All checks were successful
CI / test (push) Successful in 16s
- deploy-hook: REVISION_LABEL/EXPECTED_REVISION (default unset -> backward-compat)
- deploy-hook: fail-closed guard inspects SOURCE_IMAGE revision label before docker tag, normalises <no value>, exit 1 on empty/mismatch
- deploy-hook: new --build-staging mode rebuilds staging image stamping GIT_SHA
- Dockerfile: ARG GIT_SHA + LABEL org.opencontainers.image.revision=$GIT_SHA

Closes TC07/TC08 (tests/test_deploy_hook_provenance.py).
22 lines
1.1 KiB
Docker
FROM python:3.12-slim

WORKDIR /app

# ORCH-58: stamp the validated git commit into the OCI revision label so the
# deploy hook provenance guard can fail-closed on it before the prod retag.
# If GIT_SHA is not supplied via --build-arg the label is stamped with an empty
# value, which the guard rejects the same way as a mismatch, so an unlabelled
# image never reaches the prod tag.
ARG GIT_SHA
LABEL org.opencontainers.image.revision=$GIT_SHA

RUN apt-get update -qq && apt-get install -y -qq openssh-client git && rm -rf /var/lib/apt/lists/*

# git operates on bind-mounted /repos, which may be owned by a host uid that
# differs from the container's -> mark every path safe. --system writes the
# machine-wide config, so this covers root and the uid 1000 user created below.
RUN git config --system --add safe.directory '*'

# ORCH-58: compose runs the container as uid:gid 1000:1000 (ORCH-40), but the base
# image has no passwd entry for uid 1000 -> ssh/whoami fail with
# "No user exists for uid 1000" (rc=255), breaking the detached self-deploy ssh
# launch (ORCH-36 Phase B). Create a real user 1000 with a home dir so getpwuid()
# resolves and ssh can start.
RUN groupadd -g 1000 app && useradd -u 1000 -g 1000 -m -d /home/slin -s /bin/bash slin

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY src/ ./src/
COPY data/ ./data/

ENV PYTHONPATH=/app

CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8500"]
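The other half of the mechanism the Dockerfile comment refers to is the deploy hook's guard that reads the label back and refuses to retag on empty or mismatching values. The script below is an added example written for this page, not the project's deploy-hook script; it follows the behaviour the commit message describes (REVISION_LABEL/EXPECTED_REVISION, `<no value>` normalisation, exit 1 on empty/mismatch, guard skipped when EXPECTED_REVISION is unset) but the function names `normalise_label`, `check_revision_label`, `guard_and_tag` and `build_staging`, the variables SOURCE_IMAGE and TARGET_IMAGE, and the `docker inspect` template are assumptions, not the project's own code.

```bash
#!/usr/bin/env bash
# Added example, not the project's deploy hook. Function and variable names
# (normalise_label, check_revision_label, guard_and_tag, build_staging,
# SOURCE_IMAGE, TARGET_IMAGE) are assumptions for illustration.
set -eu

# Label key to compare; the Dockerfile stamps this one from ARG GIT_SHA.
REVISION_LABEL="${REVISION_LABEL:-org.opencontainers.image.revision}"

# `docker inspect --format '{{ index .Config.Labels "<key>" }}'` renders a
# missing label as the literal string "<no value>" (Go template semantics).
# That string must be treated as "no revision", never as a revision to match.
normalise_label() {
    raw="$1"
    if [ "$raw" = "<no value>" ]; then
        printf ''
    else
        printf '%s' "$raw"
    fi
}

# Pure comparison, no docker calls: returns 0 only when the stamped revision
# equals the expected one. Empty label, empty expectation or mismatch all
# return 1, so any doubt blocks the retag (fail closed).
check_revision_label() {
    raw_label="$1"
    expected="$2"
    actual="$(normalise_label "$raw_label")"
    if [ -z "$expected" ]; then
        echo "guard: EXPECTED_REVISION is empty; refusing to tag" >&2
        return 1
    fi
    if [ -z "$actual" ]; then
        echo "guard: image has no ${REVISION_LABEL} label; refusing to tag" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "guard: label ${actual} != expected ${expected}; refusing to tag" >&2
        return 1
    fi
    return 0
}

# Reads the label from a real image and gates `docker tag` on the check.
# When EXPECTED_REVISION is unset the guard is skipped (the backward-compat
# default); once set, a failed check exits 1 before the tag is written.
guard_and_tag() {
    source_image="$1"
    target_image="$2"
    if [ -z "${EXPECTED_REVISION:-}" ]; then
        echo "guard: EXPECTED_REVISION unset; provenance check skipped (legacy mode)" >&2
    else
        raw="$(docker inspect --format "{{ index .Config.Labels \"${REVISION_LABEL}\" }}" "$source_image")"
        check_revision_label "$raw" "$EXPECTED_REVISION" || exit 1
    fi
    docker tag "$source_image" "$target_image"
}

# Build side of the same contract: stamp the current commit into the image so
# a later guard_and_tag with EXPECTED_REVISION="$(git rev-parse HEAD)" passes.
build_staging() {
    staging_image="$1"
    sha="$(git rev-parse --verify HEAD)"
    docker build --build-arg GIT_SHA="$sha" -t "$staging_image" .
}

# Only act when invoked as a hook with both images named; sourcing the file
# for its functions (as the checks below do) performs no docker calls.
if [ -n "${SOURCE_IMAGE:-}" ] && [ -n "${TARGET_IMAGE:-}" ]; then
    guard_and_tag "$SOURCE_IMAGE" "$TARGET_IMAGE"
fi
```

Usage: `SOURCE_IMAGE=app:staging TARGET_IMAGE=app:prod EXPECTED_REVISION="$(git rev-parse HEAD)" ./deploy-guard.sh`. Keeping the comparison in a function that takes the raw label string makes the `<no value>` and empty-label branches testable without a Docker daemon, which is how the TC07/TC08-style cases in the commit message can be exercised in plain unit tests.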