Update

.github/workflows/cicd.yml

@@ -15,6 +15,11 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Set up SSH agent
+        uses: webfactory/ssh-agent@v0.8.1
+        with:
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -30,8 +35,8 @@ jobs:
         with:
           context: .
           push: true
+          ssh: default
           build-args: |
-            SSH_PRIVATE_KEY=${{ secrets.SSH_PRIVATE_KEY }}
             ENV_VARS=${{ secrets.ENV_VARS }}
           tags: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

Dockerfile

@@ -1,33 +1,28 @@
-# Install dependencies only when needed
+# syntax=docker/dockerfile:1.4
 FROM node:19-alpine AS deps
-
+WORKDIR /leCoffre-front
-WORKDIR leCoffre-front
 
 COPY package.json ./
 
 ARG ENV_VARS
 RUN echo "${ENV_VARS}" > .env
 
-RUN apk update && apk add openssh-client git
+RUN apk update && apk add --no-cache openssh-client git
 
-ARG SSH_PRIVATE_KEY
+# Forward SSH agent via BuildKit (clé jamais écrite dans l'image)
-RUN mkdir -p /root/.ssh && \
+RUN --mount=type=ssh \
-    echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && \
+    mkdir -p /root/.ssh && \
-    chmod 600 /root/.ssh/id_rsa && \
-    eval "$(ssh-agent -s)" && \
-    ssh-add /root/.ssh/id_rsa && \
     ssh-keyscan git.4nkweb.com >> /root/.ssh/known_hosts
 
 RUN npm install --frozen-lockfile
 
 # Rebuild the source code only when needed
 FROM node:19-alpine AS builder
+WORKDIR /leCoffre-front
 
-WORKDIR leCoffre-front
+COPY --from=deps /leCoffre-front/node_modules ./node_modules
-
+COPY --from=deps /leCoffre-front/package.json ./package.json
-COPY --from=deps leCoffre-front/node_modules ./node_modules
+COPY --from=deps /leCoffre-front/.env ./.env
-COPY --from=deps leCoffre-front/package.json package.json
-COPY --from=deps leCoffre-front/.env ./.env
 COPY tsconfig.json tsconfig.json
 COPY next.config.js next.config.js
 COPY src src
@@ -36,17 +31,17 @@ RUN npm run build
 
 # Production image, copy all the files and run next
 FROM node:19-alpine AS production
+WORKDIR /leCoffre-front
 
-WORKDIR leCoffre-front
+# Création de l’utilisateur non-root
-
 RUN adduser -D lecoffreuser --uid 10000 && chown -R lecoffreuser .
 
 COPY public ./public
-COPY --from=builder --chown=lecoffreuser leCoffre-front/node_modules ./node_modules
+COPY --from=builder --chown=lecoffreuser /leCoffre-front/node_modules ./node_modules
-COPY --from=builder --chown=lecoffreuser leCoffre-front/.next ./.next
+COPY --from=builder --chown=lecoffreuser /leCoffre-front/.next ./.next
-COPY --from=builder --chown=lecoffreuser leCoffre-front/next.config.js ./next.config.js
+COPY --from=builder --chown=lecoffreuser /leCoffre-front/next.config.js ./next.config.js
-COPY --from=builder --chown=lecoffreuser leCoffre-front/package.json ./package.json
+COPY --from=builder --chown=lecoffreuser /leCoffre-front/package.json ./package.json
-COPY --from=builder --chown=lecoffreuser leCoffre-front/.env ./.env
+COPY --from=builder --chown=lecoffreuser /leCoffre-front/.env ./.env
 
 USER lecoffreuser