feat: Optimize Docker image, build for amd64+arm64

The image size is reduced by 13% using the following measures:

* Extended .dockerignore to remove further metadata and tests.
    This also ensures better layer caching for repeat builds.
* Cleaning npm cache for the final stage.

Inline source maps are enabled to improve error reporting. Stack traces will
now refer to the TypeScript source locations instead of transpiled JS.

Multiplatform build for arm64 in addition to amd64 is enabled to improve
performance on ARM devices due to not needing emulation.

Finally, the `docker run` example in README.md is amended to include
security best practices.

.dockerignore

@@ -1,19 +1,35 @@
 # Default ignored files
-.env
-.idea
-node_modules/
-renovate.json
-.github
-README.md
+**/.DS_Store
+**/.env
+**/node_modules
+
 .gitignore
 .gitattributes
+.github
+.idea
+.vscode
+
+README.md
+CHANGELOG.md
+
+renovate.json
+.release-please-manifest.json
+release-please-config.json
+
+.dockerignore
+Dockerfile
 
 # build folders and files
-/dist
+**/dist
 .nyc_output
 /tmp
 /coverage
 /junit.xml
 
+# test folders and files
+/test
+/integration
+/backend/test
+
 # configuration
 /config

.github/workflows/build.yml

@@ -25,6 +25,7 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: ./
+          platforms: linux/amd64,linux/arm64
           push: false
           cache-from: type=gha
           cache-to: type=gha,mode=max

.github/workflows/publish.yml

@@ -44,6 +44,7 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -17,12 +17,13 @@ RUN npm run build
 FROM node:20.18.1-alpine
 WORKDIR /app
 
+RUN apk add --no-cache tini
+
 # install PRODUCTION dependencies
 COPY package*.json ./
 COPY backend/package*.json ./backend/
 COPY frontend/package*.json ./frontend/
-RUN npm ci --omit=dev
-RUN apk add --no-cache tini
+RUN npm ci --omit=dev --workspace=backend --include-workspace-root && npm cache clean --force
 
 # add the already compiled code and the default config
 # (custom config must be set via volume)
@@ -37,4 +38,4 @@ EXPOSE 8080
 
 # use tini as init process since Node.js isn't designed to be run as PID 1
 ENTRYPOINT ["/sbin/tini", "--"]
-CMD ["node", "--disable-proto=delete", "dist/main.js"]
+CMD ["node", "--enable-source-maps", "--disable-proto=delete", "dist/main.js"]

README.md

@@ -57,10 +57,17 @@ For more information, refer to the [Kubernetes RBAC documentation](https://kuber
 
 ### Docker
 
-You can run Foreman via Docker using the following command:
+You can run Foreman via Docker:
 
 ```sh
-docker run -p 8080:8080 -v /path/to/config:/app/config contane/foreman:latest
+docker run --detach \
+    --restart=unless-stopped \
+    --cap-drop=all \
+    --security-opt=no-new-privileges \
+    --read-only \
+    --volume=/path/to/config:/app/config:ro \
+    -p=8080:8080/tcp \
+    contane/foreman:latest
 ```
 
 Here, `/path/to/config` is the path to the configuration directory on the host, and Foreman will be accessible on

backend/tsconfig.json

@@ -9,6 +9,7 @@
     "skipLibCheck": true,
     "forceConsistentCasingInFileNames": true,
     "declaration": true,
+    "inlineSourceMap": true,
     "outDir": "./dist"
   },
   "include": [

package.json

@@ -18,7 +18,7 @@
     "test": "npm run test:unit && npm run test:integration",
     "test:unit": "npm run test --workspaces --if-present && mocha --require tsx --recursive \"test/**/*.ts\"",
     "test:integration": "mocha --require tsx --recursive \"integration/**/*.ts\"",
-    "start": "node --disable-proto=delete dist/main.js"
+    "start": "node --enable-source-maps --disable-proto=delete dist/main.js"
   },
   "repository": {
     "type": "git",

tsconfig.json

@@ -9,6 +9,7 @@
     "skipLibCheck": true,
     "forceConsistentCasingInFileNames": true,
     "declaration": false,
+    "inlineSourceMap": true,
     "outDir": "./dist"
   },
   "include": [