feat: add Dockerfile and fix PyInstaller binary build

[vitali87]

Summary

• Exclude logfire and logfire_api from PyInstaller builds to prevent inspect.getsource() crashes in frozen binaries
• Add multi-stage Dockerfile with pymgclient source build and LD_PRELOAD workaround for its incomplete static linking of zlib/zstd
• Add docker-publish.yml workflow for multi-arch (linux/amd64, linux/arm64) GHCR images on tag push
• Add .dockerignore to keep build context clean

Test plan

• Verify uv run python build_binary.py succeeds locally (logfire exclusion)
• Verify docker build -t code-graph-rag:test . builds and docker run --rm code-graph-rag:test mcp-server --help works
• After merge and tag push: verify build-binaries.yml uploads release assets
• After merge and tag push: verify docker-publish.yml pushes image to GHCR
• Submit to Glama and verify checks pass

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's deployment capabilities by introducing Docker support for containerization and resolving critical issues with PyInstaller binary builds. The changes ensure that the application can be reliably packaged into standalone executables and deployed within Docker environments, addressing dependency complexities and improving overall build stability.

Highlights

• PyInstaller Build Fix: Excluded logfire and logfire_api modules from PyInstaller builds to prevent inspect.getsource() crashes in frozen binaries.
• Docker Support: Introduced a multi-stage Dockerfile to containerize the application, including pymgclient source compilation and an LD_PRELOAD workaround for its static linking issues.
• Build Context Management: Added a .dockerignore file to optimize Docker build performance by excluding unnecessary files and directories.
• Dependency Versioning: Updated the uv.lock file to reflect a new version of the code-graph-rag package.

Changelog

• .dockerignore
  • Added a new file to specify patterns for files and directories to exclude from the Docker build context.
• Dockerfile
  • Added a new multi-stage Dockerfile for building and running the application.
  • Included steps for installing build dependencies like cmake and libssl-dev.
  • Configured uv to sync dependencies, including pymgclient from source.
  • Implemented an entrypoint.sh script with an LD_PRELOAD workaround for libz.so.1 and libzstd.so.1.
• build_binary.py
  • Modified the build_binary function to iterate through PYINSTALLER_EXCLUDED_MODULES and add --exclude-module arguments to the PyInstaller command.
• codebase_rag/constants.py
  • Added PYINSTALLER_ARG_EXCLUDE_MODULE constant for the PyInstaller argument.
  • Defined PYINSTALLER_EXCLUDED_MODULES list, including logfire and logfire_api.
• uv.lock
  • Updated the code-graph-rag package version from 0.0.86 to 0.0.87.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/docker-publish.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces Docker support with a multi-stage Dockerfile and fixes a PyInstaller build by excluding problematic modules. The changes are well-implemented, using good practices like multi-stage builds and creating a non-root user for security. The PyInstaller fix is also correctly implemented. I have one suggestion for the Dockerfile to ensure all necessary packages are copied to the final image, preventing potential runtime errors.

[greptile-apps]

Greptile Summary

This PR successfully adds containerization support and resolves PyInstaller binary build crashes. The implementation demonstrates careful attention to previous review feedback.

Key changes:

• Excludes logfire and logfire_api from PyInstaller to prevent inspect.getsource() failures in frozen binaries
• Adds production-ready multi-stage Dockerfile with pymgclient source build and LD_PRELOAD workaround for its incomplete static linking
• Implements multi-arch (linux/amd64, linux/arm64) GHCR image publishing workflow with proper timeout (60min) for QEMU builds
• Uses non-root user (appuser) for container security
• Comprehensive .dockerignore keeps build context clean

Previous review feedback addressed:

• ✅ Removed duplicate workflow trigger (now only release.published)
• ✅ Increased timeout from 30 to 60 minutes for multi-arch builds
• ✅ Both uv sync commands include --no-binary-package pymgclient flag
• ✅ Removed problematic MEMGRAPH_HOST=host.docker.internal environment variable

The implementation follows project conventions with proper constant extraction and clean code organization.

Confidence Score: 5/5

• This PR is safe to merge with no risk
• All previous review issues have been systematically addressed. The Docker implementation follows best practices (multi-stage builds, non-root user, minimal runtime image). PyInstaller exclusion logic is straightforward and prevents known crashes. Code changes are minimal, focused, and follow project conventions with proper constant extraction. No security concerns, no breaking changes, and comprehensive test plan provided.
• No files require special attention

Important Files Changed

Filename	Overview
.dockerignore	Added comprehensive ignore patterns for Docker build context (git files, caches, docs, env files)
.github/workflows/docker-publish.yml	Multi-arch Docker workflow with 60min timeout, fixed previous issues (removed duplicate trigger, increased timeout)
Dockerfile	Multi-stage build with pymgclient source compilation, LD_PRELOAD workaround for zlib/zstd, non-root user, all previous issues resolved
build_binary.py	Added loop to exclude logfire modules from PyInstaller, prevents inspect.getsource() crashes in frozen binaries
codebase_rag/constants.py	Added PYINSTALLER_ARG_EXCLUDE_MODULE constant and PYINSTALLER_EXCLUDED_MODULES list for logfire exclusion

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Release Published] --> B[docker-publish.yml Triggered]
    B --> C[Setup QEMU & Buildx]
    C --> D[Multi-stage Docker Build]
    D --> E[Builder Stage: uv sync deps]
    E --> F[Builder Stage: uv sync project]
    F --> G[Builder Stage: Build pymgclient from source]
    G --> H[Runtime Stage: Copy .venv & packages]
    H --> I[Runtime Stage: Create entrypoint.sh]
    I --> J{LD_PRELOAD Set for Architecture}
    J -->|x86_64| K[Load /lib/x86_64-linux-gnu libs]
    J -->|aarch64| L[Load /lib/aarch64-linux-gnu libs]
    K --> M[Build for linux/amd64 & linux/arm64]
    L --> M
    M --> N[Push to GHCR with tags]
    
    P[PyInstaller Build] --> Q[Exclude logfire modules]
    Q --> R[Prevent inspect.getsource crashes]

Loading

_{Last reviewed commit: fc55971}

[greptile-apps]

_{6 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[vitali87]

@greptile

[vitali87]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a Dockerfile for the application, which is a great addition for portability and deployment. It also includes a fix for the PyInstaller binary build by excluding problematic modules. The changes are well-structured. I've added one suggestion to optimize the Docker build process for better layer caching and a smaller final image.