# syntax=docker/dockerfile:1.7 # --------------------------------------------------------------------------- # Stage 1: base — system dependencies shared by dev and prod # --------------------------------------------------------------------------- FROM python:3.11-slim AS base COPY --from=ghcr.io/astral-sh/uv:0.8.15 /uv /uvx /bin/ ENV PYTHONDONTWRITEBYTECODE=1 \ PYTHONUNBUFFERED=1 \ PATH="/app/.venv/bin:${PATH}" WORKDIR /app RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ apt-get update && apt-get install -y --no-install-recommends \ ffmpeg \ && rm -rf /var/lib/apt/lists/* # --------------------------------------------------------------------------- # Stage 2: deps — install Python dependencies (no project code) # This layer is cached as long as pyproject.toml and uv.lock don't change. # build-essential is needed here for compiling C extensions (e.g. psycopg2) # but is NOT carried into the prod stage (prod inherits from base instead). # --------------------------------------------------------------------------- FROM base AS deps RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ apt-get update && apt-get install -y --no-install-recommends \ build-essential \ && rm -rf /var/lib/apt/lists/* COPY pyproject.toml uv.lock ./ RUN --mount=type=cache,target=/root/.cache/uv \ uv sync --frozen --no-dev --no-install-project # --------------------------------------------------------------------------- # Stage 3: dev — development target (used by docker-compose) # # Does NOT install the cpv3 package into site-packages at all. The source # code is bind-mounted from the host at /app/cpv3, and Python finds it via # sys.path (WORKDIR /app is on sys.path by default for scripts run from /app). # This means: # - No second `uv sync` step that could go stale or conflict with the mount # - Hot reload works because uvicorn watches the bind-mounted directory # - No risk of importing a stale copy from site-packages # --------------------------------------------------------------------------- FROM deps AS dev # Without `uv sync` (which creates an editable .pth finder in site-packages), # Python cannot find the cpv3 package. PYTHONPATH=/app makes /app/cpv3 # discoverable as a regular package. This is the standard approach for # development containers with bind-mounted source code. ENV PYTHONPATH=/app # watchfiles is already included via uvicorn[standard] in main deps. # It is used by uvicorn --reload and by the worker auto-restart wrapper. EXPOSE 8000 CMD ["sh", "-c", "alembic upgrade head && uvicorn cpv3.main:app --host 0.0.0.0 --port 8000 --reload --reload-dir /app/cpv3"] # --------------------------------------------------------------------------- # Stage 4: prod — production target (used by CI/CD image builds) # # Inherits from base (not deps) so build-essential is excluded from the # final image (~200MB savings). Pre-compiled .venv is copied from deps. # Runs as non-root user for container security. # --------------------------------------------------------------------------- FROM base AS prod ENV UV_LINK_MODE=copy COPY --from=deps /app/.venv /app/.venv COPY pyproject.toml uv.lock ./ COPY cpv3 ./cpv3 COPY alembic ./alembic COPY alembic.ini ./ RUN --mount=type=cache,target=/root/.cache/uv \ uv sync --frozen --no-dev RUN groupadd --gid 1000 app && \ useradd --uid 1000 --gid app --create-home app RUN chown -R app:app /app USER app EXPOSE 8000 CMD ["sh", "-c", "alembic upgrade head && uvicorn cpv3.main:app --host 0.0.0.0 --port 8000"]