services: apparel-designer: build: context: . dockerfile: Dockerfile # Pass an SSH private key in as a build secret so npm can # authenticate against git.kadil.dev for the `goods-editor` # git+ssh: dependency. The secret is only available during # the single RUN step that mounts it; nothing about the key # ends up in the built image. See Dockerfile docblock for # the full mechanism. secrets: - ssh_key container_name: apparel-designer ports: ["3001:3001"] volumes: - uploads_data:/app/uploads - exports_data:/app/exports environment: - NODE_ENV=production - PORT=3001 restart: unless-stopped # Build-time secret declaration. # # Two ways to provide the key, pick whichever fits where you're # building from: # # ── A. File-based (typical local dev / deployment server) ─────── # Set SSH_KEY_FILE in the environment before running compose: # # SSH_KEY_FILE=$HOME/.ssh/id_ed25519 docker compose build # # The `file:` source below reads from that path. The fallback # `/dev/null` exists so `docker compose config` (validation / # linting) doesn't error out when the env var isn't set — actual # builds against /dev/null will fail with a clear "permission # denied" rather than a cryptic compose error. # # ── B. Env-var-based (typical CI) ────────────────────────────── # Comment out the `file:` line and uncomment `environment:` below. # Provide the key contents in the SSH_PRIVATE_KEY env var: # # SSH_PRIVATE_KEY="$(cat ~/.ssh/id_ed25519)" docker compose build # # In GitHub Actions / GitLab CI / etc., set SSH_PRIVATE_KEY from # the platform's secret store. The `environment:` source for build # secrets requires Docker Compose v2.23+. secrets: ssh_key: file: ${SSH_KEY_FILE:-/dev/null} # environment: SSH_PRIVATE_KEY volumes: uploads_data: exports_data: