# =============================================================
# Stage "builder": install locked dependencies, then the project, with uv
# =============================================================
# NOTE(review): this tag names neither a uv release nor an image digest, so a
# rebuild can pull different build tooling. For reproducible builds pin it,
# e.g. ghcr.io/astral-sh/uv:<UV_VERSION>-python3.12-bookworm@sha256:<DIGEST>.
FROM ghcr.io/astral-sh/uv:python3.12-bookworm AS builder

# Selects the dependency set: "local" keeps dev dependencies; any other value,
# including an unset argument, makes the uv calls below add --no-dev.
ARG ENVIRONMENT

# Compile bytecode at install time and copy files into the environment
# instead of linking them from the cache mount.
ENV UV_COMPILE_BYTECODE=1 \
    UV_LINK_MODE=copy

# Never let uv download an interpreter: both stages must use the Python that
# ships in their base image.
ENV UV_PYTHON_DOWNLOADS=0

# Put the environment in /usr/local instead of the app's /code, to fix issues
# during bind mounts.
ENV UV_PROJECT_ENVIRONMENT=/usr/local

WORKDIR /code

# Dependency layer. uv.lock and pyproject.toml are bind-mounted for this step
# only, and the uv cache lives in a cache mount, so none of them is written
# into this layer.
#   --frozen              install exactly what uv.lock records, without
#                         re-resolving or rewriting it. It does not check that
#                         uv.lock still matches pyproject.toml; `--locked` is
#                         the flag that fails the build on a stale lock file.
#   $(...)                expands to nothing for ENVIRONMENT=local and to
#                         --no-dev otherwise, keeping dev dependencies out of
#                         production images.
#   --no-install-project  dependencies only; the project is installed below.
RUN --mount=type=cache,target=/root/.cache/uv \
    --mount=type=bind,source=uv.lock,target=uv.lock \
    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
    uv sync \
        --frozen \
        $([ "$ENVIRONMENT" = "local" ] && echo "" || echo "--no-dev") \
        --no-install-project

# Copies the entire build context. The runtime stage later copies /code as a
# whole, so whatever is not excluded by .dockerignore (.git, .env files, local
# credentials, ...) ends up in the shipped image.
COPY . /code

# Project layer: same lock-file and dev-dependency handling as above, this time
# installing the project itself.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen $([ "$ENVIRONMENT" = "local" ] && echo "" || echo "--no-dev")
# =============================================================
# Final stage: slim runtime image with the environment and app from "builder",
# running as an unprivileged user
# =============================================================
# NOTE(review): the tag is not pinned by digest, so the runtime base can change
# between builds. Append @sha256:<DIGEST> for a reproducible image.
FROM python:3.12-slim-bookworm

# Bring over the installed environment and the application tree.
# NOTE(review): the first COPY takes all of the builder's /usr/local, not only
# the packages uv installed. Check whether build-only tooling (for example the
# uv binary) reaches the runtime image this way.
# No --chown is given, so the non-root user created below is not made the
# owner of /usr/local or /code.
COPY --from=builder /usr/local /usr/local
COPY --from=builder /code /code

# Expose the build-time ENVIRONMENT value to the running container. It is an
# empty string when the build argument is omitted. The value is stored in the
# image configuration, so it must never carry a secret.
ARG ENVIRONMENT
ENV ENVIRONMENT=${ENVIRONMENT}

# Runtime defaults: search /usr/local/bin first, import the app from /code, and
# keep Python's output unbuffered.
ENV PATH="/usr/local/bin:$PATH" \
    PYTHONPATH="/code" \
    PYTHONUNBUFFERED=1

WORKDIR /code

# Create a system group and user named "non-root" and drop privileges to it.
# NOTE(review): the UID/GID are allocated automatically and USER is set by
# name. Platforms that enforce non-root execution by numeric UID may need a
# fixed UID and a numeric USER. Confirm against the deployment target.
RUN addgroup --system non-root \
    && adduser --system --ingroup non-root non-root
USER non-root