wrongmove/Dockerfile

# syntax=docker/dockerfile:1

# Stage 1: Install build tools and Python dependencies
FROM python:3.13-slim AS builder

COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv

RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
    apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    gcc \
    python3-dev \
    libopencv-dev \
    libmariadb-dev

WORKDIR /app

COPY requirements.txt ./

# Install dependencies into a venv using uv (10-25x faster than pip)
RUN --mount=type=cache,target=/root/.cache/uv \
    python -m venv /app/.venv && \
    uv pip install --python /app/.venv/bin/python -r requirements.txt

# Stage 2: Runtime system dependencies (runs in parallel with builder)
FROM python:3.13-slim AS runtime-base

RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
    apt-get update && apt-get install -y --no-install-recommends \
    libglib2.0-0 \
    tesseract-ocr \
    tesseract-ocr-eng \
    libmariadb3 \
    curl

# Stage 3: Test — runtime deps + venv + test dependencies + run tests
FROM runtime-base AS test

WORKDIR /app

COPY --from=builder /app/.venv /app/.venv
ENV PATH="/app/.venv/bin:$PATH"

COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv

RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install --python /app/.venv/bin/python pytest pytest-asyncio pytest-xdist httpx aioresponses fakeredis

COPY . .

RUN pytest tests/ -x -q

# Stage 4: Final image — combine venv from builder + runtime base
FROM runtime-base AS production

RUN adduser --system --no-create-home appuser

WORKDIR /app

# Copy the venv from the builder stage
COPY --from=builder /app/.venv /app/.venv

ENV PATH="/app/.venv/bin:$PATH"

# Copy the application code
COPY . .

RUN chown -R appuser /app

USER appuser

EXPOSE 5001

HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=40s \
  CMD curl -f http://localhost:5001/api/status || exit 1

CMD ["sh", "-c", "alembic upgrade head && uvicorn api.app:app --host 0.0.0.0 --port 5001 --no-server-header"]
Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`# syntax=docker/dockerfile:1`

Parallelise Dockerfile stages and enable CI layer caching Split runtime apt-get into a separate stage so BuildKit runs it concurrently with the builder's apt-get + pip install. Add cache_from to the Drone CI API build step to reuse layers from the previous image. 2026-02-07 11:06:35 +00:00			`# Stage 1: Install build tools and Python dependencies`
Remove unused deps and multi-stage Dockerfile with pip Drop transformers, matplotlib, geopy, and diskcache (~560MB) from dependencies — none are imported in the codebase. Replace single-stage poetry-based Docker build with a two-stage pip-based build: builder stage installs into a venv from an exported requirements.txt, runtime stage copies only the venv and app code. Eliminates poetry from the image (fixes ARM segfaults) and removes ~200MB of build tools from the final image. 2026-02-07 10:48:22 +00:00			`FROM python:3.13-slim AS builder`
dockerize 2025-05-21 21:30:00 +00:00
Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv`

			`RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \`
			`--mount=type=cache,target=/var/lib/apt/lists,sharing=locked \`
			`apt-get update && apt-get install -y --no-install-recommends \`
dockerize 2025-05-21 21:30:00 +00:00			`build-essential \`
			`gcc \`
			`python3-dev \`
			`libopencv-dev \`
Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`libmariadb-dev`
Remove unused deps and multi-stage Dockerfile with pip Drop transformers, matplotlib, geopy, and diskcache (~560MB) from dependencies — none are imported in the codebase. Replace single-stage poetry-based Docker build with a two-stage pip-based build: builder stage installs into a venv from an exported requirements.txt, runtime stage copies only the venv and app code. Eliminates poetry from the image (fixes ARM segfaults) and removes ~200MB of build tools from the final image. 2026-02-07 10:48:22 +00:00
			`WORKDIR /app`

			`COPY requirements.txt ./`

Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`# Install dependencies into a venv using uv (10-25x faster than pip)`
			`RUN --mount=type=cache,target=/root/.cache/uv \`
			`python -m venv /app/.venv && \`
Parallelize API tests and build, gate publish on test pass Same pattern as the frontend pipeline: build pushes to a staging tag (build-N) in parallel with tests. Tests split into unit and integration shards using a shared venv from the workspace. Publish step uses skopeo to copy the manifest to final tags (:N, :latest, :builder) only after all tests and the build succeed. Named the final Dockerfile stage 'production' so target skips the test stage. 2026-02-21 21:26:44 +00:00			`uv pip install --python /app/.venv/bin/python -r requirements.txt`
Remove unused deps and multi-stage Dockerfile with pip Drop transformers, matplotlib, geopy, and diskcache (~560MB) from dependencies — none are imported in the codebase. Replace single-stage poetry-based Docker build with a two-stage pip-based build: builder stage installs into a venv from an exported requirements.txt, runtime stage copies only the venv and app code. Eliminates poetry from the image (fixes ARM segfaults) and removes ~200MB of build tools from the final image. 2026-02-07 10:48:22 +00:00
Parallelise Dockerfile stages and enable CI layer caching Split runtime apt-get into a separate stage so BuildKit runs it concurrently with the builder's apt-get + pip install. Add cache_from to the Drone CI API build step to reuse layers from the previous image. 2026-02-07 11:06:35 +00:00			`# Stage 2: Runtime system dependencies (runs in parallel with builder)`
			`FROM python:3.13-slim AS runtime-base`
Remove unused deps and multi-stage Dockerfile with pip Drop transformers, matplotlib, geopy, and diskcache (~560MB) from dependencies — none are imported in the codebase. Replace single-stage poetry-based Docker build with a two-stage pip-based build: builder stage installs into a venv from an exported requirements.txt, runtime stage copies only the venv and app code. Eliminates poetry from the image (fixes ARM segfaults) and removes ~200MB of build tools from the final image. 2026-02-07 10:48:22 +00:00
Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \`
			`--mount=type=cache,target=/var/lib/apt/lists,sharing=locked \`
			`apt-get update && apt-get install -y --no-install-recommends \`
dockerize 2025-05-21 21:30:00 +00:00			`libglib2.0-0 \`
			`tesseract-ocr \`
			`tesseract-ocr-eng \`
Remove unused deps and multi-stage Dockerfile with pip Drop transformers, matplotlib, geopy, and diskcache (~560MB) from dependencies — none are imported in the codebase. Replace single-stage poetry-based Docker build with a two-stage pip-based build: builder stage installs into a venv from an exported requirements.txt, runtime stage copies only the venv and app code. Eliminates poetry from the image (fixes ARM segfaults) and removes ~200MB of build tools from the final image. 2026-02-07 10:48:22 +00:00			`libmariadb3 \`
Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`curl`
dockerize 2025-05-21 21:30:00 +00:00
perf: optimize CI pipeline — eliminate double dependency installs, use local registry cache - Frontend Dockerfile: split into deps/test/builder/nginx stages so npm ci runs once (cached when package-lock.json unchanged), tests run in build - Backend Dockerfile: add test stage that runs pytest inside the build, eliminating separate test image build - .drone.yml: remove separate test steps (now inside Dockerfile builds), point cache_from/cache_repo at local registry (10.0.20.10:5000) instead of Docker Hub for faster layer cache pulls 2026-02-21 15:10:55 +00:00			`# Stage 3: Test — runtime deps + venv + test dependencies + run tests`
Cache test image to speed up CI backend test step Add a 'test' stage to Dockerfile that extends runtime-base with the venv and test dependencies (pytest, fakeredis, etc.) pre-installed. Drone CI now builds and caches this image as :test, then uses it directly for running tests — eliminating apt-get and pip install on every build. 2026-02-10 22:57:42 +00:00			`FROM runtime-base AS test`

			`WORKDIR /app`

			`COPY --from=builder /app/.venv /app/.venv`
			`ENV PATH="/app/.venv/bin:$PATH"`

Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv`

			`RUN --mount=type=cache,target=/root/.cache/uv \`
			`uv pip install --python /app/.venv/bin/python pytest pytest-asyncio pytest-xdist httpx aioresponses fakeredis`
Cache test image to speed up CI backend test step Add a 'test' stage to Dockerfile that extends runtime-base with the venv and test dependencies (pytest, fakeredis, etc.) pre-installed. Drone CI now builds and caches this image as :test, then uses it directly for running tests — eliminating apt-get and pip install on every build. 2026-02-10 22:57:42 +00:00
perf: optimize CI pipeline — eliminate double dependency installs, use local registry cache - Frontend Dockerfile: split into deps/test/builder/nginx stages so npm ci runs once (cached when package-lock.json unchanged), tests run in build - Backend Dockerfile: add test stage that runs pytest inside the build, eliminating separate test image build - .drone.yml: remove separate test steps (now inside Dockerfile builds), point cache_from/cache_repo at local registry (10.0.20.10:5000) instead of Docker Hub for faster layer cache pulls 2026-02-21 15:10:55 +00:00			`COPY . .`

			`RUN pytest tests/ -x -q`

Cache test image to speed up CI backend test step Add a 'test' stage to Dockerfile that extends runtime-base with the venv and test dependencies (pytest, fakeredis, etc.) pre-installed. Drone CI now builds and caches this image as :test, then uses it directly for running tests — eliminating apt-get and pip install on every build. 2026-02-10 22:57:42 +00:00			`# Stage 4: Final image — combine venv from builder + runtime base`
Parallelize API tests and build, gate publish on test pass Same pattern as the frontend pipeline: build pushes to a staging tag (build-N) in parallel with tests. Tests split into unit and integration shards using a shared venv from the workspace. Publish step uses skopeo to copy the manifest to final tags (:N, :latest, :builder) only after all tests and the build succeed. Named the final Dockerfile stage 'production' so target skips the test stage. 2026-02-21 21:26:44 +00:00			`FROM runtime-base AS production`
Parallelise Dockerfile stages and enable CI layer caching Split runtime apt-get into a separate stage so BuildKit runs it concurrently with the builder's apt-get + pip install. Add cache_from to the Drone CI API build step to reuse layers from the previous image. 2026-02-07 11:06:35 +00:00
Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`RUN adduser --system --no-create-home appuser`

dockerize 2025-05-21 21:30:00 +00:00			`WORKDIR /app`

Remove unused deps and multi-stage Dockerfile with pip Drop transformers, matplotlib, geopy, and diskcache (~560MB) from dependencies — none are imported in the codebase. Replace single-stage poetry-based Docker build with a two-stage pip-based build: builder stage installs into a venv from an exported requirements.txt, runtime stage copies only the venv and app code. Eliminates poetry from the image (fixes ARM segfaults) and removes ~200MB of build tools from the final image. 2026-02-07 10:48:22 +00:00			`# Copy the venv from the builder stage`
			`COPY --from=builder /app/.venv /app/.venv`
dockerize 2025-05-21 21:30:00 +00:00
			`ENV PATH="/app/.venv/bin:$PATH"`

			`# Copy the application code`
			`COPY . .`

Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00			`RUN chown -R appuser /app`

			`USER appuser`

change api port to 5001 2025-06-24 19:12:20 +00:00			`EXPOSE 5001`
Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck - Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit 2026-02-21 19:49:11 +00:00
			`HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=40s \`
			`CMD curl -f http://localhost:5001/api/status \|\| exit 1`

Add API anti-abuse hardening: disable docs in prod, origin validator, exception handler - Disable OpenAPI docs/redoc/openapi.json when APP_ENV=production - Strip uvicorn Server header with --no-server-header in Dockerfile and docker-compose.yml - Add OriginValidatorMiddleware to reject state-changing requests from disallowed origins - Add global exception handler to prevent stack trace leakage on unhandled errors - Add tests for all new security features (OpenAPI, origin validation, exception handler, server header) 2026-02-08 20:06:46 +00:00			`CMD ["sh", "-c", "alembic upgrade head && uvicorn api.app:app --host 0.0.0.0 --port 5001 --no-server-header"]`