Merge pull request #191 from cisagov/improvement/pin_Python_configura…

…tion Install Python dependencies with `pipenv`
cisagov · Feb 28, 2024 · 1b3e9d8 · 1b3e9d8
2 parents 35e8753 + d42ae8f
commit 1b3e9d8
Show file tree

Hide file tree

Showing 6 changed files with 108 additions and 34 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -306,8 +306,6 @@ jobs:
         id: docker_build
         uses: docker/build-push-action@v5
         with:
-          build-args: |
-            VERSION=${{ needs.prepare.outputs.source_version }}
           cache-from: type=local,src=${{ env.BUILDX_CACHE_DIR }}
           cache-to: type=local,dest=${{ env.BUILDX_CACHE_DIR }}
           context: .
@@ -459,8 +457,6 @@ jobs:
         id: docker_build
         uses: docker/build-push-action@v5
         with:
-          build-args: |
-            VERSION=${{ needs.prepare.outputs.source_version }}
           cache-from: type=local,src=${{ env.BUILDX_CACHE_DIR }}
           cache-to: type=local,dest=${{ env.BUILDX_CACHE_DIR }}
           context: .

diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,59 @@
-ARG VERSION=unspecified
-
 # Official Docker images are in the form library/<app> while non-official
 # images are in the form <user>/<app>.
-FROM docker.io/library/python:3.12.0-alpine3.18
+FROM docker.io/library/python:3.12.0-alpine3.18 as compile-stage
+
+###
+# Unprivileged user variables
+###
+ARG CISA_USER="cisa"
+ENV CISA_HOME="/home/${CISA_USER}"
+ENV VIRTUAL_ENV="${CISA_HOME}/.venv"
+
+# Versions of the Python packages installed directly
+ENV PYTHON_PIP_VERSION=24.0
+ENV PYTHON_PIPENV_VERSION=2023.12.1
+ENV PYTHON_SETUPTOOLS_VERSION=69.1.0
+ENV PYTHON_WHEEL_VERSION=0.42.0
+
+###
+# Install the specified versions of pip, setuptools, and wheel into the system
+# Python environment; install the specified version of pipenv into the system Python
+# environment; set up a Python virtual environment (venv); and install the specified
+# versions of pip, setuptools, and wheel into the venv.
+#
+# Note that we use the --no-cache-dir flag to avoid writing to a local
+# cache.  This results in a smaller final image, at the cost of
+# slightly longer install times.
+###
+RUN python3 -m pip install --no-cache-dir --upgrade \
+        pip==${PYTHON_PIP_VERSION} \
+        setuptools==${PYTHON_SETUPTOOLS_VERSION} \
+        wheel==${PYTHON_WHEEL_VERSION} \
+    && python3 -m pip install --no-cache-dir --upgrade \
+        pipenv==${PYTHON_PIPENV_VERSION} \
+    # Manually create the virtual environment
+    && python3 -m venv ${VIRTUAL_ENV} \
+    # Ensure the core Python packages are installed in the virtual environment
+    && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \
+        pip==${PYTHON_PIP_VERSION} \
+        setuptools==${PYTHON_SETUPTOOLS_VERSION} \
+        wheel==${PYTHON_WHEEL_VERSION}
+
+###
+# Check the Pipfile configuration and then install the Python dependencies into
+# the virtual environment.
+#
+# Note that pipenv will install into a virtual environment if the VIRTUAL_ENV
+# environment variable is set.
+###
+WORKDIR /tmp
+COPY src/Pipfile src/Pipfile.lock ./
+RUN pipenv check --verbose \
+    && pipenv install --clear --deploy --extra-pip-args "--no-cache-dir" --verbose
 
-ARG VERSION
+# Official Docker images are in the form library/<app> while non-official
+# images are in the form <user>/<app>.
+FROM docker.io/library/python:3.12.0-alpine3.18 as build-stage
 
 ###
 # For a list of pre-defined annotation keys and value types see:
@@ -31,43 +80,22 @@ ENV CISA_GROUP=${CISA_USER}
 ENV CISA_HOME="/home/${CISA_USER}"
 ENV VIRTUAL_ENV="${CISA_HOME}/.venv"
 
-# Versions of the Python packages installed directly
-ENV PYTHON_PIP_VERSION=24.0
-ENV PYTHON_SETUPTOOLS_VERSION=69.1.0
-ENV PYTHON_WHEEL_VERSION=0.42.0
-
 ###
 # Create unprivileged user
 ###
 RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \
     && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER}
 
 ###
-# Set up a Python virtual environment (venv); install the specified versions of pip,
-# setuptools, and wheel into it; and then install the Python dependencies for
-# the application.
-#
-# Note that we use the --no-cache-dir flag to avoid writing to a local
-# cache.  This results in a smaller final image, at the cost of
-# slightly longer install times.
-###
-RUN python3 -m venv ${VIRTUAL_ENV} \
-    && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \
-        pip==${PYTHON_PIP_VERSION} \
-        setuptools==${PYTHON_SETUPTOOLS_VERSION} \
-        wheel==${PYTHON_WHEEL_VERSION} \
-    && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \
-        https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz
-
-###
-# Sym-link the Python binary in the venv to the system-wide Python and add the venv to
-# the PATH.
+# Copy in the Python virtual environment created in compile-stage, Sym-link the
+# Python binary in the venv to the system-wide Python and add the venv to the PATH.
 #
 # Note that we sym-link the Python binary in the venv to the system-wide Python so that
 # any calls to `python3` will use our virtual environment. We are using short flags
 # because the ln binary in Alpine Linux does not support long flags. The -f instructs
 # ln to remove the existing file and the -s instructs ln to create a symbolic link.
 ###
+COPY --from=compile-stage --chown=${CISA_USER}:${CISA_GROUP} ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 RUN ln -fs "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3
 ENV PATH="${VIRTUAL_ENV}/bin:$PATH"
 

diff --git a/README.md b/README.md
@@ -196,7 +196,6 @@ Build the image locally using this git repository as the [build context](https:/
 
 ```console
 docker build \
-  --build-arg VERSION=0.0.1 \
   --tag cisagov/example:0.0.1 \
   https://github.com/cisagov/example.git#develop
 ```
@@ -227,7 +226,6 @@ Docker:
     docker buildx build \
       --file Dockerfile-x \
       --platform linux/amd64 \
-      --build-arg VERSION=0.0.1 \
       --output type=docker \
       --tag cisagov/example:0.0.1 .
     ```

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,3 +1,4 @@
 --requirement requirements-test.txt
 ipython
+pipenv
 semver
diff --git a/src/Pipfile b/src/Pipfile
@@ -0,0 +1,13 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+# List any Python dependencies for the image here
+[packages]
+# This should match the version of the image
+example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0.0.1.tar.gz"}
+
+# This version should match the version of Python in the image
+[requires]
+python_full_version = "3.12.0"
diff --git a/src/Pipfile.lock b/src/Pipfile.lock