CI: securing service image multi-stage build

Author: k1nho

services/nsdf_intersect_service/.dockerignore

@@ -1,4 +1,6 @@
 tests
 __pycache__
-.venv
 .env
+pytest.ini
+Dockerfile
+README.md

services/nsdf_intersect_service/Dockerfile

@@ -1,20 +1,53 @@
-FROM python:3.10-slim
+FROM python:3.10-slim AS base
+
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    && rm -rf /var/lib/apt/lists/*
+
+
+# Tweak Python to run better in Docker
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1
+
+
+# Build stage: dev & build dependencies
+FROM base AS build
+
 COPY --from=ghcr.io/astral-sh/uv:0.7.19 /uv /uvx /bin/
 
-# Set environment variables
-ENV PYTHONDONTWRITEBYTECODE=1
-ENV PYTHONUNBUFFERED=1
-ENV BOKEH_ALLOW_WS_ORIGIN="*"
+# UV_COMPILE_BYTECODE=1 is an important startup time optimization
+ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
+
+WORKDIR /app 
+
+COPY uv.lock pyproject.toml ./
+RUN --mount=type=cache,target=/root/.cache/uv \
+  uv sync --frozen --no-install-project --no-dev
+
+COPY . .
+RUN --mount=type=cache,target=/root/.cache/uv \
+  uv sync --frozen --no-dev
+
+# Runtime stage: only venv
+FROM base AS runtime
+
+WORKDIR /app
+
+# Create user and group
+RUN addgroup --gid 1001 --system nonroot && \
+    adduser --no-create-home --shell /bin/false \
+    --disabled-password --uid 1001 --system --group nonroot
+
+# Switch to non-root user
+USER nonroot:nonroot
 
-WORKDIR /usr/src/dashboard_service
-COPY ./pyproject.toml ./
-COPY ./uv.lock ./
-RUN uv sync --locked
+ENV VIRTUAL_ENV=/app/.venv \
+    PATH="/app/.venv/bin:$PATH"
 
-COPY src/nsdf_intersect_service/dashboard_service.py .
+COPY --from=build --chown=nonroot:nonroot /app ./
 COPY ./src/nsdf_intersect_service/config_dashboard.yaml /config/config_dashboard_default.yaml
 COPY ./src/nsdf_intersect_service/config_service.yaml /config/config_default.yaml
 
 EXPOSE 10043
 
-CMD ["uv", "run", "dashboard_service.py"]
+CMD ["python", "/app/src/nsdf_intersect_service/dashboard_service.py"]