From dc906adfab1c12e24047a32dac5c703eb696eb31 Mon Sep 17 00:00:00 2001
From: Jesse Chan
Date: Sat, 5 Sep 2020 12:08:32 +0800
Subject: [PATCH] Dockerfile: do not run "git clean" for "pack"
Do not run "git clean" for "pack" as node image does not have git and it is arguably more dangerous to copy .git folder into intermediate build image. As we don't run "git clean", sensitive information might be included in result package. Add a warning for that.
---
 Dockerfile | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 5d9f3a42..9f91eca3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,8 @@
+# WARNING:
+# This Dockerfile uses contents of current folder which might contain
+# secrets, uncommitted changes or other sensitive information. DO NOT
+# publish the result image unless it was composed in a clean environment.
+
 ARG NODE_IMAGE=node:alpine
 FROM ${NODE_IMAGE} as nodebuild
@@ -8,10 +13,13 @@ WORKDIR /usr/src/app/
 COPY . ./
 # Fetch dependencies from npm
+RUN npm set unsafe-perm true
 RUN npm install
 # Build package
-RUN npm pack
+RUN cp config.cli.js config.js
+RUN npm run build
+RUN npm pack --ignore-scripts
 # Now get the clean image
 FROM ${NODE_IMAGE} as flood
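Review bot: The warning added at the top of the Dockerfile only works if whoever builds the image remembers it; nothing in this hunk enforces it, and `COPY . ./` (context of the next hunk) still sends the whole build context into the nodebuild stage. If the repository has no `.dockerignore` (not visible in this patch), adding one that excludes `.git`, `.env*`, `node_modules` and local config files would keep those paths out of the context whatever state the working tree is in. The comment could also name the mechanism so readers know where to look, e.g. `# COPY . ./ below copies the whole build context; .dockerignore controls what it contains.` What lands in the `npm pack` tarball further depends on package.json `files` / `.npmignore`, which this patch does not show.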
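Review bot: `RUN npm set unsafe-perm true` writes the setting into the npm configuration of the build stage, so every later npm command in that stage runs package lifecycle scripts without the UID/GID switch, which means as root if the stage builds as root (no `USER` line is visible in the hunk). Because `npm install` resolves dependencies at build time, install scripts from the whole dependency tree then run with those privileges in a stage that also holds the copied working directory. Scoping the flag to the command that needs it, `RUN npm install --unsafe-perm`, or building under the unprivileged `node` user that the official node images ship, would narrow this. If a lockfile is committed, `npm ci` would also pin what gets installed. The following `FROM ${NODE_IMAGE} as flood` suggests the stage is intermediate, so this concerns build-time exposure; the rest of the file is outside the hunk.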