the most minimal security and build updates

Irving Popovetsky · Irving Popovetsky · commit ae51824b4198 · 2025-09-06T08:07:42.000-07:00
Signed-off-by: Irving Popovetsky &lt;irving@honeycomb.io&gt;
diff --git a/docker-build.sh b/docker-build.sh
@@ -0,0 +1,31 @@
+#!/bin/sh -ex
+
+# Build and push ARM64 image using buildx with provenance disabled
+docker buildx build \
+  --platform linux/arm64 \
+  --file docker/Dockerfile \
+  --tag 633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot:arm64 \
+  --provenance=false \
+  --push .
+
+# Build and push AMD64 image using buildx with provenance disabled
+docker buildx build \
+  --platform linux/amd64 \
+  --file docker/Dockerfile \
+  --tag 633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot:amd64 \
+  --provenance=false \
+  --push .
+
+# Remove existing manifest list if it exists
+docker manifest rm 633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot || true
+
+# Create manifest list
+docker manifest create \
+  633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot \
+  633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot:amd64 \
+  633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot:arm64
+
+docker manifest inspect 633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot
+
+# Push the manifest
+docker manifest push 633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,30 +1,33 @@
 FROM python:3.7-alpine AS base
 
-FROM base as builder
+FROM base AS builder
 
-ENV PIP_DISABLE_PIP_VERSION_CHECK on
-ENV PYTHONDONTWRITEBYTECODE 1
-ENV PYTHONUNBUFFERED 1
+ENV PIP_DISABLE_PIP_VERSION_CHECK=on
+ENV PYTHONUNBUFFERED=1
 
-RUN apk update && \
-    apk add --no-cache build-base musl-dev python3-dev libffi-dev openssl-dev
+RUN apk update
+RUN apk upgrade
+RUN apk add --no-cache build-base musl-dev python3-dev libffi-dev openssl-dev
 
 RUN python -m venv /opt/venv
 # Make sure we use the virtualenv:
 ENV PATH="/opt/venv/bin:$PATH"
 
 COPY poetry.lock pyproject.toml ./
 
-RUN pip install poetry && \
-    poetry config virtualenvs.create false && \
-    poetry install --no-dev --no-interaction
+RUN pip install poetry
+RUN poetry config virtualenvs.create false
+RUN poetry install --only=main --compile --no-interaction --no-cache
 
 # The `built-image` stage is the base for all remaining images
 # Pulls all of the built dependencies from the builder stage
-FROM base as built-image
-ENV PIP_DISABLE_PIP_VERSION_CHECK on
-ENV PYTHONDONTWRITEBYTECODE 1
-ENV PYTHONUNBUFFERED 1
+FROM base AS built-image
+ENV PIP_DISABLE_PIP_VERSION_CHECK=on
+ENV PYTHONUNBUFFERED=1
+
+RUN apk update
+RUN apk upgrade
+RUN rm -rf /var/cache/apk/*
 
 # copy installed deps from builder image
 COPY --from=builder /opt/venv /opt/venv
@@ -34,12 +37,12 @@ ENV PATH="/opt/venv/bin:$PATH"
 
 # The `app` stage is used as the base for images that don't
 # need the development dependencies
-FROM built-image as app
+FROM built-image AS app
 
 COPY . /src
 WORKDIR /src
 
-# The `Prod` stage creates an image that will run the application using a
+# The `prod` stage creates an image that will run the application using a
 # production webserver and the `environments/production.py` configuration
-FROM app As Prod
+FROM app AS prod
 ENTRYPOINT ["python3", "-m", "pybot"]
