production hardening

Dockerfile

@@ -1,16 +1,28 @@
-FROM node:20-alpine AS builder
+FROM node:24-alpine AS base
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
+RUN corepack enable
+
+FROM base AS deps
 WORKDIR /app
 COPY package.json pnpm-lock.yaml ./
-RUN npm i -g pnpm && pnpm install --frozen-lockfile
+RUN pnpm install --frozen-lockfile
+
+FROM deps AS builder
+WORKDIR /app
 COPY . .
 RUN DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" pnpm prisma:generate
 RUN pnpm build
 
-FROM node:20-alpine
+FROM base AS runner
 WORKDIR /app
-COPY --from=builder /app/dist ./dist
-COPY --from=builder /app/node_modules ./node_modules
+ENV NODE_ENV=production
+RUN addgroup -S nodejs && adduser -S nestjs -G nodejs
+COPY package.json pnpm-lock.yaml ./
 COPY --from=builder /app/prisma ./prisma
 COPY --from=builder /app/prisma.config.ts ./prisma.config.ts
-COPY --from=builder /app/package.json ./package.json
+RUN pnpm install --frozen-lockfile --prod
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
+USER nestjs
 CMD ["node", "dist/src/main.js"]