@@ -241,8 +241,6 @@ WORKDIR /app
241241ARG DEVCONTAINER=0
242242ENV DEVCONTAINER=${DEVCONTAINER}
243243
244- # Setup development environment in a single optimized layer
245- # PERFORMANCE: Single RUN command reduces layer count and build time
246244RUN set -eux; \
247245 # Conditionally install zsh for enhanced development experience
248246 # Only installs if DEVCONTAINER build arg is set to 1
@@ -253,15 +251,16 @@ RUN set -eux; \
253251 apt-get clean && \
254252 rm -rf /var/lib/apt/lists/*; \
255253 fi; \
254+ # Fix ownership of all application files for non-root user
255+ # SECURITY: Ensures the application runs with proper permissions
256+ COPY --from=build --chown=nonroot:nonroot /app /app
257+
258+ RUN set -eux; \
256259 # Create application cache and temporary directories
257260 # These directories are used by the bot for caching and temporary files
258261 mkdir -p /app/.cache/tldr /app/temp; \
259262 # Create user cache directories (fixes permission issues for Prisma/npm)
260263 mkdir -p /home/nonroot/.cache /home/nonroot/.npm; \
261- # Fix ownership of all application files for non-root user
262- # SECURITY: Ensures the application runs with proper permissions
263- chown -R nonroot:nonroot /app /home/nonroot/.cache /home/nonroot/.npm
264-
265264# Switch to non-root user for all subsequent operations
266265# SECURITY: Follows principle of least privilege
267266USER nonroot
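Review bot: The `fi; \` that closes the conditional in the first RUN still ends with a line continuation, and the Dockerfile parser drops comment lines before joining continued lines, so the new `COPY --from=build --chown=nonroot:nonroot /app /app` (and, past the blank line, the following `RUN set -eux; \` / `mkdir` lines) is likely folded into that RUN's shell command, where `COPY` is not a command and `set -e` will abort the build; removing the trailing backslash so the line reads `fi` ends the instruction there. Separately, the second RUN now creates `/app/.cache/tldr`, `/app/temp`, `/home/nonroot/.cache` and `/home/nonroot/.npm` as root and nothing replaces the removed `chown -R nonroot:nonroot ...`, so after `USER nonroot` the runtime user cannot write into them — `COPY --chown` only covers what was copied from the build stage, not directories created afterwards. Appending `chown nonroot:nonroot /app/.cache /app/.cache/tldr /app/temp /home/nonroot/.cache /home/nonroot/.npm` to that RUN restores the previous behavior while keeping ownership limited to exactly those paths.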
@@ -368,67 +367,50 @@ COPY --from=build --chown=nonroot:nonroot /app/VERSION /app/VERSION
368367RUN ln -sf /app/.venv/bin/python /usr/local/bin/python && \
369368 ln -sf /app/.venv/bin/tux /usr/local/bin/tux
370369
371- # Setup directories and permissions before Prisma setup
372- # SECURITY: Ensures proper directory structure and permissions
373370RUN set -eux; \
374- # Fix permissions for virtual environment
375- chown -R nonroot:nonroot /app/.venv; \
376- # Create required runtime directories
377- mkdir -p /app/.cache/tldr /app/temp; \
378- # Create user cache directories (fixes permission issues for Prisma/npm)
379- mkdir -p /home/nonroot/.cache /home/nonroot/.npm; \
380- chown -R nonroot:nonroot /app/.cache /app/temp /home/nonroot/.cache /home/nonroot/.npm; \
381- # Remove npm cache to reduce scan time and image size
382- rm -rf /home/nonroot/.npm/_cacache
371+ mkdir -p /app/.cache/tldr /app/temp; \
372+ mkdir -p /home/nonroot/.cache /home/nonroot/.npm; \
373+ rm -rf /home/nonroot/.npm/_cacache_; \
374+ chown nonroot:nonroot /app/.cache /app/temp /home/nonroot/.cache /home/nonroot/.npm
383375
384- # Switch to non-root user for security and run Prisma setup
385- # SECURITY: Application runs with minimal privileges
386- # RUNTIME: Ensures Prisma binaries and client are properly configured as nonroot user
376+ # Switch to non-root user and finalize Prisma binaries
387377USER nonroot
388- RUN /app/.venv/bin/python -m prisma py fetch && \
389- /app/.venv/bin/python -m prisma generate
378+ RUN /app/.venv/bin/python -m prisma py fetch \
379+ && /app/.venv/bin/python -m prisma generate
390380
381+ USER root
391382# Aggressive cleanup and optimization after Prisma setup
392383# PERFORMANCE: Single RUN reduces layer count and enables atomic cleanup
393384# SIZE: Removes unnecessary files to minimize final image size but preserves Prisma binaries
394- USER root
395385RUN set -eux; \
396386 # VIRTUAL ENVIRONMENT CLEANUP
397387 # The following operations remove unnecessary files from the Python environment
398388 # This can reduce the size by 30-50MB without affecting functionality
399- \
400389 # Remove Python bytecode files (will be regenerated as needed)
401390 find /app/.venv -name "*.pyc" -delete; \
402391 find /app/.venv -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true; \
403- \
404392 # Remove test directories from installed packages (but preserve prisma binaries)
405393 # These directories contain test files that are not needed in production
406394 for test_dir in tests testing "*test*" ; do \
407- find /app/.venv -name "$test_dir" -type d -not -path "*/prisma*" -exec rm -rf {} + 2>/dev/null || true; \
395+ find /app/.venv -name "$test_dir" -type d -not -path "*/prisma*" -exec rm -rf {} + 2>/dev/null || true; \
408396 done; \
409- \
410397 # Remove documentation files from installed packages (but preserve prisma docs)
411398 # These files take up significant space and are not needed in production
412399 for doc_pattern in "*.md" "*.txt" "*.rst" "LICENSE*" "NOTICE*" "COPYING*" "CHANGELOG*" "README*" "HISTORY*" "AUTHORS*" "CONTRIBUTORS*" ; do \
413- find /app/.venv -name "$doc_pattern" -not -path "*/prisma*" -delete 2>/dev/null || true; \
400+ find /app/.venv -name "$doc_pattern" -not -path "*/prisma*" -delete 2>/dev/null || true; \
414401 done; \
415- \
416402 # Remove large development packages that are not needed in production
417403 # These packages (pip, setuptools, wheel) are only needed for installing packages
418404 # NOTE: Preserving packages that Prisma might need
419405 for pkg in setuptools wheel pkg_resources; do \
420- rm -rf /app/.venv/lib/python3.13/site-packages/${pkg}* 2>/dev/null || true; \
421- rm -rf /app/.venv/bin/${pkg}* 2>/dev/null || true; \
406+ rm -rf /app/.venv/lib/python3.13/site-packages/${pkg}* 2>/dev/null || true; \
407+ rm -rf /app/.venv/bin/${pkg}* 2>/dev/null || true; \
422408 done; \
423409 rm -rf /app/.venv/bin/easy_install* 2>/dev/null || true; \
424- \
425410 # Compile Python bytecode for performance optimization
426411 # PERFORMANCE: Pre-compiled bytecode improves startup time
427412 # Note: Some compilation errors are expected and ignored
428- /app/.venv/bin/python -m compileall -b -q /app/tux /app/.venv/lib/python3.13/site-packages/ 2>/dev/null || true; \
429- \
430- # Switch back to nonroot user for final ownership
431- chown -R nonroot:nonroot /app /home/nonroot
413+ /app/.venv/bin/python -m compileall -b -q /app/tux /app/.venv/lib/python3.13/site-packages 2>/dev/null || true
432414
433415# Switch back to non-root user for runtime
434416USER nonroot
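Review bot: The non-recursive `chown nonroot:nonroot /app/.cache /app/temp /home/nonroot/.cache /home/nonroot/.npm` on new line 374 leaves `/app/.cache/tldr`, created by the `mkdir -p` two lines above, owned by root, so the tldr cache is unwritable once `USER nonroot` takes effect; either list it explicitly, `chown nonroot:nonroot /app/.cache /app/.cache/tldr /app/temp /home/nonroot/.cache /home/nonroot/.npm`, or keep the `-R` the removed line had. The cleanup target also changed from `_cacache` to `_cacache_`; npm's content cache directory is named `_cacache`, so the trailing underscore looks like a typo that turns the `rm -rf` into a no-op. The removed `chown -R nonroot:nonroot /app/.venv` is not replaced, yet `prisma py fetch` and `prisma generate` still run as nonroot and write into the venv; if the venv was not copied with `--chown` (only the VERSION copy is visible in the hunk header), that step will fail with a permission error — worth confirming against the earlier COPY lines, which are outside this hunk.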