Skip to content

WIP Convert to use Chainguard Python #1473

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wkonitzer wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

WIP Convert to use Chainguard Python #1473

wkonitzer wants to merge 3 commits into from

Conversation

@wkonitzer
Copy link

@wkonitzer wkonitzer commented Sep 30, 2025
edited by cubic-dev-ai bot
Loading

Example PR showing how to use Chainguard Python.

Summary by cubic

Convert containers to Chainguard Python images and move to a secure, nonroot, multi-stage build. Replace the shell entrypoint with a Python entrypoint and update Compose commands and healthchecks.

  • Refactors

    • Switch to cgr.dev/tracecat.com/python (3.12-dev builder, 3.12 final) with nonroot runtime.
    • Multi-stage build with uv caching via bind mounts; venv prioritized on PATH.
    • Add scripts/entrypoint.py with optional migrations (RUN_MIGRATIONS) and default uvicorn launch.
    • Simplify install-packages.sh: install Deno with checksum, pre-cache Pyodide, create user-owned caches.
    • Update docker-compose: use “-m” for worker; healthcheck runs check_tmp.py via the venv Python.

  • Migration

    • Set RUN_MIGRATIONS=true to apply Alembic migrations on startup.
    • If overriding the container command, pass Python args after the entrypoint; it will exec them.

@wkonitzer wkonitzer marked this pull request as draft September 30, 2025 01:13
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Sep 30, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 4 files

Prompt for AI agents (all 3 issues) 

Understand the root cause of the following 3 issues and fix them.


<file name="docker-compose.local.yml">

<violation number="1" location="docker-compose.local.yml:123">
Incorrect use of python -m with a file path; -m requires a module name. This will prevent the worker from starting.</violation>
</file>

<file name="scripts/install-packages.sh">

<violation number="1" location="scripts/install-packages.sh:29">
Script relies on wget but does not ensure it&#39;s present, causing potential build failures on minimal images.</violation>

<violation number="2" location="scripts/install-packages.sh:44">
Do not skip checksum verification when retrieval fails; fail closed to prevent unverified binary installation.</violation>
</file>

Since this is your first cubic review, here's how it works:

  • cubic automatically reviews your code and comments on bugs and improvements
  • Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
  • Ask questions if you need clarification on any suggestion

React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.

scripts/install-packages.sh Outdated
if [[ -n "${DENO_SHA256}" ]]; then
echo "${DENO_SHA256} ${DENO_ZIP}" | sha256sum -c -
else
echo "WARNING: checksum unavailable; skipping verification." >&2
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Sep 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do not skip checksum verification when retrieval fails; fail closed to prevent unverified binary installation.

Prompt for AI agents 
Address the following comment on scripts/install-packages.sh at line 44:

<comment>Do not skip checksum verification when retrieval fails; fail closed to prevent unverified binary installation.</comment>

<file context>
@@ -1,118 +1,81 @@
+if [[ -n &quot;${DENO_SHA256}&quot; ]]; then
   echo &quot;${DENO_SHA256}  ${DENO_ZIP}&quot; | sha256sum -c -
+else
+  echo &quot;WARNING: checksum unavailable; skipping verification.&quot; &gt;&amp;2
 fi
 
</file context>
Suggested change
echo "WARNING: checksum unavailable; skipping verification." >&2
{ echo "ERROR: checksum unavailable; aborting." >&2; exit 1; }
Fix with Cubic

scripts/install-packages.sh
trap cleanup EXIT

# ---- wget helpers (quiet, with a few retries) ----
wget_stdout() { wget -q --tries=3 --timeout=20 -O- "$1"; }
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Sep 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Script relies on wget but does not ensure it's present, causing potential build failures on minimal images.

Prompt for AI agents 
Address the following comment on scripts/install-packages.sh at line 29:

<comment>Script relies on wget but does not ensure it&#39;s present, causing potential build failures on minimal images.</comment>

<file context>
@@ -1,118 +1,81 @@
+trap cleanup EXIT
+
+# ---- wget helpers (quiet, with a few retries) ----
+wget_stdout() { wget -q --tries=3 --timeout=20 -O- &quot;$1&quot;; }
+wget_to()     { wget -q --tries=3 --timeout=20 &quot;$1&quot; -O &quot;$2&quot;; }
+
</file context>
Fix with Cubic

@topher-lo topher-lo added build Build system and package dependency changes security Security related issue labels Sep 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

build Build system and package dependency changes security Security related issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wkonitzer @topher-lo