feat(docker): update Dockerfile for Alpine base and add healthcheck s…

[chakrihacker]

…cript

Summary by Sourcery

Update Dockerfile to use Alpine-based Bun image, enforce reproducible installs, add and configure a healthcheck script, switch to non-root user, and expose port 3000.

New Features:

• Switch to an Alpine-based Bun Docker image
• Add a healthcheck script for application liveness verification
• Configure Docker HEALTHCHECK directive to use the newly added script

Enhancements:

• Install dependencies with --frozen-lockfile for reproducible builds
• Run the final container as a non-root user
• Clean up image layers by copying only necessary files into the build and runtime stages

Summary by CodeRabbit

• Chores
  • Updated the container build process for improved efficiency and security.
  • The application now runs as a non-root user within the container.
  • Added an automated health check to monitor the application's availability.
  • Exposed port 3000 for external access.

[sourcery-ai]

Reviewer's Guide

This PR migrates the Docker build to an Alpine-based Bun image, streamlines dependency installation with a frozen lockfile, adds a healthcheck script with corresponding Docker HEALTHCHECK, and refines runtime configuration for nonroot execution and proper file copying.

Flow diagram for Docker healthcheck process

flowchart TD
    Start([Docker HEALTHCHECK]) --> RunBun[/Run: bun healthcheck.js/]
    RunBun --> CheckHealth[Fetch http://localhost:3000/health]
    CheckHealth -->|HTTP 200 OK| Healthy[Exit 0]
    CheckHealth -->|HTTP error or network error| Unhealthy[Exit 1]

Loading

File-Level Changes

Change	Details	Files
Update Docker base image to Alpine	Switched build image from oven/bun to oven/bun:alpine	Dockerfile
Optimize dependency installation	Combined package.json and bun.lock copy into a single layer Ran bun install with --frozen-lockfile	Dockerfile
Introduce application health check	Added new healthcheck.js script for HTTP probe Copied healthcheck.js into final image Defined Docker HEALTHCHECK with interval, timeout, start-period, and retries	Dockerfile healthcheck.js
Refine runtime file copying and user setup	Consolidated copy of source, Prisma schema, and tsconfig Copied server binary from build stage Switched to nonroot user and exposed port 3000	Dockerfile

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

The Dockerfile was updated to use oven/bun:alpine as the build base, streamline file copying, and enforce lockfile consistency during installation. An intermediate stage installs curl, which is included in the final image. The final image now sets a non-root user and introduces a HEALTHCHECK using curl.

Changes

Cohort / File(s)	Change Summary
Dockerfile Updates Dockerfile	Switched build base to oven/bun:alpine, optimized copy commands, added --frozen-lockfile to bun install, added intermediate curl-downloader stage, included curl in final image, set user to nonroot:nonroot, added HTTP HEALTHCHECK with curl, and reordered EXPOSE/CMD.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

🐇
In Docker’s warren, changes hop,
Bun on Alpine, curl makes a stop.
Health checks now keep us spry,
Nonroot bunnies bounding by.
A streamlined build, a safer den,
Let’s ship our code and hop again!

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/optimize-docker

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[qodo-code-review]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Runtime Issue The healthcheck command uses /usr/local/bin/bun but the distroless base image may not have bun runtime available, which could cause the healthcheck to fail HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD ["/usr/local/bin/bun", "/app/healthcheck.js"] Compatibility Issue The fetch API with timeout option may not be available in all Node.js/Bun versions, and the script lacks error handling for cases where the health endpoint doesn't exist const res = await fetch(url, { timeout: 2000 }); if (res.ok) { Security Concern The healthcheck script is copied to the production image but may not be executable by the nonroot user, and the distroless image may lack necessary runtime dependencies COPY --from=build /app/healthcheck.js healthcheck.js # Ensure the binary is executable USER nonroot:nonroot

[sourcery-ai]

Hey @chakrihacker - I've reviewed your changes and they look great!

Prompt for AI Agents

Please address the comments from this code review:
## Individual Comments

### Comment 1
<location> `Dockerfile:44` </location>
<code_context>

-CMD ["./server"]
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD ["/usr/local/bin/bun", "/app/healthcheck.js"]
+
+EXPOSE 3000
</code_context>

<issue_to_address>
The healthcheck command assumes Bun is available in the runtime image.

The distroless/base image lacks Bun, so the healthcheck will fail unless Bun is added. Consider using a runtime image with Bun or a different healthcheck method.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): The healthcheck command assumes Bun is available in the runtime image.

The distroless/base image lacks Bun, so the healthcheck will fail unless Bun is added. Consider using a runtime image with Bun or a different healthcheck method.

[chakrihacker]

do you have any suggestions, for healthcheck?

[qodo-code-review]

Ask❓

do you have any suggestions, for healthcheck?

Answer:

Yes, I have several suggestions for the healthcheck given that the distroless/base image doesn't include Bun:

Option 1: Use curl/wget (requires adding them to the image)

# In the runtime stage, you'd need to use a different base image that includes curl
FROM gcr.io/distroless/base-debian11
# Or add curl to your build and copy it over
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["curl", "-f", "http://localhost:3000/health"]

Option 2: Use a simple shell script with built-in tools

# Create a simple healthcheck script that uses basic tools
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["sh", "-c", "wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1"]

Option 3: Switch to a runtime image that includes Node.js/Bun

FROM oven/bun:alpine AS runtime
# This way your healthcheck.js will work as intended
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["bun", "/app/healthcheck.js"]

Option 4: Copy Bun binary from build stage

COPY --from=build /usr/local/bin/bun /usr/local/bin/bun
# Then your current healthcheck would work

Recommended approach: Option 3 (switch to bun:alpine runtime) since you're already using Bun and it maintains consistency. The distroless approach is great for security but creates this compatibility issue with your healthcheck script.

[sourcery-ai]

Great question! Since the final runtime image (gcr.io/distroless/base) does not include Bun, the current healthcheck (/usr/local/bin/bun /app/healthcheck.js) will fail because Bun isn't available.

Here are a few suggestions for your healthcheck:

1. Use a simpler healthcheck with curl or wget:

   • If you only need to check if your app is responding, you can use curl or wget in the healthcheck. However, the distroless image also doesn't include these tools by default. You'd need to switch to a minimal Alpine or Debian-based image that includes them, or add them in a custom image.

2. Custom minimal healthcheck binary:

   • You could write a tiny Go or Rust binary that performs the healthcheck and copy it into the image. This is a common approach for distroless images.

3. Switch to a Bun-based runtime image:

   • If you want to keep using a JS healthcheck, use a Bun-based image (like oven/bun:alpine) for your runtime instead of distroless. This way, Bun will be available for the healthcheck script.

4. Remove the healthcheck or use Docker's basic TCP check:

   • You can use Docker's built-in TCP healthcheck:

     HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
       CMD nc -z localhost 3000 || exit 1

     But again, nc (netcat) is not available in distroless, so you'd need a base image that includes it.

Summary:

• If you want to keep the image as small and secure as possible, consider a custom minimal binary for healthchecks.
• If you want a quick solution, switch to an Alpine-based runtime image and use curl or keep Bun for the healthcheck.

Let me know which direction you'd like to take, and I can provide a more detailed example!

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Missing health endpoint implementation The healthcheck script assumes a /health endpoint exists at http://localhost:3000/health, but there's no evidence this endpoint is implemented in the application. The health check will consistently fail if this endpoint doesn't exist, making the container appear unhealthy even when the application is running correctly. Examples: healthcheck.js [2-5] const url = "http://localhost:3000/health"; try { const res = await fetch(url, { timeout: 2000 }); Dockerfile [44-45] HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD ["/usr/local/bin/bun", "/app/healthcheck.js"] Solution Walkthrough: Before: // healthcheck.js // Attempts to check a health endpoint const url = "http://localhost:3000/health"; const res = await fetch(url); if (res.ok) { process.exit(0); } else { process.exit(1); // Will always exit 1 if /health is not found } // Application server (missing implementation) // No route for GET /health After: // healthcheck.js // (No changes needed here) // Application server (conceptual fix) // Needs a new route to be added app.get("/health", (req, res) => { // Check database connection, etc. res.status(200).send("OK"); }); Suggestion importance[1-10]: 9 __ Why: This suggestion correctly identifies a critical flaw where the new health check will always fail because its target /health endpoint is not implemented, rendering a key feature of the PR non-functional.	High
Possible issue	Add executable permissions before user switch The USER directive should be placed after ensuring the binary has proper permissions. The nonroot user may not have execute permissions on the server binary. Dockerfile [38-39] # Ensure the binary is executable +RUN chmod +x server USER nonroot:nonroot Apply / Chat Suggestion importance[1-10]: 8 __ Why: This is a crucial fix that ensures the server binary has the necessary execute permissions before switching to a nonroot user, preventing a potential container startup failure.	Medium
Update

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2bfc08 and 14c065f.

📒 Files selected for processing (2)

• Dockerfile (2 hunks)
• healthcheck.js (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

healthcheck.js (1)

src/index.ts (1)

• uptime (43-49)

🔇 Additional comments (8)

healthcheck.js (1)

1-2: LGTM!

Clear documentation and appropriate endpoint URL for health checking.

Dockerfile (7)

1-1: LGTM!

Alpine base image reduces the final image size while maintaining functionality.

---

6-6: LGTM!

Combining package file copying in a single command is more efficient and follows Docker best practices.

---

9-9: LGTM!

The --frozen-lockfile flag ensures reproducible builds by preventing automatic lockfile updates during installation.

---

14-15: LGTM!

File copying optimizations look good. The trailing ./ and healthcheck.js addition are appropriate.

---

36-36: LGTM!

Adding the healthcheck script to the final image enables container health monitoring.

---

39-39: LGTM!

Setting explicit non-root user improves container security by following the principle of least privilege.

---

47-49: LGTM!

Moving EXPOSE before CMD and maintaining the existing command structure is appropriate.

[coderabbitai]

⚠️ Potential issue

Fix timeout implementation and consider runtime compatibility.

The current implementation has two issues:

1. The timeout option in fetch() is not a standard Web API feature and may not work as expected in all runtimes.
2. Top-level await requires the script to be treated as an ES module or run in a compatible environment.

Apply this diff to fix the timeout implementation:

-// healthcheck.js
-const url = "http://localhost:3000/health";
-
-try {
-  const res = await fetch(url, { timeout: 2000 });
-  if (res.ok) {
-    process.exit(0); // Healthy
-  } else {
-    process.exit(1); // HTTP error
-  }
-} catch (err) {
-  process.exit(1); // Network error or timeout
-}
+// healthcheck.js
+const url = "http://localhost:3000/health";
+
+(async () => {
+  try {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 2000);
+    
+    const res = await fetch(url, { signal: controller.signal });
+    clearTimeout(timeoutId);
+    
+    if (res.ok) {
+      process.exit(0); // Healthy
+    } else {
+      process.exit(1); // HTTP error
+    }
+  } catch (err) {
+    process.exit(1); // Network error or timeout
+  }
+})();

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	try {
	const res = await fetch(url, { timeout: 2000 });
	if (res.ok) {
	process.exit(0); // Healthy
	} else {
	process.exit(1); // HTTP error
	}
	} catch (err) {
	process.exit(1); // Network error or timeout
	}
	// healthcheck.js
	const url = "http://localhost:3000/health";
	(async () => {
	try {
	const controller = new AbortController();
	const timeoutId = setTimeout(() => controller.abort(), 2000);
	const res = await fetch(url, { signal: controller.signal });
	clearTimeout(timeoutId);
	if (res.ok) {
	process.exit(0); // Healthy
	} else {
	process.exit(1); // HTTP error
	}
	} catch (err) {
	process.exit(1); // Network error or timeout
	}
	})();

🤖 Prompt for AI Agents

In healthcheck.js around lines 4 to 13, the current fetch call uses a
non-standard timeout option and top-level await which may cause compatibility
issues. Replace the timeout option by implementing an AbortController to handle
the timeout manually. Wrap the fetch call inside an async function and invoke it
to avoid top-level await usage. This ensures proper timeout handling and
compatibility across different runtimes.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

Dockerfile (1)

40-41: Comment says “Ensure the binary is executable” but no chmod is performed

If bun build --compile ever changes its default permissions, the image will
quietly break. Either delete the misleading comment or add an explicit
RUN chmod +x /app/server before switching to the non-root user.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14c065f and d636756.

📒 Files selected for processing (1)

• Dockerfile (2 hunks)

🔇 Additional comments (2)

Dockerfile (2)

6-9: Lockfile name may be wrong for Bun

The canonical Bun lockfile is bun.lockb, not bun.lock. If your repository
uses the binary format but the copy statement misses it, the build layer cache
will be invalidated unnecessarily and bun install --frozen-lockfile could
exit with a non-zero status.

-COPY package.json bun.lock ./
+COPY package.json bun.lockb ./

Please verify which lockfile is committed.

---

45-47: Good move to switch the healthcheck to curl and align the timeout

Once the curl binary compatibility issue above is fixed, the HEALTHCHECK
parameters look sane and the 5 s timeout matches the scriptless check.

[coderabbitai]

⚠️ Potential issue

Alpine-built curl is very likely to seg-fault in the Debian-based distroless image

apk add --no-cache curl produces a musl-linked binary /usr/bin/curl.
The final stage (gcr.io/distroless/base) is glibc-based and does not ship the musl
loader (/lib/ld-musl-x86_64.so.1) or any musl libraries, so the copied binary
will fail at runtime and the HEALTHCHECK will be reported as unhealthy.

Diff-style fix (one option):

-FROM alpine AS curl-downloader
-RUN apk add --no-cache curl
+FROM debian:stable-slim AS curl-downloader
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends curl ca-certificates \
+    && rm -rf /var/lib/apt/lists/*

or simply switch the runtime image to oven/bun:alpine and drop the extra
stage altogether.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	FROM alpine AS curl-downloader
	RUN apk add --no-cache curl
	FROM gcr.io/distroless/base
	WORKDIR /app
	# Copy the compiled binaries
	COPY --from=build /app/server server
	COPY --from=curl-downloader /usr/bin/curl /usr/bin/curl
	FROM debian:stable-slim AS curl-downloader
	RUN apt-get update \
	&& apt-get install -y --no-install-recommends curl ca-certificates \
	&& rm -rf /var/lib/apt/lists/*
	FROM gcr.io/distroless/base
	WORKDIR /app
	# Copy the compiled binaries
	COPY --from=build /app/server server
	COPY --from=curl-downloader /usr/bin/curl /usr/bin/curl

🤖 Prompt for AI Agents

In Dockerfile lines 29 to 39, the curl binary built with Alpine's musl libc is
copied into a glibc-based distroless image, causing runtime segfaults due to
missing musl libraries. To fix this, either build curl in a Debian-based image
compatible with the distroless base or switch the final runtime image to an
Alpine-based image like oven/bun:alpine to ensure libc compatibility and remove
the need for the extra curl-downloader stage.