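# syntax=docker/dockerfile:1
FROM python:3.12-slim

# ORCH-058 (Strategy B): stamp the image with the git commit it was built from so
# the deploy hook can fail-close if a stale staging image would be promoted to prod
# (INV-FRESH). Passed at build time via `--build-arg GIT_SHA=` (the staging
# rebuild in check_staging_image_fresh / the --build-staging hook mode supplies it).
# Without the build-arg the label is empty -> the hook treats it as a mismatch
# (fail-closed). The OCI-standard key is read by `docker image inspect`.
# GIT_SHA is deliberately an ARG, not ENV: it lands in the label (and `docker
# history`) but is not injected into the container's runtime environment.
ARG GIT_SHA=""
LABEL org.opencontainers.image.revision=$GIT_SHA

WORKDIR /app

# git + ssh client are needed at runtime (git operations over /repos, the
# detached self-deploy ssh launch). update + install + list cleanup stay in ONE
# layer so the apt lists never persist in the image; --no-install-recommends
# keeps each package's Recommends out of the runtime image (smaller surface).
RUN apt-get update -qq \
    && apt-get install -y -qq --no-install-recommends \
        git \
        openssh-client \
    && rm -rf /var/lib/apt/lists/*

# git operations run as root over bind-mounted /repos (may be owned by host uid) -> trust it.
# NOTE(review): '*' switches off git's dubious-ownership check for every path in
# the container, not only /repos; if the mount path is stable, scoping it with
# `git config --system --add safe.directory /repos` narrows the exemption.
RUN git config --system --add safe.directory '*'

# ORCH-58: compose runs the container as uid:gid 1000:1000 (ORCH-40), but the base
# image has no passwd entry for uid 1000 -> ssh/whoami fail with
# "No user exists for uid 1000" (rc=255), breaking the detached self-deploy ssh
# launch (ORCH-36 Phase B). Create a real user 1000 with a home dir so getpwuid()
# resolves and ssh can start.
# There is intentionally no USER directive here: the runtime uid:gid is supplied
# by compose; running this image outside compose starts as root.
RUN groupadd -g 1000 app \
    && useradd -u 1000 -g 1000 -m -d /home/slin -s /bin/bash slin

# Dependency manifest is copied on its own so the pip layer is cached until
# requirements.txt changes, independently of edits under src/.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY src/ ./src/

# ORCH-061: do NOT `COPY data/ ./data/`. `data/` is gitignored (runtime SQLite DB
# + backups), so it is ABSENT in every git worktree. The staging-image rebuild of
# ORCH-058 (`check_staging_image_fresh` / hook `--build-staging`) uses the task
# WORKTREE as the build context, where `data/` does not exist -> `COPY data/`
# fails the build (rc=1) -> deploy-staging rolls back to development (the loop this
# task fixes). It is also pointless: the DB always arrives via the compose bind
# mount (`./data:/app/data` prod, `./data/staging:/app/data` staging), which
# overrides anything baked in (and baking the host DB into the image leaks stale
# state). Just ensure the mount target exists; sqlite creates the .db file.
RUN mkdir -p /app/data

ENV PYTHONPATH=/app

# Documentation only (does not publish the port); matches the --port passed to
# uvicorn below.
EXPOSE 8500

# Exec form: uvicorn is PID 1 and receives SIGTERM from `docker stop` directly.
CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8500"]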