ci(compliance): address review comments

ranrubin · claude · ranrubin · commit 4d95cea3d3d3 · 2026-03-15T13:13:32.000+02:00
- Fix --builder help text: --platform is optional, defaults to linux/amd64
- Dockerfile.extract: surface extractor errors and fail build if dpkg.tsv
  is empty to prevent silent failures
- python_helper.py: add /opt/*/lib/python* glob paths for conda/virtualenv
  layouts common in ML containers
- dpkg_helper.py/python_helper.py: rename legacy mode -&gt; local mode

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/container/compliance/Dockerfile.extract b/container/compliance/Dockerfile.extract
@@ -21,7 +21,7 @@
 #   dpkg_err.txt     - stderr from dpkg extraction (for debugging)
 #   python_err.txt   - stderr from python extraction (for debugging)
 
-ARG TARGET_IMAGE
+ARG TARGET_IMAGE=scratch
 FROM ${TARGET_IMAGE} AS target
 
 FROM python:3.12-slim AS extractor
@@ -30,7 +30,10 @@ COPY extractors/helpers/dpkg_helper.py /helpers/dpkg_helper.py
 COPY extractors/helpers/python_helper.py /helpers/python_helper.py
 RUN --mount=type=bind,from=target,target=/target \
     python3 /helpers/dpkg_helper.py --root /target > /output/dpkg.tsv 2>/output/dpkg_err.txt ; \
-    python3 /helpers/python_helper.py --root /target > /output/python.tsv 2>/output/python_err.txt
+    python3 /helpers/python_helper.py --root /target > /output/python.tsv 2>/output/python_err.txt ; \
+    if [ -s /output/dpkg_err.txt ]; then echo "dpkg extraction errors:" >&2; cat /output/dpkg_err.txt >&2; fi ; \
+    if [ -s /output/python_err.txt ]; then echo "python extraction errors:" >&2; cat /output/python_err.txt >&2; fi ; \
+    [ -s /output/dpkg.tsv ] || { echo "ERROR: dpkg extraction produced no output" >&2; exit 1; }
 
 FROM scratch
 COPY --from=extractor /output/ /
diff --git a/container/compliance/extractors/helpers/dpkg_helper.py b/container/compliance/extractors/helpers/dpkg_helper.py
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# This script runs INSIDE the container (legacy mode) or against a mounted
+# This script runs INSIDE the container (local mode) or against a mounted
 # filesystem root (--root /target mode for BuildKit extraction).
 # It must be fully self-contained with zero external dependencies (only Python stdlib).
 
@@ -149,7 +149,7 @@ def main():
             license_id = get_license_for_package(pkg, root)
             print(f"{pkg}\t{version}\t{license_id}")
     else:
-        # Legacy mode: run dpkg-query inside the container
+        # Local mode: run dpkg-query inside the container
         result = subprocess.run(
             ["dpkg-query", "-W", "-f=${Package}\t${Version}\n"],
             capture_output=True,
diff --git a/container/compliance/extractors/helpers/python_helper.py b/container/compliance/extractors/helpers/python_helper.py
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# This script runs INSIDE the container (legacy mode) or against a mounted
+# This script runs INSIDE the container (local mode) or against a mounted
 # filesystem root (--root /target mode for BuildKit extraction).
 # It must be fully self-contained with zero external dependencies (only Python stdlib).
 
@@ -117,9 +117,12 @@ def main():
         search_paths += glob.glob(f"{root}/usr/lib/python*/site-packages")
         search_paths += glob.glob(f"{root}/usr/local/lib/python*/dist-packages")
         search_paths += glob.glob(f"{root}/usr/local/lib/python*/site-packages")
+        # conda / virtualenv layouts common in ML containers (e.g. /opt/conda)
+        search_paths += glob.glob(f"{root}/opt/*/lib/python*/site-packages")
+        search_paths += glob.glob(f"{root}/opt/*/lib/python*/dist-packages")
         dists = importlib.metadata.distributions(path=search_paths)
     else:
-        # Legacy mode: enumerate distributions in the running Python environment
+        # Local mode: enumerate distributions in the running Python environment
         dists = importlib.metadata.distributions()
 
     seen = set()
diff --git a/container/compliance/generate_attributions.py b/container/compliance/generate_attributions.py
@@ -200,6 +200,7 @@ def extract_all_buildx(
             f"TARGET_IMAGE={image}",
             "--output",
             f"type=local,dest={tmpdir}",
+            "--pull",  # always re-resolve target image digest from registry
             "-f",
             str(_EXTRACT_DOCKERFILE),
             str(_SCRIPT_DIR),
@@ -295,7 +296,8 @@ def parse_args() -> argparse.Namespace:
         default="",
         help=(
             "docker buildx builder name. When set, uses BuildKit filesystem extraction "
-            "(no docker run) instead of docker run. Requires --platform."
+            "(no docker run) instead of docker run. Use --platform to target a specific "
+            "architecture (defaults to linux/amd64)."
         ),
     )
     parser.add_argument(
