Fix Docker build failure: copy postinstall patch script into build context

The .dockerignore excluded the scripts/ directory, so scripts/patch-bundled-deps.sh was missing during npm install in the base-node-deps Docker image. This caused the postinstall hook to fail with "No such file or directory" on every retry. - Whitelist scripts/patch-bundled-deps.sh in .dockerignore - Add COPY for the script in Dockerfile.node-deps before npm install https://claude.ai/code/session_01LsQx9CLjseJn72Sup32Dwm
fix(ci): add Verdaccio to stack and Gate 7 for @esbuild-kit registry
2026-04-25 06:14:59 +00:00 · 2026-03-12 07:28:14 +00:00 · 2026-03-11 22:38:17 +00:00 · 2026-03-11 22:08:56 +00:00 · 2026-03-11 21:12:53 +00:00
5 changed files with 91 additions and 5 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -96,6 +96,9 @@ mojo
 spec
 scripts
 .claude
+
+# Allow postinstall patch script for node-deps base image
+!scripts/patch-bundled-deps.sh
 dist

 # Allow specific dbal paths through for app builds
--- a/.github/workflows/gated-pipeline.yml
+++ b/.github/workflows/gated-pipeline.yml
@@ -1342,6 +1342,56 @@ jobs:

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
+        with:
+          # host networking lets BuildKit reach Verdaccio on localhost:4873
+          driver-opts: network=host
+
+      - name: Start Verdaccio and publish patched packages
+        if: matrix.image == 'base-node-deps'
+        shell: bash
+        run: |
+          npm install -g verdaccio@6 --silent
+
+          mkdir -p /tmp/verdaccio-storage
+          cat > /tmp/verdaccio-ci.yaml << 'VERDACCIO_EOF'
+          storage: /tmp/verdaccio-storage
+          uplinks:
+            npmjs:
+              url: https://registry.npmjs.org/
+              timeout: 60s
+              max_fails: 3
+          packages:
+            '@esbuild-kit/*':
+              access: $all
+              publish: $all
+              proxy: npmjs
+            '**':
+              access: $all
+              publish: $all
+              proxy: npmjs
+          server:
+            keepAliveTimeout: 60
+          log:
+            type: stdout
+            format: pretty
+            level: warn
+          listen: 0.0.0.0:4873
+          VERDACCIO_EOF
+
+          verdaccio --config /tmp/verdaccio-ci.yaml &
+          timeout 30 bash -c 'until curl -sf http://localhost:4873/-/ping >/dev/null 2>&1; do sleep 1; done'
+          echo "Verdaccio ready"
+
+          # Publish patched tarballs
+          for tarball in deployment/npm-patches/*.tgz; do
+            [ -f "$tarball" ] || continue
+            echo "Publishing $tarball..."
+            npm publish "$tarball" \
+              --registry http://localhost:4873 \
+              --tag patched \
+              2>&1 | grep -v "^npm notice" || true
+          done
+          echo "Patched packages published to Verdaccio"

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v4
--- a/deployment/base-images/Dockerfile.node-deps
+++ b/deployment/base-images/Dockerfile.node-deps
@@ -7,7 +7,7 @@
 # App Dockerfiles:
 #   COPY --from=metabuilder/base-node-deps /app/node_modules ./node_modules

-FROM node:20-alpine
+FROM node:20-slim

 WORKDIR /app

@@ -51,6 +51,9 @@ COPY translations/package.json                         ./translations/
 COPY types/package.json                                ./types/
 COPY workflow/package.json                             ./workflow/

+# Postinstall patch script (patches vulnerable bundled deps in npm)
+COPY scripts/patch-bundled-deps.sh                     ./scripts/
+
 # Install all workspace deps (generates lock file from package.json manifests)
 RUN npm config set fetch-retries 5 \
    && npm config set fetch-retry-mintimeout 20000 \
--- a/deployment/docker-compose.stack.yml
+++ b/deployment/docker-compose.stack.yml
@@ -36,6 +36,29 @@
 #   http://localhost/kibana/      Kibana (Elasticsearch admin)

 services:
+  # ============================================================================
+  # NPM Registry (Verdaccio) — serves patched @esbuild-kit packages
+  # ============================================================================
+
+  verdaccio:
+    image: verdaccio/verdaccio:6
+    container_name: metabuilder-verdaccio
+    restart: unless-stopped
+    ports:
+      - "4873:4873"
+    volumes:
+      - ./verdaccio.yaml:/verdaccio/conf/config.yaml:ro
+      - ./npm-patches:/verdaccio/patches:ro
+      - verdaccio-storage:/verdaccio/storage
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1:4873/-/ping"]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+    networks:
+      - metabuilder
+
  # ============================================================================
  # Core Services
  # ============================================================================
@@ -1062,6 +1085,9 @@ services:
 # Volumes
 # ============================================================================
 volumes:
+  # NPM registry
+  verdaccio-storage:
+    driver: local
  # Core
  postgres-data:
    driver: local
--- a/deployment/verdaccio.yaml
+++ b/deployment/verdaccio.yaml
@@ -3,11 +3,15 @@
 # else to npmjs.org.
 #
 # Usage:
-#   npx verdaccio --config deployment/verdaccio.yaml &
-#   bash deployment/publish-npm-patches.sh --verdaccio
-#   # .npmrc already points @esbuild-kit:registry to localhost:4873
+#   Local dev: npx verdaccio --config deployment/verdaccio.yaml &
+#   Compose:   docker compose -f docker-compose.stack.yml up verdaccio
+#   CI:        uses inline config with /tmp/verdaccio-storage
+#   Then:      bash deployment/publish-npm-patches.sh --verdaccio
+#   .npmrc already points @esbuild-kit:registry to localhost:4873

-storage: /tmp/verdaccio-storage
+# Docker container path (volume-mounted in docker-compose.stack.yml).
+# For local dev, use the CI composite action or npx verdaccio (default config).
+storage: /verdaccio/storage
 uplinks:
  npmjs:
    url: https://registry.npmjs.org/
Author	SHA1	Message	Date
Claude	3bb4349f0b	Fix Docker build failure: copy postinstall patch script into build context The .dockerignore excluded the scripts/ directory, so scripts/patch-bundled-deps.sh was missing during npm install in the base-node-deps Docker image. This caused the postinstall hook to fail with "No such file or directory" on every retry. - Whitelist scripts/patch-bundled-deps.sh in .dockerignore - Add COPY for the script in Dockerfile.node-deps before npm install https://claude.ai/code/session_01LsQx9CLjseJn72Sup32Dwm	2026-03-12 07:28:14 +00:00
rw	45daa18bb1	fix(ci): add Verdaccio to stack and Gate 7 for @esbuild-kit registry The base-node-deps Docker build failed because .npmrc routes @esbuild-kit packages to localhost:4873 (Verdaccio), which is unreachable inside BuildKit. - Add Verdaccio service to docker-compose.stack.yml with patched tarballs - Start Verdaccio in Gate 7 Tier 1 before base-node-deps build - Configure buildx with network=host so BuildKit can reach localhost:4873 - Update verdaccio.yaml storage path for container volume mount Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 22:38:17 +00:00
rw	ad51d61ee4	fix(docker): switch base-node-deps from alpine to slim for bash support The postinstall script (patch-bundled-deps.sh) requires bash, which is not available on Alpine. This caused npm install to fail silently, leaving node_modules empty and breaking the devcontainer build. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 22:08:56 +00:00
johndoe6345789	d84543314e	Merge pull request #1507 from johndoe6345789/claude/fix-seed-endpoint-PjaLE fix(e2e): add /api/setup route to workflowui and fail fast on seed error	2026-03-11 21:12:53 +00:00