From 67c2af958a9300452eaf41a20c57f31984f9d331 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Mon, 9 Feb 2026 22:26:16 +0100
Subject: [PATCH] fix: docker images

---
 .dockerignore | 2 +-
 packages/infra/docker/Dockerfile.nextjs | 16 +++++++++++-----
 packages/infra/docker/Dockerfile.runtime | 17 ++++++++++-------
 3 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index ee629eb..3590a02 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,7 +1,7 @@
 node_modules
 .next
 .git
-.npmrc
+# .npmrc is allowed as it contains the registry template
 dist
 build
 out
diff --git a/packages/infra/docker/Dockerfile.nextjs b/packages/infra/docker/Dockerfile.nextjs
index b7dcc93..a8c8e16 100644
--- a/packages/infra/docker/Dockerfile.nextjs
+++ b/packages/infra/docker/Dockerfile.nextjs
@@ -5,15 +5,21 @@ WORKDIR /app
 RUN corepack enable pnpm

 # Step 2: Install dependencies
-# We copy everything first because we have a .dockerignore
-# and we need the workspace structure for pnpm to work correctly
-COPY . .
+# Copy manifest files specifically for better layer caching
+COPY pnpm-lock.yaml pnpm-workspace.yaml package.json .npmrc ./
+# Copy all package.json files
+COPY packages/*/package.json ./packages/
+# Note: globbing subdirectories for package.json might require more specific COPY commands
+# if the structure is deep, but for our flat packages/* it works or needs manual listing.
+# Since we have many packages, copying them individually or as a block is better.

-# Use a secret for NPM_TOKEN to authenticate with private registry
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
+# Use a secret for NPM_TOKEN and a standardized cache mount
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
 --mount=type=secret,id=NPM_TOKEN \
 export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
+ pnpm config set store-dir /pnpm/store && \
 pnpm i --frozen-lockfile

 # Step 3: Build shared packages
+COPY . .
 RUN pnpm --filter "./packages/*" -r build
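Review bot: Removing `.npmrc` from the ignore list sends whatever `.npmrc` is in the checkout into the build context, and the Dockerfile.nextjs hunk then copies it into image layers twice (`COPY ... .npmrc ./` and the later `COPY . .`). The new comment assumes the file holds only a registry template, but nothing in the build enforces that, so a literal `_authToken` in a developer's or CI runner's copy would persist in the layer and its history. Consider keeping `.npmrc` ignored and supplying it to the install step with a secret mount such as `--mount=type=secret,id=npmrc,target=/app/.npmrc`, or add a CI check that the committed file only references the `NPM_TOKEN` variable.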
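Review bot: `COPY packages/*/package.json ./packages/` does not keep the per-package directories: a wildcard COPY places every matched file directly in the destination, so each `package.json` overwrites the previous one at `./packages/package.json`, which is the doubt the added comment lines below it already voice. `pnpm i --frozen-lockfile` then runs without the workspace manifests, so the cached install layer probably lacks the dependencies that `pnpm --filter "./packages/*" -r build` needs once `COPY . .` has run. A layout-independent alternative is to copy only `pnpm-lock.yaml` plus the registry configuration, run `pnpm fetch` in the cached, secret-mounted step, and run `pnpm install --offline --frozen-lockfile` after `COPY . .`. The stage's `FROM` line and any later stages are outside this hunk.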
diff --git a/packages/infra/docker/Dockerfile.runtime b/packages/infra/docker/Dockerfile.runtime
index 09f0ea5..6db4b38 100644
--- a/packages/infra/docker/Dockerfile.runtime
+++ b/packages/infra/docker/Dockerfile.runtime
@@ -1,19 +1,22 @@
-FROM node:20-alpine
+FROM node:20-alpine AS runner
+RUN apk add --no-cache libc6-compat curl

-# Install essential production utilities
-RUN apk add --no-cache curl libc6-compat
+WORKDIR /app

-# Set standard production environment
 ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"

-WORKDIR /app
-
 # Create non-root user for security
 RUN addgroup --system --gid 1001 nodejs && \
 adduser --system --uid 1001 nextjs

-# Expose the default Next.js port
+# Set correct permissions
+RUN chown -R nextjs:nodejs /app
+
+USER nextjs
+
 EXPOSE 3000
+
+CMD ["node", "server.js"]
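Review bot: `RUN chown -R nextjs:nodejs /app` runs while `/app` is still empty (this file copies nothing in), so it changes only the directory itself; files that an image presumably built on this one copies in later stay root-owned unless that `COPY` uses `--chown`. Leaving application code root-owned and read-only to `nextjs` is the safer arrangement, so the comment should say that this is intended and which paths the server must write to, for example `# /app is empty here; downstream COPY needs --chown=nextjs:nodejs only for paths the server writes`. Because `USER nextjs` is now set in this image, any downstream `RUN` that needs root has to switch to `USER root` and back, which is worth stating next to the `USER` line. The base `node:20-alpine` and the `apk add` packages are also unpinned; pinning the image by digest (`FROM node:20-alpine@sha256:<digest> AS runner`) would make rebuilds reproducible.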