compose.yml

services:
  npm:
    build:
      context: "./images/node"
      network: host
    cap_add:
      # Minimum permissions for Docker User Mirror entrypoint:
      - CAP_SETGID # Needed to switch from root to another user.
      - CAP_SETUID # Needed to switch from root to another user.
      - CAP_SETPCAP # Needed to change permissions when switching users.
      - CAP_CHOWN # Needed to write changes to /etc/gshadow and /etc/shadow.
      - CAP_DAC_OVERRIDE # Needed for Podman.
    cap_drop: ["ALL"]
    command: ["run", "clean-verify"]
    entrypoint: [/entrypoint, --, npm]
    environment:
      CAPABILITIES: # setpriv --bounding-set options. Must be a subset of cap_add. See https://www.man7.org/linux/man-pages/man1/setpriv.1.html#OPTIONS
      CHOWN_LIST: # Set by Docker User Mirror
      HOST_MAPPED_GROUP: # Set by Docker User Mirror
      HOST_MAPPED_GID: # Set by Docker User Mirror
      HOST_MAPPED_USER: # Set by Docker User Mirror
      HOST_MAPPED_UID: # Set by Docker User Mirror
      MINISIGN_CONFIG_DIR: /run/secrets
      SERVICE_NAME: npm # Used to filter CHOWN_LIST with Docker User Mirror
    network_mode: "host"
    secrets:
      - source: minisign
        target: "minisign.key"

    security_opt: ["no-new-privileges:true"]
    volumes:
      # Bind the current directory to the working directory inside the container.
      - type: "bind"
        source: "./"
        target: "/app"

      # Rename "docker.npmrc" to ".npmrc"
      - type: "bind"
        read_only: true
        source: "./docker.npmrc"
        target: "/app/.npmrc"

      # Bind the NPM cache.
      - type: "bind"
        source: "~/.npm"
        target: "/tmp/npm-cache"
        bind:
          create_host_path: true
      
      # Prepare build directory.
      - type: "bind"
        source: "./build"
        target: "/app/build"
        bind:
          create_host_path: true

      # Use higher performance volumes for intermediate directories.
      - type: "volume"
        source: build_rollup
        target: "/app/build/rollup"
      - type: "volume"
        source: build_typescript
        target: "/app/build/typescript"
      - type: "volume"
        source: node_modules
        target: "/app/node_modules"
    
    working_dir: "/app"

secrets:
   minisign:
    file: "${MINISIGN_KEY_PATH:-/dev/null}"

volumes:
  build_rollup:
  build_typescript:
  node_modules: