chore(ci): do not include dev dependencies in docker images (#37481)

2 months ago · 06915142d2
parent 7d90c9d685
commit 06915142d2
7 changed files with 89 additions and 36 deletions
--- a/.github/actions/build-docker/action.yml
+++ b/.github/actions/build-docker/action.yml
@ -75,6 +75,16 @@ runs:
        set -o xtrace
        export DENO_VERSION="${{ inputs.deno-version }}"

+        # Removes unnecessary swc cores to reduce image sized
+        swc_arch='x64'
+        if [[ "${{ inputs.service }}" == 'rocketchat' ]]; then
+          if [[ "${{ inputs.arch }}" == 'arm64' ]]; then
+            swc_arch='arm64'
+          fi
+
+          find /tmp/build/bundle/programs/server/npm/node_modules/meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc -type d -name 'core-*' -not -name "*linux-${swc_arch}-gnu*" -exec rm -rf {} +
+        fi
+
        if [[ "${{ inputs.publish-image }}" == 'true' ]]; then
          LOAD_OR_PUSH="--push"
        else
--- a/.github/actions/meteor-build/action.yml
+++ b/.github/actions/meteor-build/action.yml
@ -42,6 +42,15 @@ runs:
      with:
        swap-size-gb: 4

+    - name: Merge dependencies for build
+      shell: bash
+      if: steps.cache-build.outputs.cache-hit != 'true'
+      run: |
+        # Merge dependencies and devDependencies into a new 'dependencies' field
+        cd apps/meteor
+        cp package.json package.json.bak
+        jq '.dependencies = (.dependencies + .devDependencies) | del(.devDependencies)' package.json > package.json.tmp && mv package.json.tmp package.json
+
    - name: Setup NodeJS
      uses: ./.github/actions/setup-node
      if: steps.cache-build.outputs.cache-hit != 'true'
@ -50,6 +59,7 @@ runs:
        deno-version: ${{ inputs.deno-version }}
        cache-modules: true
        install: true
+        type: 'production'
        NPM_TOKEN: ${{ inputs.NPM_TOKEN }}

    # - name: Free disk space
@ -150,12 +160,41 @@ runs:
          echo "Coverage enabled"
        fi

+        # Restore original package.json so meteor should not copy devDependencies
+        mv apps/meteor/package.json.bak apps/meteor/package.json
+
        yarn build:ci

-    - name: Translation check
-      shell: bash
-      if: steps.cache-build.outputs.cache-hit != 'true'
-      run: yarn turbo run translation-check
+        declare -a meter_modules_to_remove=(
+            "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-darwin-arm64" # Removes 35M
+            "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-linux-x64-musl" # Removes 58M
+            "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-linux-arm64-musl" # Removes 44M
+            "meteor/babel-compiler/node_modules/typescript" # Removes 31M
+            "meteor/babel-compiler/node_modules/@babel" # Removes 14M
+
+            "@rocket.chat/i18n/src" # Removes 16M
+            "typescript" # Removes 19M
+            # "@babel" # Removes 34M - Needed by Minimongo
+        )
+
+        du -s /tmp/dist/bundle
+
+        for dir_path in "${meter_modules_to_remove[@]}"; do
+          path=/tmp/dist/bundle/programs/server/npm/node_modules/${dir_path}
+
+          if [ -d "$path" ]; then
+              rm -rf "$path"
+
+              echo "Removed directory: $path"
+          else
+              echo "Path is not a directory or does not exist: $path"
+          fi
+        done
+
+        # Remove all .d.ts files from node_modules to reduce size
+        # Removes 184M
+        find /tmp/dist/bundle -type f -name "*.d.ts" -delete
+        du -s /tmp/dist/bundle

    - name: Prepare build
      shell: bash
--- a/.github/actions/setup-node/action.yml
+++ b/.github/actions/setup-node/action.yml
@ -12,6 +12,11 @@ inputs:
    required: false
    description: 'Install dependencies'
    type: boolean
+  type:
+    required: false
+    description: 'development or production'
+    type: string
+    default: 'development'
  deno-version:
    required: true
    description: 'Deno version'
@ -46,7 +51,8 @@ runs:
          apps/meteor/ee/server/services/node_modules
          packages/apps-engine/node_modules
          packages/apps-engine/.deno-cache
-        key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('yarn.lock') }}-deno-v${{ inputs.deno-version }}-${{ hashFiles('packages/apps-engine/deno-runtime/deno.lock') }}
+        key: node-modules-${{ inputs.type }}-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}-deno-v${{ inputs.deno-version }}-${{ hashFiles('packages/apps-engine/deno-runtime/deno.lock') }}-v3
+        # key: node-modules-${{ inputs.type }}-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}-deno-v${{ inputs.deno-version }}-${{ hashFiles('packages/apps-engine/deno-runtime/deno.lock') }}-v${{ github.run_id }}
    #
    # Could use this command to list all paths to save:
    # find . -name 'node_modules' -prune | grep -v "/\.meteor/" | grep -v "/meteor/packages/"
@ -70,6 +76,11 @@ runs:
        echo "//registry.npmjs.org/:_authToken=${{ inputs.NPM_TOKEN }}" > ~/.npmrc

    - name: yarn install
-      if: inputs.install
+      if: inputs.install && inputs.type == 'development'
      shell: bash
      run: YARN_ENABLE_HARDENED_MODE=${{ inputs.HARDENED_MODE }} yarn
+
+    - name: yarn install production
+      if: inputs.install && inputs.type == 'production'
+      shell: bash
+      run: YARN_ENABLE_HARDENED_MODE=${{ inputs.HARDENED_MODE }} yarn workspaces focus --all --production
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -66,7 +66,7 @@ jobs:
            --exclude='.git' \
            .

-          SOURCE_HASH=$(sha256sum /tmp/RocketChat-source.tar | awk '{ print $1 }')-v3
+          SOURCE_HASH=$(sha256sum /tmp/RocketChat-source.tar | awk '{ print $1 }')-v8

          # Uncomment the following line to include the run ID in the hash and disable caching between runs
          # SOURCE_HASH=$(sha256sum /tmp/RocketChat-source.tar | awk '{ print $1 }')-${{ github.run_id }}
--- a/apps/meteor/.docker/Dockerfile.alpine
+++ b/apps/meteor/.docker/Dockerfile.alpine
@ -1,3 +1,23 @@
+FROM node:22.16.0-alpine3.20 AS builder
+
+ENV LANG=C.UTF-8
+
+RUN apk add --no-cache python3 make g++ py3-setuptools libc6-compat
+
+COPY . /app
+
+ENV NODE_ENV=production
+
+RUN cd /app/bundle/programs/server \
+    && npm install --omit=dev \
+    # Re install sharp dependencies to ensure proper binary for architecture
+    # We only need the @img folder from sharp dependencies
+    && cd /app/bundle/programs/server/npm/node_modules/sharp \
+    && npm install --omit=dev \
+    && rm -rf ../@img \
+    && mv node_modules/@img ../@img \
+    && rm -rf node_modules
+
 FROM node:22.16.0-alpine3.20

 LABEL maintainer="buildmaster@rocket.chat"
@ -16,16 +36,13 @@ ENV LANG=C.UTF-8
 # and more complex or security conscious daemons run as dedicated users.
 # The daemon user is also handy for locally installed daemons.
 # """
-RUN apk add --no-cache deno ttf-dejavu \
-    && apk add --no-cache --virtual deps shadow python3 make g++ py3-setuptools libc6-compat \
+RUN apk add --no-cache shadow deno ttf-dejavu \
    # Update OpenSSL
    # CVE -> https://scout.docker.com/vulnerabilities/id/CVE-2025-9230?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.21
    && apk upgrade --no-cache openssl \
    && groupmod -n rocketchat nogroup \
    && useradd -u 65533 -r -g rocketchat rocketchat

-COPY --chown=rocketchat:rocketchat . /app
-
 # needs a mongo instance - defaults to container linking with alias 'mongo'
 ENV DEPLOY_METHOD=docker \
    NODE_ENV=production \
@ -37,27 +54,7 @@ ENV DEPLOY_METHOD=docker \

 USER rocketchat

-RUN cd /app/bundle/programs/server \
-    && npm install --omit=dev \
-    && cd /app/bundle/programs/server \
-    && rm -rf npm/node_modules/sharp \
-    && npm install sharp@0.32.6 --no-save \
-    && mv node_modules/sharp npm/node_modules/sharp \
-    # End hack for sharp
-    # # Start hack for isolated-vm...
-    # && rm -rf npm/node_modules/isolated-vm \
-    # && npm install isolated-vm@4.6.0 \
-    # && mv node_modules/isolated-vm npm/node_modules/isolated-vm \
-    # # End hack for isolated-vm
-    && cd /app/bundle/programs/server/npm \
-    && npm rebuild bcrypt --build-from-source \
-    && npm cache clear --force
-
-USER root
-
-RUN apk del deps
-
-USER rocketchat
+COPY --from=builder --chown=rocketchat:rocketchat /app /app

 VOLUME /app/uploads

--- a/package.json
+++ b/package.json
@ -7,7 +7,6 @@
 	"scripts": {
 		"build": "turbo run build",
 		"build:services": "turbo run build --filter=rocketchat-services...",
-		"build:ci": "turbo run build:ci",
 		"testunit": "turbo run testunit",
 		"test-storybook": "turbo run test-storybook",
 		"dev": "turbo run dev --env-mode=loose --parallel --filter=@rocket.chat/meteor...",
--- a/turbo.json
+++ b/turbo.json
@ -22,9 +22,6 @@
 		"lint": {
 			"outputs": []
 		},
-		"translation-check": {
-			"outputs": []
-		},
 		"typecheck": {
 			"outputs": []
 		},