From 1a94465dba12e2b754c2692f588a4addd63dec2c Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Tue, 3 Feb 2026 22:13:34 +0100
Subject: [PATCH] feat: streamline Docker builds with `.dockerignore` and pass `NPM_TOKEN` as a build secret for pnpm install.
---
 .dockerignore | 12 +++++++++
 .gitea/workflows/pipeline.yml | 8 ++++++
 packages/infra/docker/Dockerfile.gatekeeper | 14 +++++------
 packages/infra/docker/Dockerfile.nextjs | 27 +++++++++------------
 packages/infra/gitea/deploy-action.yml | 2 ++
 5 files changed, 40 insertions(+), 23 deletions(-)
 create mode 100644 .dockerignore
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..ee629eb
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,12 @@
+node_modules
+.next
+.git
+.npmrc
+dist
+build
+out
+coverage
+.vercel
+.turbo
+*.log
+.DS_Store
diff --git a/.gitea/workflows/pipeline.yml b/.gitea/workflows/pipeline.yml
index 2524917..cd4946c 100644
--- a/.gitea/workflows/pipeline.yml
+++ b/.gitea/workflows/pipeline.yml
@@ -106,6 +106,8 @@ jobs:
 file: packages/infra/docker/Dockerfile.nextjs
 platforms: linux/amd64,linux/arm64
 push: true
+ secrets: |
+ NPM_TOKEN=${{ secrets.NPM_TOKEN }}
 tags: |
 registry.infra.mintel.me/mintel/nextjs:${{ github.ref_name }}
 registry.infra.mintel.me/mintel/nextjs:latest
@@ -117,6 +119,8 @@ jobs:
 file: packages/infra/docker/Dockerfile.runtime
 platforms: linux/amd64,linux/arm64
 push: true
+ secrets: |
+ NPM_TOKEN=${{ secrets.NPM_TOKEN }}
 tags: |
 registry.infra.mintel.me/mintel/runtime:${{ github.ref_name }}
 registry.infra.mintel.me/mintel/runtime:latest
@@ -128,6 +132,8 @@ jobs:
 file: packages/infra/docker/Dockerfile.gatekeeper
 platforms: linux/amd64,linux/arm64
 push: true
+ secrets: |
+ NPM_TOKEN=${{ secrets.NPM_TOKEN }}
 tags: |
 registry.infra.mintel.me/mintel/gatekeeper:${{ github.ref_name }}
 registry.infra.mintel.me/mintel/gatekeeper:latest
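Review bot: The ignore list in the new `.dockerignore` has no entry for environment files, and this commit switches both Dockerfiles to `COPY . .`, so any `.env` or `.env.local` sitting in the build context would be written into an image layer that is then pushed to the registry. Adding `.env*` (followed by `!.env.example` if a template has to ship) would close that. The `.npmrc` entry also matches only the file at the context root; `**/.npmrc` would cover per-package copies inside the workspace, if any exist.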
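Review bot: `NPM_TOKEN` is handed to the `Dockerfile.runtime` build at `@@ -117,6 +119,8 @@`, and to `Dockerfile.directus` in the hunk after the gatekeeper one, but the diffstat only touches `Dockerfile.gatekeeper` and `Dockerfile.nextjs`, so nothing visible in this commit mounts the secret in those two builds. If they do not consume it, I would drop the `secrets:` entries there so the registry token is exposed only to the builds that need it. If they do, a one-line comment above each entry such as `# consumed by RUN --mount=type=secret,id=NPM_TOKEN in the Dockerfile` would document the contract.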
@@ -139,6 +145,8 @@ jobs:
 file: packages/infra/docker/Dockerfile.directus
 platforms: linux/amd64,linux/arm64
 push: true
+ secrets: |
+ NPM_TOKEN=${{ secrets.NPM_TOKEN }}
 tags: |
 registry.infra.mintel.me/mintel/directus:${{ github.ref_name }}
 registry.infra.mintel.me/mintel/directus:latest
diff --git a/packages/infra/docker/Dockerfile.gatekeeper b/packages/infra/docker/Dockerfile.gatekeeper
index 7474fba..ebe8d2a 100644
--- a/packages/infra/docker/Dockerfile.gatekeeper
+++ b/packages/infra/docker/Dockerfile.gatekeeper
@@ -6,15 +6,15 @@ WORKDIR /app
 # Enable pnpm
 RUN corepack enable pnpm
-# Install dependencies (using monorepo root context)
-COPY pnpm-lock.yaml pnpm-workspace.yaml package.json .npmrc* ./
-COPY packages/gatekeeper/package.json ./packages/gatekeeper/
-COPY packages/next-utils/package.json ./packages/next-utils/
-COPY packages/tsconfig/package.json ./packages/tsconfig/
-COPY packages/eslint-config/package.json ./packages/eslint-config/
-COPY packages/next-config/package.json ./packages/next-config/
+# Step 2: Install dependencies
+# We copy everything first because we have a .dockerignore
+# and we need the workspace structure for pnpm to work correctly
+COPY . .
+# Use a secret for NPM_TOKEN to authenticate with private registry
 RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
+ --mount=type=secret,id=NPM_TOKEN \
+ export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
 pnpm i --frozen-lockfile
 # Copy source
diff --git a/packages/infra/docker/Dockerfile.nextjs b/packages/infra/docker/Dockerfile.nextjs
index 4327b0c..0b434dd 100644
--- a/packages/infra/docker/Dockerfile.nextjs
+++ b/packages/infra/docker/Dockerfile.nextjs
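Review bot: The install step in `Dockerfile.gatekeeper` exports `NPM_TOKEN` but no longer has an `.npmrc` to apply it to: the old `COPY ... .npmrc* ./` is removed and `.npmrc` is now listed in `.dockerignore`, so unless registry settings reach the image some other way, pnpm sees no auth line that references the variable. The `Dockerfile.nextjs` hunk has the same gap. Either keep a token-free `.npmrc` that only references `${NPM_TOKEN}` in the build context, or mount the file itself as a build secret. Separately, `export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN)` masks a failing `cat`, so a build started without the secret carries on with an empty token; `--mount=type=secret,id=NPM_TOKEN,required=true` makes that fail at the mount instead.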
@@ -1,24 +1,19 @@
+# Step 1: Base image
 FROM node:20-alpine AS base
-
 RUN apk add --no-cache libc6-compat curl
 WORKDIR /app
-
-# Enable pnpm
 RUN corepack enable pnpm
-# Copy root configurations
-COPY pnpm-lock.yaml pnpm-workspace.yaml package.json .npmrc* ./
-
-# Copy all package.json files to allow pnpm install to be cached
-COPY packages/*/package.json ./packages/
-COPY apps/*/package.json ./apps/
-
-# Install dependencies for the entire monorepo
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
- pnpm i --frozen-lockfile
-
-# Copy the rest of the source code
+# Step 2: Install dependencies
+# We copy everything first because we have a .dockerignore
+# and we need the workspace structure for pnpm to work correctly
 COPY . .
-# Post-install/Build shared packages if needed
+# Use a secret for NPM_TOKEN to authenticate with private registry
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
+ --mount=type=secret,id=NPM_TOKEN \
+ export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
+ pnpm i --frozen-lockfile
+
+# Step 3: Build shared packages
 RUN pnpm -r build --filter="./packages/*"
diff --git a/packages/infra/gitea/deploy-action.yml b/packages/infra/gitea/deploy-action.yml
index 2bb1fac..1701f14 100644
--- a/packages/infra/gitea/deploy-action.yml
+++ b/packages/infra/gitea/deploy-action.yml
@@ -199,6 +199,8 @@ jobs:
 NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_base_url }}
 NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
 push: true
+ secrets: |
+ NPM_TOKEN=${{ secrets.NPM_TOKEN }}
 tags: registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:${{ needs.prepare.outputs.image_tag }}
 cache-from: type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache
 cache-to: type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache,mode=max
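Review bot: Putting `COPY . .` ahead of `pnpm i --frozen-lockfile` in `Dockerfile.nextjs` ties the install layer to every file in the context, so any source edit reruns the full install for both platforms; the removed lines copied manifests first to avoid exactly that, and the gatekeeper hunk has the same ordering. `pnpm fetch` works from the lockfile alone, which keeps the workspace layout intact without copying the tree early and confines the token to the one step that talks to the registry. The sketch below assumes registry settings are available to the fetch step; the rest of the stage lies outside this hunk.

```dockerfile
# Step 2: Fetch dependencies from the lockfile only, so this layer is reused until the lockfile changes
COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
    --mount=type=secret,id=NPM_TOKEN \
    export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
    pnpm fetch

# Link the workspace from the already-fetched store; no network access or token in this step
COPY . .
RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
    pnpm i --frozen-lockfile --offline
# … unchanged: Step 3 build of shared packages …
```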