feat(HMS-3914): harden Dockerfile

Apply an 'ignore by default' policy for the .dockerignore
configuration file. Be specific about the copied files.
Inject values for build-args by default on container-build
rule. Show the last commit when running container-build.

Signed-off-by: Alejandro Visiedo <[email protected]>

.dockerignore

@@ -1,13 +1,28 @@
-# Ignore /secrets directory content
-secrets
-
-# Ignore common directories
-.git
-bin
-node_modules
-.venv
-config/bonfire.yaml
-.npm
-.cache
-.devcontainer
+# Ignore by default
+**
+
+# Add exceptions
+!api
+api/.git
+!dist
+!babel.config.js
+!fec.config.js
+!jest.config.js
+!tsconfig.json
+!Makefile
+!openapitools.json
+!package.json
+!package-lock.json
+!requirements-dev.txt
+!requirements.txt
+!config/jest.setup.js
+!src
+!build/package/**
+
+# NOTE DO NOT ADD CHANGES AFTER THIS LINE
+
+# Specific ignore
+.docker
+.podman
+.kube
 

build/package/Dockerfile

@@ -3,11 +3,12 @@ FROM registry.redhat.io/rhel9/nodejs-16:1-110 AS builder
 # TODO Set env variable indicated into the URL
 USER root
 WORKDIR /opt/app-root/src
-COPY package*.json .
+
+COPY babel.config.js fec.config.js jest.config.js tsconfig.json .
+COPY package.json package-lock.json .
 RUN npm install
+
 COPY src src
-COPY *.js .
-COPY tsconfig.json tsconfig.json
 RUN npm run build
 
 COPY build/package/gen.app.info.sh gen.app.info.sh

scripts/mk/container.mk

@@ -41,6 +41,7 @@ registry-login:
 
 .PHONY: container-build
 container-build:  ## Build image CONTAINER_IMAGE from CONTAINERFILE using the CONTAINER_CONTEXT_DIR
+	[ ! -e "$(PROJECT_DIR)/.git" ] || git --no-pager log -n 1
 	$(CONTAINER_ENGINE) build \
 	  --label "quay.expires-after=$(QUAY_EXPIRATION)" \
 	  $(CONTAINER_BUILD_OPTS) \

scripts/mk/variables.mk

@@ -3,5 +3,10 @@
 ##
 
 APP_NAME := idmsvc
+SRC_HASH ?= "$(shell git rev-parse HEAD)"
+ifeq (,$(SRC_HASH))
+SRC_HASH := no-hash
+endif
 
+CONTAINER_BUILD_OPTS ?= --build-arg "APP_NAME=$(APP_NAME)" --build-arg "SRC_HASH=$(shell git rev-parse HEAD)"