mirror of
https://github.com/domainaware/parsedmarc.git
synced 2026-06-10 20:49:43 +00:00
b869235224
* Build multi-arch Docker images with PostgreSQL support

The prebuilt image now installs the `[postgresql]` extra, so the optional PostgreSQL output backend (psycopg) works out of the box in the container without a separate `pip install` (#792). The wheel path is resolved into a variable before appending the extra so the shell doesn't treat `*.whl[postgresql]` as a bracket glob.

The build workflow now sets up QEMU + Buildx and builds a multi-arch manifest for `linux/amd64` and `linux/arm64`, so the image runs natively on 64-bit ARM hosts such as a Raspberry Pi (#789). Every compiled dependency (psycopg[binary], lxml, maxminddb, cryptography) ships prebuilt aarch64 manylinux wheels, so the arm64 build adds no source-compilation step.

A `pull_request` trigger (scoped to the build inputs) and `workflow_dispatch` are added so the multi-arch build can be validated on PRs and rebuilt on demand; pushes are still gated on the release event, so neither pushes images.

Closes #789
Closes #792

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Bump version to 10.0.4 to publish the new images

The docker workflow only pushes to the registry on a `release` event, so shipping the multi-arch + PostgreSQL-enabled image requires cutting a release. 10.0.3 is already tagged, so bump to 10.0.4 and document the Docker changes in the changelog.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Don't run the docker build on pull requests

The pull_request trigger (added to validate the multi-arch build) re-ran the full ~10-minute amd64+arm64 build on every commit pushed to a docker-touching PR, because the pull_request `paths` filter matches against the PR's entire diff, not just the newest commit. That is wasteful once the build has been validated.

Drop the pull_request trigger and rely on workflow_dispatch for on-demand validation (plus the existing master-push and release triggers).

Also gate the registry login on the release event so that no non-release run authenticates to ghcr at all — a build can only ever be pushed from a published release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
43 lines
1.0 KiB
Docker
ARG BASE_IMAGE=python:3.13-slim
ARG USERNAME=parsedmarc
ARG USER_UID=1000
ARG USER_GID=$USER_UID

## build

FROM $BASE_IMAGE AS build

WORKDIR /app

RUN pip install hatch

COPY parsedmarc/ parsedmarc/
COPY README.md pyproject.toml ./

RUN hatch build

## image

FROM $BASE_IMAGE
ARG USERNAME
ARG USER_UID
ARG USER_GID

COPY --from=build /app/dist/*.whl /tmp/dist/
RUN set -ex; \
    groupadd --gid ${USER_GID} ${USERNAME}; \
    useradd --uid ${USER_UID} --gid ${USER_GID} -m ${USERNAME}; \
    # Install the wheel with the [postgresql] extra so the prebuilt image
    # ships the PostgreSQL output backend (psycopg). Resolve the globbed wheel
    # path into a variable first: `*.whl[postgresql]` would otherwise be parsed
    # as a shell bracket glob rather than a pip extras spec. psycopg[binary]
    # has prebuilt manylinux wheels for both amd64 and arm64, so this adds no
    # source-build step on either platform.
    whl="$(ls /tmp/dist/*.whl)"; \
    pip install "${whl}[postgresql]"; \
    rm -rf /tmp/dist

USER $USERNAME

ENTRYPOINT ["parsedmarc"]
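
The bracket-glob pitfall named in the Dockerfile comment, shown as an added example that is not part of the parsedmarc repository. The helper names (`expand_unquoted`, `wheel_spec`, `demo`) are hypothetical and the wheel file name is constructed; `wheel_spec` goes one step beyond the Dockerfile by refusing to proceed unless exactly one wheel is present.

```shell
#!/bin/sh
# Added example, not project code. File names below are constructed.

# Print each word the shell produces when PATTERN ($2) is used unquoted
# as a command argument inside DIR ($1).
expand_unquoted() {
    ( cd "$1" && for word in $2; do printf '%s\n' "$word"; done )
}

# Resolve exactly one wheel in DIR ($1), then append the extras name ($2)
# as literal text. Returns non-zero when zero or several wheels match, so
# a stale or unexpected artifact cannot slip into the install step.
wheel_spec() {
    dir=$1
    extra=$2
    set -- "$dir"/*.whl              # glob only the wheel, no brackets yet
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        return 1
    fi
    printf '%s[%s]\n' "$1" "$extra"  # brackets added after expansion
}

demo() {
    tmp=$(mktemp -d)
    : > "$tmp/parsedmarc-0.0.0-py3-none-any.whl"   # constructed wheel name
    echo "unquoted glob with extra appended:"
    # [postgresql] is read as a one-character set, so the real wheel
    # (which ends in ".whl") does not match and the pattern stays literal.
    expand_unquoted "$tmp" '*.whl[postgresql]'
    echo "wheel resolved first, extra appended as text:"
    wheel_spec "$tmp" postgresql
    rm -rf "$tmp"
}
demo
```
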