
@wkonitzer wkonitzer commented Sep 30, 2025

Example PR showing how to use Chainguard Python.


Summary by cubic

Convert containers to Chainguard Python images and move to a secure, nonroot, multi-stage build. Replace the shell entrypoint with a Python entrypoint and update Compose commands and healthchecks.

  • Refactors

    • Switch to cgr.dev/tracecat.com/python (3.12-dev builder, 3.12 final) with nonroot runtime.
    • Multi-stage build with uv caching via bind mounts; venv prioritized on PATH.
    • Add scripts/entrypoint.py with optional migrations (RUN_MIGRATIONS) and default uvicorn launch.
    • Simplify install-packages.sh: install Deno with checksum, pre-cache Pyodide, create user-owned caches.
    • Update docker-compose: use “-m” for worker; healthcheck runs check_tmp.py via the venv Python.
  • Migration

    • Set RUN_MIGRATIONS=true to apply Alembic migrations on startup.
    • If overriding the container command, pass Python args after the entrypoint; it will exec them.

@wkonitzer wkonitzer marked this pull request as draft September 30, 2025 01:13
@cubic-dev-ai cubic-dev-ai bot left a comment

3 issues found across 4 files

Prompt for AI agents (all 3 issues)

Understand the root cause of the following 3 issues and fix them.


<file name="docker-compose.local.yml">

<violation number="1" location="docker-compose.local.yml:123">
Incorrect use of python -m with a file path; -m requires a module name. This will prevent the worker from starting.</violation>
</file>

<file name="scripts/install-packages.sh">

<violation number="1" location="scripts/install-packages.sh:29">
Script relies on wget but does not ensure it's present, causing potential build failures on minimal images.</violation>

<violation number="2" location="scripts/install-packages.sh:44">
Do not skip checksum verification when retrieval fails; fail closed to prevent unverified binary installation.</violation>
</file>


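The two install-packages.sh findings above (fail closed when no digest is available; make sure wget actually exists before the helpers rely on it) together with the PR's "install Deno with checksum" item describe one pattern: download to a scratch path, verify against a pinned digest, and only then install. The following is an added shell example of that pattern; it is not code from this PR or from the tracecat repository. The function names require_cmd, verify_sha256 and fetch_and_verify and the placeholder URL and digest in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the tracecat PR: a fail-closed pattern for installing a
# downloaded binary during an image build. Function names (require_cmd,
# verify_sha256, fetch_and_verify) and the placeholder URL/digest in the usage
# comment are assumptions.
set -eu

# Refuse to run if a tool the script depends on is absent, instead of failing
# later with a "command not found" buried inside a quiet (-q) wget helper.
require_cmd() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "ERROR: required command '$1' not found" >&2
    return 1
  }
}

# Verify a file against a pinned SHA-256 digest. Fails closed: an empty digest
# means "cannot verify", which is treated as a hard error, not as "skip".
verify_sha256() {
  file="$1"
  expected="$2"
  if [ -z "$expected" ]; then
    echo "ERROR: no checksum available for $file; refusing to install" >&2
    return 1
  fi
  # sha256sum prints "<digest>  <path>"; keep only the digest field.
  actual="$(sha256sum "$file")"
  actual="${actual%% *}"
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
}

# Download to a temporary path, verify, and only then move into place, so an
# unverified or tampered archive never lands at the destination.
fetch_and_verify() {
  url="$1"
  expected="$2"
  dest="$3"
  require_cmd wget || return 1
  tmp="$(mktemp)"
  if ! wget -q --tries=3 --timeout=20 "$url" -O "$tmp"; then
    rm -f "$tmp"
    echo "ERROR: download failed: $url" >&2
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$dest"
}

# Usage (placeholder values). The digest should be pinned from a source the
# build trusts independently of the download host, e.g. committed alongside
# the Dockerfile and bumped in review, rather than fetched at build time:
#   fetch_and_verify "https://example.invalid/deno.zip" "<pinned sha256>" /tmp/deno.zip
```

The design point is that every failure path (missing tool, failed download, missing digest, mismatched digest) returns non-zero and leaves nothing at the destination, so a Dockerfile `RUN` step that calls these helpers fails the build instead of producing an image with an unverified binary in it.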

if [[ -n "${DENO_SHA256}" ]]; then
echo "${DENO_SHA256} ${DENO_ZIP}" | sha256sum -c -
else
echo "WARNING: checksum unavailable; skipping verification." >&2
@cubic-dev-ai cubic-dev-ai bot Sep 30, 2025

Do not skip checksum verification when retrieval fails; fail closed to prevent unverified binary installation.

Prompt for AI agents
Address the following comment on scripts/install-packages.sh at line 44:

<comment>Do not skip checksum verification when retrieval fails; fail closed to prevent unverified binary installation.</comment>

<file context>
@@ -1,118 +1,81 @@
+if [[ -n &quot;${DENO_SHA256}&quot; ]]; then
   echo &quot;${DENO_SHA256}  ${DENO_ZIP}&quot; | sha256sum -c -
+else
+  echo &quot;WARNING: checksum unavailable; skipping verification.&quot; &gt;&amp;2
 fi
 
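Review bot: the `else` branch (`echo "WARNING: checksum unavailable; skipping verification." >&2`) turns a missing digest into an install of an unverified archive; replace it with `echo "ERROR: checksum unavailable; aborting." >&2; exit 1` so the build fails closed. The success branch has the same weakness unless the script runs under `set -e`: a mismatch reported by `sha256sum -c -` is otherwise only a printed message and execution continues to the install step. Either append `|| exit 1` to that line or confirm `set -euo pipefail` is set near the top of the script, which this context does not show.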
</file context>
Suggested change
echo "WARNING: checksum unavailable; skipping verification." >&2
{ echo "ERROR: checksum unavailable; aborting." >&2; exit 1; }

trap cleanup EXIT

# ---- wget helpers (quiet, with a few retries) ----
wget_stdout() { wget -q --tries=3 --timeout=20 -O- "$1"; }
@cubic-dev-ai cubic-dev-ai bot Sep 30, 2025

Script relies on wget but does not ensure it's present, causing potential build failures on minimal images.

Prompt for AI agents
Address the following comment on scripts/install-packages.sh at line 29:

<comment>Script relies on wget but does not ensure it's present, causing potential build failures on minimal images.</comment>

<file context>
@@ -1,118 +1,81 @@
+trap cleanup EXIT
+
+# ---- wget helpers (quiet, with a few retries) ----
+wget_stdout() { wget -q --tries=3 --timeout=20 -O- &quot;$1&quot;; }
+wget_to()     { wget -q --tries=3 --timeout=20 &quot;$1&quot; -O &quot;$2&quot;; }
+
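Review bot: `wget_stdout` and `wget_to` assume `wget` is on PATH, and because both pass `-q`, a missing binary or a failed fetch produces no diagnostic output, so a caller that does not check the exit status will proceed on empty data. Add a guard before the helpers, e.g. `command -v wget >/dev/null 2>&1 || { echo "ERROR: wget is required" >&2; exit 1; }`, and make sure every call site either tests the return value or runs under `set -e`. The `trap cleanup EXIT` line also depends on a `cleanup` function being defined in the script; it is not visible in this context, so worth confirming it exists.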
</file context>

@topher-lo topher-lo added build Build system and package dependency changes security Security related issue labels Sep 30, 2025