build(docker): restore client.Dockerfile, pin pnpm@10, switch to BuildKit secrets for GHCR auth

client.Dockerfile was deleted by CVG-29 but docker-compose still referenced it - restored from before that commit. pnpm@latest pulls v11 with stricter overrides validation that fails the frozen install; pinning to v10 matches local. Token now passed via BuildKit secret mount instead of build ARG, never persisted in image layers; .npmrc references ${NPM_AUTH_TOKEN} env var.

+155 -47
+4 -4
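--- a/.docker/.manifests/apps__worker__package.json
+++ b/.docker/.manifests/apps__worker__package.json
@@ -19,10 +19,10 @@
     "@nestjs/config": "^4.0.4",
     "@nestjs/core": "^11.1.18",
     "@nestjs/event-emitter": "^3.0.1",
-    "@riotbyte-com/nest-service-locator": "0.3.0-rc.4",
-    "@riotbyte-com/project-q-core": "1.0.19-rc.3",
-    "@riotbyte-com/project-q-nestjs": "1.0.19-rc.3",
-    "@riotbyte-com/project-q-prisma": "1.0.19-rc.3",
+    "@riotbyte-com/nest-service-locator": "0.3.0-rc.8",
+    "@riotbyte-com/project-q-core": "1.0.19-rc.5",
+    "@riotbyte-com/project-q-nestjs": "1.0.19-rc.5",
+    "@riotbyte-com/project-q-prisma": "1.0.19-rc.5",
     "eventemitter2": "^6.4.9",
     "nest-commander": "^3.16.0",
     "playwright": "^1.52.0",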
+11 -2
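--- a/.docker/.manifests/packages__cv-renderer__package.json
+++ b/.docker/.manifests/packages__cv-renderer__package.json
@@ -4,12 +4,21 @@
   "private": true,
   "main": "./src/index.ts",
   "types": "./src/index.ts",
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
   "dependencies": {
-    "handlebars": "^4.7.8"
+    "handlebars": "^4.7.9",
+    "isomorphic-dompurify": "^2.16.0",
+    "marked": "^15.0.0"
   },
   "devDependencies": {
     "@cv/tsconfig": "*",
     "@types/node": "^22.7.5",
-    "typescript": "^5.3.3"
+    "jsdom": "^28.1.0",
+    "typescript": "^5.3.3",
+    "vitest": "^4.0.0"
   }
 }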
+1
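--- a/.docker/.manifests/packages__file-storage__package.json
+++ b/.docker/.manifests/packages__file-storage__package.json
@@ -21,6 +21,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.800.0",
+    "@cv/utils": "*",
     "@nestjs/common": "^11.1.18",
     "@nestjs/config": "^4.0.4",
     "@nestjs/core": "^11.1.18"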
+15 -17
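--- a/.docker/api.Dockerfile
+++ b/.docker/api.Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 FROM node:24-bookworm-slim AS development
 
 # canvas (node-canvas) native build deps
@@ -7,7 +8,7 @@
     libpixman-1-dev libcairo2-dev libpango1.0-dev \
     libjpeg-dev libgif-dev librsvg2-dev \
     && rm -rf /var/lib/apt/lists/*
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -19,13 +20,13 @@
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
 
-# GHCR npm auth for @riotbyte-com packages
-ARG GITHUB_TOKEN
+# .npmrc references NPM_AUTH_TOKEN env var (no token written to disk).
 COPY .npmrc .npmrc
-RUN echo "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}" >> .npmrc
 
-# Layer 3: install
-RUN pnpm install --frozen-lockfile
+# Layer 3: install. BuildKit secret keeps the token out of layer history.
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile
 
 # Layer 4: source code (changes frequently)
 COPY packages/ ./packages/
@@ -47,7 +48,7 @@
     libpixman-1-dev libcairo2-dev libpango1.0-dev \
     libjpeg-dev libgif-dev librsvg2-dev \
     && rm -rf /var/lib/apt/lists/*
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -56,11 +57,11 @@
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
 
-ARG GITHUB_TOKEN
 COPY .npmrc .npmrc
-RUN echo "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}" >> .npmrc
 
-RUN pnpm install --frozen-lockfile
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile
 
 COPY packages/ ./packages/
 COPY apps/api/ ./apps/api/
@@ -78,7 +79,7 @@
     libcairo2 libpango-1.0-0 libpangocairo-1.0-0 \
     libjpeg62-turbo libgif7 librsvg2-2 libpixman-1-0 \
     && rm -rf /var/lib/apt/lists/*
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -87,11 +88,11 @@
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
 
-ARG GITHUB_TOKEN
 COPY .npmrc .npmrc
-RUN echo "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}" >> .npmrc
 
-RUN pnpm install --frozen-lockfile
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile
 
 # Copy Prisma schema + config, generate client in prod node_modules context
 COPY packages/core/prisma/ ./packages/core/prisma/
@@ -100,9 +101,6 @@
 
 # Copy bundled output (single file, @cv/* packages inlined)
 COPY --from=builder /app/apps/api/dist/ ./apps/api/dist/
-
-# Remove auth token from final image
-RUN sed -i '/_authToken/d' .npmrc
 
 ENV NODE_ENV=production
 EXPOSE 3000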
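Review bot: With `required=true` on every secret mount, a plain `docker build` or any CI job that does not pass the secret now fails at the install layer, and nothing in the file says how to supply it; a header comment such as `# Build: docker build --secret id=github_token,env=GITHUB_TOKEN -f .docker/api.Dockerfile .` (compose does this through the build `secrets:` block) would save the next person a confusing failure. The same applies to worker.Dockerfile, docs.Dockerfile and client.Dockerfile in this commit. Note also that the production stage still ships `.npmrc` containing the `${NPM_AUTH_TOKEN}` reference now that the `sed` cleanup is gone; that is acceptable since no token value is on disk, but any pnpm command run in that image without the variable defined will print the warning the compose change silences for the api dev service.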
+72
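--- /dev/null
+++ b/.docker/client.Dockerfile
@@ -0,0 +1,72 @@
+# syntax=docker/dockerfile:1.7
+FROM node:24-bookworm-slim AS development
+
+RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
+RUN corepack enable && corepack prepare pnpm@10 --activate
+
+WORKDIR /app
+
+# Layer 1: workspace config + lockfile
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml lerna.json ./
+
+# Layer 2: package.json manifests only
+COPY .docker/.manifests/ /tmp/manifests/
+COPY .docker/restore-manifests.sh /tmp/
+RUN sh /tmp/restore-manifests.sh /tmp/manifests
+
+# .npmrc references NPM_AUTH_TOKEN env var (no token on disk).
+COPY .npmrc .npmrc
+
+# Layer 3: install (skip native addon builds — canvas is server-only).
+# Workspace lockfile pulls @riotbyte-com/* even though client doesn't use them.
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile --ignore-scripts
+
+# Layer 4: source code
+COPY packages/ ./packages/
+COPY apps/client/ ./apps/client/
+
+EXPOSE 5173
+
+WORKDIR /app/apps/client
+CMD ["pnpm", "dev"]
+
+# ---- Production build ----
+FROM node:24-bookworm-slim AS builder
+
+RUN corepack enable && corepack prepare pnpm@10 --activate
+
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml lerna.json ./
+COPY .docker/.manifests/ /tmp/manifests/
+COPY .docker/restore-manifests.sh /tmp/
+RUN sh /tmp/restore-manifests.sh /tmp/manifests
+
+COPY .npmrc .npmrc
+
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile --ignore-scripts
+
+COPY packages/ ./packages/
+COPY apps/client/ ./apps/client/
+
+ARG VITE_SERVER_URL
+ARG VITE_DOCS_URL
+ENV VITE_SERVER_URL=${VITE_SERVER_URL}
+ENV VITE_DOCS_URL=${VITE_DOCS_URL}
+
+WORKDIR /app/apps/client
+RUN pnpm exec vite build
+
+# ---- Production serve ----
+FROM nginx:alpine AS production
+
+COPY --from=builder /app/apps/client/dist /usr/share/nginx/html
+COPY apps/client/nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+
+CMD ["nginx", "-g", "daemon off;"]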
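Review bot: The restored file pulls `nginx:alpine` and `node:24-bookworm-slim` by floating tag in all three stages, so two builds of the same commit can produce different images and an upstream tag change reaches production unreviewed; the other Dockerfiles in this commit share the pattern, but this file is new and is the natural place to start. Pin at least the production stage by digest, `FROM nginx:alpine@sha256:<digest> AS production`, and bump the pin deliberately. A one-line comment above the first `--mount=type=secret` naming the expected secret id (`github_token`) and that `required=true` makes a build without it fail would also help anyone running `docker build` outside compose.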
+17 -5
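--- a/.docker/docs.Dockerfile
+++ b/.docker/docs.Dockerfile
@@ -1,7 +1,8 @@
+# syntax=docker/dockerfile:1.7
 FROM node:24-bookworm-slim AS development
 
 RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -13,8 +14,14 @@
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
 
-# Layer 3: install (skip native addon builds — canvas is server-only)
-RUN pnpm install --frozen-lockfile --ignore-scripts
+# .npmrc references NPM_AUTH_TOKEN env var (no token on disk).
+COPY .npmrc .npmrc
+
+# Layer 3: install (skip native addon builds — canvas is server-only).
+# Workspace lockfile pulls @riotbyte-com/* even though docs doesn't use them.
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile --ignore-scripts
 
 # Layer 4: source code
 COPY packages/ ./packages/
@@ -28,7 +35,7 @@
 # ---- Production build ----
 FROM node:24-bookworm-slim AS builder
 
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -36,7 +43,12 @@
 COPY .docker/.manifests/ /tmp/manifests/
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
-RUN pnpm install --frozen-lockfile --ignore-scripts
+
+COPY .npmrc .npmrc
+
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile --ignore-scripts
 
 COPY packages/ ./packages/
 COPY apps/docs/ ./apps/docs/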
+15 -17
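--- a/.docker/worker.Dockerfile
+++ b/.docker/worker.Dockerfile
@@ -1,7 +1,8 @@
+# syntax=docker/dockerfile:1.7
 FROM node:24-bookworm-slim AS development
 
 RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -13,13 +14,13 @@
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
 
-# GHCR npm auth for @riotbyte-com packages
-ARG GITHUB_TOKEN
+# .npmrc references NPM_AUTH_TOKEN env var (no token on disk).
 COPY .npmrc .npmrc
-RUN echo "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}" >> .npmrc
 
-# Layer 3: install
-RUN pnpm install --frozen-lockfile
+# Layer 3: install. BuildKit secret keeps the token out of layer history.
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile
 
 # Layer 4: source code
 COPY packages/tsconfig/ ./packages/tsconfig/
@@ -41,7 +42,7 @@
 # ---- Production build ----
 FROM node:24-bookworm-slim AS builder
 
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -50,11 +51,11 @@
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
 
-ARG GITHUB_TOKEN
 COPY .npmrc .npmrc
-RUN echo "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}" >> .npmrc
 
-RUN pnpm install --frozen-lockfile
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile
 
 COPY packages/tsconfig/ ./packages/tsconfig/
 COPY packages/core/ ./packages/core/
@@ -70,7 +71,7 @@
 # ---- Production runtime ----
 FROM node:24-bookworm-slim AS production
 
-RUN corepack enable && corepack prepare pnpm@latest --activate
+RUN corepack enable && corepack prepare pnpm@10 --activate
 
 WORKDIR /app
 
@@ -79,20 +80,17 @@
 COPY .docker/restore-manifests.sh /tmp/
 RUN sh /tmp/restore-manifests.sh /tmp/manifests
 
-ARG GITHUB_TOKEN
 COPY .npmrc .npmrc
-RUN echo "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}" >> .npmrc
 
-RUN pnpm install --frozen-lockfile --prod
+RUN --mount=type=secret,id=github_token,required=true \
+    NPM_AUTH_TOKEN=$(cat /run/secrets/github_token) \
+    pnpm install --frozen-lockfile --prod
 
 # Install Chromium + system deps via Playwright
 RUN cd apps/worker && pnpm exec playwright install --with-deps chromium
 
 # Copy compiled output
 COPY --from=builder /app/apps/worker/dist/ ./apps/worker/dist/
-
-# Remove auth token from final image
-RUN sed -i '/_authToken/d' .npmrc
 
 ENV NODE_ENV=production
 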
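Review bot: In the production stage, `RUN cd apps/worker && pnpm exec playwright install --with-deps chromium` now runs after the secret mount has ended and before anything defines NPM_AUTH_TOKEN, so pnpm reads the `.npmrc` line `//npm.pkg.github.com/:_authToken=${NPM_AUTH_TOKEN}` with the variable unset; that produces the warning the compose change describes, or a failed layer if this pnpm version treats an unresolved reference as an error. Defining it empty for just that command, `RUN cd apps/worker && NPM_AUTH_TOKEN= pnpm exec playwright install --with-deps chromium`, keeps the token out of the step and avoids baking an `ENV` into the runtime image. A short comment on that line explaining why the variable is set empty would stop someone from "fixing" it by mounting the secret there.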
+1
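--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@
 prefer-workspace-packages=true
 public-hoist-pattern[]=@prisma/*
 @riotbyte-com:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${NPM_AUTH_TOKEN}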
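Review bot: The committed `_authToken=${NPM_AUTH_TOKEN}` line now applies to every pnpm invocation in the workspace, including developers running pnpm on the host, who will hit the unresolved-variable warning (or an install failure, depending on pnpm version) whenever the variable is not exported, and nothing in the repo tells them that. A comment directly above the line, `# NPM_AUTH_TOKEN must be exported in the shell (GitHub token with package read access) for @riotbyte-com installs; never put the value in this file`, documents the contract the Dockerfiles and compose now rely on.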
+19 -2
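--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,11 +20,15 @@
       context: .
       dockerfile: .docker/api.Dockerfile
       target: development
+      secrets:
+        - github_token
       additional_contexts:
         project-q: ${PROJECT_Q_PATH:?Set PROJECT_Q_PATH to your local project-q checkout}
         nest-service-locator: ${NEST_SERVICE_LOCATOR_PATH:-/Users/niels/Developer/riotbyte/nest-service-locator}
     environment:
-      PORT: ${SERVER_PORT:-3000}
+      # PORT defaults to 3000 in env.validation.ts. Don't override it here:
+      # the container always binds 3000 internally; host-side port is
+      # remapped via the ports: block below using SERVER_PORT.
       JWT_SECRET: ${JWT_SECRET:-your-super-secret-jwt-key-here}
       JWT_ACCESS_TOKEN_EXPIRY: ${JWT_ACCESS_TOKEN_EXPIRY:-15m}
       JWT_REFRESH_TOKEN_EXPIRY: ${JWT_REFRESH_TOKEN_EXPIRY:-7d}
@@ -34,6 +38,9 @@
       POSTGRES_DB: ${POSTGRES_DB:-cv}
       ENCRYPTION_KEY: ${ENCRYPTION_KEY:-dev-encryption-key-32-chars-long!}
       RESEND_API_KEY: ${RESEND_API_KEY:-}
+      # Silence the .npmrc warning at runtime - install used a BuildKit secret,
+      # the value isn't needed for pnpm dev but is referenced in .npmrc.
+      NPM_AUTH_TOKEN: ""
       LLAMA_URL: ${LLAMA_URL:-http://host.docker.internal:8080}
       AI_TIMEOUT: ${AI_TIMEOUT:-300000}
       AI_MAX_TOKENS: ${AI_MAX_TOKENS:-8192}
@@ -53,7 +60,7 @@
       - ./packages/file-upload/src:/app/packages/file-upload/src
       - ./packages/core/src:/app/packages/core/src
       - worker-output:/app/pdf-output:ro
-    command: sh -c "cd /app/apps/api && pnpm prisma generate && pnpm prisma:deploy && pnpm dev"
+    command: sh -c "cd /app/apps/api && pnpm prisma:generate && pnpm prisma:deploy && pnpm dev"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
       interval: 15s
@@ -66,6 +73,8 @@
       context: .
       dockerfile: .docker/client.Dockerfile
       target: development
+      secrets:
+        - github_token
     environment:
       VITE_SERVER_URL: ${VITE_SERVER_URL:-http://localhost:3000}
       VITE_PROXY_TARGET: http://api:3000
@@ -94,6 +103,8 @@
       context: .
       dockerfile: .docker/worker.Dockerfile
       target: development
+      secrets:
+        - github_token
       additional_contexts:
         project-q: ${PROJECT_Q_PATH:?Set PROJECT_Q_PATH to your local project-q checkout}
         nest-service-locator: ${NEST_SERVICE_LOCATOR_PATH:-/Users/niels/Developer/riotbyte/nest-service-locator}
@@ -123,6 +134,8 @@
       context: .
       dockerfile: .docker/docs.Dockerfile
       target: development
+      secrets:
+        - github_token
     environment:
       VITE_CLIENT_URL: ${VITE_CLIENT_URL:-http://localhost:5173}
       VITE_SERVER_URL: ${VITE_SERVER_URL:-http://localhost:3000}
@@ -185,3 +198,7 @@
 volumes:
   db-data:
   worker-output:
+
+secrets:
+  github_token:
+    environment: GITHUB_TOKEN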
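Review bot: `NPM_AUTH_TOKEN: ""` is added only to the api service, yet client, worker and docs also run pnpm at container start (client.Dockerfile's dev stage ends in `CMD ["pnpm", "dev"]`) and, as far as these hunks show, their environment blocks do not define the variable, so they will emit the same .npmrc warning this change silences for api. Add `NPM_AUTH_TOKEN: ""` to those three services as well, or lift it into a shared YAML anchor so the four stay in step. The top-level `secrets: github_token: environment: GITHUB_TOKEN` form relies on Compose support for the `environment` secret source; if that is a recent addition in your toolchain, a comment next to it stating the minimum Compose version would turn an opaque parse error on older installs into an obvious one.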