# Build stage
# hadolint ignore=DL3007
FROM docker.io/chainguard/python:latest-dev AS builder
# hadolint ignore=DL3002
USER root
WORKDIR /python
# uv settings for this stage: compile bytecode at install time, and keep the
# virtualenv and the uv-managed interpreter at fixed paths so the runtime stage
# can copy them out verbatim.
ENV UV_COMPILE_BYTECODE=1 \
    UV_PROJECT_ENVIRONMENT=/opt/venv \
    UV_PYTHON_INSTALL_DIR=/opt/uv/python
# Dependency manifests only — this layer stays cached until one of them changes.
COPY pyproject.toml uv.lock README.md ./
# uv installs its own interpreter based on pyproject.toml; it does not use Chainguard's Python.
# NOTE(review): the interpreter version is whatever uv resolves from pyproject.toml — confirm it is pinned there.
RUN uv venv /opt/venv
# hadolint ignore=DL3059
RUN uv sync --locked --no-dev --no-install-project --no-editable
# Application source is copied after the dependency sync so that code changes
# do not invalidate the dependency layers above.
COPY jf_agent ./jf_agent
RUN uv sync --locked --no-dev --no-editable
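################################################################################
# Runtime stage
# hadolint ignore=DL3007
FROM docker.io/chainguard/wolfi-base:latest
# Python runtime settings: bytecode was already compiled in the builder
# (UV_COMPILE_BYTECODE=1), so nothing needs to write .pyc files here; stdout
# and stderr are unbuffered so container logs are not delayed.
ENV LANG=C.UTF-8 \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    VIRTUAL_ENV=/opt/venv
# PATH is set in its own instruction because VIRTUAL_ENV is not yet expandable
# inside the ENV instruction that defines it.
ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
# The virtualenv and the uv-managed interpreter it is expected to point at
# (UV_PYTHON_INSTALL_DIR in the builder). Copied without --chown, so they stay
# root-owned and the nonroot runtime user cannot modify the interpreter or its
# site-packages.
COPY --from=builder /opt/venv /opt/venv
COPY --from=builder /opt/uv/python /opt/uv/python
# Legacy documentation tells customers to bind-mount to /home/jf_agent/config.yml
# and /home/jf_agent/output. Chainguard's wolfi-base ships with a built-in
# nonroot user (UID 65532) whose home is /home/nonroot — we cannot rename it.
# A symlink bridges the gap: Docker (runc) resolves symlinks in mount targets,
# so --mount target=/home/jf_agent/... resolves to /home/nonroot/... correctly.
# Note: `pwd` inside the container will show /home/nonroot (the resolved path),
# not /home/jf_agent. The standard image (Dockerfile) avoids this by naming the
# user "jf_agent" directly — see that file for details.
RUN ln -s /home/nonroot /home/jf_agent
# Build identity, exported into the runtime environment. Declared after the
# COPY/RUN layers above: these values change on every build, and a changed ARG
# invalidates every layer that follows it, so declaring them earlier forced the
# venv and interpreter copies to be redone on each build.
ARG SHA=develop
ARG BUILDTIME=unknown
ENV SHA="${SHA}" \
    BUILDTIME="${BUILDTIME}"
WORKDIR /home/jf_agent
# Drop privileges for the entrypoint; all root-requiring steps are above.
USER nonroot
ENTRYPOINT ["python", "-m", "jf_agent.rollback_on_fail"]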