groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

promote(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981) #133

Merged
The Dogfather merged 2 commits from dev into uat 2026-06-01 16:30:55 +00:00
Conversation 0 Commits 2 Files Changed 2
+42 -1
The Dogfather commented 2026-06-01 16:29:56 +00:00
Member
Copy Link
Copy Source

UAT Promotion — GRO-1985 / GRO-1981

Promotes the merged dev work to uat for regression and security review.

What's promoted

Commits ahead of uat (2):

  • 1d28adb Merge PR #129 — fix(docker): bake pnpm via npm to remove Corepack runtime downloads
  • 3e547b8 fix(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)

Change summary

Dockerfile hardening to eliminate the EAI_AGAIN class of Corepack runtime downloads in air-gapped pods:

  • base + runner stages: RUN npm install -g pnpm@9.15.4 (real binary, no Corepack shim) + ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0.
  • migrate / seed / reset stages: ENV HOME=/tmp so pnpm has a writable HOME under readOnlyRootFilesystem: true + runAsUser: 1000.
  • Removed the vestigial mkdir -p /home/node/.cache/node/corepack.
  • .gitea/workflows/ci.yml: offline-run validation for the reset/seed/migrate targets.

Provenance

  • Dev PR: groombook/api#129 — merged to dev, CI 3/3 green, CTO (gb_dogfather) + QA (gb_lint) approved.
  • Dev deploy: CI green on 1d28adb71.
  • Source issues: GRO-1985, parent GRO-1981.

Next after merge

  • UAT regression by Shedward (offline reset/seed/migrate checks per the validation section).
  • Security review by Barkley (security context unchanged; no new plaintext secrets).

cc @cpfarhood

## UAT Promotion — GRO-1985 / GRO-1981 Promotes the merged dev work to `uat` for regression and security review. ### What's promoted Commits ahead of `uat` (2): - `1d28adb` Merge PR #129 — fix(docker): bake pnpm via npm to remove Corepack runtime downloads - `3e547b8` fix(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981) ### Change summary `Dockerfile` hardening to eliminate the EAI_AGAIN class of Corepack runtime downloads in air-gapped pods: - `base` + `runner` stages: `RUN npm install -g pnpm@9.15.4` (real binary, no Corepack shim) + `ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0`. - `migrate` / `seed` / `reset` stages: `ENV HOME=/tmp` so pnpm has a writable HOME under `readOnlyRootFilesystem: true` + `runAsUser: 1000`. - Removed the vestigial `mkdir -p /home/node/.cache/node/corepack`. - `.gitea/workflows/ci.yml`: offline-run validation for the reset/seed/migrate targets. ### Provenance - Dev PR: [groombook/api#129](https://git.farh.net/groombook/api/pulls/129) — merged to `dev`, CI 3/3 green, CTO (`gb_dogfather`) + QA (`gb_lint`) approved. - Dev deploy: CI green on `1d28adb71`. - Source issues: [GRO-1985](/GRO/issues/GRO-1985), parent [GRO-1981](/GRO/issues/GRO-1981). ### Next after merge - UAT regression by Shedward (offline reset/seed/migrate checks per the validation section). - Security review by Barkley (security context unchanged; no new plaintext secrets). cc @cpfarhood
The Dogfather added 2 commits 2026-06-01 16:29:57 +00:00
fix(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)
CI / Test (pull_request) Successful in 17s
Details
CI / Lint & Typecheck (pull_request) Successful in 23s
Details
CI / Build & Push Docker Images (pull_request) Successful in 1m14s
Details
3e547b8568 
The GRO-1983 fast restoration swapped Corepack's pnpm shim for a real
`npm install -g pnpm@9.15.4` binary, which is the right move. But the
GRO-1997 evidence gate still showed the first `reset-demo-data` pod
(...-nh7vg) hitting `getaddrinfo EAI_AGAIN registry.npmjs.org` before a
retry succeeded — the cache was writable, the cold-cache registry
download wasn't eliminated. This is the durable fix:

1. `ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0` in `base` and `runner`:
   defence in depth so a Corepack shim can never silently re-download
   pnpm, even if it is somehow re-introduced.

2. `ENV HOME=/tmp` in the `migrate`, `seed`, and `reset` stages:
   under `readOnlyRootFilesystem: true` + `runAsUser: 1000`, the
   default HOME path is read-only, and pnpm fails the first time it
   tries to write a config or state file. The job pods already mount a
   writable emptyDir at `/tmp`; point HOME there.

3. CI smoke tests for `seed` and `reset` images (matching the existing
   `migrate` smoke): point `registry.npmjs.org` at 127.0.0.1 in a
   throwaway container, assert `which pnpm` resolves to
   `/usr/local/bin/pnpm` (real binary, not shim), and that `pnpm
   --version` succeeds without network egress. If Corepack ever sneaks
   back in, CI catches it on every PR.

The vestigial `RUN mkdir -p /home/node/.cache/node/corepack` in the
`builder` stage (mentioned in the spec) was already removed in GRO-1909
(commit 0a3eb8a), so nothing to do there.

Follow-on cleanup of the per-job `COREPACK_HOME` env vars and
`node-cache` emptyDir mounts in `groombook/infra` is intentionally
deferred to a coordinated infra PR once the new image is deployed —
keeping the existing infra in place during the transition avoids a
flag-day.

GRO-1985, hardening follow-up to GRO-1984 / GRO-1983.
Closes parent: GRO-1981.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request 'fix(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)' (#129) from flea-flicker/gro-1985-bake-pnpm-offline into dev
CI / Test (push) Successful in 12s
Details
CI / Lint & Typecheck (push) Successful in 15s
Details
CI / Build & Push Docker Images (push) Successful in 1m10s
Details
CI / Test (pull_request) Successful in 12s
Details
CI / Lint & Typecheck (pull_request) Successful in 14s
Details
CI / Build & Push Docker Images (pull_request) Successful in 24s
Details
1d28adb71a 
Self-merge per SDLC Phase 1 Step 4 — CTO review approved by gb_dogfather, CI 3/3 green, QA approved by gb_lint. Closes GRO-1985.

cc @cpfarhood
The Dogfather merged commit 5a4b9a98bd into uat 2026-06-01 16:30:55 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/api#133
Delete Branch "dev"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?