fix: stabilize Docker builds by standardizing on ARM64 and explicit stage naming (klz-2026 pattern)

.dockerignore

@@ -0,0 +1,12 @@
+node_modules
+.next
+.git
+.npmrc
+dist
+build
+out
+coverage
+.vercel
+.turbo
+*.log
+.DS_Store

.gitea/workflows/pipeline.yml

@@ -2,13 +2,8 @@ name: Monorepo Pipeline
 
 on:
   push:
-    branches:
-      - main
     tags:
       - 'v*'
-  pull_request:
-    branches:
-      - main
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,6 +13,8 @@ jobs:
   qa:
     name: 🧪 Quality Assurance
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -31,7 +28,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node_version: 20
-          cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -52,6 +48,8 @@ jobs:
     needs: qa
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     env:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -70,7 +68,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node_version: 20
-          cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -86,6 +83,8 @@ jobs:
     needs: qa
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -94,49 +93,64 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: 🔐 Registry Login
-        run: |
-          echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: registry.infra.mintel.me
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASS }}
 
       - name: 🏗️ Build & Push Nextjs Build-Base
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/nextjs:$TAG \
-            -t registry.infra.mintel.me/mintel/nextjs:latest \
-            -f packages/infra/docker/Dockerfile.nextjs \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.nextjs
+          platforms: linux/arm64
+          pull: true
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/nextjs:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/nextjs:latest
 
       - name: 🏗️ Build & Push Production Runtime
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/runtime:$TAG \
-            -t registry.infra.mintel.me/mintel/runtime:latest \
-            -f packages/infra/docker/Dockerfile.runtime \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.runtime
+          platforms: linux/arm64
+          pull: true
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/runtime:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/runtime:latest
 
       - name: 🏗️ Build & Push Gatekeeper (Product)
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/gatekeeper:$TAG \
-            -t registry.infra.mintel.me/mintel/gatekeeper:latest \
-            -f packages/infra/docker/Dockerfile.gatekeeper \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.gatekeeper
+          platforms: linux/arm64
+          pull: true
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/gatekeeper:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/gatekeeper:latest
 
       - name: 🏗️ Build & Push Directus (Base)
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/directus:$TAG \
-            -t registry.infra.mintel.me/mintel/directus:latest \
-            -f packages/infra/docker/Dockerfile.directus \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.directus
+          platforms: linux/arm64
+          pull: true
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/directus:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/directus:latest

packages/infra/docker/Dockerfile.gatekeeper

@@ -1,30 +1,24 @@
-FROM node:20-alpine AS base
-
+# Step 1: Builder stage
+FROM node:20-alpine AS builder
 RUN apk add --no-cache libc6-compat curl
 WORKDIR /app
-
-# Enable pnpm
 RUN corepack enable pnpm
 
-# Install dependencies (using monorepo root context)
-COPY pnpm-lock.yaml pnpm-workspace.yaml package.json .npmrc* ./
-COPY packages/gatekeeper/package.json ./packages/gatekeeper/
-COPY packages/next-utils/package.json ./packages/next-utils/
-COPY packages/tsconfig/package.json ./packages/tsconfig/
-COPY packages/eslint-config/package.json ./packages/eslint-config/
-COPY packages/next-config/package.json ./packages/next-config/
-
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
-    pnpm i --frozen-lockfile
-
-# Copy source
+# Copy source (honoring .dockerignore)
 COPY . .
 
+# Use a secret for NPM_TOKEN to authenticate with private registry
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
+    --mount=type=secret,id=NPM_TOKEN \
+    export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
+    pnpm i --frozen-lockfile
+
 # Build Gatekeeper
 RUN pnpm --filter @mintel/gatekeeper build
 
-# Runner
-FROM base AS runner
+# Step 2: Runner stage
+FROM node:20-alpine AS runner
+RUN apk add --no-cache libc6-compat curl
 WORKDIR /app
 ENV NODE_ENV=production
 RUN addgroup --system --gid 1001 nodejs

packages/infra/docker/Dockerfile.nextjs

@@ -1,24 +1,19 @@
-FROM node:20-alpine AS base
-
+# Step 1: Builder image
+FROM node:20-alpine AS builder
 RUN apk add --no-cache libc6-compat curl
 WORKDIR /app
-
-# Enable pnpm
 RUN corepack enable pnpm
 
-# Copy root configurations
-COPY pnpm-lock.yaml pnpm-workspace.yaml package.json .npmrc* ./
-
-# Copy all package.json files to allow pnpm install to be cached
-COPY packages/*/package.json ./packages/
-COPY apps/*/package.json ./apps/
-
-# Install dependencies for the entire monorepo
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
-    pnpm i --frozen-lockfile
-
-# Copy the rest of the source code
+# Step 2: Install dependencies
+# We copy everything first because we have a .dockerignore
+# and we need the workspace structure for pnpm to work correctly
 COPY . .
 
-# Post-install/Build shared packages if needed
-RUN pnpm -r build --filter="./packages/*"
+# Use a secret for NPM_TOKEN to authenticate with private registry
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
+    --mount=type=secret,id=NPM_TOKEN \
+    export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
+    pnpm i --frozen-lockfile
+
+# Step 3: Build shared packages
+RUN pnpm --filter "./packages/*" -r build

packages/infra/gitea/deploy-action.yml

@@ -24,6 +24,8 @@ jobs:
   prepare:
     name: 🔍 Prepare Environment
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     outputs:
       target:           ${{ steps.determine.outputs.target }}
       image_tag:        ${{ steps.determine.outputs.image_tag }}
@@ -136,6 +138,8 @@ jobs:
     needs: prepare
     if: needs.prepare.outputs.target != 'skip'
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -144,7 +148,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20
-          cache: 'npm'
 
       - name: Install dependencies
         run: npm ci
@@ -171,6 +174,8 @@ jobs:
     needs: prepare
     if: needs.prepare.outputs.target != 'skip'
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -179,23 +184,28 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: 🔐 Registry Login
-        run: |
-          echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: registry.infra.mintel.me
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASS }}
 
       - name: 🏗️ Docker Build & Push
-        env:
-          IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }}
-          NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_base_url }}
-        run: |
-          docker buildx build \
-            --pull \
-            --platform linux/arm64 \
-            --build-arg NEXT_PUBLIC_BASE_URL="$NEXT_PUBLIC_BASE_URL" \
-            --build-arg NEXT_PUBLIC_TARGET="${{ needs.prepare.outputs.target }}" \
-            -t registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:$IMAGE_TAG \
-            --cache-from type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache \
-            --cache-to type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache,mode=max \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.nextjs
+          platforms: linux/arm64
+          pull: true
+          build-args: |
+            NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_base_url }}
+            NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:${{ needs.prepare.outputs.image_tag }}
+          cache-from: type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache
+          cache-to: type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache,mode=max
 
   # ──────────────────────────────────────────────────────────────────────────────
   # JOB 4: Deploy
@@ -205,6 +215,8 @@ jobs:
     needs: [prepare, build, qa]
     if: needs.prepare.outputs.target != 'skip'
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     env:
       TARGET: ${{ needs.prepare.outputs.target }}
       IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }}
@@ -271,6 +283,8 @@ jobs:
     needs: [prepare, deploy]
     if: always()
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: 🔔 Gotify - Success
         if: needs.deploy.result == 'success'

packages/infra/scripts/prune-registry.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -e
+
+# Configuration
+REGISTRY_DATA="/opt/infra/registry/data/docker/registry/v2"
+KEEP_TAGS=5
+
+echo "🏥 Starting Registry & Docker Maintenance..."
+
+# 1. Prune Registry Tags (Filesystem level)
+# This identifies main-* tags and keeps only the latest N
+for repo_dir in "$REGISTRY_DATA/repositories/mintel/"*; do
+    repo_name=$(basename "$repo_dir")
+    tags_dir="$repo_dir/_manifests/tags"
+    
+    if [ -d "$tags_dir" ]; then
+        echo "🔍 Processing repository: mintel/$repo_name"
+        
+        # Get main-* tags sorted by modification time (newest first)
+        main_tags=$(ls -dt "$tags_dir"/main-* 2>/dev/null || true)
+        
+        count=0
+        for tag_path in $main_tags; do
+            ((++count))
+            if [ $count -gt $KEEP_TAGS ]; then
+                echo "  🗑️ Deleting old tag: $(basename "$tag_path")"
+                rm -rf "$tag_path"
+            fi
+        done
+    fi
+done
+
+# 2. Run Garbage Collection
+echo "♻️ Running Registry Garbage Collection..."
+docker exec registry-registry-1 bin/registry garbage-collect /etc/docker/registry/config.yml
+
+# 3. Prune Host Docker resources
+echo "🧹 Pruning Host Docker resources..."
+# Separate prune commands because --filter and --volumes can be incompatible on some versions
+docker system prune -af --filter "until=168h"
+docker volume prune -f
+
+echo "✅ Maintenance complete!"
+df -h /

packages/next-utils/src/index.test.ts

@@ -1,5 +1,5 @@
 import { describe, it, expect } from "vitest";
-import { isValidLang } from "../src/index";
+import { isValidLang } from "./lang";
 
 describe("next-utils", () => {
   it("should validate languages correctly", () => {

packages/next-utils/src/index.ts

@@ -30,12 +30,7 @@ export async function rateLimit(
   submissions[identifier] = now;
 }
 
-export const languages = ["en", "de"] as const;
-export type Lang = (typeof languages)[number];
-
-export function isValidLang(lang: string): lang is Lang {
-  return (languages as readonly string[]).includes(lang);
-}
+export * from "./lang";
 
 export * from "./i18n";
 export * from "./env";

packages/next-utils/src/lang.ts

@@ -0,0 +1,6 @@
+export const languages = ["en", "de"] as const;
+export type Lang = (typeof languages)[number];
+
+export function isValidLang(lang: string): lang is Lang {
+  return (languages as readonly string[]).includes(lang);
+}