Merge branch 'main' into production

.gitlab-ci.yml

@@ -59,7 +59,7 @@ variables:
 ## common steps
 install_lint_test:
   stage: build
-  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/node:22-alpine'
+  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/node:22-slim'
   script:
     - yarn install
     - yarn lint
@@ -82,7 +82,7 @@ include:
 
 .build_mesh:
   needs: ['install_lint_test']
-  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/node:22-alpine'
+  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/node:22-slim'
   script:
     - yarn install
     - yarn run mesh build

Dockerfile

-FROM europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/node:22.5.1-alpine
+FROM europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/node:22-slim
+
+# install all dependencies for later steps
+RUN apt-get -y -qq update && apt-get install -y --no-install-recommends xz-utils ca-certificates curl \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 
 # shell sanity with pipes (https://github.com/hadolint/hadolint/wiki/DL4006)
 # needed for installation of s6
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
+
+ # s6 for running ory oathkeeper proxy in the same container
+ARG S6_OVERLAY_VERSION=3.2.0.0
 
-# s6 for running ory oathkeeper proxy in the same container
-ARG S6_OVERLAY_VERSION=3.1.0.1
-RUN wget -c -q https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz -O - | tar -xJpC /
-RUN wget -c -q https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz -O - | tar -xJpC /
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
+RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
+RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz
 ENTRYPOINT ["/init"]
 
 # start oathkeeper only when node is running (but we still need to wait until node opened the port, see oathkeeper/start.sh)
 ENV S6_CMD_WAIT_FOR_SERVICES=1
 
 # install oathkeeper
-RUN apk -U upgrade && apk --latest add curl ca-certificates
-RUN addgroup -S ory; adduser -S ory -G ory -D -H -s /bin/nologin
+RUN addgroup --system ory; adduser --system ory --group --disabled-login --no-create-home
 # hadolint ignore=SC3001
-RUN sh <(wget -c -q https://raw.githubusercontent.com/ory/meta/master/install.sh -O -) -d -b /opt/oathkeeper oathkeeper v0.40.7
+ADD https://raw.githubusercontent.com/ory/meta/master/install.sh /tmp
+RUN sh /tmp/install.sh -d -b /opt/oathkeeper oathkeeper v0.40.7
 
 # set up oathkeeper as background daemon
 COPY s6/run s6/finish /etc/services.d/node/
@@ -36,7 +44,7 @@ CMD ["/opt/oathkeeper/start.sh"]
 
 # install app
 WORKDIR /app
-ENV NODE_ENV production
+ENV NODE_ENV=production
 COPY tsconfig.json package.json yarn.lock .meshrc.yml logger.ts server.ts /app/
 COPY handlers /app/handlers
 COPY .mesh logger.ts /app/.mesh/

oathkeeper/start.sh

-#!/command/with-contenv sh
+#!/command/with-contenv bash
 
-function check() {
+check() {
   curl --silent --output /dev/null http://localhost:4000/graphql -w "%{http_code}"
   return $?
 }

terraform/environments/scripts/destroy-env.sh

-#!/usr/bin/env bash
+#!/usr/bin/env sh
 
 # exit when any command fails
 set -ex
@@ -12,7 +12,7 @@ export TF_LOG=DEBUG
 # * GCP stuff not allowing our resources to be deleted.
 # Most of the time, retrying a destroy fixes these causes.
 retry() {
-  for i in {1..3}; do
+  for i in $(seq 1 3); do
     set +e
     "$@"
     retval=$?