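# syntax=docker/dockerfile:1
# Single-stage image for DBDiff: PHP CLI with the MySQL/PostgreSQL/SQLite PDO
# extensions, Composer-managed dependencies, and an unprivileged runtime user.
# The build runs as root until the final USER instruction; everything copied
# into the image is root-owned and read-only for the runtime user.
ARG PHP_VERSION=8.3
FROM docker.io/library/php:${PHP_VERSION}-cli

# WORKDIR creates the directory (root-owned) if it does not exist, so no
# separate mkdir/chown step is needed.
WORKDIR /usr/src/dbdiff

# System dependencies: git-core/unzip for Composer, libpq-dev for pdo_pgsql,
# libsqlite3-dev for pdo_sqlite. --no-install-recommends keeps the image small;
# the apt lists are removed in the same layer so they never persist.
# NOTE(review): package versions are unpinned, so rebuilds are not reproducible
# at the OS level; pin via the base image digest or explicit versions if needed.
RUN apt-get update && apt-get install -y --no-install-recommends \
        git-core \
        libpq-dev \
        libsqlite3-dev \
        unzip \
    && rm -rf /var/lib/apt/lists/*

# Add MySQL, PostgreSQL, and SQLite PDO extensions
RUN docker-php-ext-install mysqli pdo pdo_mysql pdo_pgsql pdo_sqlite

# Install Composer using the publisher's documented verification: the installer
# is downloaded to a temp file, its SHA-384 is compared against the signature
# Composer publishes at installer.sig, and the build fails on mismatch. This
# replaces the unverified `curl | php` pipe, which also masked download errors
# because /bin/sh does not set pipefail.
RUN php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');" \
    && php -r "if (hash_file('sha384', '/tmp/composer-setup.php') === trim(file_get_contents('https://composer.github.io/installer.sig'))) { echo 'Composer installer verified', PHP_EOL; } else { fwrite(STDERR, 'Composer installer checksum mismatch' . PHP_EOL); unlink('/tmp/composer-setup.php'); exit(1); }" \
    && php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer \
    && rm -f /tmp/composer-setup.php \
    && chmod 755 /usr/local/bin/composer

# Create a non-root user for execution. A fixed numeric UID lets runtimes that
# enforce runAsNonRoot verify the user without a passwd lookup.
RUN useradd --create-home --shell /bin/bash --uid 10001 dbdiff

# Copy the dependency manifests first so the composer install layer is cached
# until they change. composer.lock is copied when present so installs resolve
# to the locked versions instead of re-resolving on every build; the trailing
# `*` keeps the COPY valid if the lock file is absent.
# Docker Cache Layer 1
COPY --chown=root:root --chmod=644 composer.json composer.lock* ./
# Copy scripts early so Composer post-install hooks can run during install
COPY --chown=root:root --chmod=755 scripts/ scripts/

# Install dependencies as root while still building the image.
# COMPOSER_ALLOW_SUPERUSER is set inline (not via ENV) so it does not leak into
# the runtime environment; it only silences Composer's root warning here.
RUN COMPOSER_ALLOW_SUPERUSER=1 composer install --no-interaction --no-progress --optimize-autoloader

# Explicitly copy source code and assets.
# Enforce root ownership and strict read-only permissions for non-root users.
# --chmod applies to directories as well as files, so 755 (rwxr-xr-x) is used
# on trees: the 'dbdiff' user can traverse and read but NOT modify.
COPY --chown=root:root --chmod=755 src/ src/
COPY --chown=root:root --chmod=755 templates/ templates/
COPY --chown=root:root --chmod=755 docker/ docker/
# Copy individual files
COPY --chown=root:root --chmod=755 dbdiff ./
COPY --chown=root:root --chmod=755 dbdiff.php ./
COPY --chown=root:root --chmod=755 start.sh ./
COPY --chown=root:root --chmod=755 stop.sh ./
COPY --chown=root:root --chmod=644 README.md LICENSE SECURITY.md ./
# Copy tests
COPY --chown=root:root --chmod=755 tests/ tests/

# The only writable location for the runtime user: PHPUnit's cache directory.
# Everything else under /usr/src/dbdiff stays root-owned and read-only.
RUN mkdir -p .phpunit.cache && chown dbdiff:dbdiff .phpunit.cache

# Final switch to non-root user for runtime execution
USER dbdiff

# Exec form: the entrypoint script is PID 1 and receives SIGTERM from
# `docker stop`. The absolute path avoids depending on the working directory.
ENTRYPOINT ["/usr/src/dbdiff/docker/docker-entrypoint.sh"]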