push container for api

.dockerignore

@@ -0,0 +1,3 @@
+/.angular
+/node_modules
+/.git

.github/actions/build-and-deploy-api/action.yml

@@ -17,6 +17,15 @@ inputs:
   sentryAuthToken:
     required: true
     description: "Sentry Auth Token"
+  containerRegistryUrl:
+    required: true
+    description: "Container registry url"
+  containerRegistryUsername:
+    required: true
+    description: "Container registry username"
+  containerRegistryPassword:
+    required: true
+    description: "Container registry password"
 outputs:
   url:
     description: "API URL"
@@ -25,18 +34,41 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - run: envsubst < apps/api/src/.env.template > apps/api/src/.env
+    - name: Set environment
+      run: envsubst < apps/api/src/.env.template > apps/api/src/.env
       env:
         MONGODB_URI: ${{ inputs.mongoUri }}
         ENVIRONMENT_NAME: ${{ inputs.slot }}
         RELEASE_VERSION: ${{ inputs.releaseVersion }}
         SENTRY_KEY: ${{ inputs.sentryKey }}
       shell: bash
-    - run: |
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v2
+      with:
+        registry: ${{ inputs.containerRegistryUrl }}
+        username: ${{ inputs.containerRegistryUsername }}
+        password: ${{ inputs.containerRegistryPassword }}
+    - name: Build app
+      run: |
         npx nx build api --prod
-        cd dist/apps/api
-        npm i --omit=dev --ignore-scripts
       shell: bash
+    - id: node-version-check
+      run: echo "node-version=$(cat .nvmrc | tr -cd '[:digit:].')" >> $GITHUB_OUTPUT
+      shell: bash
+    - name: Build and push image
+      uses: docker/build-push-action@v4
+      with:
+        context: ./
+        file: ./apps/api/Dockerfile
+        build-args: |
+          NODE_VERSION=${{ steps.node-version-check.outputs.node-version}}
+        push: true
+        tags: |
+          ghcr.io/kordis-leitstelle/kordis-api:${{ inputs.releaseVersion}}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
     - name: Deploy API
       id: wa-deployment
       uses: azure/webapps-deploy@v2

.github/workflows/next-deployment.yml

@@ -14,6 +14,10 @@ jobs:
       url: ${{ steps.spa-deployment.outputs.url }}
     outputs:
       spaUrl: ${{ steps.spa-deployment.outputs.url }}
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
@@ -34,6 +38,9 @@ jobs:
           mongoUri: ${{ secrets.DEV_MONGODB_URI }}
           sentryKey: ${{ secrets.API_SENTRY_KEY }}
           sentryAuthToken: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          containerRegistryUrl: ghcr.io
+          containerRegistryUsername: ${{ github.actor }}
+          containerRegistryPassword: ${{ secrets.GITHUB_TOKEN }}
       - name: Apply Database Migrations
         run: ./tools/db/kordis-db.sh apply-pending-migrations
         env:

.github/workflows/preview-deployment.yml

@@ -60,6 +60,10 @@ jobs:
     if: |
       (github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/deploy-preview')) &&
       (needs.comment-handler.outputs.is-admin == 'true')
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -97,6 +101,9 @@ jobs:
           releaseVersion: ${{ github.sha }}
           sentryKey: ${{ secrets.API_SENTRY_KEY }}
           sentryAuthToken: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          containerRegistryUrl: ghcr.io
+          containerRegistryUsername: ${{ github.actor }}
+          containerRegistryPassword: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Deploy SPA
         id: spa-deployment
         uses: ./.github/actions/build-and-deploy-spa
@@ -141,6 +148,10 @@ jobs:
     if: |
       (github.event_name == 'pull_request' && github.event.action == 'synchronize') &&
       (needs.has-deployment.outputs.has-swa == 'true' || needs.has-deployment.outputs.has-wa == 'true')
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
@@ -177,6 +188,9 @@ jobs:
           releaseVersion: ${{ github.sha }}
           sentryKey: ${{ secrets.API_SENTRY_KEY }}
           sentryAuthToken: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          containerRegistryUrl: ghcr.io
+          containerRegistryUsername: ${{ github.actor }}
+          containerRegistryPassword: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Deploy SPA
         id: spa-deployment
         uses: ./.github/actions/build-and-deploy-spa

apps/api/Dockerfile

@@ -0,0 +1,23 @@
+ARG NODE_VERSION
+
+FROM docker.io/node:${NODE_VERSION}-alpine AS builder
+
+WORKDIR /app
+
+# Install dependencies separately for caching
+COPY ./dist/apps/api/package.json ./dist/apps/api/package-lock.json ./
+RUN npm --omit=dev -f install
+
+COPY ./dist/apps/api ./
+
+# Use distroless for maximum security: https://github.com/GoogleContainerTools/distroless
+FROM gcr.io/distroless/nodejs${NODE_VERSION}-debian11
+
+COPY --from=builder /app /app
+WORKDIR /app
+
+ENV PORT=3333
+EXPOSE ${PORT}
+
+
+CMD ["./main.js"]

apps/api/project.json

@@ -58,6 +58,10 @@
 					"codeCoverage": true
 				}
 			}
+		},
+		"docker-build": {
+			"dependsOn": ["build"],
+			"command": "docker build --build-arg NODE_VERSION=$(cat .nvmrc | tr -cd [:digit:].) -f apps/api/Dockerfile . -t api"
 		}
 	},
 	"tags": []