Dockerfile

# syntax=docker/dockerfile:1

# Frontend: runs natively on build host
FROM --platform=$BUILDPLATFORM node:22-alpine AS frontend
ARG REGISTRY_TOKEN
WORKDIR /ui
COPY ui/package.json ui/package-lock.json ui/.npmrc ./
RUN --mount=type=cache,target=/root/.npm echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
COPY ui/ .
RUN npm run build

# Maven build: runs natively on build host (no QEMU emulation)
FROM --platform=$BUILDPLATFORM eclipse-temurin:21-jdk-alpine AS build
WORKDIR /build
COPY .mvn/ .mvn/
COPY mvnw pom.xml ./
# Cache deps — BuildKit cache mount persists across --no-cache builds
RUN --mount=type=cache,target=/root/.m2/repository ./mvnw dependency:go-offline -U -B || true
COPY src/ src/
COPY --from=frontend /ui/dist/ src/main/resources/static/
RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B

# Runtime: Chainguard Wolfi-based JRE (glibc, daily CVE refresh, non-root by default)
FROM cgr.dev/chainguard/jre:openjdk-21
WORKDIR /app
USER root
RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data
COPY --chown=nonroot:nonroot --from=build /build/target/*.jar app.jar
USER nonroot
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
fix: restore multi-stage Dockerfiles, use cameleer-docker-builder Follow cameleer3-server CI pattern: docker job uses cameleer-docker-builder:1 (has Docker CLI), Dockerfiles contain multi-stage builds (self-contained, no external toolchain needed). - Dockerfile: restore frontend + maven + runtime stages - ui/sign-in/Dockerfile: add node build stage + Logto base - ci.yml: docker job reverts to cameleer-docker-builder:1, passes REGISTRY_TOKEN as build-arg, adds build cache Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 15:51:59 +02:00			`# syntax=docker/dockerfile:1`

			`# Frontend: runs natively on build host`
			`FROM --platform=$BUILDPLATFORM node:22-alpine AS frontend`
			`ARG REGISTRY_TOKEN`
			`WORKDIR /ui`
			`COPY ui/package.json ui/package-lock.json ui/.npmrc ./`
perf: add BuildKit cache mounts for Maven and npm in Docker builds Maven .m2 and npm caches persist across --no-cache builds, avoiding full dependency re-downloads on every CI run. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 22:29:14 +02:00			`RUN --mount=type=cache,target=/root/.npm echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci`
fix: restore multi-stage Dockerfiles, use cameleer-docker-builder Follow cameleer3-server CI pattern: docker job uses cameleer-docker-builder:1 (has Docker CLI), Dockerfiles contain multi-stage builds (self-contained, no external toolchain needed). - Dockerfile: restore frontend + maven + runtime stages - ui/sign-in/Dockerfile: add node build stage + Logto base - ci.yml: docker job reverts to cameleer-docker-builder:1, passes REGISTRY_TOKEN as build-arg, adds build cache Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 15:51:59 +02:00			`COPY ui/ .`
			`RUN npm run build`

			`# Maven build: runs natively on build host (no QEMU emulation)`
			`FROM --platform=$BUILDPLATFORM eclipse-temurin:21-jdk-alpine AS build`
			`WORKDIR /build`
			`COPY .mvn/ .mvn/`
			`COPY mvnw pom.xml ./`
perf: add BuildKit cache mounts for Maven and npm in Docker builds Maven .m2 and npm caches persist across --no-cache builds, avoiding full dependency re-downloads on every CI run. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 22:29:14 +02:00			`# Cache deps — BuildKit cache mount persists across --no-cache builds`
fix: force SNAPSHOT updates in Docker build to resolve stale cache The BuildKit cache mount for ~/.m2/repository persists the old cameleer-license-minter SNAPSHOT (which depended on server-core). Adding -U forces Maven to re-resolve SNAPSHOTs from the Gitea registry, picking up the updated minter that depends on license-api. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-26 20:55:41 +02:00			`RUN --mount=type=cache,target=/root/.m2/repository ./mvnw dependency:go-offline -U -B \|\| true`
fix: restore multi-stage Dockerfiles, use cameleer-docker-builder Follow cameleer3-server CI pattern: docker job uses cameleer-docker-builder:1 (has Docker CLI), Dockerfiles contain multi-stage builds (self-contained, no external toolchain needed). - Dockerfile: restore frontend + maven + runtime stages - ui/sign-in/Dockerfile: add node build stage + Logto base - ci.yml: docker job reverts to cameleer-docker-builder:1, passes REGISTRY_TOKEN as build-arg, adds build cache Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 15:51:59 +02:00			`COPY src/ src/`
			`COPY --from=frontend /ui/dist/ src/main/resources/static/`
fix: force SNAPSHOT updates in Docker build to resolve stale cache The BuildKit cache mount for ~/.m2/repository persists the old cameleer-license-minter SNAPSHOT (which depended on server-core). Adding -U forces Maven to re-resolve SNAPSHOTs from the Gitea registry, picking up the updated minter that depends on license-api. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-26 20:55:41 +02:00			`RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B`
fix: restore multi-stage Dockerfiles, use cameleer-docker-builder Follow cameleer3-server CI pattern: docker job uses cameleer-docker-builder:1 (has Docker CLI), Dockerfiles contain multi-stage builds (self-contained, no external toolchain needed). - Dockerfile: restore frontend + maven + runtime stages - ui/sign-in/Dockerfile: add node build stage + Logto base - ci.yml: docker job reverts to cameleer-docker-builder:1, passes REGISTRY_TOKEN as build-arg, adds build cache Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 15:51:59 +02:00
harden: swap cameleer-saas runtime stage to Chainguard JRE Replace eclipse-temurin:21-jre-alpine with cgr.dev/chainguard/jre:openjdk-21 for the SaaS management plane image. Use Chainguard's built-in nonroot user instead of custom adduser. Build stages unchanged (ephemeral). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-28 09:42:38 +02:00			`# Runtime: Chainguard Wolfi-based JRE (glibc, daily CVE refresh, non-root by default)`
			`FROM cgr.dev/chainguard/jre:openjdk-21`
feat: add Dockerfile and Gitea Actions CI pipeline Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 10:33:01 +02:00			`WORKDIR /app`
harden: swap cameleer-saas runtime stage to Chainguard JRE Replace eclipse-temurin:21-jre-alpine with cgr.dev/chainguard/jre:openjdk-21 for the SaaS management plane image. Use Chainguard's built-in nonroot user instead of custom adduser. Build stages unchanged (ephemeral). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-28 09:42:38 +02:00			`USER root`
			`RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data`
			`COPY --chown=nonroot:nonroot --from=build /build/target/*.jar app.jar`
			`USER nonroot`
feat: add Dockerfile and Gitea Actions CI pipeline Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 10:33:01 +02:00			`EXPOSE 8080`
fix: mount custom sign-in UI over Logto experience dist CUSTOM_UI_PATH is a Logto Cloud feature, not available in OSS. The correct approach for self-hosted Logto is to volume-mount over /etc/logto/packages/experience/dist/. - Use init container (sign-in-ui) to copy dist to shared volume as root (fixes permission denied with cameleer user) - Logto mounts signinui volume at experience/dist path - Logto depends on sign-in-ui init container completion - Remove saas-entrypoint.sh approach (no longer needed) - Revert Dockerfile entrypoint to direct java -jar - Permit /favicon.svg in SecurityConfig for sign-in page logo Tested: full OIDC flow works end-to-end via Playwright. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 14:24:33 +02:00			`ENTRYPOINT ["java", "-jar", "app.jar"]`