Refactor Dockerfile and Makefile for improved build process and testing

tacxou · tacxou · commit 12b88e34b4e8 · 2026-05-12T19:41:04.000+02:00
- Transitioned to a multi-stage Dockerfile using Alpine for a more efficient build.
- Added build arguments for versioning and Git metadata.
- Updated Makefile to include a dedicated test image and streamline build commands.
- Enhanced Playwright configuration to utilize system Chromium in tests.
- Revised GitHub Actions workflows for better dependency management and testing flow.

These changes optimize the development and testing workflow, ensuring a cleaner and more efficient build process.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,12 @@
+.git
+.github
+node_modules
+.nuxt
+.output
+test-results
+playwright-report
+*.md
+.env
+.env.*
+!.env.exemple
+certificates
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -0,0 +1,80 @@
+# Image GHCR sur push main (chemins applicatifs + Docker), sur le modèle de sesame-orchestrator/.github/workflows/docker-image.yml.
+name: Docker image
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "Dockerfile"
+      - "Dockerfile.test"
+      - ".github/workflows/docker-image.yml"
+      - "package.json"
+      - "yarn.lock"
+      - "tsconfig.json"
+      - "nuxt.config.ts"
+      - "start.mjs"
+      - "src/**"
+      - "tests/**"
+      - "playwright.config.ts"
+      - "vitest.config.ts"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: yarn
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Lint and unit tests
+        run: yarn lint && yarn test:unit
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Extract version and commit info
+        id: version
+        run: |
+          echo "version=$(jq -r .version package.json)" >> "$GITHUB_OUTPUT"
+          echo "build_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64
+          build-args: |
+            BUILD_VERSION=${{ steps.version.outputs.version }}-${{ steps.version.outputs.build_id }}
+            GIT_BRANCH=${{ github.ref_name }}
+            GIT_COMMIT=${{ github.sha }}
+            DOCKER_TAG=${{ steps.version.outputs.version }}-${{ steps.version.outputs.build_id }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,9 +6,9 @@ on:
       - '*'
 
 env:
-  CI_IMG: ghcr.io/libertech-fr/sesame-gestion-mdp
+  APP_CI_IMG: sesame-gestion-mdp:ci
+  TEST_CI_IMG: sesame-gestion-mdp:ci-test
   NODE_MODULES_VOL: sesame-gestion-mdp-node-modules
-  PLAYWRIGHT_CACHE_VOL: sesame-gestion-mdp-playwright-cache
 
 jobs:
   lint-app:
@@ -21,37 +21,41 @@ jobs:
       - name: Réseau Docker dev
         run: docker network create dev || true
 
-      - name: Dépendances + Chromium Playwright (dans Docker)
+      - name: Images Docker (app Alpine + test avec Chromium)
+        run: |
+          docker build -t "${APP_CI_IMG}" .
+          docker build -f Dockerfile.test --build-arg BASE_IMAGE="${APP_CI_IMG}" -t "${TEST_CI_IMG}" .
+
+      - name: Dépendances (yarn install dans l’image de test)
         run: |
           docker run --rm \
             -u 0 \
             -e NODE_ENV=development \
             -e NODE_TLS_REJECT_UNAUTHORIZED=0 \
-            -e DEBIAN_FRONTEND=noninteractive \
             --add-host host.docker.internal:host-gateway \
             --platform linux/amd64 \
             --network dev \
             -v "${GITHUB_WORKSPACE}:/data" \
             -v "${NODE_MODULES_VOL}:/data/node_modules" \
-            -v "${PLAYWRIGHT_CACHE_VOL}:/root/.cache/ms-playwright" \
             -w /data \
-            "${CI_IMG}" sh -lc 'yarn install --prefer-offline --non-interactive && yarn playwright:install-chromium'
+            "${TEST_CI_IMG}" \
+            sh -lc 'yarn install --prefer-offline --non-interactive'
 
-      - name: Tests + build (yarn ci dans Docker)
+      - name: Tests + build (yarn ci)
         run: |
           docker run --rm \
             -u 0 \
             -e CI=1 \
             -e NODE_ENV=development \
             -e NODE_TLS_REJECT_UNAUTHORIZED=0 \
-            -e DEBIAN_FRONTEND=noninteractive \
             -e SESAME_HTTPS_ENABLED=false \
             -e BROWSERSLIST_IGNORE_OLD_DATA=1 \
             -e PLAYWRIGHT_BASE_URL=http://127.0.0.1:3000 \
+            -e PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium \
             --platform linux/amd64 \
             --network dev \
             -v "${GITHUB_WORKSPACE}:/data" \
             -v "${NODE_MODULES_VOL}:/data/node_modules" \
-            -v "${PLAYWRIGHT_CACHE_VOL}:/root/.cache/ms-playwright" \
             -w /data \
-            "${CI_IMG}" sh -lc 'yarn playwright:install-deps && yarn ci'
+            "${TEST_CI_IMG}" \
+            sh -lc 'yarn ci'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -31,6 +31,21 @@ jobs:
       packages: write
 
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: yarn
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Lint and unit tests
+        run: yarn lint && yarn test:unit
+
       - name: Build docker
         uses: Libertech-FR/lt-actions/release@main
         with:
@@ -42,3 +57,8 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
           access_token: ${{ secrets.GITHUB_TOKEN }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          args: |
+            BUILD_VERSION={{NEW_VERSION}}
+            GIT_BRANCH=${{ github.ref_name }}
+            GIT_COMMIT=${{ github.sha }}
+            DOCKER_TAG={{NEW_VERSION}}
diff --git a/Dockerfile b/Dockerfile
@@ -1,39 +1,64 @@
-FROM node:22-bookworm-slim
+# Multi-stage Alpine (même esprit que sesame-orchestrator) : build isolé, runtime avec node_modules complet pour `start.mjs` (rebuild si `.env` change).
+FROM node:22-alpine AS builder
+
+WORKDIR /data
+
+RUN apk add --no-cache git
+
+COPY package.json yarn.lock ./
+
+RUN yarn install \
+  --prefer-offline \
+  --frozen-lockfile \
+  --non-interactive \
+  --production=false
+
+COPY . .
+
+RUN yarn build
+
+FROM node:22-alpine AS production
 
 ARG NODE_ENV=production
+ARG BUILD_VERSION=dev
+ARG GIT_BRANCH=unknown
+ARG GIT_COMMIT=unknown
+ARG DOCKER_TAG=unknown
+
 ENV NODE_ENV=${NODE_ENV}
-ENV NODE_OPTIONS=--openssl-legacy-provider
+ENV BUILD_VERSION=${BUILD_VERSION}
+ENV GIT_BRANCH=${GIT_BRANCH}
+ENV GIT_COMMIT=${GIT_COMMIT}
+ENV DOCKER_TAG=${DOCKER_TAG}
+ENV DO_NOT_TRACK=1
+ENV TZ=Europe/Paris
 
 WORKDIR /data
 
-# Install dependencies. Note that the package names and the package manager are different for Debian-based images.
-RUN apt-get update && apt-get -y --no-install-recommends upgrade && apt-get install -y --no-install-recommends \
+RUN apk add --no-cache \
   git \
+  openssl \
   jq \
-  nano \
-  vim \
   bash \
-  bash-completion \
-  iputils-ping \
-  telnet \
-  dnsutils \
-  net-tools \
-  tcpdump \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
+  tzdata \
+  && cp "/usr/share/zoneinfo/${TZ}" /etc/localtime \
+  && echo "${TZ}" > /etc/timezone
 
-COPY . .
+COPY package.json yarn.lock ./
 
-# Pas de --frozen-lockfile : le yarn.lock est synchronisé depuis le dépôt après « make exec » puis « yarn install » (bind-mount).
-RUN yarn install \
-  --prefer-offline \
-  --non-interactive \
-  --production=false
-# && yarn cache clean \
-# && yarn autoclean --init \
-# && yarn autoclean --force
+# Même jeu de fichiers que le builder : `start.mjs` peut relancer `yarn build` si le hash `.env` change.
+COPY --from=builder /data/node_modules ./node_modules
+COPY --from=builder /data/.output ./.output
+COPY --from=builder /data/start.mjs ./start.mjs
+COPY --from=builder /data/nuxt.config.ts ./nuxt.config.ts
+COPY --from=builder /data/tsconfig.json ./tsconfig.json
+COPY --from=builder /data/src ./src
+COPY --from=builder /data/playwright.config.ts ./playwright.config.ts
+COPY --from=builder /data/vitest.config.ts ./vitest.config.ts
+COPY --from=builder /data/tests ./tests
 
-RUN yarn build
+RUN yarn cache clean \
+  && rm -rf /tmp/* /var/cache/apk/* /root/.npm /root/.node-gyp
 
 EXPOSE 3000
 
diff --git a/Dockerfile.test b/Dockerfile.test
@@ -0,0 +1,16 @@
+# Image de test : image app Alpine + Chromium (apk) + devDependencies pour Playwright.
+ARG BASE_IMAGE=ghcr.io/libertech-fr/sesame-gestion-mdp
+FROM ${BASE_IMAGE}
+
+USER root
+
+RUN apk add --no-cache chromium
+
+WORKDIR /data
+
+COPY playwright.config.ts /data/playwright.config.ts
+
+RUN yarn install --frozen-lockfile --production=false --non-interactive
+
+ENV NODE_ENV=development
+ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium
diff --git a/Makefile b/Makefile
@@ -5,14 +5,14 @@ APP_WEB_PORT_SECURE = 3443
 APP_WEB_DEBUG_PORT = 24678
 
 IMG_NAME = ghcr.io/libertech-fr/sesame-gestion-mdp
+TEST_IMG_NAME = sesame-gestion-mdp-test-local
 BASE_NAME = sesame
 APP_NAME = sesame-gestion-mdp
 # Volume dédié : évite de monter les node_modules du mac dans le conteneur Linux.
 # Réseau Docker « dev » : créer une fois (make network-dev ou docker network create dev).
-# Flux : pas de yarn sur le Mac — make exec puis yarn install ; e2e / CI : docker dans .github/workflows/lint.yml.
-# Chaque « make test » / « verify » : nouveau conteneur → yarn playwright:install-deps puis tests (prérequis : node_modules + cache Playwright remplis, ex. étapes du workflow ou exec).
+# Flux : pas de yarn sur le Mac — make exec puis yarn install ; PR : .github/workflows/lint.yml ; push main (chemins filtrés) : docker-image.yml ; tests e2e locaux : make build && make test (image test basée sur $(IMG_NAME)).
 NODE_MODULES_VOLUME = sesame-gestion-mdp-node-modules
-# Cache Chromium Playwright (Linux) entre les « make exec » — pas sur le Mac.
+# Cache Playwright (binaires téléchargés) pour « make exec » ; make test / verify utilisent Chromium système Alpine (pas ce volume).
 PLAYWRIGHT_CACHE_VOLUME = sesame-gestion-mdp-playwright-cache
 
 -include .env
@@ -45,14 +45,19 @@ help:
 	@grep -h -E '^[-a-zA-Z0-9_\.\/]+:.*?## .*$$' $(MAKEFILE_LIST) \
 		| sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[32m%-18s\033[0m %s\n", $$1, $$2}'
 
-build: ## Image Docker (yarn build dans l’image ; pas de Playwright dans l’image — voir workflow GitHub)
+build: ## Image Docker (Alpine multi-stage ; pas de Playwright — voir Dockerfile.test et workflows)
 	@docker build --platform $(PLATFORM) -t $(IMG_NAME) --no-cache --progress=plain \
 		--build-arg BUILD_VERSION=$(DOCKER_TAG) \
 		--build-arg GIT_BRANCH=$(GIT_BRANCH) \
 		--build-arg GIT_COMMIT=$(GIT_COMMIT) \
 		--build-arg DOCKER_TAG=$(DOCKER_TAG) \
 		.
 
+build-test-image: ## Image locale dédiée aux tests (FROM $(IMG_NAME) + Chromium + devDependencies)
+	@docker build --platform $(PLATFORM) -f Dockerfile.test \
+		--build-arg BASE_IMAGE=$(IMG_NAME) \
+		-t $(TEST_IMG_NAME) .
+
 # Mode « simulation » : image déjà buildée, env + certificats montés (sans écraser tout le code par le bind-mount complet)
 simulation: ## Lancer en NODE_ENV=production avec montages ciblés (.env, certificats, hash)
 	@touch $(CURDIR)/.env.hash
@@ -151,41 +156,39 @@ stop-all: ## Arrêter le conteneur applicatif (équivalent ici, pas de stack BDD
 run-lint: ## Rejouer le job GitHub Actions « lint-app » avec act (nécessite nektos/act)
 	act --container-architecture=linux/amd64 -j lint-app
 
-test: ## Tests : paquets système Chromium puis prepare + Vitest + E2E (yarn install + Chromium : voir lint.yml)
+test: build-test-image ## Vitest + Playwright dans l’image test (prérequis : make build pour taguer $(IMG_NAME) en local)
 	@docker run --rm \
 		-u 0 \
 		-e CI=1 \
 		-e NODE_ENV=development \
 		-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
-		-e DEBIAN_FRONTEND=noninteractive \
 		-e SESAME_HTTPS_ENABLED=false \
 		-e BROWSERSLIST_IGNORE_OLD_DATA=1 \
 		-e PLAYWRIGHT_BASE_URL=http://127.0.0.1:3000 \
+		-e PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium \
 		--platform $(PLATFORM) \
 		--network dev \
-		-v $(CURDIR):/data \
-		-v $(NODE_MODULES_VOLUME):/data/node_modules \
-		-v $(PLAYWRIGHT_CACHE_VOLUME):/root/.cache/ms-playwright \
+		-v $(CURDIR)/playwright.config.ts:/data/playwright.config.ts \
+		-v $(CURDIR)/tests:/data/tests \
 		-w /data \
-		$(IMG_NAME) yarn test
+		$(TEST_IMG_NAME) sh -lc 'yarn test'
 
-verify: ## CI locale : paquets système Chromium puis yarn ci (même prérequis que test)
+verify: build-test-image ## CI locale : yarn ci dans l’image test (lint + unit + e2e + build)
 	@docker run --rm \
 		-u 0 \
 		-e CI=1 \
 		-e NODE_ENV=development \
 		-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
-		-e DEBIAN_FRONTEND=noninteractive \
 		-e SESAME_HTTPS_ENABLED=false \
 		-e BROWSERSLIST_IGNORE_OLD_DATA=1 \
 		-e PLAYWRIGHT_BASE_URL=http://127.0.0.1:3000 \
+		-e PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium \
 		--platform $(PLATFORM) \
 		--network dev \
-		-v $(CURDIR):/data \
-		-v $(NODE_MODULES_VOLUME):/data/node_modules \
-		-v $(PLAYWRIGHT_CACHE_VOLUME):/root/.cache/ms-playwright \
+		-v $(CURDIR)/playwright.config.ts:/data/playwright.config.ts \
+		-v $(CURDIR)/tests:/data/tests \
 		-w /data \
-		$(IMG_NAME) yarn ci
+		$(TEST_IMG_NAME) sh -lc 'yarn ci'
 
 ncu: ## Vérifier les mises à jour des dépendances
 	@npx npm-check-updates
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # sesame-gestion-mdp
 Gestion des mot de passe sesame
 
-Les commandes **yarn** (install, test, build, etc.) se font dans **Docker** : `make build` puis `make exec`, puis par exemple `yarn install` et `yarn playwright:install` dans le shell du conteneur. Sur la CI, **`make ci-github`** enchaîne tout sans yarn sur le runner.
+Les commandes **yarn** (install, build, etc.) se font dans **Docker** : `make build` puis `make exec`, puis par exemple `yarn install`. Les **e2e** passent par **`make test`** (image `Dockerfile.test`, Chromium système Alpine, sans `apt-get`). Sur GitHub, le workflow **`.github/workflows/lint.yml`** construit l’image app + image de test puis exécute `yarn ci` dans l’image de test.
 
 ## build release
 Construire une release : 
diff --git a/package.json b/package.json
diff --git a/playwright.config.ts b/playwright.config.ts
