# check=skip=SecretsUsedInArgOrEnv
# Multi-stage build for bankstatements-free.
#   base       - shared python:3.12-slim parent; keeps both later stages on one Python version
#   builder    - installs the parser packages (plus gcc) and exposes site-packages via /pkg
#   production - minimal runtime image that copies only installed artifacts from builder
FROM python:3.12-slim AS base
# Image-metadata build args. ARG scope ends with the stage that declares it,
# so any stage that expands ${VERSION}/${BUILD_DATE}/${VCS_REF} must redeclare them.
ARG BUILD_DATE
ARG VCS_REF
ARG VERSION="dev"
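# ============================================================================
# STAGE 1: Builder
# ============================================================================
FROM base AS builder
# Build-only toolchain (presumably for any C extensions the packages below
# build). gcc never reaches the production stage, so DL3008 (pin apt package
# versions) is suppressed rather than chasing Debian point releases.
# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends \
        gcc \
    && rm -rf /var/lib/apt/lists/*
# Absolute WORKDIR so the relative COPY destinations below do not land in /
# (hadolint DL3045).
WORKDIR /build
# NOTE(review): pip/wheel/setuptools/build are unpinned (DL3013); pin them if
# reproducible builds are required.
RUN pip install --no-cache-dir --upgrade pip wheel setuptools build
COPY packages/parser-core/ ./packages/parser-core/
COPY packages/parser-free/ ./packages/parser-free/
RUN pip install --no-cache-dir ./packages/parser-core
RUN pip install --no-cache-dir ./packages/parser-free
# Expose site-packages via a stable path (/pkg) so the production stage can copy
# it without hard-coding the Python minor version. `set -e` makes a failing
# sysconfig lookup abort the step instead of silently creating a bad link;
# piping into xargs (the previous form) would have masked that failure (DL4006).
RUN set -eu; site="$(python -c 'import sysconfig; print(sysconfig.get_path("purelib"))')"; \
    ln -s "$site" /pkg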
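# ============================================================================
# STAGE 2: Production
# ============================================================================
FROM base AS production
# poppler-utils is runtime-critical; apt pinning is not practical across Debian
# point releases, so DL3008 is suppressed. Mitigated by Trivy CI gate.
# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends \
        poppler-utils \
    && rm -rf /var/lib/apt/lists/*
# Dedicated non-root runtime account with a stable numeric UID (e.g. for
# runtimes that need to verify a non-root UID).
RUN groupadd -r appuser && useradd -r -g appuser -u 1000 appuser
WORKDIR /app
# Copy installed packages via the version-agnostic /pkg symlink created in the
# builder. Both stages share the same base image, so sysconfig's purelib path
# is identical on both sides. A bind mount is used to read through the
# builder's symlink (presumably because COPY --from would not dereference it).
# `set -e` aborts the step if the purelib lookup fails; the previous pipe into
# xargs would have swallowed that error (DL4006).
RUN --mount=type=bind,from=builder,source=/pkg,target=/mnt/pkg \
    set -eu; site="$(python -c 'import sysconfig; print(sysconfig.get_path("purelib"))')"; \
    mkdir -p "$site" && cp -a /mnt/pkg/. "$site/"
COPY --from=builder /usr/local/bin/bankstatements /usr/local/bin/bankstatements
# Set mode and owner at copy time; a follow-up chmod/chown would duplicate the
# file into a second layer.
COPY --chmod=755 --chown=appuser:appuser entrypoint.sh .
# Only the directories are chowned (not -R) so the already-owned entrypoint.sh
# is not touched again.
RUN mkdir -p /app/input /app/output /app/logs \
    && chown appuser:appuser /app /app/input /app/output /app/logs
# Runtime environment: unbuffered stdout for container logs; the remaining
# variables are telemetry opt-outs. SENTRY_DSN and SEGMENT_WRITE_KEY are
# intentionally empty — their names trip the SecretsUsedInArgOrEnv build check,
# which is why the check=skip directive sits at the top of the file.
ENV PYTHONUNBUFFERED=1 \
    DO_NOT_TRACK=1 \
    TELEMETRY_DISABLED=true \
    ANALYTICS_DISABLED=true \
    NO_ANALYTICS=1 \
    SENTRY_DSN="" \
    SEGMENT_WRITE_KEY=""
# ARG scope ends with the stage that declares it: the values declared in `base`
# do not reach this stage, so without these redeclarations every ${...} in the
# LABEL below expanded to an empty string. Declared as late as possible so a
# per-build BUILD_DATE/VCS_REF only invalidates the layers from here on.
ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}" \
      org.opencontainers.image.title="bankstatements-free" \
      org.opencontainers.image.description="Bank Statement PDF Processor (Free)" \
      org.opencontainers.image.source="https://github.com/longieirl/bankstatementprocessor"
# Cheap, side-effect-free probe: both packages must be importable in this image.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python -c "import bankstatements_free; import bankstatements_core" || exit 1
USER appuser
ENTRYPOINT ["/app/entrypoint.sh"]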