chore: Refactor Docker setup — single multi-stage Dockerfile + AIO image #2
Merged: bun4uk merged 6 commits on May 19, 2026
Conversation
bun4uk added a commit that referenced this pull request on May 19, 2026
The CVE-2026-24049 mitigation from the original root Dockerfile (commit d91576e) was dropped when the build moved to docker/Dockerfile in #2. Re-add the rm -rf for /usr/lib/python*/site-packages/setuptools/_vendor/wheel-*.dist-info inside the aio target's apk RUN. See vex/chadmin.openvex.json for rationale.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bun4uk added a commit that referenced this pull request on May 19, 2026
The Critical CVE-2023-27482 finding cleared in v2.0.1 because PR #2 bumped the base from alpine3.22 (supervisor 4.2.5-r5, matched by the scanner) to alpine3.23 (supervisor 4.3.0-r0, out of range) — not because Docker Scout honored the cosign-attached VEX. CVE-2026-24049 is handled directly by the wheel-*.dist-info removal in docker/Dockerfile.

Removing the unproven layer of complexity:
- vex/chadmin.openvex.json deleted
- cosign install + attest steps removed from docker-publish.yml
- id-token: write permission no longer needed

If a scanner false-positive comes back, VEX can be reintroduced in a few minutes — keeping it speculatively was not paying for itself.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
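The removal step referred to in both commit messages above (the rm -rf of the setuptools-vendored wheel-*.dist-info directory in the aio target's RUN line, and the note that CVE-2026-24049 is handled by that removal), written out as an added example. This is not the project's Dockerfile or any of its scripts: the function names strip_vendored_wheel_metadata and check_no_vendored_wheel_metadata are hypothetical, and the ROOT argument exists only so the step can be exercised against a constructed directory tree instead of a live image. The point it shows is that image scanners identify installed Python distributions by their *.dist-info metadata, so deleting only that metadata directory silences a finding for a vendored copy the image never uses while leaving the setuptools package itself intact; the verification function makes the build fail loudly instead of silently shipping the metadata again.

```shell
#!/bin/sh
# Added example, not the project's code. Body of the aio target's cleanup
# step as two shell functions so it can be tested against a fake tree.
set -eu

# Remove every setuptools-vendored wheel dist-info directory below ROOT
# (default: the real filesystem root, which is what the Dockerfile RUN
# line would use). Prints the number of directories removed, so a build
# log shows whether the path still matched after a base-image bump.
strip_vendored_wheel_metadata() {
    root="${1:-/}"
    root="${root%/}"   # "/" becomes "" so the paths below stay single-slashed
    removed=0
    for d in "$root"/usr/lib/python*/site-packages/setuptools/_vendor/wheel-*.dist-info; do
        [ -d "$d" ] || continue   # glob matched nothing: leave the literal pattern alone
        rm -rf "$d"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Verification for the same RUN line (or for an image test): returns 0
# when no vendored wheel metadata remains below ROOT, 1 when any does.
check_no_vendored_wheel_metadata() {
    root="${1:-/}"
    root="${root%/}"
    for d in "$root"/usr/lib/python*/site-packages/setuptools/_vendor/wheel-*.dist-info; do
        [ -e "$d" ] && return 1
    done
    return 0
}

# Usage inside the image build (hypothetical RUN line, root = /):
#   strip_vendored_wheel_metadata / && check_no_vendored_wheel_metadata /
```

Because the glob is the only thing tying the step to the layout, both functions do nothing if a future base image relocates site-packages; the count printed by the first function and a scanner run on the published image remain the checks that confirm the mitigation is still in effect.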
Summary
Consolidates the Docker setup from a fragmented multi-file layout into a clean, security-hardened structure under docker/.

What changed

Dockerfile (Dockerfile → docker/Dockerfile)
- Moved to docker/ and restructured as a proper multi-stage build:
  - vendor — Composer deps via the composer:2.9.8 image
  - frontend — Node 24 + Vite build via node:24.15.0-alpine3.23
  - base — php:8.5.5-fpm-alpine3.23 runtime only (no nginx/supervisor)
  - aio — all-in-one target: adds nginx + supervisord into a single image for zero-dependency deployments (e.g. docker run -p 80:80)
- chadmin (UID 1984) owns the app files and runs PHP-FPM
- Dockerfile at root deleted

Configs (docker/configs/)
- nginx.conf — main nginx config extracted from legacy docker/prod/nginx.conf
- nginx-chadmin.conf — vhost config (was nested under docker/dev/nginx/)
- php-fpm.conf — pool config (was docker/prod/php-fpm.conf)
- supervisord.conf — manages nginx + php-fpm processes inside the aio target

Entrypoint (docker/aio-entrypoint.sh)
- was docker/entrypoint.sh
- APP_SECRET fallback if not set, preventing a container crash on first run without full env config

docker-compose.yml
- Replaces the nginx + php Dockerfiles with:
  - nginxinc/nginx-unprivileged:1.31.0-alpine3.23-slim — rootless nginx out of the box
  - docker/Dockerfile base target for PHP-FPM
  - composer:latest and node:24.15.0-alpine3.23 images for deps
- Unix socket (php-sock volume) for nginx ↔ PHP-FPM communication instead of TCP

Deleted
- docker/dev/nginx/Dockerfile, docker/dev/php/Dockerfile — replaced by official images
- docker/prod/nginx.conf, php-fpm.conf, php.ini, supervisord.conf — consolidated into docker/configs/

Why
- nginx-unprivileged (UID 1984)
- docker/configs/
- aio target: one image, one docker run

Testing
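The APP_SECRET fallback described under Entrypoint above, as an added example. This is not the project's docker/aio-entrypoint.sh; the function names generate_secret, ensure_app_secret and run_aio, the APP_SECRET_SOURCE variable and the supervisord config path in the comment are all assumptions made for the example. It shows the failure mode the PR text names (a first docker run with no env configured would otherwise crash the container), the fallback that avoids it, and the caveat that matters for anyone relying on it: a generated secret lives only for that container run, so anything signed with it (sessions, tokens) is invalidated on restart, which is why production should always set APP_SECRET explicitly.

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Supplies an APP_SECRET
# fallback when the variable is unset or empty, generated from
# /dev/urandom with busybox-available tools (no openssl dependency).
set -eu

# 32 random bytes rendered as 64 lowercase hex characters.
generate_secret() {
    head -c 32 /dev/urandom | od -An -v -t x1 | tr -d ' \n'
}

# Ensure APP_SECRET is set and exported. Records where the value came
# from in APP_SECRET_SOURCE ("env" = provided by the operator,
# "generated" = fallback for this run only, not persisted anywhere).
ensure_app_secret() {
    if [ -n "${APP_SECRET:-}" ]; then
        APP_SECRET_SOURCE=env
    else
        APP_SECRET="$(generate_secret)"
        APP_SECRET_SOURCE=generated
        # Warn on stderr without echoing the value; container logs are often collected.
        echo "aio-entrypoint: APP_SECRET not set, generated a random fallback for this run (not persisted; set APP_SECRET for production)" >&2
    fi
    export APP_SECRET
}

# What the real entrypoint would do last: exec the process manager, which
# inherits the exported APP_SECRET. Not invoked in this stand-alone demo.
run_aio() {
    ensure_app_secret
    exec "$@"   # e.g. supervisord -c /etc/supervisord.conf (hypothetical path)
}

# Stand-alone demonstration: report only the source and length, never the value.
ensure_app_secret
echo "APP_SECRET source: $APP_SECRET_SOURCE, length ${#APP_SECRET}"
```

The empty-string case is treated the same as unset on purpose: a compose file with `APP_SECRET=${APP_SECRET}` and no host value hands the container an empty variable, which would otherwise pass an unset-only check and still crash the application.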