From ca0a35fcefba851bd60c98274a8588902620af79 Mon Sep 17 00:00:00 2001
From: Jennifer Power
Date: Tue, 27 Jun 2023 18:01:24 -0400
Subject: [PATCH 1/2] chore: updates Dockerfile to comply with GitHub actions guidelines
Signed-off-by: Jennifer Power
---
Dockerfile | 85 ++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 60 insertions(+), 25 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2f118467..0ceb6f8c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,33 +1,68 @@
-FROM registry.access.redhat.com/ubi8/python-38:1
+FROM python:3.8.1-slim as python-base
-ENV POETRY_NO_INTERACTION=1
+ENV PYTHONUNBUFFERED=1 \
+ # prevents python creating .pyc files
+ PYTHONDONTWRITEBYTECODE=1 \
+ \
+ # pip
+ PIP_NO_CACHE_DIR=off \
+ PIP_DISABLE_PIP_VERSION_CHECK=on \
+ PIP_DEFAULT_TIMEOUT=100 \
+ \
+ # poetry
+ # https://python-poetry.org/docs/configuration/#using-environment-variables
+ POETRY_VERSION=1.5.1 \
+ # make poetry install to this location
+ POETRY_HOME="/opt/poetry" \
+ # make poetry create the virtual environment in the project's root
+ # it gets named `.venv`
+ POETRY_VIRTUALENVS_IN_PROJECT=true \
+ # do not ask any interactive question
+ POETRY_NO_INTERACTION=1 \
+ \
+ # paths
+ # this is where our requirements + virtual environment will live
+ PYSETUP_PATH="/trestle-bot" \
+ VENV_PATH="/trestle-bot/.venv"
-COPY ./ /trestle-bot
-WORKDIR /trestle-bot
+# prepend poetry and venv to path
+ENV PATH="$POETRY_HOME/bin:$VENV_PATH/bin:$PATH"
-USER root
+FROM python-base as dependencies
+RUN apt-get update \
+ && apt-get install --no-install-recommends -y \
+ # deps for building python deps
+ build-essential
-# Install dependencies
-RUN python3.8 -m pip install --no-cache-dir --upgrade pipx \
- && pipx install poetry==1.5.1 \
- && poetry config virtualenvs.create false \
- && poetry install --without tests,dev
+# install poetry - respects $POETRY_VERSION & $POETRY_HOME
+RUN python3.8 -m pip install --upgrade pip \
+ && pip install poetry=="$POETRY_VERSION"
-RUN chown -HR 1001:1001 /trestle-bot \
- && chown -HR 1001:1001 /opt/app-root/src/
+# Cache runtime deps
+WORKDIR $PYSETUP_PATH
+COPY ./ $PYSETUP
-USER 1001
+RUN poetry install --without tests,dev
-ENTRYPOINT poetry run trestle-bot \
- --markdown-path="${MARKDOWN_PATH}" \
- --assemble-model="${ASSEMBLE_MODEL}" \
- --ssp-index-path="${SSP_INDEX_PATH}" \
- --commit-message="${COMMIT_MESSAGE}" \
- --branch="${BRANCH}" \
- --patterns="${PATTERNS}" \
- --committer-name="${COMMIT_USER_NAME}" \
- --committer-email="${COMMIT_USER_EMAIL}" \
- --author-name="${AUTHOR_NAME}" \
- --author-email="${AUTHOR_EMAIL}" \
- --working-dir="${WORKING_DIR}"
+# final image
+FROM python-base as final
+
+COPY --from=dependencies $PYSETUP_PATH $PYSETUP_PATH
+
+RUN apt-get update \
+ && apt-get install --no-install-recommends -y git
+
+ENTRYPOINT [ "/bin/sh", "-c", "python3.8 -m trestlebot \
+ --markdown-path=${MARKDOWN_PATH} \
+ --assemble-model=${ASSEMBLE_MODEL} \
+ --ssp-index-path=${SSP_INDEX_PATH} \
+ --commit-message=${COMMIT_MESSAGE} \
+ --branch=${BRANCH} \
+ --patterns=${PATTERNS} \
+ --committer-name=${COMMIT_USER_NAME} \
+ --committer-email=${COMMIT_USER_EMAIL} \
+ --author-name=${AUTHOR_NAME} \
+ --author-email=${AUTHOR_EMAIL} \
+ --working-dir=${WORKING_DIR}" ]
+
From 4f340f87f4e22e77ba6cb0cc8d32007a4d75c86e Mon Sep 17 00:00:00 2001
From: Jennifer Power
Date: Tue, 27 Jun 2023 19:00:39 -0400
Subject: [PATCH 2/2] chore: adds linting fixes from KICS
Signed-off-by: Jennifer Power
---
Dockerfile | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0ceb6f8c..17fd6408 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,4 @@
+# kics-scan disable=fd54f200-402c-4333-a5a4-36ef6709af2f,b03a748a-542d-44f4-bb86-9199ab4fd2d5
 FROM python:3.8.1-slim as python-base
 ENV PYTHONUNBUFFERED=1 \
@@ -5,7 +6,6 @@ ENV PYTHONUNBUFFERED=1 \
 PYTHONDONTWRITEBYTECODE=1 \
 \
 # pip
- PIP_NO_CACHE_DIR=off \
 PIP_DISABLE_PIP_VERSION_CHECK=on \
 PIP_DEFAULT_TIMEOUT=100 \
 \
@@ -36,8 +36,8 @@ RUN apt-get update \
 build-essential
 # install poetry - respects $POETRY_VERSION & $POETRY_HOME
-RUN python3.8 -m pip install --upgrade pip \
- && pip install poetry=="$POETRY_VERSION"
+RUN python3.8 -m pip install --no-cache-dir --upgrade pip \
+ && pip install --no-cache-dir poetry=="$POETRY_VERSION"
 # Cache runtime deps
 WORKDIR $PYSETUP_PATH
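Review bot: In the `@@ -1,33 +1,68 @@` hunk of patch 1/2 the rewritten ENTRYPOINT drops the double quotes the old shell form kept around every `${…}` expansion, so under `/bin/sh -c` each caller-supplied value is word-split and glob-expanded; a commit message or author name containing a space would reach trestlebot as several arguments. The exec-form array can stay if the quotes are escaped inside the string, e.g. `--commit-message=\"${COMMIT_MESSAGE}\" \` for each of the eleven options, and starting the command with `exec python3.8 -m trestlebot \` lets the Python process replace the shell and receive stop signals itself. In the dependencies stage, `COPY ./ $PYSETUP` names a variable the ENV block never sets (it defines `PYSETUP_PATH`), so the destination is presumably meant to be `COPY ./ $PYSETUP_PATH`. The new base `python:3.8.1-slim` is an early 3.8 patch release pinned by tag only; a current 3.8.x tag, ideally with a digest, would pick up later fixes.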
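Review bot: The `# kics-scan disable=…` line added in the `@@ -1,3 +1,4 @@` hunk of patch 2/2 turns off two scanner queries for the whole file by bare UUID, with nothing recording which checks they are or why they do not apply. These look like the KICS queries for a missing USER instruction and a missing HEALTHCHECK, which is worth confirming against the KICS query list. If so, the first one hides a real property of this image, since patch 1/2 removed `USER 1001` and the final stage now runs as root. A comment directly below the directive would keep that decision reviewable, for example `# Suppressed KICS queries: <query name> (<reason>), <query name> (<reason>)`.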
@@ -51,7 +51,9 @@ FROM python-base as final
 COPY --from=dependencies $PYSETUP_PATH $PYSETUP_PATH
 RUN apt-get update \
- && apt-get install --no-install-recommends -y git
+ && apt-get install --no-install-recommends -y git \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 ENTRYPOINT [ "/bin/sh", "-c", "python3.8 -m trestlebot \
 --markdown-path=${MARKDOWN_PATH} \