fix(docker): build publishable image on python:3.13-slim #74
Merged
The image never published: the Dockerfile built FROM dhi.io/python:3.13, a distroless base with no /bin/sh, so `RUN pip install` died with `exec: "/bin/sh": ... no such file or directory` on every tag. Drop the hardened distroless base (it solved a network-service threat model this CLI image doesn't have, can't pin Python 3.13, and republishes licensed DHI layers to public registries). Build multistage on python:3.13-slim: builder installs the wheel into a venv, runtime copies only the venv. Install the wheel (not -e .) so package-data (prompts, tasks.json) is bundled and no source tree is needed at runtime. /workspace stays a bind-mount point for the caller's repo. Publish to Docker Hub (heyderekp/codeforerunner) alongside GHCR; the DHI registry login is gone. DOCKER_USERNAME/DOCKER_PASSWORD are repurposed as Docker Hub username + PAT. Closes #72
The workflow shape test asserted a dhi.io login, which encoded the broken distroless setup. Assert the new targets instead: a ghcr.io login, a Docker Hub login (default docker.io registry), no dhi.io, and both image names in the metadata. Refs #72
CodeQL py/incomplete-url-substring-sanitization fired on `"ghcr.io" in <x>`. Compare login registries with == and match full image refs against the parsed metadata-action images list instead. Refs #72
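To illustrate the CodeQL finding above, an added example that is not the project's own test code: the step lists below are a constructed stand-in for the parsed `docker-publish` job, `DEFAULT_REGISTRY` encodes docker/login-action's documented Docker Hub default, and the `*_weak` functions reproduce the flagged substring pattern beside the exact comparisons the fix uses.

```python
# Constructed stand-in for the parsed steps of the `docker-publish` job
# (a real test would load them from the workflow YAML).
STEPS = [
    {"uses": "docker/login-action@v3", "with": {"registry": "ghcr.io"}},
    {"uses": "docker/login-action@v3", "with": {}},  # no registry: Docker Hub
    {"uses": "docker/metadata-action@v5", "with": {
        "images": "ghcr.io/heyderekp/codeforerunner\nheyderekp/codeforerunner"}},
]

# Constructed lookalike host that merely *contains* "ghcr.io".
LOOKALIKE_STEPS = [
    {"uses": "docker/login-action@v3", "with": {"registry": "ghcr.io.example.test"}},
]

DEFAULT_REGISTRY = "docker.io"  # docker/login-action logs in to Docker Hub when unset


def _steps_using(steps, action):
    """Steps whose `uses:` names the given action, ignoring the @version tag."""
    return [s for s in steps if s.get("uses", "").split("@")[0] == action]


def login_registries(steps):
    """Registries the job logs in to, with the action's default filled in."""
    return [s.get("with", {}).get("registry", DEFAULT_REGISTRY)
            for s in _steps_using(steps, "docker/login-action")]


def metadata_images(steps):
    """Full image refs from metadata-action's newline-separated `images` input."""
    refs = []
    for s in _steps_using(steps, "docker/metadata-action"):
        refs += [line.strip() for line in s["with"]["images"].splitlines() if line.strip()]
    return refs


def logs_in_to_weak(steps, host):
    """The flagged pattern: `host in registry` is a substring test, not a host check."""
    return any(host in r for r in login_registries(steps))


def logs_in_to(steps, host):
    """Exact host comparison, as the fixed test does."""
    return any(r == host for r in login_registries(steps))


def publishes_image_weak(steps, fragment):
    """Flagged pattern on the raw `images` string: partial refs match too."""
    return any(fragment in s["with"]["images"]
               for s in _steps_using(steps, "docker/metadata-action"))


def publishes_image(steps, image_ref):
    """Exact match against the parsed images list."""
    return image_ref in metadata_images(steps)
```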
Summary

The container image has never published: `docker-publish` failed on every tag because the Dockerfile built `FROM dhi.io/python:3.13`, a distroless base with no `/bin/sh`, so `RUN pip install` died with `exec: "/bin/sh": ... no such file or directory`.

Fix per #72:

- `python:3.13-slim` (has a shell, pins 3.13, freely redistributable).
- Builder installs the wheel into `/opt/venv`; runtime copies only the venv. Install `.` (not `-e .`) so package-data (`prompts/**`, `tasks.json`) is bundled and no source tree is needed at runtime.
- `/workspace` stays a bind-mount point (`forerunner` runs against `Path.cwd()`).
- `heyderekp/codeforerunner` + GHCR; DHI login removed; `DOCKER_USERNAME`/`DOCKER_PASSWORD` repurposed as Hub username + PAT.

Verification

- `docker build .` succeeds (previously failed at the `RUN` step).
- `docker run --rm -v "$PWD:/workspace" <img> doctor` runs against the mounted repo: 4 ok, 2 warn, 0 error.
- `docker compose build forerunner` builds clean.

Human prerequisite before next tag

Create Hub repo `heyderekp/codeforerunner`, generate a Read/Write PAT, set repo secrets `DOCKER_USERNAME=heyderekp` and `DOCKER_PASSWORD=<PAT>`. Docker publish only runs on `v*.*.*` tags, so this can't be validated by PR CI.

Closes #72

🤖 Generated with Claude Code