feat: enable image builds for ci

.dockerignore

@@ -0,0 +1,6 @@
+.git
+__pycache__
+*.pyc
+*.pyo
+tests/
+docs/

.github/workflows/image-build.yml

@@ -0,0 +1,33 @@
+# Attempt to build (but not push) the Docker image on Pull Requests
+name: Image build
+on:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - "**.md"
+      - "docs/**"
+      - "static/**"
+      - "LICENSE"
+permissions:
+  contents: read
+jobs:
+  docker-image:
+    name: Check docker image build
+    runs-on: codegate-pipeline
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
+      - name: Test build on x86
+        id: docker_build
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: false # Only attempt to build, to verify the Dockerfile is working
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/image-publish.yml

@@ -0,0 +1,75 @@
+# Post-submit and daily build and publish of the Helm chart and Docker container
+# This is a separate workflow than image-build.yml because image-build.yml is
+# run in the PR context, and those runs aren't allowed package:write permissions if
+# the source is a fork (GitHub errors and invalidates the entire workflow if you try).
+
+name: Publish Docker Image
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    # Once weekly on fridays at noon
+    - cron: '00 12 * * 5'
+  # Allow for manually triggering the workflow
+  workflow_dispatch:
+jobs:
+  build-image:
+    name: Build Docker image
+    runs-on: codegate-pipeline
+    permissions:
+      contents: read
+      packages: write
+    env:
+      BASE_REPO: "ghcr.io/stacklok"
+      CODEGATE_SERVER_IMAGE: "ghcr.io/stacklok/codegate"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: Set up QEMU for cross-platform builds
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
+      - name: Compute version number
+        id: version-string
+        run: |
+          DATE="$(date +%Y%m%d)"
+          COMMIT="$(git rev-parse --short HEAD)"
+          echo "tag=0.$DATE.$GITHUB_RUN_NUMBER+ref.$COMMIT" >> "$GITHUB_OUTPUT"
+      - name: Login to GHCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set container metadata
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
+        id: docker-metadata
+        with:
+          images: ${{ env.CODEGATE_SERVER_IMAGE }}
+          labels: |
+            org.opencontainers.image.source=${{ github.repositoryUrl }}
+            org.opencontainers.image.description="This is a container for the Stacklok Codegate server"
+            org.opencontainers.image.title="Stacklok Codegate Server"
+            org.opencontainers.image.vendor="Stacklok Inc."
+            org.opencontainers.image.version=${{ github.sha }}
+          flavor: |
+            latest=true
+          # Even if tags are floating, it's handy and user-friendly to have a
+          # matching tag for each build. This way, we can search for the digest
+          # and verify that it's the same as the digest in the Helm chart.
+          tags: |
+            type=raw,value=${{ steps.version-string.outputs.tag }}
+      - name: Build image
+        id: image-build
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          file: ./Dockerfile
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          labels: ${{ steps.docker-metadata.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+

Dockerfile

@@ -1,25 +1,17 @@
 # Builder stage: Install dependencies and build the application
-FROM python:3.13-slim AS builder
+FROM python:3.12-slim AS builder
 
 # Install system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
     gcc \
     g++ \
     && rm -rf /var/lib/apt/lists/*
 
-# Set environment variable to ensure Python modules are installed in the correct location
-ENV PYTHONPATH=/app
-
 # Install Poetry
-RUN pip install poetry==1.8.4
-
-# Create a non-root user and switch to it
-RUN adduser --system --no-create-home codegate --uid 1000
+RUN pip install poetry==1.8.4 && rm -rf /root/.cache/pip
 
 # Set the working directory
 WORKDIR /app
-
-# Copy only the files needed for installing dependencies
 COPY pyproject.toml poetry.lock* /app/
 
 # Configure Poetry and install dependencies
@@ -30,7 +22,7 @@ RUN poetry config virtualenvs.create false && \
 COPY . /app
 
 # Runtime stage: Create the final lightweight image
-FROM python:3.13-slim AS runtime
+FROM python:3.12-slim AS runtime
 
 # Install runtime system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -40,14 +32,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # Create a non-root user and switch to it
 RUN adduser --system --no-create-home codegate --uid 1000
 USER codegate
+WORKDIR /app
 
 # Copy necessary artifacts from the builder stage
 COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
 COPY --from=builder /app /app
 
-# Set the working directory
-WORKDIR /app
-
 # Set the PYTHONPATH environment variable
 ENV PYTHONPATH=/app/src
 
@@ -56,5 +46,4 @@ VOLUME ["/app/weaviate_data"]
 
 # Set the container's default entrypoint
 EXPOSE 8989
-#ENTRYPOINT ["python", "-m", "src.codegate.cli", "serve", "--port", "8989", "--host", "0.0.0.0"]
-CMD ["python", "-m", "src.codegate.cli", "serve", "--port", "8989", "--host", "0.0.0.0"]
+ENTRYPOINT ["python", "-m", "src.codegate.cli", "serve", "--port", "8989", "--host", "0.0.0.0"]