Merge pull request #624 from wri/differently_named_uv_branch

Introduce UV to replace Pipenv; multi-stage Dockerfile (new PR)

.secrets.baseline

@@ -1,11 +1,14 @@
 {
-  "generated_at": "2021-01-07T20:38:34Z",
+  "version": "1.5.0",
   "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
     {
       "name": "AWSKeyDetector"
     },
     {
-      "name": "ArtifactoryDetector"
+      "name": "AzureStorageKeyDetector"
     },
     {
       "name": "Base64HighEntropyString",
@@ -17,106 +20,154 @@
     {
       "name": "CloudantDetector"
     },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
     {
       "name": "HexHighEntropyString",
-      "limit": 3
+      "limit": 3.0
     },
     {
       "name": "IbmCloudIamDetector"
     },
     {
       "name": "IbmCosHmacDetector"
     },
+    {
+      "name": "IPPublicDetector"
+    },
     {
       "name": "JwtTokenDetector"
     },
     {
-      "keyword_exclude": null,
-      "name": "KeywordDetector"
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
     },
     {
       "name": "MailchimpDetector"
     },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
     {
       "name": "PrivateKeyDetector"
     },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
     {
       "name": "SlackDetector"
     },
     {
       "name": "SoftlayerDetector"
     },
+    {
+      "name": "SquareOAuthDetector"
+    },
     {
       "name": "StripeDetector"
     },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
     {
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {
-    ".dist.env": [
-      {
-        "type": "Secret Keyword",
-        "filename": ".dist.env",
-        "hashed_secret": "7aec9744ba1554e4d38febae4278e74a5e764414",
-        "is_verified": false,
-        "line_number": 11
-      }
-    ],
-    "Pipfile.lock": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "Pipfile.lock",
-        "hashed_secret": "65e0f56a0d4d73fb32738d5290721d0020c364a9",
-        "is_verified": false,
-        "line_number": 4
-      }
-    ],
-    "docker-compose.local.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "docker-compose.local.yml",
-        "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
-        "is_verified": false,
-        "line_number": 30
-      }
-    ]
-  },
-  "version": "1.5.0",
   "filters_used": [
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
     },
     {
       "path": "detect_secrets.filters.heuristic.is_likely_id_string"
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
     },
     {
-      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
-      "min_level": 2
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_lock_file"
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
     },
     {
-      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
     }
-  ]
+  ],
+  "results": {
+    ".dist.env": [
+      {
+        "type": "Secret Keyword",
+        "filename": ".dist.env",
+        "hashed_secret": "af3bf7b0c9a10babcaab769942e8c67d72e6c5bc",
+        "is_verified": false,
+        "line_number": 11
+      }
+    ],
+    "app/models/orm/migrations/versions/604bf4e66c2b_.py": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "app/models/orm/migrations/versions/604bf4e66c2b_.py",
+        "hashed_secret": "7902fb726071170ae59f5eb7ac58a4884de741bb",
+        "is_verified": false,
+        "line_number": 15
+      }
+    ],
+    "app/models/orm/migrations/versions/ef3392e8e054_.py": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "app/models/orm/migrations/versions/ef3392e8e054_.py",
+        "hashed_secret": "7902fb726071170ae59f5eb7ac58a4884de741bb",
+        "is_verified": false,
+        "line_number": 14
+      }
+    ],
+    "tests/routes/test_authorization.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/routes/test_authorization.py",
+        "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
+        "is_verified": false,
+        "line_number": 41
+      }
+    ],
+    "tests_v2/fixtures/sample_rw_geostore_response.py": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "tests_v2/fixtures/sample_rw_geostore_response.py",
+        "hashed_secret": "51c59bd961647b91215543db15755b683eee2d0e",
+        "is_verified": false,
+        "line_number": 8
+      }
+    ]
+  },
+  "generated_at": "2025-02-09T19:49:29Z"
 }

Dockerfile

@@ -1,43 +1,98 @@
-FROM tiangolo/uvicorn-gunicorn-fastapi:python3.10-slim
+ARG ENV
+ARG PYTHON_VERSION="3.10"
+ARG USR_LOCAL_BIN=/usr/local/bin
+ARG UV_VERSION="0.5.24"
+ARG VENV_DIR=/app/.venv
 
-# Comment to trigger an image rebuild
+FROM ubuntu:noble AS build
 
-# Optional build argument for different environments
 ARG ENV
+ARG PYTHON_VERSION
+ARG USR_LOCAL_BIN
+ARG VENV_DIR
 
-RUN apt-get update -y \
-    && apt-get install --no-install-recommends -y gcc g++ libc-dev \
-        postgresql-client libpq-dev make git jq libgdal-dev \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN apt-get update -qy && \
+    apt-get install -qyy \
+        -o APT::Install-Recommends=false \
+        -o APT::Install-Suggests=false \
+        ca-certificates \
+        clang \
+        curl \
+        gcc \
+        git \
+        libgdal-dev \
+        libpq-dev \
+        make
 
-RUN pip install --upgrade pip && pip install pipenv==2024.0.1
-#TODO move to pipfile when operational
-RUN pip install newrelic
+# Set uv env variables for behavior and venv directory
+ENV PATH=${USR_LOCAL_BIN}:${PATH} \
+    UV_LINK_MODE=copy \
+    UV_COMPILE_BYTECODE=1 \
+    UV_PROJECT_ENVIRONMENT=${VENV_DIR} \
+    UV_UNMANAGED_INSTALL=${USR_LOCAL_BIN}
 
-# Install python dependencies
-# Install everything for dev and test otherwise just core dependencies
-COPY Pipfile Pipfile
-COPY Pipfile.lock Pipfile.lock
+# Create a virtual environment with uv inside the container
+RUN curl -LsSf https://astral.sh/uv/${UV_VERSION}/install.sh | sh && \
+    uv venv ${VENV_DIR} --python ${PYTHON_VERSION} --seed
 
+# Copy pyproject.toml and uv.lock to a temporary directory and install
+# dependencies into the venv
+COPY pyproject.toml /_lock/
+COPY uv.lock /_lock/
 RUN if [ "$ENV" = "dev" ] || [ "$ENV" = "test" ]; then \
-        echo "Install all dependencies" \
-        && pipenv install --system --deploy --ignore-pipfile --dev; \
+        echo "Install all dependencies" && \
+        cd /_lock && \
+        uv sync --locked --no-install-project --dev; \
     else \
-        echo "Install production dependencies only" \
-        && pipenv install --system --deploy; \
+        echo "Install production dependencies only" && \
+        cd /_lock && \
+        uv sync --locked --no-install-project --no-dev; \
     fi
 
-COPY ./app /app/app
 
-COPY alembic.ini /app/alembic.ini
+# Start the runtime stage
+FROM ubuntu:noble
+
+ARG USR_LOCAL_BIN
+ARG VENV_DIR
+
+SHELL ["sh", "-exc"]
+
+ENV PATH=${VENV_DIR}/bin:${USR_LOCAL_BIN}:${PATH}
+ENV TZ=UTC
+ENV VENV_DIR=${VENV_DIR}
+
+RUN echo $TZ > /etc/timezone
+
+RUN apt-get update -qy && \
+    apt-get install -qyy \
+        -o APT::Install-Recommends=false \
+        -o APT::Install-Suggests=false \
+        expat \
+        jq \
+        libgdal-dev \
+        postgresql-client && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists && \
+    rm -rf /var/cache/apt
+
+COPY --chmod=777 wait_for_postgres.sh /usr/local/bin/wait_for_postgres.sh
+
+# Set the entry point and signal handling
+ENTRYPOINT [ "/app/start.sh" ]
+STOPSIGNAL SIGINT
+
+# Copy the pre-built `/app` directory from the build stage
+COPY --from=build --chmod=777 /app /app
+COPY --from=build --chmod=777 /root /root
 
-COPY app/settings/prestart.sh /app/prestart.sh
-COPY app/settings/start.sh /app/start.sh
 COPY newrelic.ini /app/newrelic.ini
+COPY alembic.ini /app/alembic.ini
+
+COPY --chmod=777 app/settings/gunicorn_conf.py /app/gunicorn_conf.py
+COPY --chmod=777 app/settings/prestart.sh /app/prestart.sh
+COPY --chmod=777 app/settings/start.sh /app/start.sh
 
-COPY wait_for_postgres.sh /usr/local/bin/wait_for_postgres.sh
-RUN chmod +x /usr/local/bin/wait_for_postgres.sh
-RUN chmod +x /app/start.sh
+COPY ./app /app/app
 
-ENTRYPOINT [ "/app/start.sh" ]
+WORKDIR /app