From 2263e9f0bee02b4d3daf1702005721e662b5e63a Mon Sep 17 00:00:00 2001
From: Gabriel Mechali
Date: Thu, 12 Mar 2026 15:38:11 -0400
Subject: [PATCH 1/3] Pin uv and use non-root user.

---
 build/Dockerfile | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/build/Dockerfile b/build/Dockerfile
index 4e4f0b0..f711cc6 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,7 +1,7 @@
 FROM python:3.12-slim
 
-# Install uv.
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
+# Install uv. Pinning version for reproducibility.
+COPY --from=ghcr.io/astral-sh/uv:0.9.10 /uv /bin/uv
 
 # Set working directory
 WORKDIR /app
@@ -12,15 +12,17 @@ COPY pyproject.toml uv.lock ./
 # Copy the package directories
 COPY packages/ ./packages/
 
-# Install the dependencies, strictly from the lockfile
-RUN uv sync --frozen --no-dev --no-install-project
-
-# Install the project itself
+# Install the dependencies and the project itself
+# uv sync --frozen installs everything from the lockfile.
 RUN uv sync --frozen --no-dev
 
 # Place the virtualenv in the PATH
 ENV PATH="/app/.venv/bin:$PATH"
 
+# Create a non-root user and switch to it for security
+RUN groupadd -r datacommons-runner && useradd -r -g datacommons-runner datacommons-runner
+USER datacommons-runner
+
 # Expose the API port
 EXPOSE 5000
 

From e5c7a88f366196feadbeaf4d6829ea3e7721010e Mon Sep 17 00:00:00 2001
From: Gabriel Mechali
Date: Thu, 12 Mar 2026 15:52:40 -0400
Subject: [PATCH 2/3] Updates the cloudbuild sha

---
 build/cloudbuild.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/cloudbuild.yaml b/build/cloudbuild.yaml
index 77f0db3..dbf8201 100644
--- a/build/cloudbuild.yaml
+++ b/build/cloudbuild.yaml
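Review bot: The `0.9.10` tag on the added `COPY --from=ghcr.io/astral-sh/uv:0.9.10` line is still a mutable tag, so the build is reproducible only as long as that tag is never re-pushed; the comment's stated goal is met fully only by a digest pin, `COPY --from=ghcr.io/astral-sh/uv:0.9.10@sha256:<digest of the uv 0.9.10 image> /uv /bin/uv`. The unchanged `FROM python:3.12-slim` context line above it has the same property and floats across patch releases of both Python and the Debian base. If reproducibility is the point, both references should carry a digest and be bumped deliberately, e.g. by an automated dependency updater.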
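Review bot: `useradd -r` on the added RUN line does not create a home directory, so after `USER datacommons-runner` the account's `HOME` points at a path that does not exist, and anything that writes under `~` at runtime (tool caches, config files) fails with a confusing ENOENT or permission error rather than a clear message. Make the intent explicit with `useradd -r -g datacommons-runner --home-dir /nonexistent --shell /usr/sbin/nologin datacommons-runner`, or set a writable `HOME` (for example `ENV HOME=/tmp`) if the service genuinely needs one. Note also that `/app` and `/app/.venv` are written as root before the switch, which is the right least-privilege shape for a read-only application tree but means any runtime write into `/app` is denied; a one-line comment saying so, such as `# /app stays root-owned on purpose: the runtime user only needs read access`, would stop the next change from "fixing" it with a recursive chown.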
@@ -6,11 +6,11 @@ steps: - '-t' - 'us-docker.pkg.dev/datcom-ci/gcr.io/datacommons-platform:latest' - '-t' - - 'us-docker.pkg.dev/datcom-ci/gcr.io/datacommons-platform:$COMMIT_SHA' + - 'us-docker.pkg.dev/datcom-ci/gcr.io/datacommons-platform:$SHORT_SHA' - '-f' - 'build/Dockerfile' - '.' images: - 'us-docker.pkg.dev/datcom-ci/gcr.io/datacommons-platform:latest' - - 'us-docker.pkg.dev/datcom-ci/gcr.io/datacommons-platform:$COMMIT_SHA' \ No newline at end of file + - 'us-docker.pkg.dev/datcom-ci/gcr.io/datacommons-platform:$SHORT_SHA' \ No newline at end of file

From 958dc83dd9d61ecb17bf815846176f4bdc0ad04a Mon Sep 17 00:00:00 2001
From: Gabriel Mechali
Date: Thu, 12 Mar 2026 16:13:00 -0400
Subject: [PATCH 3/3] Address gemini comment

---
 build/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/Dockerfile b/build/Dockerfile
index f711cc6..f5df92d 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -20,7 +20,7 @@ RUN uv sync --frozen --no-dev
 ENV PATH="/app/.venv/bin:$PATH"
 
 # Create a non-root user and switch to it for security
-RUN groupadd -r datacommons-runner && useradd -r -g datacommons-runner datacommons-runner
+RUN groupadd -r -g 1001 datacommons-runner && useradd -r -g 1001 -u 1001 datacommons-runner
 USER datacommons-runner
 
 # Expose the API port
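Review bot: The fixed UID/GID 1001 on the changed RUN line only gives a runtime something to verify if the image also declares the user numerically, and the unchanged `USER datacommons-runner` context line below still names the account; as far as I can tell, Kubernetes `runAsNonRoot` rejects an image whose USER is a name unless `runAsUser` is set in the pod spec, because the runtime cannot resolve the name without the image's passwd file. Changing the context line to `USER 1001:1001` closes that gap while leaving name-based lookups (`HOME`, `whoami`) working via /etc/passwd. Separately, `-r` marks the account as a system account while `-u 1001` sits above Debian's default system-UID range; that combination is accepted, but a short comment such as `# Fixed UID/GID 1001 so runtime policies can verify the container is non-root` would explain why the numbers are pinned.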