Harden Docker production build

.dockerignore

@@ -0,0 +1,5 @@
+node_modules
+cache
+*.log
+.DS_Store
+.git

.gitignore

@@ -0,0 +1,10 @@
+node_modules/
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+.DS_Store
+.env
+.env.*
+!.env.example

Dockerfile

@@ -1,29 +1,43 @@
-FROM node:20-slim
+FROM node:20.12.2-slim
+
+ENV NODE_ENV=production
 
 # Install Chrome and dependencies
-RUN apt update && apt install -y \
-    wget gnupg ca-certificates xvfb \
-    fonts-liberation libappindicator3-1 libasound2 libatk-bridge2.0-0 \
-    libatk1.0-0 libxss1 libnss3 libxcomposite1 libxdamage1 libxrandr2 libgbm1 \
-    && wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb \
-    && apt install -y ./google-chrome-stable_current_amd64.deb \
-    && rm google-chrome-stable_current_amd64.deb
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates wget gnupg xvfb fonts-liberation \
+    && wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
+    | gpg --dearmor -o /usr/share/keyrings/google-linux-signing-keyring.gpg \
+    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-linux-signing-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
+    > /etc/apt/sources.list.d/google-chrome.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends google-chrome-stable \
+    && apt-get purge -y --auto-remove wget gnupg \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN corepack enable
+
+# Create a non-root user for running the app
+RUN useradd --create-home --home-dir /app --shell /bin/sh appuser
 
 # Set working directory
 WORKDIR /app
 
+# Entrypoint script
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
+
 # Copy and install dependencies
-COPY package*.json ./
-RUN npm install
+COPY --chown=appuser:appuser package.json pnpm-lock.yaml ./
+USER appuser
+RUN corepack prepare pnpm@9.0.0 --activate \
+    && pnpm install --frozen-lockfile --prod \
+    && pnpm store prune
 
 # Copy app code
-COPY . .
+COPY --chown=appuser:appuser . .
 
 # Expose port (match your app's port)
 EXPOSE 10000
 
 # Start Xvfb and run the bot
-CMD rm -f /tmp/.X99-lock && \
-    Xvfb :99 -screen 0 1024x768x24 & \
-    export DISPLAY=:99 && \
-    npm start
+CMD ["/usr/local/bin/docker-entrypoint.sh"]

docker-entrypoint.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+rm -f /tmp/.X99-lock
+Xvfb :99 -screen 0 1024x768x24 &
+xvfb_pid=$!
+
+export DISPLAY=:99
+
+npm start &
+app_pid=$!
+
+term_handler() {
+  kill "$app_pid" 2>/dev/null || true
+  kill "$xvfb_pid" 2>/dev/null || true
+}
+
+trap term_handler INT TERM
+
+while kill -0 "$app_pid" 2>/dev/null; do
+  if ! kill -0 "$xvfb_pid" 2>/dev/null; then
+    echo "Xvfb exited; stopping app." >&2
+    kill "$app_pid" 2>/dev/null || true
+    wait "$app_pid" 2>/dev/null || true
+    exit 1
+  fi
+  sleep 1
+done
+
+wait "$app_pid"
+app_status=$?
+kill "$xvfb_pid" 2>/dev/null || true
+wait "$xvfb_pid" 2>/dev/null || true
+exit "$app_status"