# syntax=docker/dockerfile:1.2
#################################################
#
# We need base python dependencies on both the builder and python images, so
# create base image with those installed to save installing them twice.
#
# DL3007 ignored because base-docker a) doesn't have any other tags currently,
# and b) we specifically always want to build on the latest base image, by
# design.
#
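# BASE selects the tag of the upstream base-action image. It has no default, so
# it must be supplied with --build-arg.
# NOTE(review): the tag is mutable and no digest is pinned, so this image
# inherits whatever the tag points to at build time. That is the stated intent
# above; recording the resolved base digest alongside each build would keep the
# provenance auditable.
ARG BASE
# hadolint ignore=DL3007
FROM ghcr.io/opensafely-core/base-action:$BASE AS base-python

# WORKDIR creates the directory when it is missing, so no separate mkdir layer
# is needed.
WORKDIR /workspace

# An ARG declared before FROM is only visible to FROM lines, so BASE is
# redeclared inside the stage next to MAJOR_VERSION.
ARG MAJOR_VERSION
ARG BASE
# ACTION_EXEC sets the default executable for the entrypoint in the base-docker image.
# MAJOR_VERSION and BASE are persisted into the runtime environment of every
# stage built from this one.
ENV ACTION_EXEC=python \
    MAJOR_VERSION=${MAJOR_VERSION} \
    BASE=${BASE}

COPY ${MAJOR_VERSION}/dependencies.txt /opt/dependencies.txt
# use space efficient utility from base image
RUN /root/docker-apt-install.sh /opt/dependencies.txt

# now we have python, set up a venv to install packages to, for isolation from
# system python libraries
# hadolint ignore=DL3059
RUN python3 -m venv /opt/venv

# "activate" the venv
ENV VIRTUAL_ENV=/opt/venv/ \
    PATH="/opt/venv/bin:$PATH"

# We ensure up-to-date build tools (which is why we ignore DL3013). The cache
# mount keeps pip's cache out of the layer (hence DL3042).
# NOTE(review): these tools are installed unpinned, so every build trusts the
# versions current on the package index at that moment, and they remain in the
# venv of every stage derived from this one.
# hadolint ignore=DL3013,DL3042
RUN --mount=type=cache,target=/root/.cache \
    python -m pip install -U \
        pip \
        setuptools \
        wheel \
        pip-tools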
#################################################
#
# Next, use the base-docker-plus-python image to create a build image
FROM base-python AS builder
ARG MAJOR_VERSION

# Build-time system packages, installed with the helper script shipped in the
# base image.
COPY ${MAJOR_VERSION}/build-dependencies.txt /opt/build-dependencies.txt
RUN /root/docker-apt-install.sh /opt/build-dependencies.txt

# Python requirements for this major version; packages.md is only copied into
# /opt by this stage.
COPY ${MAJOR_VERSION}/requirements.txt /opt/requirements.txt
COPY ${MAJOR_VERSION}/packages.md /opt/packages.md

# The cache mount serves two purposes: it speeds up repeated local builds, and
# it keeps the pip cache out of the committed layer (which is why DL3042 is
# ignored).
# NOTE(review): whether requirements.txt carries pinned versions and hashes is
# not visible from this file; if it does, pip's --require-hashes would make the
# install enforce them - confirm.
# hadolint ignore=DL3042
RUN --mount=type=cache,target=/root/.cache \
    python -m pip install -r /opt/requirements.txt
################################################
#
# Finally, build the actual image from the base-python image
FROM base-python AS python
ARG MAJOR_VERSION

# Static metadata for this image, using the annotation keys defined at:
# https://github.com/opencontainers/image-spec/blob/master/annotations.md#pre-defined-annotation-keys
# The jobrunner uses the org.opensafely.action label to indicate that this is
# an approved action image to run.
# NOTE(review): a label is metadata set by whoever builds an image, so by
# itself it identifies an image rather than authenticating it; presumably the
# jobrunner also restricts where images are pulled from - confirm.
LABEL org.opencontainers.image.title="python:${MAJOR_VERSION}" \
      org.opencontainers.image.description="Python action for opensafely.org" \
      org.opencontainers.image.source="https://github.com/opensafely-core/python-docker" \
      org.opensafely.action="python:${MAJOR_VERSION}"

# Bring the populated venv across from the builder stage. The whole of /opt is
# copied, so the dependency lists and packages.md placed there come with it.
# NOTE(review): no USER is set anywhere in this file, so the runtime user is
# whatever the base image defines - confirm that is the intended account.
COPY --from=builder /opt/ /opt/

# Build info is stamped on as the very last step because it changes on every
# build and can never be served from cache.
ARG BUILD_DATE
ARG REVISION
ARG BUILD_NUMBER
# BUILD_DATE is expected in RFC 3339 format.
LABEL org.opencontainers.image.created=${BUILD_DATE} \
      org.opencontainers.image.revision=${REVISION} \
      org.opencontainers.image.build=${BUILD_NUMBER} \
      org.opencontainers.image.version=${MAJOR_VERSION}.${BUILD_NUMBER}