From 022f03d3e89d470fb6d2efb6badfe514aec0c4b8 Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Wed, 11 Mar 2026 14:16:43 -0400
Subject: [PATCH 01/10] sec: migrate standard Dockerfiles to Chainguard golden base images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Migrate from Docker Hub base images to ECR-mirrored Chainguard golden images:
- agentex: python:3.12-slim → golden/chainguard/python:3.12-dev
- agentex-ui: node:20 → golden/chainguard/node:20-dev

Mirrors the pattern established in the FIPS Dockerfiles (PR #308).

Co-Authored-By: Claude Opus 4.6
---
 agentex-ui/Dockerfile | 33 +++++++++----------
 agentex/Dockerfile    | 75 +++++++++++++++++++++++++++----------------
 2 files changed, 63 insertions(+), 45 deletions(-)

diff --git a/agentex-ui/Dockerfile b/agentex-ui/Dockerfile
index d8e617e7..3f568e30 100644
--- a/agentex-ui/Dockerfile
+++ b/agentex-ui/Dockerfile
@@ -1,14 +1,15 @@
-# Use the official Node.js 20 Debian image
-FROM node:20
-
-# Update package lists and install Sharp dependencies
-RUN apt-get update && apt-get install -y \
+# NOTE: -dev variant required at runtime for libvips (Sharp image processing)
+FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/node:20-dev
+ARG SOURCE_DIR=public/agentex-ui
+ENTRYPOINT []
+
+# Install dependencies as root
+USER root
+RUN apk add --no-cache \
     libvips-dev \
     python3 \
     make \
-    g++ \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+    build-base
 
 WORKDIR /app
 
@@ -20,7 +21,7 @@ ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
 
 # Copy package files
-COPY package.json package-lock.json ./
+COPY ${SOURCE_DIR}/package.json ${SOURCE_DIR}/package-lock.json ./
 
 ENV npm_config_cache=/tmp/.npm
 RUN npm config set maxsockets 3
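Review bot: The compiler toolchain this hunk installs (`build-base`, `make`, `python3`, `libvips-dev`) is only needed while `npm ci` compiles sharp's native binding, yet the image is single-stage, so all of it ships in the runtime container together with apk and a shell. A build stage that installs the toolchain and runs the install and build, plus a final stage that copies `/app` out of it with `--chown=65532:65532`, keeps the toolchain out of the served image and makes the later recursive chown unnecessary. `libvips-dev` is the Debian package name; Alpine and Wolfi publish the headers as `vips-dev` and the runtime library as `vips`, so confirm the name resolves in the golden image's apk index before relying on this layer. None of the apk packages carries a version pin. The rest of the file (npm config, build, user switch) continues in later hunks.
```dockerfile
# -dev variant carries apk and the toolchain; used only in the build stage
FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/node:20-dev AS build
ARG SOURCE_DIR=public/agentex-ui
USER root
RUN apk add --no-cache \
    build-base \
    make \
    python3 \
    vips-dev
# … unchanged: WORKDIR /app, ENV, COPY package files, npm ci, COPY source, npm run build …

FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/node:20-dev
ENTRYPOINT []
USER root
# runtime library only; confirm the package name against the golden image's apk index
RUN apk add --no-cache vips
WORKDIR /app
COPY --from=build --chown=65532:65532 /app /app
USER nonroot
# … unchanged: EXPOSE 3000, ENV PORT/HOSTNAME, CMD ["npm", "start"] …
```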
@@ -30,7 +31,7 @@ RUN npm config set registry https://registry.npmjs.org/ && \
     npm ci --omit=dev --verbose
 
 # Copy source code (node_modules and .next excluded by .dockerignore)
-COPY . .
+COPY ${SOURCE_DIR} .
 COPY LICENSE /app/LICENSE
 
 # Build the application (creates fresh .next directory)
@@ -42,15 +43,11 @@ RUN echo "=== Build verification ===" && \
     echo "=== Final container structure ===" && \
     ls -la /app/
 
-# Create non-root user (Debian syntax)
-RUN groupadd --system --gid 1001 nodejs && \
-    useradd --system --uid 1001 --gid nodejs nextjs
-
-# Change ownership of the entire app directory to nextjs user
-RUN chown -R nextjs:nodejs /app
+# Use Chainguard's default nonroot user (65532)
+RUN chown -R 65532:65532 /app
 
 # Switch to non-root user
-USER nextjs
+USER nonroot
 
 EXPOSE 3000
 
@@ -58,4 +55,4 @@ ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
 # Start the application
-CMD ["npm", "start"]
+CMD ["npm", "start"]
diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index da6cdc59..62b09f82 100644
--- a/agentex/Dockerfile
+++ b/agentex/Dockerfile
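Review bot: `RUN chown -R 65532:65532 /app` after the build rewrites every file under `/app` — `node_modules` and `.next` included — into an additional layer, so the image carries two copies of the application tree. Copying the sources with `COPY --chown=65532:65532 ${SOURCE_DIR} .` (likewise for the package files and LICENSE) and switching to `USER nonroot` before `npm ci`, with `/app` handed to that user first (`RUN chown 65532:65532 /app` on the still-empty directory is cheap), makes the install and build outputs land with the right owner and removes the extra layer; the apk step that needs root already runs before this point. The production stage of `agentex/Dockerfile` in this same patch repeats the pattern with an identical `chown -R` after its copies.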
@@ -1,62 +1,83 @@
-FROM python:3.12-slim AS base
-COPY --from=ghcr.io/astral-sh/uv:0.6.9 /uv /uvx /bin/
+FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev AS base
+ARG SOURCE_DIR=public/agentex
+# Install uv package manager
+COPY --from=ghcr.io/astral-sh/uv:0.6.9 /uv /uvx /bin/
 
-RUN apt-get update && apt-get install -y \
-    htop \
-    vim \
+# Install system dependencies
+USER root
+RUN apk add --no-cache \
     curl \
-    tar \
-    python3-dev \
     postgresql-client \
-    build-essential \
-    libpq-dev \
+    build-base \
+    libpq \
     gcc \
-    netcat-openbsd \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+    busybox
 
 WORKDIR /app
 
 # Copy dependency management files
-COPY agentex/pyproject.toml agentex/README.md ./
+COPY ${SOURCE_DIR}/pyproject.toml ${SOURCE_DIR}/README.md ./
 
-# Install core dependencies
-ENV UV_PROJECT_ENVIRONMENT=/usr/local
-RUN uv sync
+# Install core dependencies directly to system Python
+RUN uv pip install --system -e .
 
 # Development stage (for docker-compose)
 FROM base AS dev
+ARG SOURCE_DIR=public/agentex
 
-# Install dev dependencies
-RUN uv sync --group dev
+# Install dev dependencies to system Python
+RUN uv pip install --system --group dev .
 
-COPY agentex/src/ ./src/
+COPY ${SOURCE_DIR}/src/ ./src/
 EXPOSE 5003
 ENV PYTHONPATH=/app
 CMD ["ddtrace-run", "uvicorn", "src.api.app:app", "--host", "0.0.0.0", "--port", "5003", "--reload"]
 
 # Docs builder stage
 FROM base AS docs-builder
+ARG SOURCE_DIR=public/agentex
 
 # Install docs dependencies
 RUN uv sync --group docs
 
-COPY agentex/docs/ docs/
-COPY agentex/src/ src/
-RUN cd docs && mkdocs build
+COPY ${SOURCE_DIR}/docs/ docs/
+COPY ${SOURCE_DIR}/src/ src/
+RUN cd docs && uv run mkdocs build
 
 # Production stage
-FROM base AS production
+# NOTE: -dev variant required at runtime for apk (libpq, postgresql-client needed by psycopg2)
+FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev AS production
+ENTRYPOINT []
 ARG INCLUDE_DOCS=false
+ARG SOURCE_DIR=public/agentex
+
+# Install runtime system dependencies only (no build tools)
+USER root
+RUN apk add --no-cache \
+    postgresql-client \
+    libpq
+
+WORKDIR /app
+
+# Copy Python packages from base stage (Chainguard installs to /usr/lib/python3.12)
+COPY --from=base /usr/lib/python3.12 /usr/lib/python3.12
+COPY --from=base /usr/bin /usr/bin
+
+# Copy application files
+COPY ${SOURCE_DIR}/pyproject.toml ${SOURCE_DIR}/README.md ./
+COPY ${SOURCE_DIR}/src/ src/
+COPY ${SOURCE_DIR}/database/ database/
+COPY ${SOURCE_DIR}/logging_config.conf logging_config.conf
+COPY LICENSE /app/LICENSE
 
 # Conditionally copy docs from builder stage
 COPY --from=docs-builder /app/docs/site /app/docs/site
 
-COPY agentex/src/ src/
-COPY agentex/database/ database/
-COPY agentex/logging_config.conf logging_config.conf
-COPY LICENSE /app/LICENSE
+# Set ownership to Chainguard's default nonroot user (UID 65532)
+RUN chown -R 65532:65532 /app
+
+USER nonroot
 
 EXPOSE 5003
 ENV PYTHONPATH=/app

From c5e93c14361980f8cf9925cb703299a2d015a64f Mon Sep 17 00:00:00 2001
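Review bot: The production stage's `apk add` installs `postgresql-client` next to `libpq`, and the NOTE above its FROM justifies both with psycopg2, but psycopg2 links only against libpq; the psql client binaries are interactive tools that nothing in this Dockerfile invokes, so they only add surface to the served image. Suggest `RUN apk add --no-cache libpq` in the production stage, with the comment reworded to `# libpq is the only system library psycopg2 needs at runtime`, and leaving postgresql-client to the base/dev stages where it is useful interactively. Both new FROM lines reference the golden image by tag alone; pinning them as `:3.12-dev@sha256:<digest of the golden image>` makes rebuilds reproducible and lets scanners attribute the exact base. The hunk covers the whole file, so every stage boundary falls inside it.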
From: Brandon Allen
Date: Wed, 11 Mar 2026 14:26:37 -0400
Subject: [PATCH 02/10] fix: address Greptile review findings in agentex Dockerfile

- Replace blanket COPY --from=base /usr/bin with targeted copies of only the console_scripts needed at runtime (uvicorn, ddtrace-run, python3, python3.12), preventing build tools (gcc, make) from leaking into the production image
- Switch docs-builder from uv sync --group docs to uv pip install --system --group docs for deterministic builds and consistency with the rest of the Dockerfile
- Use mkdocs build directly instead of uv run mkdocs build since packages are now installed to system Python

Co-Authored-By: Claude Opus 4.6
---
 agentex/Dockerfile | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index 62b09f82..2935ac49 100644
--- a/agentex/Dockerfile
+++ b/agentex/Dockerfile
@@ -38,12 +38,12 @@ CMD ["ddtrace-run", "uvicorn", "src.api.app:app", "--host", "0.0.0.0", "--port",
 FROM base AS docs-builder
 ARG SOURCE_DIR=public/agentex
 
-# Install docs dependencies
-RUN uv sync --group docs
+# Install docs dependencies to system Python
+RUN uv pip install --system --group docs .
 
 COPY ${SOURCE_DIR}/docs/ docs/
 COPY ${SOURCE_DIR}/src/ src/
-RUN cd docs && uv run mkdocs build
+RUN cd docs && mkdocs build
 
 # Production stage
 # NOTE: -dev variant required at runtime for apk (libpq, postgresql-client needed by psycopg2)
@@ -60,9 +60,13 @@ RUN apk add --no-cache \
 
 WORKDIR /app
 
-# Copy Python packages from base stage (Chainguard installs to /usr/lib/python3.12)
+# Copy Python packages and console_scripts from base stage (Chainguard installs to /usr/lib/python3.12)
 COPY --from=base /usr/lib/python3.12 /usr/lib/python3.12
-COPY --from=base /usr/bin /usr/bin
+# Copy only the Python-installed console_scripts (e.g. uvicorn, ddtrace-run), not build tools
+COPY --from=base /usr/bin/uvicorn /usr/bin/uvicorn
+COPY --from=base /usr/bin/ddtrace-run /usr/bin/ddtrace-run
+COPY --from=base /usr/bin/python3 /usr/bin/python3
+COPY --from=base /usr/bin/python3.12 /usr/bin/python3.12
 
 # Copy application files
 COPY ${SOURCE_DIR}/pyproject.toml ${SOURCE_DIR}/README.md ./

From bb2e7d15f1c418d76ddafe362ba051f7f5971596 Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Wed, 11 Mar 2026 14:39:32 -0400
Subject: [PATCH 03/10] fix: use BASE_IMAGE arg to allow CI/local dev without ECR auth

The golden Chainguard base image requires ECR authentication which is unavailable in integration test CI (scale-agentex repo lacks the IAM role). Add configurable BASE_IMAGE ARG defaulting to golden image for production builds, with docker-compose overriding to python:3.12-alpine for local dev and CI.

Also adds bash to system deps for docker-compose command compatibility.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/integration-tests.yml | 1 +
 agentex/Dockerfile                      | 7 +++++--
 agentex/docker-compose.yml              | 4 ++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 667bf333..6554f43c 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -3,6 +3,7 @@ name: Run Agentex Integration Tests
 permissions:
   contents: read
   packages: read
+  id-token: write
 
 on:
   pull_request:
diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index 2935ac49..bc7857c1 100644
--- a/agentex/Dockerfile
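Review bot: `COPY --from=base /usr/bin/python3` and `/usr/bin/python3.12` overwrite the interpreter that the production stage's own base image already provides; with both stages on the same image the copies are no-ops, and if the two FROM lines ever diverge they would pair a foreign binary with this stage's shared libraries, so drop those two lines and keep only the uv-installed entry points. Because that list is now hand-maintained, a script that a dependency adds later would be missed silently; a smoke check right after the copies — `RUN python3 -c "import uvicorn, ddtrace" && uvicorn --version` — turns that into a build failure instead of a container-start failure. The production stage continues past the end of the hunk.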
+++ b/agentex/Dockerfile
@@ -1,4 +1,5 @@
-FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev AS base
+ARG BASE_IMAGE=022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev
+FROM ${BASE_IMAGE} AS base
 ARG SOURCE_DIR=public/agentex
 
 # Install uv package manager
@@ -7,6 +8,7 @@ COPY --from=ghcr.io/astral-sh/uv:0.6.9 /uv /uvx /bin/
 # Install system dependencies
 USER root
 RUN apk add --no-cache \
+    bash \
     curl \
     postgresql-client \
     build-base \
@@ -47,7 +49,8 @@ RUN cd docs && mkdocs build
 
 # Production stage
 # NOTE: -dev variant required at runtime for apk (libpq, postgresql-client needed by psycopg2)
-FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev AS production
+ARG BASE_IMAGE=022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev
+FROM ${BASE_IMAGE} AS production
 ENTRYPOINT []
 ARG INCLUDE_DOCS=false
 ARG SOURCE_DIR=public/agentex
diff --git a/agentex/docker-compose.yml b/agentex/docker-compose.yml
index da5d73d9..0025d909 100644
--- a/agentex/docker-compose.yml
+++ b/agentex/docker-compose.yml
@@ -154,6 +154,8 @@ services:
       context: ..
       dockerfile: agentex/Dockerfile
       target: dev
+      args:
+        BASE_IMAGE: python:3.12-alpine
     environment:
       - ENVIRONMENT=development
       - UVICORN_PORT=5003
@@ -215,6 +217,8 @@ services:
       context: ..
       dockerfile: agentex/Dockerfile
       target: dev
+      args:
+        BASE_IMAGE: python:3.12-alpine
     environment:
       - ENVIRONMENT=development
       - DATABASE_URL=postgresql://postgres:postgres@agentex-postgres:5432/agentex

From d640f02c7987818464744e43ab9adcfb64013509 Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Wed, 11 Mar 2026 14:42:44 -0400
Subject: [PATCH 04/10] fix: add ECR auth to integration tests for golden base images

Revert the BASE_IMAGE workaround and instead properly authenticate with ECR in CI. Adds AWS credentials config (github-action-agentex role) and egp-prod ECR login to integration-tests.yml so docker compose can pull golden Chainguard base images.

Requires Terracode-Infra change to add scaleapi/scale-agentex:* to the github-action-agentex IAM role OIDC subjects.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/integration-tests.yml | 11 +++++++++++
 agentex/Dockerfile                      |  6 ++----
 agentex/docker-compose.yml              |  4 ----
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 6554f43c..6f09a894 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -171,6 +171,17 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Configure AWS credentials for ECR access
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::307185671274:role/github-action-agentex
+          aws-region: us-west-2
+
+      - name: Login to egp-prod ECR for golden base images
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registries: "022465994601"
+
       - name: Pull agent image
         run: |
           echo "🐳 Pulling agent image: ${{ matrix.agent.image }}"
diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index bc7857c1..8c10509c 100644
--- a/agentex/Dockerfile
+++ b/agentex/Dockerfile
@@ -1,5 +1,4 @@
-ARG BASE_IMAGE=022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev
-FROM ${BASE_IMAGE} AS base
+FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev AS base
 ARG SOURCE_DIR=public/agentex
 
 # Install uv package manager
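Review bot: Both new steps reference third-party actions by mutable tags (`aws-actions/configure-aws-credentials@v4`, `aws-actions/amazon-ecr-login@v2`) in a job that obtains AWS credentials through OIDC role assumption; pinning them to a full commit SHA, `uses: aws-actions/configure-aws-credentials@<full commit sha>  # v4` and likewise for the login action, stops a moved or compromised tag from executing with the assumed role. GitHub does not issue an OIDC token to `pull_request` runs from forks even when `id-token: write` is granted, so if this workflow's `pull_request` trigger (seen in an earlier hunk of the series) accepts fork PRs, the credentials step will fail there; an explicit `if:` on the head repository would make that behaviour deliberate rather than a red run. The enclosing `steps:` list starts above the hunk.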
@@ -49,8 +48,7 @@ RUN cd docs && mkdocs build
 
 # Production stage
 # NOTE: -dev variant required at runtime for apk (libpq, postgresql-client needed by psycopg2)
-ARG BASE_IMAGE=022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev
-FROM ${BASE_IMAGE} AS production
+FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev AS production
 ENTRYPOINT []
 ARG INCLUDE_DOCS=false
 ARG SOURCE_DIR=public/agentex
diff --git a/agentex/docker-compose.yml b/agentex/docker-compose.yml
index 0025d909..da5d73d9 100644
--- a/agentex/docker-compose.yml
+++ b/agentex/docker-compose.yml
@@ -154,8 +154,6 @@ services:
       context: ..
       dockerfile: agentex/Dockerfile
       target: dev
-      args:
-        BASE_IMAGE: python:3.12-alpine
     environment:
       - ENVIRONMENT=development
       - UVICORN_PORT=5003
@@ -217,8 +215,6 @@ services:
       context: ..
       dockerfile: agentex/Dockerfile
       target: dev
-      args:
-        BASE_IMAGE: python:3.12-alpine
     environment:
       - ENVIRONMENT=development
       - DATABASE_URL=postgresql://postgres:postgres@agentex-postgres:5432/agentex

From 5c16e67821e538e2241225506083bbbc90324b5b Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Wed, 11 Mar 2026 14:45:47 -0400
Subject: [PATCH 05/10] fix: use uv sync instead of uv pip install for dependency groups

uv pip install does not support --group flag. Revert to uv sync (matching original Dockerfile) with UV_PROJECT_ENVIRONMENT=/usr for Chainguard's Python prefix.

Addresses Greptile findings #3 and #4.

Co-Authored-By: Claude Opus 4.6
---
 agentex/Dockerfile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index 8c10509c..e86a2827 100644
--- a/agentex/Dockerfile
+++ b/agentex/Dockerfile
@@ -20,15 +20,16 @@ WORKDIR /app
 # Copy dependency management files
 COPY ${SOURCE_DIR}/pyproject.toml ${SOURCE_DIR}/README.md ./
 
-# Install core dependencies directly to system Python
-RUN uv pip install --system -e .
+# Install core dependencies to system Python (Chainguard prefix is /usr)
+ENV UV_PROJECT_ENVIRONMENT=/usr
+RUN uv sync
 
 # Development stage (for docker-compose)
 FROM base AS dev
 ARG SOURCE_DIR=public/agentex
 
 # Install dev dependencies to system Python
-RUN uv pip install --system --group dev .
+RUN uv sync --group dev
 
 COPY ${SOURCE_DIR}/src/ ./src/
 EXPOSE 5003
@@ -40,7 +41,7 @@ FROM base AS docs-builder
 ARG SOURCE_DIR=public/agentex
 
 # Install docs dependencies to system Python
-RUN uv pip install --system --group docs .
+RUN uv sync --group docs
 
 COPY ${SOURCE_DIR}/docs/ docs/
 COPY ${SOURCE_DIR}/src/ src/

From ba9f09482507dfe10a1a731b5fb954be7ca24a8d Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Wed, 11 Mar 2026 15:23:08 -0400
Subject: [PATCH 06/10] sec: use minimal ECR read-only role for golden image pulls

Switch from the overprivileged github-action-agentex role to the new github-action-scale-agentex-ecr-read role which only grants ECR read access to golden/* repos.

Addresses Greptile review finding about excessive permissions for a public repository.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/integration-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 6f09a894..a9cc53ad 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -174,7 +174,7 @@ jobs:
       - name: Configure AWS credentials for ECR access
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::307185671274:role/github-action-agentex
+          role-to-assume: arn:aws:iam::307185671274:role/github-action-scale-agentex-ecr-read
           aws-region: us-west-2
 
       - name: Login to egp-prod ECR for golden base images
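Review bot: `RUN uv sync` resolves the dependency set at build time from `pyproject.toml` alone — the COPY two lines above brings in only `pyproject.toml` and `README.md`, no `uv.lock` — so two builds of the same commit can install different versions, which works against the reproducibility the golden-image migration is after. If the project keeps a `uv.lock` (not visible in this hunk), copy it alongside pyproject.toml and use `RUN uv sync --frozen`, with the same flag on the `--group dev` line in this hunk and the `--group docs` line in the next. `ENV UV_PROJECT_ENVIRONMENT=/usr` is a build-time setting that now persists into the dev image's runtime environment; prefixing each `uv sync` invocation with `UV_PROJECT_ENVIRONMENT=/usr` instead keeps it out of the image while still applying in every stage that runs the sync.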
From ae2eb160842215e2121df53fb06a8bd4fbc8833f Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Thu, 12 Mar 2026 11:55:56 -0400
Subject: [PATCH 07/10] fix: set SOURCE_DIR build arg in docker-compose for golden image compatibility

The Dockerfile defaults SOURCE_DIR=public/agentex (for CI builds from repo root), but docker-compose builds from the scale-agentex repo root where the path is agentex/. Override the arg so integration tests can find source files.

Co-Authored-By: Claude Opus 4.6
---
 agentex/docker-compose.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/agentex/docker-compose.yml b/agentex/docker-compose.yml
index da5d73d9..b3a935b3 100644
--- a/agentex/docker-compose.yml
+++ b/agentex/docker-compose.yml
@@ -154,6 +154,8 @@ services:
       context: ..
       dockerfile: agentex/Dockerfile
       target: dev
+      args:
+        SOURCE_DIR: agentex
     environment:
       - ENVIRONMENT=development
       - UVICORN_PORT=5003
@@ -215,6 +217,8 @@ services:
       context: ..
       dockerfile: agentex/Dockerfile
       target: dev
+      args:
+        SOURCE_DIR: agentex
     environment:
       - ENVIRONMENT=development
       - DATABASE_URL=postgresql://postgres:postgres@agentex-postgres:5432/agentex

From cbf1edb8e6c433c55fd1ef693963043ac4ae0070 Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Thu, 12 Mar 2026 12:02:19 -0400
Subject: [PATCH 08/10] fix: clear ENTRYPOINT on dev stage for Chainguard compatibility

Chainguard Python images set ENTRYPOINT ["python"], so docker-compose commands like `bash -c "..."` get interpreted as `python bash -c "..."`. Clear the entrypoint on the dev stage so shell commands work correctly.

Co-Authored-By: Claude Opus 4.6
---
 agentex/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index e86a2827..86783969 100644
--- a/agentex/Dockerfile
+++ b/agentex/Dockerfile
@@ -26,6 +26,7 @@ RUN uv sync
 
 # Development stage (for docker-compose)
 FROM base AS dev
+ENTRYPOINT []
 ARG SOURCE_DIR=public/agentex
 
 # Install dev dependencies to system Python
From bdff780016a5d4245ea8cdfd5631dd76a7637021 Mon Sep 17 00:00:00 2001
From: Brandon Allen
Date: Thu, 12 Mar 2026 12:11:09 -0400
Subject: [PATCH 09/10] fix: remove busybox and scope id-token to job level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove busybox from base stage apk install — Chainguard deliberately excludes it to minimize attack surface; bash alone is sufficient
- Move id-token: write from workflow-level to run-integration-tests job only, following principle of least privilege (Greptile review)

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/integration-tests.yml | 5 ++++-
 agentex/Dockerfile                      | 3 +--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index a9cc53ad..61c6b045 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -3,7 +3,6 @@ name: Run Agentex Integration Tests
 permissions:
   contents: read
   packages: read
-  id-token: write
 
 on:
   pull_request:
@@ -154,6 +153,10 @@ jobs:
     name: "Run Integration Tests - ${{ matrix.agent.agent_name }}"
     runs-on: ubuntu-latest
     needs: discover-agent-images
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
     strategy:
       fail-fast: false  # Continue testing other agents even if one fails
       matrix:
diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index 86783969..598668f8 100644
--- a/agentex/Dockerfile
+++ b/agentex/Dockerfile
@@ -12,8 +12,7 @@ RUN apk add --no-cache \
     postgresql-client \
     build-base \
     libpq \
-    gcc \
-    busybox
+    gcc
 
 WORKDIR /app
 

From 88218f610be8f0736cbb211380f325dda29b5161 Mon Sep 17 00:00:00 2001
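Review bot: After dropping `busybox`, the base-stage list still names `gcc` next to `build-base`; on both Alpine and Wolfi `build-base` is a meta-package whose dependencies already include gcc (along with make, binutils and the libc headers), so the `gcc` entry is redundant and the list can end at `libpq`. None of the entries carries a version, so a rebuild of the same commit may pull a different toolchain; `pkg=<version>` pins, or reliance on a digest-pinned base image, make the layer reproducible. The `RUN apk add` instruction begins above the hunk.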
From: Brandon Allen
Date: Thu, 12 Mar 2026 12:44:29 -0400
Subject: [PATCH 10/10] fix: exclude dev dependencies from production image

Use `uv sync --no-dev` in base stage so dev-only packages (test runners, linters, debug tools) don't leak into production via the COPY --from=base of /usr/lib/python3.12. Dev stage still gets them via `uv sync --group dev`.

Co-Authored-By: Claude Opus 4.6
---
 agentex/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/agentex/Dockerfile b/agentex/Dockerfile
index 598668f8..ea3e8d5b 100644
--- a/agentex/Dockerfile
+++ b/agentex/Dockerfile
@@ -21,7 +21,7 @@ COPY ${SOURCE_DIR}/pyproject.toml ${SOURCE_DIR}/README.md ./
 
 # Install core dependencies to system Python (Chainguard prefix is /usr)
 ENV UV_PROJECT_ENVIRONMENT=/usr
-RUN uv sync
+RUN uv sync --no-dev
 
 # Development stage (for docker-compose)
 FROM base AS dev
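Review bot: `uv sync --no-dev` keeps the dev group out of the `/usr/lib/python3.12` tree the production stage later copies, but `uv sync` installs the project itself in editable mode by default, so that tree presumably also carries an editable shim (a `.pth` or import hook) pointing back at `/app` rather than the package files; the production image works only because it recreates `/app` with the same layout. `RUN uv sync --no-dev --no-editable` makes the copied site-packages self-contained, assuming nothing relies on the editable link (the dev stage can keep the default). The dev stage just below the hunk re-enables the group with `uv sync --group dev`, which is consistent with this change.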