Vendor @keysat/licensing-client to avoid private-repo auth in Docker build

The keysat-client-ts repo is private. Previous builds were succeeding
purely because Docker layer caching reused a node_modules from when
the repo had been accessible — once anything invalidated the
server/package.json or server/package-lock.json hash (the rename did),
npm in a fresh container hit github with no credentials and 404'd.

Fix: copy the built dist/ from
server/node_modules/@keysat/licensing-client/ into
vendor/keysat-licensing-client/, strip the prepare/build scripts (we
already have the compiled output), and switch the server package.json
dep to a file: path:

    "@keysat/licensing-client": "file:../vendor/keysat-licensing-client"

Dockerfile now COPY's vendor/ before npm ci. No git, no SSH, no
credentials needed in the build container — and the npm step is
pure-local so it's deterministic.

Side cleanup: dropped the apt-install-git + url.insteadOf gymnastics
that existed solely to work around the now-removed git+https resolution.
The image is slightly smaller (no git in the builder stage). Switched
the npm flag to the modern --omit=dev (the legacy --production printed
a warning).

If keysat-client-ts updates, regenerate vendor/ by:

    cp -r server/node_modules/@keysat/licensing-client/{dist,package.json,LICENSE,README.md} \
      vendor/keysat-licensing-client/
    # then strip prepare/build scripts and devDeps from the copied package.json
    # (or just hand-edit if the upstream package.json hasn't changed)
+6
-12
@@ -10,20 +10,14 @@
|
||||
# ── Stage 1: Install Node.js dependencies ──────────────────
|
||||
FROM node:20-slim AS builder
|
||||
|
||||
# git is required by npm to clone the @keysat/licensing-client git+https
|
||||
# dependency. Stripped from the final image (only used in this builder stage).
|
||||
# The url.insteadOf rewrites force npm/git to use https for github.com even
|
||||
# when npm's git resolver tries ssh first — there's no ssh client or key in
|
||||
# this container.
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends git ca-certificates \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
&& git config --global --add url."https://github.com/".insteadOf "ssh://git@github.com/" \
|
||||
&& git config --global --add url."https://github.com/".insteadOf "git@github.com:" \
|
||||
&& git config --global --add url."https://github.com/".insteadOf "git://github.com/"
|
||||
|
||||
# @keysat/licensing-client is a private git repo, so we vendor its built
|
||||
# output into vendor/ and reference it via a file: dep. That removes any
|
||||
# need for git or credentials in the build container.
|
||||
WORKDIR /app
|
||||
COPY vendor/keysat-licensing-client /app/vendor/keysat-licensing-client
|
||||
WORKDIR /app/server
|
||||
COPY server/package.json server/package-lock.json* ./
|
||||
RUN npm ci --production --ignore-scripts 2>/dev/null || npm install --production --ignore-scripts
|
||||
RUN npm ci --omit=dev --ignore-scripts 2>/dev/null || npm install --omit=dev --ignore-scripts
|
||||
|
||||
# ── Stage 2: Final runtime image ───────────────────────────
|
||||
FROM node:20-slim AS runner
|
||||
|
||||
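Review bot: On the install line, `npm ci --omit=dev --ignore-scripts 2>/dev/null || npm install --omit=dev --ignore-scripts` still falls back to `npm install` whenever `npm ci` fails, and the `2>/dev/null` hides why it failed. Together with the `package-lock.json*` glob on the COPY just above, which makes the lockfile optional, a missing or out-of-sync lockfile silently turns the build into a fresh dependency resolution, which is at odds with the deterministic install the commit message describes. Suggest copying `server/package-lock.json` without the glob and running `npm ci --omit=dev --ignore-scripts` on its own, so a lockfile mismatch fails the build with its error visible. Separately, npm by default installs a `file:` directory dependency as a symlink to the vendored path, so the runner stage (not shown in this hunk) needs `/app/vendor/keysat-licensing-client` copied alongside `node_modules`, or the link will dangle at runtime.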