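# Tagged minor release; for fully reproducible rebuilds pin by digest as well
# (python:3.12-slim@sha256:<digest-placeholder>).
FROM python:3.12-slim

# System packages: git for repo work, gh for GitHub API, ripgrep for grep tool,
# curl/gnupg for the gh apt repo setup. The single `apt-get upgrade -y` runs
# AFTER the gh repo is added and gh is installed, so it picks up security
# patches for gh too — an upgrade before that point can't, since the gh repo
# isn't configured yet. Without this, a stale gh (e.g. 2.92.0) lingers and
# trivy flags it (CVE-2026-48501, fixed in gh 2.93.0). Keeping gh on latest
# at build time is the policy; this avoids a brittle per-CVE version pin.
#
# The keyring and the sources entry are written with `curl -o` and a shell
# redirect rather than piped through `dd`/`tee`: under the default `/bin/sh -c`
# a pipeline's exit status is the last command's, so a failed download would
# leave an empty keyring behind and only surface later as a confusing apt
# signature error. `--no-install-recommends` applies to gh as well, and the
# apt lists are removed in the same layer so they never persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        gnupg \
        ripgrep \
    && curl -fsSL -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
        https://cli.github.com/packages/githubcli-archive-keyring.gpg \
    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
        > /etc/apt/sources.list.d/github-cli.list \
    && apt-get update && apt-get install -y --no-install-recommends gh \
    && apt-get upgrade -y \
    && rm -rf /var/lib/apt/lists/*

# Non-root user. /data is the state volume declared below: create it here,
# while still root, and hand it to sam — a mount point that does not exist in
# the image is created root-owned at run time, and a process running as sam
# could not write to it.
RUN useradd --create-home --shell /bin/bash sam \
    && mkdir -p /data \
    && chown sam:sam /data
USER sam
WORKDIR /home/sam

# Python deps — requirements.txt is copied on its own so this layer stays
# cached until the requirements change. --no-cache-dir keeps pip's download
# cache out of the image layer.
COPY --chown=sam:sam src/runtime/requirements.txt /home/sam/src/runtime/requirements.txt
RUN pip install --user --no-cache-dir --break-system-packages -r /home/sam/src/runtime/requirements.txt
ENV PATH="/home/sam/.local/bin:${PATH}"

# Sam's source — copied last so code changes don't bust dep cache. The build
# context should carry a .dockerignore (.git, .env, local caches) so nothing
# beyond the source lands in this layer.
COPY --chown=sam:sam . /home/sam/

# Commit SHA baked in at build time. CI passes `${{ github.sha }}` as a
# build-arg; local docker builds default to "unknown". The runtime exposes
# this via config.COMMIT_SHA and surfaces it in identity prompts and PR copy.
# Declared this late on purpose: it changes every build and would otherwise
# invalidate the layers that follow it.
ARG COMMIT_SHA=unknown
ENV SAM_COMMIT_SHA=${COMMIT_SHA}

# Volume for state. Declared after /data was created and chowned above, so a
# fresh named volume inherits sam's ownership from the image.
VOLUME ["/data"]

# Exec form: the daemon is PID 1 and receives SIGTERM from `docker stop`.
CMD ["python3", "-m", "src.runtime.daemon"]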