## Summary

- Enable OIDC + API key authentication on zot with anonymous pull preserved
- Enforce tag immutability for version tags
- Adopt commit-SHA-based container image tagging

Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`).

## Test plan

- [ ] Anonymous pull still works
- [ ] Unauthenticated push fails (401)
- [ ] CI container builds pass with new auth and tagging
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
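The first two test-plan items can be probed from a shell without any registry credentials. This is an added example, not a script from the blumeops repository; `REGISTRY` and `REPO` are placeholders you set for your own zot instance, and the expected codes (200 for the anonymous API root, 401 for an anonymous blob-upload start) follow from the plan above.

```shell
#!/usr/bin/env sh
# Added example (not part of the blumeops repo): checks that a zot registry
# still serves anonymous pulls but rejects unauthenticated pushes.
set -u
REGISTRY="${REGISTRY:-https://registry.example.invalid}"   # placeholder URL
REPO="${REPO:-blumeops/test}"                              # placeholder repo

# HTTP status code of a request sent with no credentials at all.
anon_status() {            # $1=method  $2=path
  curl -s -o /dev/null -w '%{http_code}' -X "$1" "${REGISTRY}$2"
}

# Pure comparison of an observed status against the test plan's expectation.
# Prints a one-line verdict; returns 0 on pass, 1 on fail.
judge() {                  # $1=check name  $2=expected  $3=observed
  if [ "$2" = "$3" ]; then
    printf 'PASS %s: got %s\n' "$1" "$3"; return 0
  fi
  printf 'FAIL %s: expected %s, got %s\n' "$1" "$2" "$3"; return 1
}

run_checks() {
  rc=0
  # Anonymous pull preserved: the distribution API root must not demand auth.
  judge "anonymous GET /v2/" 200 "$(anon_status GET /v2/)" || rc=1
  # Unauthenticated push refused: starting a blob upload must yield 401,
  # which is what the test plan expects once auth is enforced.
  judge "unauthenticated push" 401 \
    "$(anon_status POST "/v2/${REPO}/blobs/uploads/")" || rc=1
  return $rc
}

# Only hit the network when a real registry has been configured.
[ -n "${REGISTRY_CONFIGURED:-}" ] && run_checks
```

Set `REGISTRY`, `REPO` and `REGISTRY_CONFIGURED=1` and run the script; it exits non-zero if either expectation is not met.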
27 lines
631 B
Docker
```dockerfile
ARG CONTAINER_APP_VERSION=6.19.1

FROM python:3.12-slim

ARG CONTAINER_APP_VERSION
ARG DEVPI_SERVER_VERSION=${CONTAINER_APP_VERSION}
ARG DEVPI_WEB_VERSION=5.0.1

# Install devpi-server and devpi-web
RUN pip install --no-cache-dir \
    devpi-server==${DEVPI_SERVER_VERSION} \
    devpi-web==${DEVPI_WEB_VERSION}

# Create non-root user
RUN useradd -r -u 1000 devpi && mkdir -p /devpi && chown devpi:devpi /devpi

# Add startup script
COPY --chown=devpi:devpi start.sh /usr/local/bin/start.sh
RUN chmod +x /usr/local/bin/start.sh

USER devpi
WORKDIR /devpi

# Expose default port
EXPOSE 3141

ENTRYPOINT ["/usr/local/bin/start.sh"]
```