-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile
More file actions
102 lines (80 loc) · 3.42 KB
/
Dockerfile
File metadata and controls
102 lines (80 loc) · 3.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# Copyright 2026 markurtz
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM python:3.10-slim-bookworm AS builder
# Set working directory
WORKDIR /app
# Install system dependencies for Python build steps
# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
curl \
git \
libssl-dev \
pkg-config \
&& rm -rf /var/lib/apt/lists/*
# Install Python packaging tools
# hadolint ignore=DL3013
RUN pip install --no-cache-dir uv hatch
ARG VERSION=0.1.3.dev10+9eea393
# Copy package manifests (utilizing optional copy for Cargo files to be robust)
COPY pyproject.toml README.md LICENSE NOTICE ./
COPY scripts/ ./scripts/
# Copy source tree
COPY src/ ./src/
# Build Python wheel distributions
RUN hatch build
# ==============================================================================
# Stage 2: Runtime Stage (Minimal & Secure)
# ==============================================================================
FROM python:3.10-slim-bookworm
# Define standard OCI build parameters
ARG BUILD_DATE
ARG GIT_SHA
ARG VERSION=0.1.3.dev10+9eea393
# OCI Metadata Labels
LABEL org.opencontainers.image.created=$BUILD_DATE \
org.opencontainers.image.authors="markurtz" \
org.opencontainers.image.url="https://github.com/markurtz/git-versioned" \
org.opencontainers.image.documentation="https://markurtz.github.io/git-versioned/" \
org.opencontainers.image.source="https://github.com/markurtz/git-versioned" \
org.opencontainers.image.version=$VERSION \
org.opencontainers.image.revision=$GIT_SHA \
org.opencontainers.image.vendor="markurtz" \
org.opencontainers.image.licenses="Apache-2.0" \
org.opencontainers.image.title="git-versioned" \
org.opencontainers.image.description="Opinionated PEP 440 Python versioning for Git repos and submodules. Enforces CI/User authority and generates rich version.py files with deep metadata for auditability. Native Hatch & Setuptools support. Simple, predictable, and foolproof automation."
# Define standard production runtime environment variables
ENV APP_ENV=production \
PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1
# Set working directory
WORKDIR /app
# Create a secure, non-root system user and home directory
RUN groupadd -g 10001 appgroup && \
useradd -u 10001 -g appgroup -m -d /home/appuser -s /sbin/nologin appuser
# Copy sdist/wheel package from builder and install it
COPY --from=builder /app/dist/*.whl ./
# hadolint ignore=DL3013,SC2035
RUN pip install --no-cache-dir *.whl && rm -- *.whl
# Change ownership of the runtime directory to appuser
RUN chown -R appuser:appgroup /app
# Switch to the secure non-root user
USER appuser
# Expose production port
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD python -m gitversioned --version || exit 1
# Run the installed application entrypoint
CMD ["python", "-m", "gitversioned"]