plex-playlist/Dockerfile.cicd

# CICD Setup - Clean base image with development tools only
FROM ubuntu:22.04

# Set timezone and make installs non-interactive
ENV DEBIAN_FRONTEND=noninteractive
ENV TZ=America/New_York

# Configure timezone
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

# Install apt-fast for faster downloads
RUN apt-get update && apt-get install -y \
    software-properties-common \
    && add-apt-repository -y ppa:apt-fast/stable \
    && apt-get update && apt-get install -y \
    apt-fast \
    && rm -rf /var/lib/apt/lists/*

# Configure apt-fast for non-interactive use with timeouts
RUN echo 'apt-fast apt-fast/maxdownloads string 10' | debconf-set-selections && \
    echo 'apt-fast apt-fast/dlflag boolean true' | debconf-set-selections && \
    echo 'apt-fast apt-fast/aptmanager string apt-get' | debconf-set-selections

# Configure apt timeouts and retries
RUN echo 'Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
    echo 'Acquire::http::Timeout "60";' >> /etc/apt/apt.conf.d/80retries && \
    echo 'Acquire::https::Timeout "60";' >> /etc/apt/apt.conf.d/80retries && \
    echo 'Acquire::ftp::Timeout "60";' >> /etc/apt/apt.conf.d/80retries

# Install system dependencies using apt-fast
RUN apt-fast update && apt-fast install -y \
    git \
    curl \
    ca-certificates \
    software-properties-common \
    build-essential \
    openssh-client \
    tzdata \
    && rm -rf /var/lib/apt/lists/*

# Configure system for memory-intensive builds
RUN echo "vm.overcommit_memory=1" >> /etc/sysctl.conf && \
    echo "vm.max_map_count=262144" >> /etc/sysctl.conf && \
    sysctl -w vm.overcommit_memory=1 && \
    sysctl -w vm.max_map_count=262144

# Install Python 3.13 with retry and fallback mechanisms
RUN for i in 1 2 3; do \
        echo "Attempt $i: Adding deadsnakes PPA..." && \
        add-apt-repository -y ppa:deadsnakes/ppa && \
        apt-get update && \
        break || \
        (echo "Attempt $i failed, retrying in 10s..." && sleep 10); \
    done

RUN for i in 1 2 3; do \
        echo "Attempt $i: Installing Python 3.13..." && \
        timeout 300 apt-fast install -y \
        python3.13 \
        python3.13-venv \
        python3.13-dev && \
        break || \
        (echo "Attempt $i failed, retrying in 15s..." && sleep 15); \
    done && \
    rm -rf /var/lib/apt/lists/*

# Install Node.js 24 with retry mechanism
RUN for i in 1 2 3; do \
        echo "Attempt $i: Installing Node.js 24..." && \
        curl -fsSL --connect-timeout 30 --max-time 300 \
        https://deb.nodesource.com/setup_24.x | bash - && \
        apt-fast update && \
        timeout 300 apt-fast install -y nodejs && \
        break || \
        (echo "Attempt $i failed, retrying in 15s..." && sleep 15); \
    done && \
    rm -rf /var/lib/apt/lists/*

# Enable corepack for yarn and set up Yarn Berry
RUN corepack enable \
    && corepack prepare yarn@stable --activate \
    && yarn set version berry

# Configure Yarn globally for CI performance
RUN yarn config set httpTimeout 60000 && \
    yarn config set networkTimeout 60000 && \
    yarn config set enableGlobalCache false && \
    yarn config set compressionLevel 0 && \
    export NODE_OPTIONS="--max-old-space-size=2048"

# Install uv package manager globally
COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv

# Accept build arguments for Git checkout (no secrets here!)
ARG GITHUB_SHA

# Set working directory
WORKDIR /workspace

# Set up SSH and clone repository using BuildKit secrets
RUN --mount=type=secret,id=ssh_private_key \
    mkdir -p ~/.ssh && \
    cp /run/secrets/ssh_private_key ~/.ssh/id_rsa && \
    chmod 600 ~/.ssh/id_rsa && \
    echo "Host dogar.darkhelm.org" > ~/.ssh/config && \
    echo "    Port 2222" >> ~/.ssh/config && \
    echo "    StrictHostKeyChecking no" >> ~/.ssh/config && \
    echo "    UserKnownHostsFile /dev/null" >> ~/.ssh/config && \
    chmod 600 ~/.ssh/config && \
    ssh-keyscan -p 2222 dogar.darkhelm.org >> ~/.ssh/known_hosts 2>/dev/null && \
    GIT_SSH_COMMAND="ssh -F ~/.ssh/config" \
    git clone --depth 1 --branch main \
    ssh://git@dogar.darkhelm.org:2222/DarkHelm.org/plex-playlist.git . && \
    if [ -n "$GITHUB_SHA" ]; then \
        git checkout "$GITHUB_SHA" 2>/dev/null || echo "Using main branch HEAD"; \
    fi && \
    rm -rf ~/.ssh

# Set up Python environment for backend
WORKDIR /workspace/backend
ENV VIRTUAL_ENV=/workspace/backend/.venv
RUN uv venv $VIRTUAL_ENV
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

# Install backend dev dependencies
RUN uv sync --dev

# Install backend package in development mode
RUN uv pip install -e .

# Set up frontend dependencies
WORKDIR /workspace/frontend

# Create temporary swap file for memory-intensive yarn install
RUN dd if=/dev/zero of=/tmp/swapfile bs=1M count=1024 2>/dev/null && \
    mkswap /tmp/swapfile && \
    swapon /tmp/swapfile || echo "Swap setup failed, continuing without swap"

# Configure Yarn for CI environment with memory optimizations
RUN echo "# CI optimizations" >> .yarnrc.yml && \
    echo "httpTimeout: 60000" >> .yarnrc.yml && \
    echo "networkTimeout: 60000" >> .yarnrc.yml && \
    echo "enableGlobalCache: false" >> .yarnrc.yml && \
    echo "compressionLevel: 0" >> .yarnrc.yml && \
    echo "nmMode: hardlinks-local" >> .yarnrc.yml

# Install frontend dependencies with memory optimizations and retry mechanism
RUN export NODE_OPTIONS="--max-old-space-size=2048 --gc-interval=100" && \
    export YARN_ENABLE_NETWORK=1 && \
    for i in 1 2 3; do \
        echo "Attempt $i: Installing frontend dependencies..." && \
        yarn install --immutable \
            --network-timeout 60000 \
            --cache-folder /tmp/yarn-cache \
            --network-concurrency 1 \
            --verbose \
        && break || \
        (echo "Attempt $i failed, cleaning up and retrying..." && \
         rm -rf node_modules .yarn/cache .yarn/install-state.gz /tmp/yarn-cache && \
         yarn cache clean --all 2>/dev/null || true && \
         sleep 15); \
    done && \
    rm -rf /tmp/yarn-cache .yarn/cache && \
    swapoff /tmp/swapfile 2>/dev/null || true && \
    rm -f /tmp/swapfile

# Verify all tools are working with the project
RUN cd /workspace/backend && \
    echo "=== Backend Tools Verification ===" && \
    uv run ruff --version && \
    uv run pyright --version && \
    uv run darglint --version && \
    uv run pytest --version && \
    uv run yamllint --version && \
    uv run toml-sort --version && \
    uv run xdoctest --version

RUN cd /workspace/frontend && \
    echo "=== Frontend Tools Verification ===" && \
    yarn eslint --version && \
    yarn prettier --version && \
    yarn tsc --version && \
    yarn vitest --version

# Create a script to set up SSH for git operations (using secrets mount)
RUN echo '#!/bin/bash' > /usr/local/bin/setup-ssh && \
    echo 'if [ -f /run/secrets/ssh_private_key ]; then' >> /usr/local/bin/setup-ssh && \
    echo '  mkdir -p ~/.ssh' >> /usr/local/bin/setup-ssh && \
    echo '  cp /run/secrets/ssh_private_key ~/.ssh/id_rsa' >> /usr/local/bin/setup-ssh && \
    echo '  chmod 600 ~/.ssh/id_rsa' >> /usr/local/bin/setup-ssh && \
    echo '  ssh-keyscan -H github.com >> ~/.ssh/known_hosts 2>/dev/null' >> /usr/local/bin/setup-ssh && \
    echo '  ssh-keyscan -p 2222 -H dogar.darkhelm.org >> ~/.ssh/known_hosts 2>/dev/null' >> /usr/local/bin/setup-ssh && \
    echo 'else' >> /usr/local/bin/setup-ssh && \
    echo '  echo "No SSH key provided via secrets mount"' >> /usr/local/bin/setup-ssh && \
    echo 'fi' >> /usr/local/bin/setup-ssh && \
    chmod +x /usr/local/bin/setup-ssh

# Set Python path for backend
ENV PYTHONPATH=/workspace/backend/src:/workspace/backend

# Set working directory back to root
WORKDIR /workspace

# Default to bash
SHELL ["/bin/bash", "-c"]
CMD ["/bin/bash"]