oss-review-toolkit · janniclas · Sep 22, 2025 · Sep 30, 2025 · Sep 30, 2025 · Oct 21, 2025
@@ -17,15 +17,17 @@ NUGET_INSPECTOR_VERSION=0.9.12
 PHP_VERSION=8.3
 PIP_VERSION=25.2.0
 PYENV_GIT_TAG=v2.6.3
+PYTHON_CLICK_VERSION=8.2.1
 PYTHON_INSPECTOR_VERSION=0.14.4
 PYTHON_PIPENV_VERSION=2023.12.1
 PYTHON_POETRY_VERSION=2.1.3
 PYTHON_POETRY_PLUGIN_EXPORT_VERSION=1.9.0
 PYTHON_SETUPTOOLS_VERSION=74.1.3
-PYTHON_VERSION=3.13.5
+PYTHON_VERSION=3.13.7
 RUBY_VERSION=3.4.4
 RUST_VERSION=1.90.0
 SBT_VERSION=1.10.0
 SCANCODE_VERSION=32.4.1
 SWIFT_VERSION=6.0.3
 UBUNTU_VERSION=jammy
+UV_VERSION=0.9.3
@@ -8,7 +8,7 @@ on:
     branches:
       - main
     tags:
-      - "[0-9]+.[0-9]+.[0-9]+"
+      - '[0-9]+.[0-9]+.[0-9]+'
   workflow_dispatch:
 
 env:
@@ -32,6 +32,8 @@ jobs:
         run: |
           ORT_VERSION=$(./gradlew -q printVersion)
           echo "ORT_VERSION=${ORT_VERSION}" >> $GITHUB_ENV
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: Login to GitHub Container Registry
@@ -63,6 +65,7 @@ jobs:
           cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache
           cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache,mode=max
           build-args: ORT_VERSION=${{ env.ORT_VERSION }}
+          platforms: linux/amd64,linux/arm64
           sbom: true
       - name: Build 'ort' Docker Image
         if: ${{ github.event_name == 'pull_request' }}
@@ -73,6 +76,7 @@ jobs:
           labels: ${{ steps.meta-ort.outputs.labels }}
           cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache
           build-args: ORT_VERSION=${{ env.ORT_VERSION }}
+          platforms: linux/amd64,linux/arm64
           sbom: true
       - name: Extract Metadata for 'ort-minimal' Docker Image
         id: meta-ort-minimal
@@ -98,6 +102,7 @@ jobs:
           target: minimal
           cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache
           build-args: ORT_VERSION=${{ env.ORT_VERSION }}
+          platforms: linux/amd64,linux/arm64
           sbom: true
       - name: Print Disk Space
         run: df -h
@@ -115,56 +115,47 @@ WORKDIR $HOME
 ENTRYPOINT [ "/bin/bash" ]
 
 #------------------------------------------------------------------------
-# PYTHON - Build Python as a separate component with pyenv
-FROM base AS pythonbuild
+# PYTHON - Install Python binaries from astral-sh
+FROM base AS python_install
 
-ARG CONAN_VERSION
 ARG CONAN2_VERSION
+ARG CONAN_VERSION
 ARG PIP_VERSION
-ARG PYENV_GIT_TAG
+ARG PYTHON_CLICK_VERSION
 ARG PYTHON_INSPECTOR_VERSION
 ARG PYTHON_PIPENV_VERSION
 ARG PYTHON_POETRY_PLUGIN_EXPORT_VERSION
 ARG PYTHON_POETRY_VERSION
 ARG PYTHON_SETUPTOOLS_VERSION
 ARG PYTHON_VERSION
 ARG SCANCODE_VERSION
+ARG UV_VERSION
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+ENV PYTHON_INSTALL_ROOT=/opt/python
+ENV PATH=$PATH:$PYTHON_INSTALL_ROOT/bin:$PYTHON_INSTALL_ROOT/conan2/bin
+
+RUN ARCH=$(arch | sed s/aarch64/arm64/) \
+    && astral_release="20250918" \
+    && download_url="https://github.com/astral-sh/python-build-standalone/releases/download/${astral_release}" \
+    && mkdir -p $PYTHON_INSTALL_ROOT \
+    && arch="x86_64" \
+    && if [ "$ARCH" == "arm64" ]; then \
+    arch="aarch64"; \
+    fi \
+    && curl -L "${download_url}/cpython-${PYTHON_VERSION}+${astral_release}-${arch}-unknown-linux-gnu-install_only_stripped.tar.gz" | tar -C /opt -xz
+
+# This is required mostly because scancode-mini requirements
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     sudo apt-get update -qq \
     && DEBIAN_FRONTEND=noninteractive sudo apt-get install -y --no-install-recommends \
-    libreadline-dev \
-    libgdbm-dev \
-    libsqlite3-dev \
-    libssl-dev \
-    libbz2-dev \
-    liblzma-dev \
-    tk-dev \
+    libicu-dev \
+    pkg-config \
+    clang \
     && sudo rm -rf /var/lib/apt/lists/*
 
-ENV PYENV_ROOT=/opt/python
-ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PYENV_ROOT/conan2/bin
-RUN curl -kSs https://pyenv.run | bash \
-    && pyenv install -v $PYTHON_VERSION \
-    && pyenv global $PYTHON_VERSION
-
-RUN ARCH=$(arch | sed s/aarch64/arm64/) \
-    &&  if [ "$ARCH" == "arm64" ]; then \
-    pip install -U scancode-toolkit-mini==$SCANCODE_VERSION; \
-    else \
-    curl -Os https://raw.githubusercontent.com/nexB/scancode-toolkit/v$SCANCODE_VERSION/requirements.txt; \
-    pip install -U --constraint requirements.txt scancode-toolkit==$SCANCODE_VERSION setuptools==$PYTHON_SETUPTOOLS_VERSION; \
-    rm requirements.txt; \
-    fi
-
-# Extract ScanCode license texts to a directory.
-RUN scancode-license-data --path /opt/scancode-license-data \
-    && find /opt/scancode-license-data -type f -not -name "*.LICENSE" -exec rm -f {} + \
-    && rm -rf /opt/scancode-license-data/static
-
 RUN pip install --no-cache-dir -U \
     pip=="$PIP_VERSION" \
     wheel \
@@ -175,19 +166,33 @@ RUN pip install --no-cache-dir -U \
     poetry=="$PYTHON_POETRY_VERSION" \
     poetry-plugin-export=="$PYTHON_POETRY_PLUGIN_EXPORT_VERSION" \
     python-inspector=="$PYTHON_INSPECTOR_VERSION" \
-    setuptools=="$PYTHON_SETUPTOOLS_VERSION"
-RUN mkdir /tmp/conan2 && cd /tmp/conan2 \
-    && wget https://github.com/conan-io/conan/releases/download/$CONAN2_VERSION/conan-$CONAN2_VERSION-linux-x86_64.tgz \
-    && tar -xvf conan-$CONAN2_VERSION-linux-x86_64.tgz\
+    click==$PYTHON_CLICK_VERSION \
+    setuptools=="$PYTHON_SETUPTOOLS_VERSION" \
+    uv=="$UV_VERSION"
+
+RUN ARCH=$(arch | sed s/aarch64/arm64/) \
+    && if [ "$ARCH" == "arm64" ]; then \
+    pip install -U scancode-toolkit-mini==$SCANCODE_VERSION; \
+    else \
+    pip install -U scancode-toolkit==$SCANCODE_VERSION; \
+    fi
+
+# # Extract ScanCode license texts to a directory.
+# RUN ARCH=$(arch | sed s/aarch64/arm64/) \
+#     if [ "$ARCH" == "arm64" ]; then \
+#     echo "Not av ailable for Arm due distutils problem";
+# else \
+#     scancode-license-data --path /opt/scancode-license-data; \
+#     find /opt/scancode-license-data -type f -not -name "*.LICENSE" -exec rm -f {} + \; \
+#     fi
+
+RUN mkdir -p $PYTHON_INSTALL_ROOT/conan2 \
+    && curl -L https://github.com/conan-io/conan/releases/download/$CONAN2_VERSION/conan-$CONAN2_VERSION-linux-x86_64.tgz | tar -C $PYTHON_INSTALL_ROOT/conan2 -zvx bin \
     # Rename the Conan 2 executable to "conan2" to be able to call both Conan version from the package manager.
-    && mkdir $PYENV_ROOT/conan2 && mv /tmp/conan2/bin $PYENV_ROOT/conan2/ \
-    && mv $PYENV_ROOT/conan2/bin/conan $PYENV_ROOT/conan2/bin/conan2
+    && mv $PYTHON_INSTALL_ROOT/conan2/bin/conan $PYTHON_INSTALL_ROOT/conan2/bin/conan2
 
 FROM scratch AS python
-COPY --from=pythonbuild /opt/python /opt/python
-
-FROM scratch AS scancode-license-data
-COPY --from=pythonbuild /opt/scancode-license-data /opt/scancode-license-data
+COPY --from=python_install /opt/python /opt/python
 
 #------------------------------------------------------------------------
 # NODEJS - Build NodeJS as a separate component with nvm
@@ -483,9 +488,9 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     && sudo rm -rf /var/lib/apt/lists/*
 
 # Python
-ENV PYENV_ROOT=/opt/python
-ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PYENV_ROOT/conan2/bin
-COPY --from=python --chown=$USER:$USER $PYENV_ROOT $PYENV_ROOT
+ENV PYTHON_INSTALL_ROOT=/opt/python
+ENV PATH=$PATH:$PYTHON_INSTALL_ROOT/shims:$PYTHON_INSTALL_ROOT/bin:$PYTHON_INSTALL_ROOT/conan2/bin
+COPY --from=python --chown=$USER:$USER $PYTHON_INSTALL_ROOT $PYTHON_INSTALL_ROOT
 
 # NodeJS
 ENV NVM_DIR=/opt/nvm
@@ -510,8 +515,6 @@ ENV GEM_HOME=/var/tmp/gem
 ENV PATH=$PATH:$RBENV_ROOT/bin:$RBENV_ROOT/shims:$RBENV_ROOT/plugins/ruby-install/bin
 COPY --from=ruby --chown=$USER:$USER $RBENV_ROOT $RBENV_ROOT
 
-COPY --from=scancode-license-data --chown=$USER:$USER /opt/scancode-license-data /opt/scancode-license-data
-
 #------------------------------------------------------------------------
 # Container with all supported package managers.
 FROM minimal-tools AS all-tools