Docker Workflows
This skill covers Docker workflows in the monorepo, including multi-stage builds, platform targeting, GitHub Container Registry (GHCR) integration, and container optimization.
Overview
The monorepo uses Docker for:
- •Building production images for deployment
- •Kubernetes job execution (caelundas)
- •Local development environments (Supabase)
- •CI/CD pipelines for testing and deployment
Docker Configuration
Project Structure
applications/caelundas/ Dockerfile # Multi-stage build .dockerignore # Exclude node_modules, etc. docker-compose.yml # Local development
Multi-Stage Build
Caelundas uses multi-stage builds for optimal image size:
# Stage 1: Build FROM node:20-alpine AS builder WORKDIR /app # Copy package files COPY package*.json ./ COPY pnpm-lock.yaml ./ # Install dependencies RUN npm install -g pnpm && pnpm install --frozen-lockfile # Copy source COPY . . # Build application RUN pnpm build # Stage 2: Runtime FROM node:20-alpine AS runner WORKDIR /app # Copy only production dependencies and built app COPY --from=builder /app/dist ./dist COPY --from=builder /app/node_modules ./node_modules COPY --from=builder /app/package.json ./ # Set production environment ENV NODE_ENV=production # Run application CMD ["node", "dist/main.js"]
Benefits of Multi-Stage Builds
- •Smaller image size: Final image only includes runtime dependencies
- •Faster deployments: Less data to transfer
- •Security: Build tools not included in production image
- •Clear separation: Build vs runtime concerns
Platform Targeting
Why Platform Targeting Matters
Apple Silicon Macs (M1/M2) use arm64 architecture, but Kubernetes clusters often run amd64. Building images on Apple Silicon without platform targeting creates incompatible images.
Building for linux/amd64
# Single platform docker build --platform linux/amd64 -t caelundas:latest . # Multi-platform (if needed) docker buildx build --platform linux/amd64,linux/arm64 -t caelundas:latest .
Nx Target Configuration
{
"targets": {
"docker-build": {
"executor": "nx:run-commands",
"options": {
"command": "docker build --platform linux/amd64 -t ghcr.io/jimmypaolini/caelundas:latest .",
"cwd": "applications/caelundas"
}
}
}
}
Verification
Check image platform:
docker inspect ghcr.io/jimmypaolini/caelundas:latest | jq '.[0].Architecture' # Should output: "amd64"
GitHub Container Registry (GHCR)
Authentication
# Login with personal access token echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin # Or use GitHub CLI gh auth token | docker login ghcr.io -u USERNAME --password-stdin
Image Tagging Convention
# Latest tag (main branch) ghcr.io/jimmypaolini/caelundas:latest # Version tag (semantic version) ghcr.io/jimmypaolini/caelundas:v1.2.3 # Commit SHA tag (CI builds) ghcr.io/jimmypaolini/caelundas:sha-abc1234 # Branch tag (feature branches) ghcr.io/jimmypaolini/caelundas:feat-new-feature
Push Images
# Tag image docker tag caelundas:latest ghcr.io/jimmypaolini/caelundas:latest # Push to registry docker push ghcr.io/jimmypaolini/caelundas:latest
Pull Images
# Pull from GHCR docker pull ghcr.io/jimmypaolini/caelundas:latest # Run locally docker run ghcr.io/jimmypaolini/caelundas:latest
Docker Compose
Local Development
# docker-compose.yml
version: "3.8"
services:
app:
build:
context: .
dockerfile: Dockerfile
target: builder # Use builder stage for hot reload
volumes:
- ./src:/app/src # Mount source for hot reload
- ./output:/app/output # Mount output directory
environment:
- NODE_ENV=development
- START_DATE=2024-01-01
- END_DATE=2024-12-31
command: pnpm develop
Running with Docker Compose
# Start services docker-compose up # Rebuild on changes docker-compose up --build # Run in background docker-compose up -d # Stop services docker-compose down # View logs docker-compose logs -f app
Image Optimization
Reduce Image Size
- •Use Alpine base images:
node:20-alpinevsnode:20(~100MB vs ~900MB) - •Multi-stage builds: Only include runtime dependencies
- •Layer caching: Copy package files before source
- •Remove dev dependencies:
pnpm install --prod - •Clean build artifacts:
RUN rm -rf /tmp/* ~/.npm
Layer Caching Strategy
Order Dockerfile commands by frequency of change:
# Rarely changes → cache layer COPY package*.json ./ RUN pnpm install # Changes often → invalidates subsequent layers COPY src ./src RUN pnpm build
.dockerignore
Exclude unnecessary files to speed up builds:
# .dockerignore node_modules dist .git .github *.log .env .DS_Store coverage
Security Best Practices
1. Don't Include Secrets
Never bake secrets into images:
❌ Don't:
ENV DATABASE_URL=postgresql://user:password@host/db
✅ Do:
# Pass secrets at runtime
ENV DATABASE_URL=${DATABASE_URL}
2. Run as Non-Root User
Don't run containers as root:
# Create non-root user
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
# Switch to nodejs user
USER nodejs
3. Use Specific Image Tags
Avoid latest in production:
❌ Don't:
FROM node:latest
✅ Do:
FROM node:20.11-alpine3.19
4. Scan for Vulnerabilities
# Scan image with Docker Scout docker scout cves ghcr.io/jimmypaolini/caelundas:latest # Scan with Trivy trivy image ghcr.io/jimmypaolini/caelundas:latest
CI/CD Integration
GitHub Actions Workflow
name: Docker Build
on:
push:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: applications/caelundas
platforms: linux/amd64
push: true
tags: |
ghcr.io/jimmypaolini/caelundas:latest
ghcr.io/jimmypaolini/caelundas:${{ github.sha }}
Nx Docker Targets
Build Target
# Build Docker image nx run caelundas:docker-build
Defined in project.json:
{
"docker-build": {
"executor": "nx:run-commands",
"options": {
"command": "docker build --platform linux/amd64 -t ghcr.io/jimmypaolini/caelundas:latest .",
"cwd": "applications/caelundas"
}
}
}
Push Target
# Push to GHCR nx run caelundas:docker-push
Combined Target
# Build and push nx run-many --target=docker-build --projects=caelundas nx run-many --target=docker-push --projects=caelundas
Debugging Docker Builds
Build with Output
# See detailed build output docker build --progress=plain .
Inspect Layers
# See layer sizes docker history ghcr.io/jimmypaolini/caelundas:latest # Inspect filesystem docker run -it ghcr.io/jimmypaolini/caelundas:latest sh
Build Specific Stage
# Build only builder stage docker build --target builder -t caelundas:builder .
Cache Busting
# Force rebuild without cache docker build --no-cache .
Common Issues
Platform Mismatch
Error:
WARNING: The requested image's platform (linux/arm64) does not match the detected host platform (linux/amd64)
Solution:
docker build --platform linux/amd64 .
Build Context Too Large
Error:
Sending build context to Docker daemon: 2.5GB
Solution:
Add to .dockerignore:
node_modules dist .git
Layer Cache Miss
Issue: Builds are slow because layers aren't cached.
Solution: Order Dockerfile commands strategically:
# Copy package files first (changes less frequently) COPY package*.json ./ RUN pnpm install # Copy source code last (changes more frequently) COPY src ./src
Related Documentation
- •applications/caelundas/AGENTS.md - Caelundas Docker configuration
- •infrastructure/AGENTS.md - Kubernetes integration
- •kubernetes-deployment skill - K8s deployment workflows
Best Practices Summary
- •Use multi-stage builds for smaller images
- •Target linux/amd64 when deploying to K8s
- •Push to GHCR with semantic tags
- •Use Alpine base images for size reduction
- •Don't include secrets in images
- •Run as non-root user for security
- •Scan for vulnerabilities regularly
- •Order layers by frequency of change
- •Use .dockerignore to reduce context size
- •Tag with commit SHA for traceability