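# uv helper image. `latest` stays the default so existing builds are unchanged,
# but it is not reproducible: override it with a release tag (or a digest) for
# production builds, e.g. --build-arg UV_VERSION=<release tag>.
ARG UV_VERSION=latest
FROM ghcr.io/astral-sh/uv:${UV_VERSION} AS uv

# Use a slim Python image
FROM python:3.12-slim

# Install uv (only the binary is taken from the uv stage above)
COPY --from=uv /uv /bin/uv

# Install system dependencies (Required for Postgres and Healthchecks).
# --no-install-recommends keeps apt's "recommended" extras out of the image;
# the apt lists are removed in the same layer so they never reach the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
        libpq5 \
        postgresql-client \
    && rm -rf /var/lib/apt/lists/*

# Set working directory
WORKDIR /app

# Copy dependency files (lockfile pins exact versions — SEC-05)
COPY pyproject.toml uv.lock ./

# Install the locked dependency set into the system environment.
# `uv export --frozen` fails the build if uv.lock is out of sync with pyproject.toml,
# so image builds are reproducible and can't silently pull newer packages.
# --no-cache stops uv from leaving its download cache behind in this layer.
RUN uv export --frozen --no-dev --no-emit-project --format requirements-txt -o /tmp/requirements.txt \
    && uv pip install --system --no-cache -r /tmp/requirements.txt \
    && rm /tmp/requirements.txt

# Copy the rest of the application.
# This copies the whole build context; anything that must not end up in the
# image (.git, .env files, local caches) has to be excluded via .dockerignore.
COPY . .

# Security: Run as a non-privileged user (standard for 24/7 telemetry).
# A fixed UID (10001 is an arbitrary non-root value) lets runtimes that enforce
# runAsNonRoot verify the user numerically and keeps ownership stable across rebuilds.
RUN useradd -m --uid 10001 telemetry-user
USER telemetry-user

# CMD is handled by docker-compose.yml to differentiate movement vs events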