refactor: rename Dockerfile build stage from base to builder

.dockerignore

@@ -0,0 +1,12 @@
+node_modules
+.next
+.git
+.npmrc
+dist
+build
+out
+coverage
+.vercel
+.turbo
+*.log
+.DS_Store

.gitea/workflows/pipeline.yml

@@ -13,6 +13,8 @@ jobs:
   qa:
     name: 🧪 Quality Assurance
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -26,7 +28,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node_version: 20
-          cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -47,6 +48,8 @@ jobs:
     needs: qa
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     env:
       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -65,7 +68,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node_version: 20
-          cache: 'pnpm'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -81,6 +83,8 @@ jobs:
     needs: qa
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -89,49 +93,60 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: 🔐 Registry Login
-        run: |
-          echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: registry.infra.mintel.me
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASS }}
 
       - name: 🏗️ Build & Push Nextjs Build-Base
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/nextjs:$TAG \
-            -t registry.infra.mintel.me/mintel/nextjs:latest \
-            -f packages/infra/docker/Dockerfile.nextjs \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.nextjs
+          platforms: linux/amd64,linux/arm64
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/nextjs:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/nextjs:latest
 
       - name: 🏗️ Build & Push Production Runtime
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/runtime:$TAG \
-            -t registry.infra.mintel.me/mintel/runtime:latest \
-            -f packages/infra/docker/Dockerfile.runtime \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.runtime
+          platforms: linux/amd64,linux/arm64
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/runtime:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/runtime:latest
 
       - name: 🏗️ Build & Push Gatekeeper (Product)
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/gatekeeper:$TAG \
-            -t registry.infra.mintel.me/mintel/gatekeeper:latest \
-            -f packages/infra/docker/Dockerfile.gatekeeper \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.gatekeeper
+          platforms: linux/amd64,linux/arm64
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/gatekeeper:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/gatekeeper:latest
 
       - name: 🏗️ Build & Push Directus (Base)
-        env:
-          TAG: ${{ github.ref_name }}
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            -t registry.infra.mintel.me/mintel/directus:$TAG \
-            -t registry.infra.mintel.me/mintel/directus:latest \
-            -f packages/infra/docker/Dockerfile.directus \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: packages/infra/docker/Dockerfile.directus
+          platforms: linux/amd64,linux/arm64
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: |
+            registry.infra.mintel.me/mintel/directus:${{ github.ref_name }}
+            registry.infra.mintel.me/mintel/directus:latest

packages/infra/docker/Dockerfile.gatekeeper

@@ -1,4 +1,4 @@
-FROM node:20-alpine AS base
+FROM node:20-alpine AS builder
 
 RUN apk add --no-cache libc6-compat curl
 WORKDIR /app
@@ -6,15 +6,15 @@ WORKDIR /app
 # Enable pnpm
 RUN corepack enable pnpm
 
-# Install dependencies (using monorepo root context)
-COPY pnpm-lock.yaml pnpm-workspace.yaml package.json .npmrc* ./
-COPY packages/gatekeeper/package.json ./packages/gatekeeper/
-COPY packages/next-utils/package.json ./packages/next-utils/
-COPY packages/tsconfig/package.json ./packages/tsconfig/
-COPY packages/eslint-config/package.json ./packages/eslint-config/
-COPY packages/next-config/package.json ./packages/next-config/
+# Step 2: Install dependencies
+# We copy everything first because we have a .dockerignore
+# and we need the workspace structure for pnpm to work correctly
+COPY . .
 
+# Use a secret for NPM_TOKEN to authenticate with private registry
 RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
+    --mount=type=secret,id=NPM_TOKEN \
+    export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
     pnpm i --frozen-lockfile
 
 # Copy source

packages/infra/docker/Dockerfile.nextjs

@@ -1,24 +1,19 @@
+# Step 1: Base image
 FROM node:20-alpine AS base
-
 RUN apk add --no-cache libc6-compat curl
 WORKDIR /app
-
-# Enable pnpm
 RUN corepack enable pnpm
 
-# Copy root configurations
-COPY pnpm-lock.yaml pnpm-workspace.yaml package.json .npmrc* ./
-
-# Copy all package.json files to allow pnpm install to be cached
-COPY packages/*/package.json ./packages/
-COPY apps/*/package.json ./apps/
-
-# Install dependencies for the entire monorepo
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
-    pnpm i --frozen-lockfile
-
-# Copy the rest of the source code
+# Step 2: Install dependencies
+# We copy everything first because we have a .dockerignore
+# and we need the workspace structure for pnpm to work correctly
 COPY . .
 
-# Post-install/Build shared packages if needed
-RUN pnpm -r build --filter="./packages/*"
+# Use a secret for NPM_TOKEN to authenticate with private registry
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store/v3 \
+    --mount=type=secret,id=NPM_TOKEN \
+    export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN) && \
+    pnpm i --frozen-lockfile
+
+# Step 3: Build shared packages
+RUN pnpm --filter "./packages/*" -r build

packages/infra/gitea/deploy-action.yml

@@ -24,6 +24,8 @@ jobs:
   prepare:
     name: 🔍 Prepare Environment
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     outputs:
       target:           ${{ steps.determine.outputs.target }}
       image_tag:        ${{ steps.determine.outputs.image_tag }}
@@ -136,6 +138,8 @@ jobs:
     needs: prepare
     if: needs.prepare.outputs.target != 'skip'
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -144,7 +148,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20
-          cache: 'npm'
 
       - name: Install dependencies
         run: npm ci
@@ -171,6 +174,8 @@ jobs:
     needs: prepare
     if: needs.prepare.outputs.target != 'skip'
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -179,23 +184,26 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: 🔐 Registry Login
-        run: |
-          echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: registry.infra.mintel.me
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASS }}
 
       - name: 🏗️ Docker Build & Push
-        env:
-          IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }}
-          NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_base_url }}
-        run: |
-          docker buildx build \
-            --pull \
-            --platform linux/arm64 \
-            --build-arg NEXT_PUBLIC_BASE_URL="$NEXT_PUBLIC_BASE_URL" \
-            --build-arg NEXT_PUBLIC_TARGET="${{ needs.prepare.outputs.target }}" \
-            -t registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:$IMAGE_TAG \
-            --cache-from type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache \
-            --cache-to type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache,mode=max \
-            --push .
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/arm64
+          build-args: |
+            NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_base_url }}
+            NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
+          push: true
+          secrets: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+          tags: registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:${{ needs.prepare.outputs.image_tag }}
+          cache-from: type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache
+          cache-to: type=registry,ref=registry.infra.mintel.me/mintel/${{ github.event.repository.name }}:buildcache,mode=max
 
   # ──────────────────────────────────────────────────────────────────────────────
   # JOB 4: Deploy
@@ -205,6 +213,8 @@ jobs:
     needs: [prepare, build, qa]
     if: needs.prepare.outputs.target != 'skip'
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     env:
       TARGET: ${{ needs.prepare.outputs.target }}
       IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }}
@@ -271,6 +281,8 @@ jobs:
     needs: [prepare, deploy]
     if: always()
     runs-on: docker
+    container:
+      image: catthehacker/ubuntu:act-latest
     steps:
       - name: 🔔 Gotify - Success
         if: needs.deploy.result == 'success'

packages/infra/scripts/prune-registry.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -e
+
+# Configuration
+REGISTRY_DATA="/opt/infra/registry/data/docker/registry/v2"
+KEEP_TAGS=5
+
+echo "🏥 Starting Registry & Docker Maintenance..."
+
+# 1. Prune Registry Tags (Filesystem level)
+# This identifies main-* tags and keeps only the latest N
+for repo_dir in "$REGISTRY_DATA/repositories/mintel/"*; do
+    repo_name=$(basename "$repo_dir")
+    tags_dir="$repo_dir/_manifests/tags"
+    
+    if [ -d "$tags_dir" ]; then
+        echo "🔍 Processing repository: mintel/$repo_name"
+        
+        # Get main-* tags sorted by modification time (newest first)
+        main_tags=$(ls -dt "$tags_dir"/main-* 2>/dev/null || true)
+        
+        count=0
+        for tag_path in $main_tags; do
+            ((++count))
+            if [ $count -gt $KEEP_TAGS ]; then
+                echo "  🗑️ Deleting old tag: $(basename "$tag_path")"
+                rm -rf "$tag_path"
+            fi
+        done
+    fi
+done
+
+# 2. Run Garbage Collection
+echo "♻️ Running Registry Garbage Collection..."
+docker exec registry-registry-1 bin/registry garbage-collect /etc/docker/registry/config.yml
+
+# 3. Prune Host Docker resources
+echo "🧹 Pruning Host Docker resources..."
+# Separate prune commands because --filter and --volumes can be incompatible on some versions
+docker system prune -af --filter "until=168h"
+docker volume prune -f
+
+echo "✅ Maintenance complete!"
+df -h /