APP-9140 | Testing chainguard optimized image

Author: Aryamanz29

.github/workflows/pyatlan-chainguard.yaml

@@ -73,9 +73,7 @@ jobs:
             BUILD_TYPE="release"
             PYTHON_VERSION="3.13"
             PYATLAN_VERSION=$(cat pyatlan/version.txt)
-            PYATLAN_BRANCH=""
-            INSTALL_FROM_GIT="false"
-            echo "Release trigger detected - using latest versions"
+            echo "Release trigger detected - building from git tag v${PYATLAN_VERSION}"
           else
             # Manual dispatch: use provided inputs with defaults
             BUILD_TYPE="${{ github.event.inputs.build_type }}"
@@ -86,33 +84,28 @@ jobs:
             else
               PYTHON_VERSION="${{ github.event.inputs.python_version }}"
             fi
-
-            # Check if branch is provided (overrides version)
-            if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
-              PYATLAN_BRANCH="${{ github.event.inputs.pyatlan_branch }}"
-              PYATLAN_VERSION="branch-${PYATLAN_BRANCH}"
-              INSTALL_FROM_GIT="true"
-              echo "Using pyatlan branch: $PYATLAN_BRANCH"
+            
+            # Set Pyatlan version (reads from pyatlan/version.txt by default)
+            # This matches the version in the repository
+            if [ -z "${{ github.event.inputs.pyatlan_version }}" ]; then
+              PYATLAN_VERSION=$(cat pyatlan/version.txt)
+              echo "Using pyatlan version from version.txt: $PYATLAN_VERSION"
             else
-              # Set Pyatlan version (default to version.txt if empty)
-              if [ -z "${{ github.event.inputs.pyatlan_version }}" ]; then
-                PYATLAN_VERSION=$(cat pyatlan/version.txt)
-                echo "Using pyatlan version from version.txt: $PYATLAN_VERSION"
-              else
-                PYATLAN_VERSION="${{ github.event.inputs.pyatlan_version }}"
-                echo "Using specified pyatlan version: $PYATLAN_VERSION"
-              fi
-              PYATLAN_BRANCH=""
-              INSTALL_FROM_GIT="false"
+              PYATLAN_VERSION="${{ github.event.inputs.pyatlan_version }}"
+              echo "Using specified pyatlan version: $PYATLAN_VERSION"
+            fi
+            
+            # Handle branch input (if provided, will be used as commit SHA or branch name)
+            if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
+              echo "Note: Building from branch/commit: ${{ github.event.inputs.pyatlan_branch }}"
+              echo "This will use PYATLAN_COMMIT_SHA build arg"
             fi
           fi
 
           echo "BUILD_TYPE=$BUILD_TYPE" >> $GITHUB_ENV
           echo "PYTHON_VERSION=$PYTHON_VERSION" >> $GITHUB_ENV
           echo "PYATLAN_VERSION=$PYATLAN_VERSION" >> $GITHUB_ENV
-          echo "PYATLAN_BRANCH=$PYATLAN_BRANCH" >> $GITHUB_ENV
-          echo "INSTALL_FROM_GIT=$INSTALL_FROM_GIT" >> $GITHUB_ENV
-
+          
           # Set platforms based on build type
           if [ "$BUILD_TYPE" = "dev" ]; then
             PLATFORMS="linux/amd64"
@@ -129,13 +122,8 @@ jobs:
           echo "  - Trigger: ${{ github.event_name }}"
           echo "  - Build Type: $BUILD_TYPE"
           echo "  - Python Version: $PYTHON_VERSION"
-          echo "  - Pyatlan Version: $PYATLAN_VERSION"
-          if [ "$INSTALL_FROM_GIT" = "true" ]; then
-            echo "  - Pyatlan Branch: $PYATLAN_BRANCH"
-            echo "  - Install Method: Git (development build)"
-          else
-            echo "  - Install Method: PyPI (stable release)"
-          fi
+          echo "  - Pyatlan Version: $PYATLAN_VERSION (from git tag v${PYATLAN_VERSION})"
+          echo "  - Build Method: Multi-stage build from GitHub source"
           echo "  - Platforms: $PLATFORMS"
           echo "  - Commit Hash: $COMMIT_HASH"
 
@@ -159,22 +147,6 @@ jobs:
 
           echo "Generated image tag: ghcr.io/atlanhq/pyatlan-chainguard-base:$IMAGE_TAG"
 
-      - name: Wait for PyPI availability
-        if: env.INSTALL_FROM_GIT == 'false' && (github.event.inputs.pyatlan_version != '' || github.event_name == 'release')
-        uses: nick-fields/retry@v3
-        with:
-          max_attempts: 5
-          timeout_minutes: 3
-          command: |
-            echo "Checking if pyatlan==${{ env.PYATLAN_VERSION }} is available on PyPI..."
-            if pip index versions pyatlan | grep -q "${{ env.PYATLAN_VERSION }}"; then
-              echo "Package is available on PyPI!"
-              exit 0
-            else
-              echo "Package not available yet. Retrying..."
-              exit 1
-            fi
-
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
@@ -187,8 +159,7 @@ jobs:
           build-args: |
             PYTHON_VERSION=${{ env.PYTHON_VERSION }}
             PYATLAN_VERSION=${{ env.PYATLAN_VERSION }}
-            PYATLAN_BRANCH=${{ env.PYATLAN_BRANCH }}
-            INSTALL_FROM_GIT=${{ env.INSTALL_FROM_GIT }}
+            PYATLAN_COMMIT_SHA=${{ env.COMMIT_HASH }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -197,17 +168,13 @@ jobs:
           echo "## 🐳 Chainguard Docker Image Built Successfully!" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Image Details:" >> $GITHUB_STEP_SUMMARY
-          echo "- **Base Image:** Chainguard" >> $GITHUB_STEP_SUMMARY
+          echo "- **Base Image:** Chainguard pyatlan-golden:3.11" >> $GITHUB_STEP_SUMMARY
           echo "- **Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Build Type:** ${{ env.BUILD_TYPE }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Build Method:** Multi-stage from GitHub source (no PyPI)" >> $GITHUB_STEP_SUMMARY
           echo "- **Python Version:** ${{ env.PYTHON_VERSION }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Pyatlan Version:** ${{ env.PYATLAN_VERSION }}" >> $GITHUB_STEP_SUMMARY
-          if [ "${{ env.INSTALL_FROM_GIT }}" = "true" ]; then
-            echo "- **Pyatlan Branch:** ${{ env.PYATLAN_BRANCH }}" >> $GITHUB_STEP_SUMMARY
-            echo "- **Install Method:** Git (development build)" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "- **Install Method:** PyPI (stable release)" >> $GITHUB_STEP_SUMMARY
-          fi
+          echo "- **Pyatlan Version:** ${{ env.PYATLAN_VERSION }} (git tag v${{ env.PYATLAN_VERSION }})" >> $GITHUB_STEP_SUMMARY
+          echo "- **Dependencies:** Hardened from Chainguard APK + minimal pip" >> $GITHUB_STEP_SUMMARY
           echo "- **Platforms:** ${{ env.PLATFORMS }}" >> $GITHUB_STEP_SUMMARY
           if [ "${{ env.BUILD_TYPE }}" = "dev" ]; then
             echo "- **Commit Hash:** ${{ env.COMMIT_HASH }}" >> $GITHUB_STEP_SUMMARY

Dockerfile.chainguard

@@ -1,40 +1,129 @@
+# ============================================
+# Stage 1: Builder - Clone pyatlan from GitHub
+# ============================================
+FROM cgr.dev/atlan.com/pyatlan-golden:3.11 AS builder
+
+# Build arguments
+# PYATLAN_VERSION should be passed via --build-arg
+# Default to "latest" if not specified (workflow reads from version.txt)
+ARG PYATLAN_VERSION=latest
+ARG PYATLAN_COMMIT_SHA=""
+
+USER root
+WORKDIR /tmp/build
+
+# Clone pyatlan from GitHub
+RUN echo "=== Cloning pyatlan from GitHub ===" && \
+    git clone https://github.com/atlanhq/atlan-python.git /tmp/build/atlan-python
+
+# Checkout specific version or commit
+RUN cd /tmp/build/atlan-python && \
+    if [ -n "$PYATLAN_COMMIT_SHA" ]; then \
+        echo "Checking out commit: $PYATLAN_COMMIT_SHA" && \
+        git checkout "$PYATLAN_COMMIT_SHA"; \
+    elif [ "$PYATLAN_VERSION" = "latest" ]; then \
+        echo "Using latest from main branch"; \
+    else \
+        echo "Checking out version: v$PYATLAN_VERSION" && \
+        (git checkout "v$PYATLAN_VERSION" || git checkout "$PYATLAN_VERSION"); \
+    fi && \
+    echo "Commit: $(git rev-parse HEAD)" && \
+    echo "Version: $(cat pyatlan/version.txt)"
+
+# ============================================
+# Stage 2: Final - Runtime image
+# ============================================
 FROM cgr.dev/atlan.com/pyatlan-golden:3.11
 
-# Build arguments for configurable versions
+# Build arguments for labels
 ARG PYTHON_VERSION=3.11
-ARG PYATLAN_VERSION=latest
-ARG PYATLAN_BRANCH=""
-ARG INSTALL_FROM_GIT=false
+ARG PYATLAN_COMMIT_SHA=""
 
+# Copy version.txt from builder and set PYATLAN_VERSION if not provided
+COPY --from=builder /tmp/build/atlan-python/pyatlan/version.txt /tmp/version.txt
+ARG PYATLAN_VERSION
+RUN if [ -z "$PYATLAN_VERSION" ]; then \
+        PYATLAN_VERSION=$(cat /tmp/version.txt | tr -d '\n\r'); \
+    fi && \
+    echo "Using PYATLAN_VERSION: $PYATLAN_VERSION" && \
+    echo "$PYATLAN_VERSION" > /tmp/final_version.txt
+
+USER root
 WORKDIR /app
 
 # Set UV environment variables
-# REMOVE THIS WHEN https://github.com/astral-sh/uv/issues/8635 IS FIXED
 ENV UV_NO_MANAGED_PYTHON=true \
     UV_SYSTEM_PYTHON=true
 
-# Switch to root for installation
-USER root
+# Install pyatlan dependencies from Chainguard APK (hardened packages)
+RUN apk add --no-cache \
+    py3.11-pydantic=2.12.0-r0 \
+    py3.11-pydantic-core=2.41.1-r0 \
+    py3.11-jinja2=3.1.6-r1 \
+    py3.11-tenacity=9.1.2-r2 \
+    py3.11-pytz=2025.2-r2 \
+    py3.11-python-dateutil=2.9.0-r10 \
+    py3.11-pyyaml=6.0.3-r0 \
+    py3.11-httpx=0.28.1-r2
 
-# Install pyatlan - either from PyPI or git branch
-RUN echo "Installing pyatlan==$PYATLAN_VERSION from PyPI"; \
-    uv pip install --system pyatlan==$PYATLAN_VERSION;
+# Install dependencies and pyatlan in ONE layer (copy + install + cleanup)
+# This prevents Docker from keeping source files in image layers
+RUN --mount=type=bind,from=builder,source=/tmp/build/atlan-python,target=/mnt/source,readonly \
+    # Copy source to writable location
+    cp -r /mnt/source /tmp/pyatlan-source && \
+    # Install non-APK dependencies
+    uv pip install --system --no-cache \
+        lazy_loader~=0.4 \
+        nanoid~=2.0.0 \
+        httpx-retries~=0.4.0 && \
+    # Install pyatlan with --no-deps
+    cd /tmp/pyatlan-source && \
+    uv pip install --system --no-cache --no-deps . && \
+    # Cleanup everything in same layer (source + caches + bytecode)  
+    cd / && rm -rf /tmp/pyatlan-source /root/.cache ~/.cache && \
+    rm -rf /tmp/version.txt /tmp/final_version.txt && \
+    find /usr/lib/python3.11 -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null || true && \
+    find /usr/lib/python3.11 -type f -name '*.pyc' -delete 2>/dev/null || true
 
-# Add build information as labels
-RUN if [ "$INSTALL_FROM_GIT" = "true" ]; then \
-        echo "LABEL pyatlan.source=git" >> /tmp/labels && \
-        echo "LABEL pyatlan.branch=$PYATLAN_BRANCH" >> /tmp/labels; \
-    else \
-        echo "LABEL pyatlan.source=pypi" >> /tmp/labels && \
-        echo "LABEL pyatlan.version=$PYATLAN_VERSION" >> /tmp/labels; \
-    fi && \
-    echo "LABEL python.version=$PYTHON_VERSION" >> /tmp/labels
+# Verify installation and version
+RUN EXPECTED_VERSION="$(cat /tmp/final_version.txt)" python3 <<'EOF'
+import sys
+import os
+import pyatlan
+from pyatlan.client.atlan import AtlanClient
+
+expected_version = os.environ.get("EXPECTED_VERSION", "unknown")
+
+print("=== Pyatlan Installation Verification ===")
+print(f"Installed version: {pyatlan.__version__}")
+print(f"Expected version: {expected_version}")
+
+# Version validation (skip if 'latest' was requested)
+if expected_version != "latest":
+    if pyatlan.__version__ != expected_version:
+        print(f"❌ ERROR: Version mismatch!")
+        print(f"   Expected: {expected_version}")
+        print(f"   Got: {pyatlan.__version__}")
+        sys.exit(1)
+
+print("✅ Version verified")
+print("✅ AtlanClient imported successfully")
+print("=== Build verification passed ===")
+EOF
+
+# Add build metadata as labels
+LABEL python.version="${PYTHON_VERSION}"
+LABEL pyatlan.commit_sha="${PYATLAN_COMMIT_SHA}"
+# Note: pyatlan.version label should be set by passing --build-arg PYATLAN_VERSION=$(cat pyatlan/version.txt) during build
+LABEL build.method="git-multistage"
+LABEL build.source="github"
+LABEL security.approach="apk-first-no-pypi"
 
-# Switch back to nonroot user
+# Switch to nonroot user for runtime security
 USER nonroot
 
-# Default working directory for applications
+# Default working directory
 WORKDIR /app
 
-# Default command (can be overridden by extending images)
+# Default command
 CMD ["python"]

pyproject.toml

@@ -46,7 +46,6 @@ Repository = "https://github.com/atlanhq/atlan-python"
 Documentation = "https://github.com/atlanhq/atlan-python"
 Issues = "https://github.com/atlanhq/atlan-python/issues"
 
-[dependency-groups]
 dev = [
     "mypy~=1.18.0",
     "ruff~=0.14.5",