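ARG RUNNER_VERSION=2.332.0
FROM ghcr.io/actions/actions-runner:${RUNNER_VERSION} AS base
# Home of the unprivileged `runner` user. An ARG is scoped to the stage that
# declares it, so a later stage that expands ${APP_HOME} must redeclare it.
ARG APP_HOME=/home/runner
# Package installs below need root; the stage switches back to `runner` at the end.
USER root
# System upgrade, Python 3.12/3.13 (deadsnakes), skopeo, buildah
# NOTE(review): `apt-get upgrade` (hadolint DL3005) ties the result to the mirror
# state at build time; bumping RUNNER_VERSION is the reproducible alternative.
# hadolint ignore=DL3008
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install --no-install-recommends -y gnupg ca-certificates software-properties-common curl \
    && DEBIAN_FRONTEND=noninteractive add-apt-repository -y ppa:deadsnakes/ppa \
    && apt-get update \
    && apt-get install --no-install-recommends -y \
        build-essential \
        python3.12 python3.12-dev \
        python3.13 python3.13-dev \
        skopeo buildah \
    && apt-get autoremove -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
# deadsnakes PPA does not ship python3.x-pip; bootstrap via get-pip.py.
# PEP 668 marks the environment as externally managed; --break-system-packages is
# acceptable in a container image where we own the environment.
# `curl -f` makes an HTTP error fail the step instead of handing an error page
# to the interpreter. The script itself is not checksum-verified (TODO if
# reproducibility matters: pin a get-pip.py release and compare its sha256).
# hadolint ignore=DL4006
RUN curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py \
    && python3.12 /tmp/get-pip.py --no-cache-dir --break-system-packages \
    && python3.13 /tmp/get-pip.py --no-cache-dir --break-system-packages \
    && rm /tmp/get-pip.py
# Configure buildah storage for container/rootless usage
# vfs needs no overlay support from the host kernel/runtime, at the cost of speed.
RUN mkdir -p /etc/containers \
    && printf '[storage]\ndriver = "vfs"\n' > /etc/containers/storage.conf
# Install trivy (vulnerability scanner)
# The repository key is pinned via signed-by so only this keyring can sign it.
# Without `SHELL ... -o pipefail` a failed key download is masked by gpg's exit
# status (DL4006 is ignored deliberately); apt's signature check still catches it.
# hadolint ignore=DL3008,DL4006
RUN curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key \
    | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \
    | tee /etc/apt/sources.list.d/trivy.list \
    && apt-get update \
    && apt-get install --no-install-recommends -y trivy \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
# Install dive (container filesystem analysis)
# NOTE(review): every GitHub-release download below is pinned by version but not
# by checksum, and the artifact names hard-code amd64/x86_64; `curl -f` at least
# stops a 404 body from being installed as a binary.
ARG DIVE_VERSION=0.12.0
# hadolint ignore=DL3008
RUN curl -fsSL -o /tmp/dive.deb \
        "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.deb" \
    && apt-get update \
    && apt-get install --no-install-recommends -y /tmp/dive.deb \
    && rm /tmp/dive.deb \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
# Install hadolint (Dockerfile/Containerfile linter)
ARG HADOLINT_VERSION=2.12.0
RUN curl -fsSL -o /usr/local/bin/hadolint \
        "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" \
    && chmod +x /usr/local/bin/hadolint
# Install yq (YAML processor)
ARG YQ_VERSION=4.45.4
RUN curl -fsSL -o /usr/local/bin/yq \
        "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \
    && chmod +x /usr/local/bin/yq
# Install Argo Workflows CLI
ARG ARGO_VERSION=3.6.4
RUN curl -fsSL -o /tmp/argo-linux-amd64.gz \
        "https://github.com/argoproj/argo-workflows/releases/download/v${ARGO_VERSION}/argo-linux-amd64.gz" \
    && gunzip /tmp/argo-linux-amd64.gz \
    && mv /tmp/argo-linux-amd64 /usr/local/bin/argo \
    && chmod +x /usr/local/bin/argo
# Install Kargo CLI
ARG KARGO_VERSION=1.9.2
RUN curl -fsSL -o /usr/local/bin/kargo \
        "https://github.com/akuity/kargo/releases/download/v${KARGO_VERSION}/kargo-linux-amd64" \
    && chmod +x /usr/local/bin/kargo
# Install pack (Cloud Native Buildpacks CLI)
# --no-same-owner: extracting as root would otherwise keep the uid/gid recorded
# in the archive rather than root:root for the installed binary.
ARG PACK_VERSION=0.36.4
RUN curl -fsSL -o /tmp/pack.tgz \
        "https://github.com/buildpacks/pack/releases/download/v${PACK_VERSION}/pack-v${PACK_VERSION}-linux.tgz" \
    && tar --no-same-owner -xzf /tmp/pack.tgz -C /usr/local/bin/ \
    && rm /tmp/pack.tgz
# Install pre-commit
# NOTE(review): `pip3` here resolves to whichever get-pip.py run last wrote
# /usr/local/bin/pip3 (presumably 3.13) — use `python3.X -m pip` if a specific
# interpreter is intended. The package is unpinned (DL3013 ignored).
# hadolint ignore=DL3013
RUN pip3 install --no-cache-dir pre-commit
# Base stage must not end as root (hadolint DL3002)
USER runner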
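FROM base AS runtime
# ARGs do not cross stage boundaries: without this redeclaration ${APP_HOME}
# expands to an empty string in the WORKDIR, ENV and RUN lines below.
ARG APP_HOME=/home/runner
LABEL org.opencontainers.image.source=https://github.com/deerhide/python-github-runner
LABEL org.opencontainers.image.description="Python GitHub Runner"
LABEL org.opencontainers.image.licenses="MIT"
LABEL org.opencontainers.image.authors="Deerhide"
LABEL org.opencontainers.image.vendor="Deerhide"
# The base stage already ends as `runner`; restated so the final image is
# visibly non-root regardless of how `base` evolves.
USER runner
WORKDIR ${APP_HOME}
# Install Poetry latest version and add it to PATH
# NOTE(review): both installers below execute an unpinned upstream script at
# build time with no checksum, so two builds can yield different tool versions.
# `curl -f` keeps an HTTP error from being piped into the interpreter; without
# `SHELL ... -o pipefail` (DL4006 ignored) the failed fetch still won't fail the
# build on its own.
# hadolint ignore=DL4006
RUN curl -fsSL https://install.python-poetry.org | python3 -
# Install UV
# hadolint ignore=DL4006
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
# Add Poetry and UV to PATH
# ENV makes the tools resolvable for every process in the container; the
# .bashrc export only takes effect in interactive bash sessions.
ENV PATH="${APP_HOME}/.local/bin:${PATH}"
RUN echo "export PATH=\"${APP_HOME}/.local/bin:\$PATH\"" >> ~/.bashrc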