Fix: merge consecutive RUN instructions in frontend Dockerfile

[Shubb07]

Proposed change

Resolves #3427

This PR fixes a SonarCloud maintainability issue (docker:S7031) in
docker/frontend/Dockerfile, where consecutive RUN instructions were
used.

The instructions were merged into a single RUN layer to reduce the
number of Docker image layers and improve maintainability, following
Docker best practices. This change does not alter any functional
behavior.

Checklist

• I followed the contributing workflow
• I verified that my code works as intended and resolves the issue as described
• The change is limited in scope and does not introduce functional behavior changes
• I ran make check-test locally: all warnings addressed, tests passed
• I used AI for code, documentation, tests, or communication related to this PR

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Optimized Docker build process and configuration for improved build efficiency and artifact management.

---

Note: This release contains only internal infrastructure improvements with no user-facing changes.

Walkthrough

Reworked docker/frontend/Dockerfile runner stage to merge consecutive RUNs into a single chain for packaging and patching tar (7.5.7) and @isaacs/brace-expansion (5.0.1), moved WORKDIR usage for packaging, reordered user/group creation after version checks, and expanded final image COPY/ownership and cleanup steps.

Changes

Cohort / File(s)	Summary
Docker frontend Dockerfile — runner & packaging docker/frontend/Dockerfile	Merged consecutive RUNs into one chain; perform tar and @isaacs/brace-expansion download, verification (grep), patching and installation in incremental steps within the same RUN; use /tmp for packaging then restore /app.
Docker frontend Dockerfile — final image & permissions docker/frontend/Dockerfile	Adjusted final image COPY sources from builder, set ownership/permissions for public assets and standalone/.next artifacts, ensure /app paths exist, and switch to non-root user after permission fixes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Update docker files location #3112: Modifies the same docker/frontend/Dockerfile areas and refactors runner-stage steps and version-check sequence.

Suggested labels

frontend, docker

Suggested reviewers

• kasya

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: merging consecutive RUN instructions in the frontend Dockerfile to fix a SonarCloud issue.
Description check	✅ Passed	The description is clearly related to the changeset, explaining the SonarCloud issue being fixed and the approach taken to resolve it.
Linked Issues check	✅ Passed	The PR successfully addresses issue #3427 by merging consecutive RUN instructions into a single layer using shell chaining, directly meeting the stated objectives.
Out of Scope Changes check	✅ Passed	All changes in the Dockerfile are directly related to merging consecutive RUN instructions as specified in issue #3427; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

docker/frontend/Dockerfile (1)

59-77: Merged RUN chain looks correct and well-structured.

The CVE patches, version verification via grep -q, cleanup, and user/group creation are properly chained. The grep -q assertions are a good defensive measure — if a patch silently fails, the build aborts early.

One minor inconsistency: line 66 uses a regex pattern ('version.*7.5.7') while line 75 uses a literal match ('"version": "5.0.1"'). Consider making them consistent for readability.

♻️ Suggested: align both grep patterns to the same style

-    grep -q 'version.*7.5.7' "${TAR_DIR}/package.json" && \
+    grep -q '"version": "7.5.7"' "${TAR_DIR}/package.json" && \

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[arkid15r]

Please resolve merge conflicts.

[Shubb07]

HI @arkid15r , Conflicts have been resolved and the branch was rebased onto main. Please re-review.

[arkid15r]

Could you resovle the merge conflicts?

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@docker/frontend/Dockerfile`:
- Line 58: The Dockerfile contains a bare "Note: Must download tar BEFORE
removing the old tar (npm needs it)" line which is not a valid Docker
instruction and causes a DL1000 parse error; update that line to be a proper
Dockerfile comment by prefixing it with "#" (or remove it entirely) so the
parser ignores it and the build no longer fails — look for the literal "Note:
Must download tar BEFORE removing the old tar (npm needs it)" in the Dockerfile
and change it to "# Note: Must download tar BEFORE removing the old tar (npm
needs it)".

🧹 Nitpick comments (1)

docker/frontend/Dockerfile (1)

67-67: Inconsistent version check pattern — use an exact match like line 76.

Line 67 uses the loose pattern 'version.*7.5.7' while line 76 uses the precise '"version": "5.0.1"'. The loose pattern could theoretically match unintended strings. For consistency and robustness, use the same format.

♻️ Proposed fix

-    grep -q 'version.*7.5.7' "${TAR_DIR}/package.json" && \
+    grep -q '"version": "7.5.7"' "${TAR_DIR}/package.json" && \

[Shubb07]

Hi @arkid15r , I have resolved merge conflicts. Combined both CVE fixes into a single RUN layer to keep security patches while preserving fewer Docker layers.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.68%. Comparing base (08adfcc) to head (b34d34d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3644   +/-   ##
=======================================
  Coverage   93.68%   93.68%           
=======================================
  Files         463      463           
  Lines       14419    14419           
  Branches     1939     1939           
=======================================
  Hits        13508    13508           
  Misses        535      535           
  Partials      376      376           

Flag	Coverage Δ
backend	95.65% <ø> (ø)
frontend	88.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 08adfcc...b34d34d. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.