ci: Docker move build stage outside container (no-changelog) (#16009)

2025-12-16 09:36:44 +00:00 · 2025-06-25 12:52:16 +01:00
parent 3f6eef1706
commit 909b65d266
14 changed files with 949 additions and 350 deletions
--- a/docker/images/n8n-base/Dockerfile
+++ b/docker/images/n8n-base/Dockerfile
@@ -1,37 +1,34 @@
 ARG NODE_VERSION=22

-# 1. Use a builder step to download various dependencies
+# ==============================================================================
+# STAGE 1: Builder for Base Dependencies
+# ==============================================================================
 FROM node:${NODE_VERSION}-alpine AS builder

 # Install fonts
-RUN	\
-	apk --no-cache add --virtual fonts msttcorefonts-installer fontconfig && \
-	update-ms-fonts && \
-	fc-cache -f && \
-	apk del fonts && \
-	find  /usr/share/fonts/truetype/msttcorefonts/ -type l -exec unlink {} \;
+RUN \
+  apk --no-cache add --virtual .build-deps-fonts msttcorefonts-installer fontconfig && \
+  update-ms-fonts && \
+  fc-cache -f && \
+  apk del .build-deps-fonts && \
+  find /usr/share/fonts/truetype/msttcorefonts/ -type l -exec unlink {} \;

-# Install git and other OS dependencies
-RUN apk add --update git openssh graphicsmagick tini tzdata ca-certificates libc6-compat jq
+# Install essential OS dependencies
+RUN apk add --no-cache git openssh graphicsmagick tini tzdata ca-certificates libc6-compat jq

-# Update npm and install full-uci
-COPY .npmrc /usr/local/etc/npmrc
-RUN npm install -g corepack@0.33 full-icu@1.5.0
+# Update npm, install full-icu and npm@11.4.2 to fix brace-expansion vulnerability
+# Remove npm update after vulnerability is fixed in in node image
+RUN npm install -g full-icu@1.5.0 npm@11.4.2

-# Activate corepack, and install pnpm
-WORKDIR /tmp
-COPY package.json ./
-RUN corepack enable && corepack prepare --activate
+RUN apk del apk-tools && \
+  rm -rf /tmp/* /root/.npm /root/.cache/node /opt/yarn* /var/cache/apk/* /lib/apk/db

-# Cleanup
-RUN	rm -rf /lib/apk/db /var/cache/apk/ /tmp/* /root/.npm /root/.cache/node /opt/yarn*
-
-# 2. Start with a new clean image and copy over the added files into a single layer
+# ==============================================================================
+# STAGE 2: Final Base Runtime Image
+# ==============================================================================
 FROM node:${NODE_VERSION}-alpine
-COPY --from=builder / /

-# Delete this folder to make the base image backward compatible to be able to build older version images
-RUN rm -rf /tmp/v8-compile-cache*
+COPY --from=builder / /

 WORKDIR /home/node
 ENV NODE_ICU_DATA=/usr/local/lib/node_modules/full-icu
--- a/docker/images/n8n/Dockerfile
+++ b/docker/images/n8n/Dockerfile
@@ -1,81 +1,75 @@
 ARG NODE_VERSION=22
-
-# 1. Create an image to build n8n
-FROM --platform=linux/amd64 n8nio/base:${NODE_VERSION} AS builder
-
-# Build the application from source
-WORKDIR /src
-COPY . /src
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store --mount=type=cache,id=pnpm-metadata,target=/root/.cache/pnpm/metadata DOCKER_BUILD=true pnpm install --frozen-lockfile
-RUN pnpm build
-
-# Delete all dev dependencies
-RUN node .github/scripts/trim-fe-packageJson.js
-# We don't want to remove all patches because we want them still to be applied
-# in `pnpm deploy`. However, we need to remove FE patches because we trim the FE
-# package.json files and `pnpm deploy` will fail otherwise. element-plus is the
-# only FE patch that we need to remove.
-RUN jq '.pnpm.patchedDependencies |= with_entries(select(.key | startswith("pdfjs-dist") or startswith("pkce-challenge")))' package.json > package.json.tmp; mv package.json.tmp package.json
-
-# Delete any source code or typings
-RUN find . -type f -name "*.ts" -o -name "*.vue" -o -name "tsconfig.json" -o -name "*.tsbuildinfo" | xargs rm -rf
-
-# Deploy the `n8n` package into /compiled
-RUN mkdir /compiled
-RUN NODE_ENV=production DOCKER_BUILD=true pnpm --filter=n8n --prod --no-optional --legacy deploy /compiled
-
-# 2. Start with a new clean image with just the code that is needed to run n8n
-FROM n8nio/base:${NODE_VERSION}
-ENV NODE_ENV=production
-
 ARG N8N_VERSION=snapshot
-ARG N8N_RELEASE_TYPE=dev
-ENV N8N_RELEASE_TYPE=${N8N_RELEASE_TYPE}
+ARG LAUNCHER_VERSION=1.1.3
+ARG TARGETPLATFORM

-LABEL org.opencontainers.image.title="n8n"
-LABEL org.opencontainers.image.description="Workflow Automation Tool"
-LABEL org.opencontainers.image.source="https://github.com/n8n-io/n8n"
-LABEL org.opencontainers.image.url="https://n8n.io"
-LABEL org.opencontainers.image.version=${N8N_VERSION}
+# ==============================================================================
+# STAGE 1: System Dependencies & Base Setup
+# ==============================================================================
+FROM n8nio/base:${NODE_VERSION} AS system-deps
+
+# ==============================================================================
+# STAGE 2: Application Artifact Processor
+# ==============================================================================
+FROM alpine:3.22.0 AS app-artifact-processor
+
+COPY ./compiled /app/
+
+# ==============================================================================
+# STAGE 3: Task Runner Launcher
+# ==============================================================================
+FROM alpine:3.22.0 AS launcher-downloader
+ARG TARGETPLATFORM
+ARG LAUNCHER_VERSION
+
+RUN set -e; \
+    case "$TARGETPLATFORM" in \
+        "linux/amd64") ARCH_NAME="amd64" ;; \
+        "linux/arm64") ARCH_NAME="arm64" ;; \
+        *) echo "Unsupported platform: $TARGETPLATFORM" && exit 1 ;; \
+    esac; \
+    mkdir /launcher-temp && cd /launcher-temp; \
+    wget -q "https://github.com/n8n-io/task-runner-launcher/releases/download/${LAUNCHER_VERSION}/task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz"; \
+    wget -q "https://github.com/n8n-io/task-runner-launcher/releases/download/${LAUNCHER_VERSION}/task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz.sha256"; \
+    echo "$(cat task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz.sha256) task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz" > checksum.sha256; \
+    sha256sum -c checksum.sha256; \
+    mkdir -p /launcher-bin; \
+    tar xzf task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz -C /launcher-bin; \
+    cd / && rm -rf /launcher-temp
+
+# ==============================================================================
+# STAGE 4: Final Runtime Image
+# ==============================================================================
+FROM system-deps AS runtime
+
+ARG N8N_VERSION
+ARG N8N_RELEASE_TYPE=dev
+ENV NODE_ENV=production
+ENV N8N_RELEASE_TYPE=${N8N_RELEASE_TYPE}
+ENV NODE_ICU_DATA=/usr/local/lib/node_modules/full-icu
+ENV SHELL=/bin/sh

 WORKDIR /home/node
-COPY --from=builder /compiled /usr/local/lib/node_modules/n8n
+
+COPY --from=app-artifact-processor /app /usr/local/lib/node_modules/n8n
+COPY --from=launcher-downloader /launcher-bin/* /usr/local/bin/
 COPY docker/images/n8n/docker-entrypoint.sh /
-
-# Setup the Task Runner Launcher
-ARG TARGETPLATFORM
-ARG LAUNCHER_VERSION=1.1.3
 COPY docker/images/n8n/n8n-task-runners.json /etc/n8n-task-runners.json
-# Download, verify, then extract the launcher binary
-RUN \
-	if [[ "$TARGETPLATFORM" = "linux/amd64" ]]; then export ARCH_NAME="amd64"; \
-	elif [[ "$TARGETPLATFORM" = "linux/arm64" ]]; then export ARCH_NAME="arm64"; fi; \
-	mkdir /launcher-temp && \
-	cd /launcher-temp && \
-	wget https://github.com/n8n-io/task-runner-launcher/releases/download/${LAUNCHER_VERSION}/task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz && \
-	wget https://github.com/n8n-io/task-runner-launcher/releases/download/${LAUNCHER_VERSION}/task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz.sha256 && \
-	# The .sha256 does not contain the filename --> Form the correct checksum file
-	echo "$(cat task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz.sha256) task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz" > checksum.sha256 && \
-	sha256sum -c checksum.sha256 && \
-	tar xvf task-runner-launcher-${LAUNCHER_VERSION}-linux-${ARCH_NAME}.tar.gz --directory=/usr/local/bin && \
-	cd - && \
-	rm -r /launcher-temp

-RUN \
-	cd /usr/local/lib/node_modules/n8n && \
-	npm rebuild sqlite3 && \
-	cd - && \
-	ln -s /usr/local/lib/node_modules/n8n/bin/n8n /usr/local/bin/n8n && \
-	mkdir .n8n && \
-	chown node:node .n8n
+RUN ln -s /usr/local/lib/node_modules/n8n/bin/n8n /usr/local/bin/n8n && \
+    mkdir -p /home/node/.n8n && \
+    chown -R node:node /home/node

-# pdfjs-dist has an optional dependency on @napi-rs/canvas, which is required
-# for it to work.
+# Install npm@11.4.2 to fix brace-expansion vulnerability, remove after vulnerability is fixed in node image
+RUN npm install -g npm@11.4.2
 RUN cd /usr/local/lib/node_modules/n8n/node_modules/pdfjs-dist && npm install @napi-rs/canvas

-# Install npm 11.4.1 to fix the vulnerable cross-spawn dependency
-RUN npm install -g npm@11.4.1
-
-ENV SHELL /bin/sh
+EXPOSE 5678/tcp
 USER node
 ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
+
+LABEL org.opencontainers.image.title="n8n" \
+      org.opencontainers.image.description="Workflow Automation Tool" \
+      org.opencontainers.image.source="https://github.com/n8n-io/n8n" \
+      org.opencontainers.image.url="https://n8n.io" \
+      org.opencontainers.image.version=${N8N_VERSION}