Merge pull request #137 from CommonsEngine/docker-x

Fix Docker Setup

Author: kasunben

.github/workflows/docker-publish.yml .github/workflows/docker-release.yml.github/workflows/docker-publish.yml renamed to .github/workflows/docker-release.yml

@@ -1,10 +1,9 @@
-name: Docker Publish
+name: Docker Release
 
 on:
   push:
-    tags: ["*"]
-  release:
-    types: [published]
+    tags:
+      - "v*"
   workflow_dispatch:
 
 env:
@@ -23,6 +22,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -39,15 +41,23 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
+            type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+            type=semver,pattern={{major}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
             type=ref,event=tag
-            type=sha
-            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=latest
 
       - name: Build and push image
         uses: docker/build-push-action@v6
         with:
           context: ${{ env.BUILD_CONTEXT }}
           file: ${{ env.DOCKERFILE }}
           push: true
+          platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_SHA=${{ github.sha }}
+            BUILD_TAG=${{ github.ref_name }}

Dockerfile

@@ -1,82 +1,86 @@
 # syntax=docker/dockerfile:1.7
 
-# ---------- Base dependencies ----------
-FROM node:22-bookworm-slim AS base
+ARG NODE_IMAGE=node:22-bookworm-slim
+
+# ---------- Base image with tooling ----------
+FROM ${NODE_IMAGE} AS base
 
-# set workdir and install common deps
 WORKDIR /app
+
 RUN --mount=type=cache,target=/var/cache/apt \
     apt-get update \
- && apt-get install -y --no-install-recommends ca-certificates curl git tini openssl \
+ && apt-get install -y --no-install-recommends ca-certificates curl git openssh-client tini \
  && rm -rf /var/lib/apt/lists/*
 
 # Use Corepack to pin Yarn deterministically
 ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 RUN corepack enable && corepack prepare [email protected] --activate
 
-# ---------- Dependencies layer ----------
-FROM base AS deps
-
-# Copy package manager files
-COPY package.json yarn.lock ./
-
-# IMPORTANT: skip lifecycle scripts here (prevents running prepare/build before sources exist)
-# RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
-#    yarn install --frozen-lockfile --ignore-scripts
+# ---------- Builder ----------
+FROM base AS build
 
-# Disable optional deps (argon2 has native build, still install)
-RUN yarn install --frozen-lockfile
+ARG BUILD_SHA=dev
+ARG BUILD_TAG=local
 
-# ---------- Build layer ----------
-FROM deps AS build
-
-# Reuse node_modules from deps
-COPY --from=deps /app/node_modules ./node_modules
-# Bring in source (exclude by .dockerignore later)
+# Install dependencies (cached). Force dev deps to be present even though we later build for production.
+COPY package.json yarn.lock ./
 COPY . .
+RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
+    NODE_ENV=development yarn install --frozen-lockfile
 
-# Generate prisma client & build sources
-RUN yarn prisma generate \
- && yarn build
+# Prepare Prisma schema, migrations, seeds (writes sqlite DB under /app/data)
+ENV NODE_ENV=production
+ENV DATABASE_URL=file:/app/data/sovereign.db
+RUN mkdir -p /app/data \
+ && yarn prepare:all
 
-# ---------- Production runtime ----------
-FROM node:22-bookworm-slim AS runtime
+# Build workspaces and manifest/openapi (prebuild hook regenerates manifest)
+RUN NODE_ENV=production yarn build
 
+# ---------- Runtime ----------
+FROM ${NODE_IMAGE} AS runtime
+ARG BUILD_SHA=dev
+ARG BUILD_TAG=local
 WORKDIR /app
+
 ENV NODE_ENV=production
-ENV PORT=5000
+ENV PORT=4000
 ENV DATABASE_URL="file:/app/data/sovereign.db"
 
-# Corepack for Yarn in runtime too (optional if you don't use yarn here)
+# Corepack for runtime (keeps Yarn available for scripts)
 ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-RUN corepack enable && corepack prepare [email protected] --activate
-
-# Bring built app and prisma **artifacts** (client + engine) from build
-# Copy the platform app since the runtime entry is /platform/index.cjs
-COPY --from=build /app/platform ./platform
-COPY --from=build /app/prisma ./prisma
-
-# Copy Prisma client output generated during build (so we don't need prisma CLI now)
-COPY --from=build /app/node_modules/@prisma ./node_modules/@prisma
-COPY --from=build /app/node_modules/.prisma ./node_modules/.prisma
+RUN --mount=type=cache,target=/var/cache/apt \
+    apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates tini \
+ && rm -rf /var/lib/apt/lists/* \
+ && corepack enable && corepack prepare [email protected] --activate
 
-# Copy node_modules from build (matches built artifacts and avoids registry lookups)
-COPY --from=build /app/node_modules ./node_modules
+LABEL org.opencontainers.image.revision="${BUILD_SHA}" \
+      org.opencontainers.image.version="${BUILD_TAG}"
 
-# Copy build artifacts and required folders
+# Copy built artifacts and runtime assets
 COPY --from=build /app/package.json ./package.json
+COPY --from=build /app/yarn.lock ./yarn.lock
+COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/platform ./platform
+COPY --from=build /app/plugins ./plugins
+COPY --from=build /app/tools ./tools
+COPY --from=build /app/data ./data
+COPY --from=build /app/platform/prisma ./prisma
+COPY --from=build /app/manifest.json ./manifest.json
+COPY --from=build /app/openapi.json ./openapi.json
 
-# Prepare persistent data directory for sqlite
-RUN mkdir -p /app/data \
-    && chown node:node /app/data
+VOLUME ["/app/data"]
 
-# Copy entrypoint script
+# Entry + runtime prep
 COPY docker/entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
+RUN chmod +x /entrypoint.sh \
+ && mkdir -p /app/data \
+ && chown -R node:node /app/data
 
 USER node
 
-EXPOSE 5000
+EXPOSE 4000
 
 ENTRYPOINT ["/usr/bin/tini", "--", "/entrypoint.sh"]
 CMD ["node", "platform/index.cjs"]

Makefile

@@ -3,8 +3,8 @@ IMAGE_NAME ?= sovereign
 IMAGE_VERSION ?= local
 DOCKERFILE ?= Dockerfile
 BUILD_CONTEXT ?= .
-HOST_PORT ?= 5000
-CONTAINER_PORT ?= 5000
+HOST_PORT ?= 4000
+CONTAINER_PORT ?= 4000
 DATA_DIR ?= $(CURDIR)/data
 ENV_FILE ?= .env
 CONTAINER_NAME ?= sovereign

README.md

@@ -387,25 +387,28 @@ Environment variables come from your shell or an external manager (e.g., `/etc/p
 
 #### Docker Setup
 
-> ⚠️ Docker setup is being revamped to accomodate new architecture changes.
-
-A multi-stage `Dockerfile` is provided to build and run Sovereign from a container. The image bundles the production build and Prisma client; SQLite data is stored under `/app/data`.
+A multi-stage `Dockerfile` is provided. The image runs `yarn prepare:all` during build (migrations + seeds + manifest/openapi) and ships a pre-seeded SQLite DB at `/app/data/sovereign.db`. Port 4000 is the default.
 
 ##### Build & run locally
 
 ```bash
 docker build -t sovereign:local .
 docker rm -f sovereign 2>/dev/null || true
-mkdir -p ./data
-# run with mounted volume for sqlite persistence
-docker run --rm \
+docker volume rm sovereign-data 2>/dev/null || true
+docker volume create sovereign-data
+
+docker run -d --name sovereign \
   -p 4000:4000 \
-  -v $(pwd)/data:/app/data \
-  --env-file .env \
+  -e PORT=4000 \
+  -v sovereign-data:/app/data \
   sovereign:local
+
 docker logs -f sovereign
 ```
 
+- First run populates the volume with the baked DB (includes non-dev test user `[email protected] / ffp@2025`).
+- If you bind-mount `./data`, ensure it exists and is writable; an empty mount hides the baked DB.
+
 ##### Publish to GHCR
 
 Either you can directoy push to `ghcr` or you can simply tag version from the `main` branch, and it will automatically picked up by GitHub Actions and publish to `ghcr`.

docker/entrypoint.sh

@@ -1,12 +1,27 @@
 #!/usr/bin/env sh
 set -eu
 
-# Ensure data directory exists (should be mounted volume)
-mkdir -p /app/data
+APP_DIR="/app"
+DATA_DIR="${APP_DIR}/data"
+PRISMA_BIN="${APP_DIR}/node_modules/.bin/prisma"
+SCHEMA_PATH="${APP_DIR}/prisma/schema.prisma"
 
-# Run prisma migrations (for sqlite this will just ensure schema); ignore failure to keep backwards compat
-yarn prisma db push --accept-data-loss >/tmp/prisma.log 2>&1 || {
-  echo "[entrypoint] prisma db push failed; see /tmp/prisma.log" >&2
-}
+mkdir -p "$DATA_DIR"
+: "${DATABASE_URL:=file:/app/data/sovereign.db}"
+export DATABASE_URL
+
+if [ ! -x "$PRISMA_BIN" ]; then
+  echo "[entrypoint] Prisma CLI not found at ${PRISMA_BIN}" >&2
+  exit 1
+fi
+
+echo "[entrypoint] Applying migrations (DATABASE_URL=${DATABASE_URL})"
+if ! "$PRISMA_BIN" migrate deploy --schema "$SCHEMA_PATH" >/tmp/prisma.log 2>&1; then
+  echo "[entrypoint] migrate deploy failed, falling back to db push (see /tmp/prisma.log)" >&2
+  "$PRISMA_BIN" db push --accept-data-loss --schema "$SCHEMA_PATH" >/tmp/prisma.log 2>&1 || {
+    echo "[entrypoint] prisma db push failed; see /tmp/prisma.log" >&2
+    exit 1
+  }
+fi
 
 exec "$@"

docs/CLI.md

@@ -55,7 +55,7 @@ Performs **first‑run detection**:
 sv serve --force
 
 # Fast restart with a custom port probe
-sv serve --port 5000
+sv serve --port 4000
 ```
 
 ### `sv serve rebuild [--no-health] [--port <n>] [--ecosystem <path>]`