2026-06-18 11:19:24 -04:00
|
|
|
# Backend Dockerfile for FastAPI with Python 3.14
|
2026-07-06 10:29:31 -04:00
|
|
|
FROM python:3.14-slim AS dependencies
|
2025-10-18 09:14:10 -04:00
|
|
|
|
|
|
|
|
WORKDIR /app
|
|
|
|
|
|
|
|
|
|
COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
|
|
|
|
|
|
|
|
|
|
ENV VIRTUAL_ENV=/app/.venv
|
|
|
|
|
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
|
|
|
|
|
|
|
|
|
|
COPY backend/pyproject.toml backend/uv.lock* ./
|
feat(ci): enforce runtime-validation image separation (#69)
## Summary
Implements issue #59 by enforcing a hard boundary between CI validation tooling and deployable runtime images.
This PR:
- Adds automated deployable-runtime boundary checks in CI.
- Verifies deployable backend/frontend artifacts are free of CI/development tooling.
- Documents runtime-vs-validation ownership and enforcement behavior.
## What Changed
### CI workflow enforcement
- Updated `.gitea/workflows/docker-build-main.yaml` to:
- Checkout additional verification inputs (`Dockerfile.backend`, `Dockerfile.frontend`, scripts, backend/frontend directories).
- Run `scripts/check-dockerfile-boundaries.sh`.
- Build deployable runtime images (`Dockerfile.backend`, `Dockerfile.frontend --target production`).
- Run `scripts/verify-deployable-image-purity.sh` against both images before publishing CICD image.
- Updated `.gitea/workflows/cicd-checks.yaml` to add:
- `dockerfile-boundary-check` job.
- Boundary validation execution inside the CICD validation image.
### New enforcement scripts
- Added `scripts/check-dockerfile-boundaries.sh`:
- Ensures deployable Dockerfiles do **not** reference CICD image paths (`cicd-base`, `CICD_BASE_IMAGE`, `Dockerfile.cicd*`, etc.).
- Ensures deployable Dockerfiles do **not** include disallowed CI-only tooling tokens.
- Enforces runtime base expectations:
- Backend: `python:3.14-slim`
- Frontend production target: `nginx:alpine`
- Added `scripts/verify-deployable-image-purity.sh`:
- Baseline binary checks for disallowed tooling.
- Backend-specific deep checks:
- Python module import probes for disallowed CI/dev modules.
- `pip show` package metadata checks for disallowed CI/dev packages.
- Frontend-specific deep checks:
- OS package metadata checks (`apk`/`dpkg` when available) for disallowed runtime leaks.
- Directory-based checks for development package trees (`node_modules`, `.venv`, `site-packages`, `dist-packages` in sensitive paths).
## Documentation updates
- Updated `docs/DEVELOPMENT.md`:
- Clarifies runtime-vs-validation enforcement and where checks run.
- Notes purity checks include binaries and metadata artifacts.
- Updated `docs/CICD_MULTI_STAGE_BUILD.md`:
- Adds explicit “Runtime Boundary Enforcement” section.
- Documents metadata-level purity probes.
- Updated `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`:
- Replaces future-only language with current enforcement hooks.
- Documents binary + metadata-level purity enforcement.
## Acceptance Criteria Mapping
1. **Deployable backend/frontend image paths do not require CI-only tool installation**
- Enforced by:
- `scripts/check-dockerfile-boundaries.sh`
- `scripts/verify-deployable-image-purity.sh`
- `docker-build-main.yaml` pre-publish gates
2. **Checks and tests execute in dedicated validation environment(s)**
- Reinforced by:
- `cicd-checks.yaml` boundary-check job running in CICD validation image
- Existing check/test workflow usage of CICD image
3. **Workflow docs identify runtime vs validation concerns**
- Addressed via updates to:
- `docs/DEVELOPMENT.md`
- `docs/CICD_MULTI_STAGE_BUILD.md`
- `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`
## Scope / Non-Goals
- Included:
- Structural separation enforcement
- Workflow-level guardrails
- Documentation clarity and traceability
- Not included:
- Full staging deployment wiring
- Security policy redesign
## Notes for Reviewers
- Main enforcement path is in `docker-build-main.yaml` before CICD image publish.
- New scripts are intentionally fail-fast and policy-oriented.
- Existing deployable Dockerfiles currently satisfy the new gates.
Co-authored-by: copilotcoder <copilotcoder@darkhelm.org>
Reviewed-on: https://dogar.darkhelm.org/DarkHelm.org/plex-playlist/pulls/69
2026-06-22 12:45:20 -04:00
|
|
|
# Hatchling resolves the readme path ../README.md relative to the backend
|
|
|
|
|
# package root (/app). Create a stub so metadata validation succeeds without
|
|
|
|
|
# requiring the file to pass through .dockerignore.
|
|
|
|
|
RUN echo '# plex-playlist' > /README.md
|
2026-07-06 10:29:31 -04:00
|
|
|
RUN uv venv "$VIRTUAL_ENV" && uv sync --frozen --no-dev
|
|
|
|
|
|
|
|
|
|
FROM python:3.14-slim AS runtime
|
|
|
|
|
|
|
|
|
|
WORKDIR /app
|
2025-10-18 09:14:10 -04:00
|
|
|
|
2026-07-06 10:29:31 -04:00
|
|
|
ENV VIRTUAL_ENV=/app/.venv
|
|
|
|
|
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
|
2025-10-18 09:14:10 -04:00
|
|
|
|
2026-07-06 10:29:31 -04:00
|
|
|
COPY --from=dependencies /app/.venv /app/.venv
|
|
|
|
|
COPY backend/src ./src
|
2025-10-18 09:14:10 -04:00
|
|
|
|
|
|
|
|
EXPOSE 8000
|
|
|
|
|
|
2026-07-05 22:48:57 -04:00
|
|
|
CMD ["uvicorn", "backend.main:app", "--app-dir", "/app/src", "--host", "0.0.0.0", "--port", "8000"]
|