Initial distroless versions of get-checksum and version-bump

9 months ago · a8953721ea
4 changed files with 38 additions and 15 deletions
--- a/get-checksum/.dockerignore
+++ b/get-checksum/.dockerignore
@ -0,0 +1,2 @@
				@@ -0,0 +1,2 @@
+*
+!main.py
--- a/get-checksum/Dockerfile
+++ b/get-checksum/Dockerfile
@ -1,12 +1,22 @@
				@@ -1,12 +1,22 @@
-FROM python:3-slim
+FROM debian:12-slim AS build
+RUN apt-get update && \
+    apt-get install --no-install-suggests -y --no-install-recommends python3-venv gcc libpython3-dev && \
+    python3 -m venv /venv && \
+    /venv/bin/pip install --upgrade pip setuptools wheel

-ADD . /app

-WORKDIR /app
+FROM build AS build-venv
+RUN /venv/bin/pip install --disable-pip-version-check --no-cache-dir lxml
+RUN /venv/bin/pip install --disable-pip-version-check --no-cache-dir pyyaml 
+
+FROM gcr.io/distroless/python3-debian12:nonroot AS final

-RUN pip3 install lxml --target=/app
-RUN pip3 install pyyaml --target=/app
+USER nonroot

-ENV PYTHONPATH /app
+COPY --from=build-venv /venv /venv
+# Must chown files since non-root user doesn't have access to /app to write output file
+COPY --chown=nonroot:nonroot . /app
+
+WORKDIR /app

-ENTRYPOINT [ "python", "/app/main.py" ]
+ENTRYPOINT ["/venv/bin/python3", "main.py"]
--- a/version-bump/.dockerignore
+++ b/version-bump/.dockerignore
@ -0,0 +1,2 @@
				@@ -0,0 +1,2 @@
+*
+!main.py
--- a/version-bump/Dockerfile
+++ b/version-bump/Dockerfile
@ -1,13 +1,22 @@
				@@ -1,13 +1,22 @@
-FROM python:3-slim
+FROM debian:12-slim AS build
+RUN apt-get update && \
+    apt-get install --no-install-suggests -y --no-install-recommends python3-venv gcc libpython3-dev && \
+    python3 -m venv /venv && \
+    /venv/bin/pip install --upgrade pip setuptools wheel

-ADD . /app

-WORKDIR /app
+FROM build AS build-venv
+RUN /venv/bin/pip install --disable-pip-version-check --no-cache-dir lxml
+RUN /venv/bin/pip install --disable-pip-version-check --no-cache-dir pyyaml 
+
+FROM gcr.io/distroless/python3-debian12:debug-nonroot AS final

-RUN pip3 install lxml --target=/app
-RUN pip3 install pyyaml --target=/app
+USER nonroot

-ENV PYTHONPATH /app
+COPY --from=build-venv /venv /venv
+# Must chown files since non-root user doesn't have access to /app to write output file
+COPY --chown=nonroot:nonroot . /app
+
+WORKDIR /app

-CMD ["/app/main.py"]
-ENTRYPOINT [ "python", "-u" ]
+ENTRYPOINT ["/venv/bin/python3", "main.py"]