Skip to content

Docker image refactor #229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
grillazz merged 3 commits into from
Dec 18, 2025
Merged

Docker image refactor #229

grillazz merged 3 commits into from
Dec 18, 2025
+160 −127

Conversation

@grillazz
Copy link
Owner

@grillazz grillazz commented Dec 16, 2025

No description provided.

@grillazz grillazz requested a review from Copilot December 16, 2025 13:19
@grillazz grillazz self-assigned this Dec 16, 2025
Copilot AI reviewed Dec 16, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the Docker configuration and updates multiple Python dependencies. The changes improve reproducibility by pinning specific versions of the Python base image and the uv package manager, while also updating various dependencies to their latest versions.

Key changes:

  • Docker base image pinned to specific version with Debian codename (python:3.14.0-slim-trixie)
  • UV package manager pinned to version 0.9.17 instead of using :latest
  • Multiple dependency updates including FastAPI, SQLAlchemy, Pydantic, and development tools

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File Description
Dockerfile Pins Python base image to 3.14.0-slim-trixie and uv to version 0.9.17 for improved reproducibility
pyproject.toml Updates project version to 1.24.0 and bumps multiple dependency versions
uv.lock Regenerated lock file with updated dependency versions and metadata

Critical Issues Found: The uv.lock file contains numerous upload-time entries with dates in the future (ranging from November 2025 to December 2025). These dates are impossible as they haven't occurred yet relative to the January 2025 knowledge cutoff. This suggests the lock file may have been generated with incorrect system time or contains corrupted metadata that should be regenerated.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Dockerfile
ca-certificates

COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
COPY --from=ghcr.io/astral-sh/uv:0.9.17 /uv /uvx /bin/
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The COPY --from=ghcr.io/astral-sh/uv:0.9.17 /uv /uvx /bin/ line pulls and executes tooling from a third‑party container image referenced only by a mutable tag, which leaves the build and final image vulnerable if that tag is ever replaced with a malicious image. An attacker who compromises the ghcr.io/astral-sh/uv registry or the tag itself could ship a backdoored uv binary that runs during uv sync, altering dependencies or embedding malware into the application image. To harden the supply chain, reference this image by an immutable digest (or equivalent integrity-checked mechanism) rather than a mutable tag.

Copilot uses AI. Check for mistakes.
Copy link
Owner Author

@grillazz grillazz Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot open a new pull request to apply changes based on this feedback

Copilot AI mentioned this pull request Dec 18, 2025
Draft
Copy link

Copilot AI commented Dec 18, 2025

@grillazz I've opened a new pull request, #230, to work on those changes. Once the pull request is ready, I'll request review from you.

@grillazz grillazz merged commit 55c3105 into main Dec 18, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@grillazz grillazz

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@grillazz