From cb11c177a7119de8dd6d17c232610069876fd23f Mon Sep 17 00:00:00 2001
From: "soroush.asadi"
Date: Sun, 21 Jun 2026 17:08:16 +0330
Subject: [PATCH] fix(ci): stop pulling Alpine packages from the geo-blocked CDN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The CI server can't reach dl-cdn.alpinelinux.org (TLS error) — only the Nexus mirror is reachable, and it proxies Docker images, not apk packages.
- frontend: drop `apk add libc6-compat` (vestigial Next.js-template line; the deps stage only runs `npm ci` and the build/runtime stages never had it).
- 5 Go services (file/gateway/notification/payment/render): replace `apk add ca-certificates tzdata` with copying ca-certificates.crt from the golang builder stage + embedding tzdata via `go build -tags timetzdata`. No more apk -> no dependency on the Alpine CDN.
Co-Authored-By: Claude Opus 4.8
---
 Dockerfile | 5 ++++-
 services/file/Dockerfile | 4 ++--
 services/gateway/Dockerfile | 4 ++--
 services/notification/Dockerfile | 4 ++--
 services/payment/Dockerfile | 4 ++--
 services/render/Dockerfile | 4 ++--
 6 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3499648..12a3f45 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,9 @@
 # ── Stage 1: install dependencies ────────────────────────────────────────────
 FROM mirror.soroushasadi.com/node:20-alpine AS deps
-RUN apk add --no-cache libc6-compat
+# NOTE: do NOT `apk add libc6-compat` here — the deps stage only runs `npm ci`
+# (which doesn't need it) and the build/runtime stages omit it anyway. Pulling it
+# reaches Alpine's public CDN (dl-cdn.alpinelinux.org), which is unreachable from
+# the CI server (only the Nexus mirror is) and fails the whole build.
 WORKDIR /app
 COPY package.json package-lock.json* ./
diff --git a/services/file/Dockerfile b/services/file/Dockerfile
index c7e706d..7ff4ebb 100644
--- a/services/file/Dockerfile
+++ b/services/file/Dockerfile
@@ -3,10 +3,10 @@ ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /src
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -o /file-svc ./cmd/server
+RUN CGO_ENABLED=0 GOOS=linux go build -tags timetzdata -mod=vendor -o /file-svc ./cmd/server
 FROM mirror.soroushasadi.com/alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /file-svc /file-svc
 EXPOSE 8080
 ENTRYPOINT ["/file-svc"]
diff --git a/services/gateway/Dockerfile b/services/gateway/Dockerfile
index 8d87e73..0d9655c 100644
--- a/services/gateway/Dockerfile
+++ b/services/gateway/Dockerfile
@@ -4,10 +4,10 @@ ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /app
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o gateway ./cmd/server
+RUN CGO_ENABLED=0 GOOS=linux go build -tags timetzdata -mod=vendor -ldflags="-s -w" -o gateway ./cmd/server
 FROM mirror.soroushasadi.com/alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 WORKDIR /app
 COPY --from=builder /app/gateway .
 EXPOSE 8080
diff --git a/services/notification/Dockerfile b/services/notification/Dockerfile
index 86d8e14..16b6622 100644
--- a/services/notification/Dockerfile
+++ b/services/notification/Dockerfile
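Review bot: The provenance of the runtime trust store is undocumented in services/gateway/Dockerfile: after this change `/etc/ssl/certs/ca-certificates.crt` is whatever the builder image shipped, and `-tags timetzdata` embeds the zone database of the Go toolchain used, instead of both coming from Alpine's packages. Root-certificate removals and time-zone updates therefore reach the service only when the builder image is bumped and the image rebuilt. I would record that above the COPY, for example `# CA bundle is taken from the builder image (no apk at build time); bump the builder image to refresh it`. The same applies to the file, notification, payment and render hunks. The builder stage's FROM line is outside the hunk, so which image supplies the bundle cannot be confirmed from here.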
@@ -3,10 +3,10 @@ ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /app
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o notification-svc ./cmd/server
+RUN CGO_ENABLED=0 GOOS=linux go build -tags timetzdata -mod=vendor -ldflags="-s -w" -o notification-svc ./cmd/server
 FROM mirror.soroushasadi.com/alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 WORKDIR /app
 COPY --from=builder /app/notification-svc .
 EXPOSE 8080
diff --git a/services/payment/Dockerfile b/services/payment/Dockerfile
index 8311f2a..d329040 100644
--- a/services/payment/Dockerfile
+++ b/services/payment/Dockerfile
@@ -3,10 +3,10 @@ ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /app
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o payment-svc ./cmd/server
+RUN CGO_ENABLED=0 GOOS=linux go build -tags timetzdata -mod=vendor -ldflags="-s -w" -o payment-svc ./cmd/server
 FROM mirror.soroushasadi.com/alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 WORKDIR /app
 COPY --from=builder /app/payment-svc .
 EXPOSE 8080
diff --git a/services/render/Dockerfile b/services/render/Dockerfile
index 5ed2d97..364a98e 100644
--- a/services/render/Dockerfile
+++ b/services/render/Dockerfile
@@ -3,10 +3,10 @@ ENV GOPROXY=https://mirror.kargadan.ir/repository/go-group/ GOSUMDB=off
 WORKDIR /app
 # Dependencies are vendored — build fully offline (proxy.golang.org is geo-blocked from some regions)
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o render-svc ./cmd/server
+RUN CGO_ENABLED=0 GOOS=linux go build -tags timetzdata -mod=vendor -ldflags="-s -w" -o render-svc ./cmd/server
 FROM mirror.soroushasadi.com/alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 WORKDIR /app
 COPY --from=builder /app/render-svc .
 EXPOSE 8080