
NodeStore: Install nodestore in docker image similar to getsentry/self-hosted#111670

Open
lfritz-seweurodrive wants to merge 1 commit into getsentry:master from lfritz-seweurodrive:patch-1

Conversation

@lfritz-seweurodrive lfritz-seweurodrive commented Mar 26, 2026

NodeStore: Install nodestore in the Docker image, similar to getsentry/self-hosted: https://github.com/getsentry/self-hosted/blob/c858558fbfc66e8b250db293fea13f839d780587/sentry/Dockerfile#L4

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

@lfritz-seweurodrive lfritz-seweurodrive requested a review from a team as a code owner March 26, 2026 20:19
Comment thread self-hosted/Dockerfile
COPY ./self-hosted/sentry.conf.py ./self-hosted/config.yml $SENTRY_CONF/
COPY ./self-hosted/docker-entrypoint.sh /

RUN pip install https://github.com/getsentry/sentry-nodestore-s3/archive/main.zip
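
Review bot: `RUN pip install https://github.com/getsentry/sentry-nodestore-s3/archive/main.zip` installs whatever `main` points to at build time, so the image contents depend on when `docker build` ran and nothing about the download is verified. Pin to a full commit SHA rather than a branch or tag; the least fragile form is a VCS reference, `RUN pip install "git+https://github.com/getsentry/sentry-nodestore-s3@<full-commit-sha>"`, because git checks that the fetched commit hashes to the requested SHA. If the archive URL is kept instead, add a `#sha256=<digest>` fragment so pip rejects a download whose bytes differ, and record the pinned upstream commit in the commit message so a given image can be correlated with the plugin version it contains.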
Bug: The Dockerfile installs a dependency from a mutable GitHub main branch, which leads to non-reproducible builds and bypasses pinned dependencies.
Severity: HIGH

Suggested Fix

Pin the dependency to a specific, immutable Git commit hash or a tagged release version instead of the main branch. This will ensure that all builds are reproducible and use a known, tested version of the dependency. For example: RUN pip install https://github.com/getsentry/sentry-nodestore-s3/archive/<COMMIT_HASH_OR_TAG>.zip.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: self-hosted/Dockerfile#L87

Potential issue: The Dockerfile installs the `sentry-nodestore-s3` dependency directly
from the `main` branch of a GitHub repository. This is a mutable reference, meaning the
code can change at any time, leading to non-reproducible builds. This `pip install`
command also bypasses the frozen dependency set established by `uv sync` earlier in the
file, creating a risk of installing incompatible package versions that could cause
runtime failures. Because the dependency version is not tracked, it would be difficult
to correlate a specific Docker image build with the version of the plugin it contains,
complicating debugging.


@cursor cursor bot left a comment
Cursor Bugbot has reviewed your changes and found 1 potential issue.


Comment thread self-hosted/Dockerfile
COPY ./self-hosted/sentry.conf.py ./self-hosted/config.yml $SENTRY_CONF/
COPY ./self-hosted/docker-entrypoint.sh /

RUN pip install https://github.com/getsentry/sentry-nodestore-s3/archive/main.zip

Unpinned dependency installed from mutable branch HEAD

Medium Severity

The pip install fetches sentry-nodestore-s3 from the main branch without pinning to a specific commit SHA or version tag. This means different builds can silently install different (and potentially broken or compromised) code. Additionally, Docker's layer cache won't detect upstream changes, leading to stale installs unless --no-cache is used. Pinning to a specific commit hash (e.g., /archive/<commit-sha>.zip) would ensure reproducible, auditable builds.

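
Both review comments above ask for the same thing: a pin to an immutable reference instead of a branch. The lint below is an added example, not code from this PR, from the review bots or from Sentry; it applies that rule to Dockerfile RUN lines. A requirement of the form `.../archive/<ref>.zip` (or `.tar.gz`) or `git+<url>@<ref>` is accepted only when `<ref>` is a full 40-hex commit SHA, or, for an archive URL, when a `#sha256=<64 hex>` fragment is present, which pip verifies against the downloaded bytes. Branch names, tags and a missing `@<ref>` are reported. The sample Dockerfile, the `example/...` repositories, the commit SHA and the digest are constructed placeholders; only the `sentry-nodestore-s3` URL is taken from the PR.

```python
"""Lint Dockerfile RUN lines for pip installs that fetch from a mutable Git reference.

Added example, not code from this PR or from Sentry.  Accepted as pinned: a full 40-hex
commit SHA as <ref>, or an archive URL carrying a #sha256=<64 hex> fragment (pip checks
the download against it).  Branches, tags and a missing ref are reported.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample Dockerfile (not the PR's file).  SHA and digest are placeholders.
FULL_SHA = "0123456789abcdef0123456789abcdef01234567"
FAKE_DIGEST = "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = (
    "FROM python:3.12-slim\n"
    "RUN pip install https://github.com/getsentry/sentry-nodestore-s3/archive/main.zip\n"
    f"RUN pip install https://github.com/example/plugin/archive/{FULL_SHA}.zip\n"
    f'RUN pip install "https://github.com/example/plugin/archive/refs/tags/v1.2.0.zip#sha256={FAKE_DIGEST}"\n'
    "RUN pip install git+https://github.com/example/plugin@v1.2.0\n"
    f'RUN pip install "git+https://github.com/example/plugin@{FULL_SHA}#egg=plugin"\n'
    "RUN pip install --no-cache-dir \\\n"
    "    git+https://github.com/example/other\n"
    "RUN pip install requests==2.32.3\n"
)

# GitHub-style archive URL: .../archive/[refs/heads/|refs/tags/]<ref>.zip|.tar.gz[#fragment]
ARCHIVE_RE = re.compile(
    r"^https?://[^/]+/[^/]+/[^/]+/archive/(?:refs/(?:heads|tags)/)?"
    r"(?P<ref>[^/#?]+?)\.(?:zip|tar\.gz)(?:#(?P<frag>.*))?$"
)
# pip VCS URL: git+<url>[@<ref>][#fragment]  (URLs with user@host are out of scope here)
GIT_RE = re.compile(r"^git\+[^@#]+(?:@(?P<ref>[^#]+))?(?:#(?P<frag>.*))?$")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
SHA256_FRAG_RE = re.compile(r"(?:^|&)sha256=[0-9a-f]{64}(?:&|$)", re.IGNORECASE)
INSTALLERS = (("pip", "install"), ("pip3", "install"), ("uv", "pip", "install"))


@dataclass(frozen=True)
class Finding:
    line_no: int   # Dockerfile line where the RUN instruction starts
    url: str
    reason: str


def classify_url(requirement: str):
    """Return None when the requirement is not a VCS/archive URL or is immutably
    pinned; otherwise a short reason why it is mutable."""
    m = ARCHIVE_RE.match(requirement)
    is_archive = m is not None
    if m is None:
        m = GIT_RE.match(requirement)
    if m is None:
        return None  # plain name, local path, etc.: outside this check
    ref, frag = m.group("ref"), m.group("frag")
    if is_archive and frag and SHA256_FRAG_RE.search(frag):
        return None  # pip rejects the download if its sha256 differs
    if ref is None:
        return "no @<ref>: installs the remote's default branch head"
    if COMMIT_SHA_RE.match(ref):
        return None  # full commit SHA: content-addressed by git
    return f"ref {ref!r} is a branch or tag, which can move"


def _run_commands(dockerfile: str):
    """Yield (line_no, command) per RUN instruction, joining backslash continuations."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start, line = i + 1, lines[i]
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + " " + lines[i].strip()
        i += 1
        stripped = line.strip()
        if stripped[:4].upper() == "RUN ":
            yield start, stripped[4:].strip()


def _install_args(command: str):
    """Yield the argument list of each pip-style install in a RUN command."""
    for part in command.split("&&"):      # adequate for && chains without quoted &&
        try:
            toks = shlex.split(part)      # comments=False, so '#sha256=' survives
        except ValueError:
            continue
        for prefix in INSTALLERS:
            if tuple(toks[: len(prefix)]) == prefix:
                yield toks[len(prefix):]
                break


def lint_dockerfile(dockerfile: str) -> list[Finding]:
    """Return one Finding per mutable VCS/archive requirement in the Dockerfile."""
    findings = []
    for line_no, command in _run_commands(dockerfile):
        for args in _install_args(command):
            for arg in args:
                if arg.startswith("-"):   # pip option, not a requirement
                    continue
                reason = classify_url(arg)
                if reason:
                    findings.append(Finding(line_no, arg, reason))
    return findings


if __name__ == "__main__":
    for f in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line_no}: {f.url}\n    {f.reason}")
```

On the sample it reports lines 2 (`archive/main.zip`), 5 (`@v1.2.0` tag) and 7 (`git+` URL with no `@<ref>`), and accepts the SHA-pinned and digest-pinned forms. One caveat on the digest route: GitHub generates `/archive/` zips on the fly and has changed their byte layout in the past, so a `#sha256=` pin on such an archive can start failing through no fault of the code; a `git+https://...@<full-sha>` reference has git verify the commit hash itself and does not have that problem.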


getsantry bot commented Apr 17, 2026

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you add the label WIP, I will leave it alone unless WIP is removed ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@getsantry getsantry bot added the Stale label Apr 17, 2026