refactor: run build in container (#826)

## Description

Currently the build process for pepr builds the code outside of the
container and then copies the transpiled code in.

This PR changes the build process to run the build step inside of a
container. This ensures that builds are fully reproducible and not
dependent on external tooling. It also streamlines building pepr
locally.

## Related Issue

## Type of change

- [x] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide
Steps](https://docs.pepr.dev/main/contribute/contributor-guide/#submitting-a-pull-request)
followed

Signed-off-by: Eddie Zaneski <eddiezane@gmail.com>
Co-authored-by: Case Wylie <cmwylie19@defenseunicorns.com>

.github/workflows/release.yml

@@ -21,10 +21,10 @@ jobs:
 
       - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
-      - name: Use Node.js 18
+      - name: Use Node.js 20
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: 18
+          node-version: 20
           registry-url: "https://registry.npmjs.org"
           cache: "npm"
 
@@ -43,10 +43,6 @@ jobs:
 
           npm install -g npm
 
-          npm ci
-          npm --no-git-tag-version version ${{ github.ref_name }}
-          npm run build
-
-          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --build-arg VER=${{ github.ref_name }} --tag ghcr.io/defenseunicorns/pepr/controller:${{ github.ref_name }} .
+          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --build-arg PEPR_BUILD_VERSION=${{ github.ref_name }} --tag ghcr.io/defenseunicorns/pepr/controller:${{ github.ref_name }} .
 
           PEPR_VERSION=${{ github.ref_name }} npm publish --provenance --access public

Dockerfile

@@ -1,35 +1,44 @@
 ### BUILD ###
 
-FROM docker.io/library/node:22-alpine@sha256:94567107148ac59f1eb2ad9b7c1db03f1a1a12d28717b29eda0535aa3bd2f71e as with-git
+ARG PEPR_BUILD_VERSION=0.0.0-development
 
-WORKDIR /app
+# crane digest cgr.dev/chainguard/node-lts:latest-dev
+FROM cgr.dev/chainguard/node-lts@sha256:49163a9f8b52f3ad9e842a16ccf0d7fa673571a272762f6483e38b90ba83985f AS build
 
-# install git
-RUN apk --no-cache add git
+WORKDIR /app
 
 # Copy the node config files
 COPY --chown=node:node ./package*.json ./
 
-# Load only direct dependencies for Production use
-RUN npm ci --omit=dev --omit=peer && \
-    # Clean up npm cache
+RUN npm --no-git-tag-version version ${PEPR_BUILD_VERSION}
+
+# Install deps
+RUN npm ci
+
+COPY --chown=node:node ./hack/ ./hack/
+
+COPY --chown=node:node ./tsconfig.json ./build.mjs ./
+
+COPY --chown=node:node ./src/ ./src/
+
+RUN npm run build && \
+    npm ci --omit=dev --omit=peer && \
     npm cache clean --force && \
     # Remove @types
-    rm -fr node_modules/@types && \
+    rm -rf node_modules/@types && \
     # Remove Ramda unused Ramda files
-    rm -fr node_modules/ramda/dist && \
-    rm -fr node_modules/ramda/es && \
-    # Remove all typescript files
-    find . -name "*.ts" -type f -delete
-
-# Sync the pepr dist files
-COPY --chown=node:node ./dist/  ./node_modules/pepr/dist/
-COPY --chown=node:node ./package.json  ./node_modules/pepr/package.json
+    rm -rf node_modules/ramda/dist && \
+    rm -rf node_modules/ramda/es && \
+    find . -name "*.ts" -type f -delete && \
+    mkdir node_modules/pepr && \
+    cp -r dist node_modules/pepr/dist && \
+    cp package.json node_modules/pepr
 
 ##### DELIVER #####
 
+# crane digest cgr.dev/chainguard/node-lts:latest
 FROM cgr.dev/chainguard/node-lts@sha256:64578d895b168f20737413ac56a14cefd63663691611f8af5020e8bc8de53f82
 
 WORKDIR /app
 
-COPY --from=with-git --chown=node:node /app/ /app/
+COPY --from=build --chown=node:node /app/node_modules/ ./node_modules/