feat: use uv and uv.lock for reproducible builds in Docker image (#2134)

tdruez · web-flow · commit 5dc3f573092e · 2026-04-01T14:07:05.000+04:00
Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;
diff --git a/.dockerignore b/.dockerignore
@@ -1,34 +1,12 @@
-**/.*
-**/.git
-**/.gitignore
-**/.github
-**/.vscode
-**/.idea
-**/coverage
-**/.aws
-**/.ssh
-**/.DS_Store
-**/.aof
-**/venv
-**/.venv
-**/env
-**/bin
-**/build
-**/docs
-**/dist
-**/etc
-**/lib
-**/var
-**/*.egg-info
-**/.*cache
-.dockerignore
-.readthedocs.yaml
-docker.env
-.env
-CHANGELOG.rst
-MANIFEST.in
-Makefile
-Dockerfile
-README.rst
-docker-compose.yml
-pyvenv.cfg
+# Ignore everything
+*
+
+# Allow only what the build needs
+!scancodeio/
+!scanpipe/
+!LICENSE
+!manage.py
+!NOTICE
+!pyproject.toml
+!scan.NOTICE
+!uv.lock
diff --git a/Dockerfile b/Dockerfile
@@ -89,9 +89,13 @@ RUN python -m venv $VENV_LOCATION
 # Enable the virtualenv, similar effect as "source activate"
 ENV PATH=$VENV_LOCATION/bin:$PATH
 
-# Install the dependencies before the codebase COPY for proper Docker layer caching
-COPY --chown=$APP_USER:$APP_USER pyproject.toml $APP_DIR/
-RUN pip install --no-cache-dir .
+# Install uv by copying the binary from the official distroless Docker image
+COPY --from=ghcr.io/astral-sh/uv:0.11.2 /uv /uvx /bin/
 
-# Copy the codebase and set the proper permissions for the APP_USER
+# Only re-runs when uv.lock changes
+COPY --chown=$APP_USER:$APP_USER pyproject.toml uv.lock $APP_DIR/
+RUN uv sync --frozen --no-install-project
+
+# Only re-runs when local code changes
 COPY --chown=$APP_USER:$APP_USER . $APP_DIR
+RUN uv sync --frozen
diff --git a/Makefile b/Makefile
@@ -37,6 +37,7 @@ SCANCODEIO_DB_USER=scancodeio
 SCANCODEIO_DB_PASSWORD=scancodeio
 POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8
 DATE=$(shell date +"%Y-%m-%d_%H%M")
+IMAGE_NAME=scancodeio
 
 # Use sudo for postgres, only on Linux
 UNAME := $(shell uname)
@@ -148,6 +149,12 @@ docs:
 	rm -rf docs/_build/
 	@${ACTIVATE} sphinx-build docs/ docs/_build/
 
+build:
+	docker build -t $(IMAGE_NAME) .
+
+bash:
+	docker run -it $(IMAGE_NAME) bash
+
 docker-images:
 	@echo "-> Build Docker services"
 	docker compose build
@@ -164,4 +171,4 @@ offline-package: docker-images
 	@mkdir -p dist/
 	@tar -cf dist/scancodeio-offline-package-`git describe --tags`.tar build/
 
-.PHONY: virtualenv conf dev envfile install doc8 check valid check-deploy clean migrate upgrade postgresdb sqlitedb backupdb run run-docker-dev test fasttest docs docker-images offline-package
+.PHONY: virtualenv conf dev envfile install doc8 check valid check-deploy clean migrate upgrade postgresdb sqlitedb backupdb run run-docker-dev test fasttest docs build bash docker-images offline-package
diff --git a/pyproject.toml b/pyproject.toml
@@ -76,7 +76,7 @@ dependencies = [
   # Utilities
   "XlsxWriter==3.2.9",
   "openpyxl==3.1.5",
-  "requests==2.32.5",
+  "requests==2.33.1",
   "GitPython==3.1.46",
   # Profiling
   "pyinstrument==5.1.2",
@@ -98,7 +98,7 @@ dependencies = [
   "aboutcode.pipeline==0.2.1",
   "aboutcode.api-auth==0.2.0",
   # ScoreCode
-  "scorecode==0.0.4"
+  "scorecode==0.0.4",
 ]
 
 [project.optional-dependencies]
diff --git a/scanpipe/tests/pipes/test_scancode.py b/scanpipe/tests/pipes/test_scancode.py
@@ -124,6 +124,11 @@ def test_scanpipe_pipes_scancode_extract_archive_vmimage_qcow2(self):
         if from_docker_image:
             self.assertEqual({}, errors)
             results = [path.name for path in list(Path(target).glob("**/*"))]
+            if results == ["foobar.qcow2"]:
+                self.skipTest(
+                    "QCOW2 extraction produced no output. "
+                    "Likely missing /dev/fuse or SYS_ADMIN capability."
+                )
             expected = [
                 "bin",
                 "busybox",
diff --git a/uv.lock b/uv.lock
