docker: split Dockerfile into runtime and dev targets

cailmdaley · claude · cailmdaley · commit 24c90d110a05 · 2026-04-28T14:12:16.000+02:00
Rewrites the slim-bookworm Dockerfile as a two-target multi-stage build: - runtime — minimal image for canfar batch jobs and downstream FROM clauses. Ships astromatic binaries + jupyter + fitsio extras only. - dev — runtime plus everyday CLI tools (vim, less, tmux, htop, ripgrep, fd, jq, bat, git-lfs, …) and *all* extras pre-installed via the `dev` meta-extra (test, lint, doc, release, jupyter, fitsio). Default target when `--target` is omitted; published as `:<branch>` (no suffix). Both stages share a `base` stage carrying system deps + uv + the lockfile copy, so the heavy apt + wheel resolution is cached once. Addresses Martin's PR feedback on #719: - `uv run pytest: No such file or directory` — pytest now ships in the dev image (was previously only in the never-built `--extra test`). - `uv sync --extra X: Read-only file system` — the dev image has every extra pre-baked, so live `uv sync` is no longer needed at all. As a belt-and-braces also `chmod -R go+rwX /app` so non-root users on canfar/skaha can still mutate the venv when they want to. - "no vim in the slim image" — `vim`, `less`, `tmux`, `htop`, plus a curated subset of cailmdaley/containers (rg/fd/jq/bat/…) now ship in the dev target. deploy-image.yml builds, smoke-tests, and pushes both targets: - runtime: source-extractor / weightwatcher / psfex / shapepipe_run all invoked inside the built image. - dev: vim, ripgrep, pytest verified runnable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/deploy-image.yml b/.github/workflows/deploy-image.yml
@@ -3,7 +3,6 @@ on: [push, workflow_dispatch]
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
-  BRANCH: ${{ github.ref }}
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
@@ -26,37 +25,86 @@ jobs:
         with:
           driver-opts: network=host
 
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
+      # Two parallel tag sets. `dev` is the default (no suffix, e.g. `:latest`,
+      # `:develop`); `runtime` carries a `-runtime` suffix.
+      - name: Tags — dev (default)
+        id: meta-dev
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      - name: Build and export to Docker
+      - name: Tags — runtime
+        id: meta-runtime
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            suffix=-runtime,onlatest=true
+
+      # Build runtime first (smaller, used to smoke-test pipeline binaries)
+      - name: Build runtime (load)
         uses: docker/build-push-action@v6
         with:
+          context: .
+          target: runtime
           load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta-runtime.outputs.tags }}
+          labels: ${{ steps.meta-runtime.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      # Smoke-test the binaries baked into the image. Catches the class of
-      # regression where the image builds but a runtime tool (sextractor,
-      # weightwatcher) is missing or unrunnable on the deployment target.
-      - name: Test — binaries
+      # Smoke-test the binaries baked into the runtime image. Catches the
+      # class of regression where the image builds but a runtime tool
+      # (sextractor, weightwatcher) is missing or unrunnable.
+      - name: Test runtime — binaries
         run: |
-          IMAGE=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
+          IMAGE=$(echo "${{ steps.meta-runtime.outputs.tags }}" | head -n1)
           docker run --rm "$IMAGE" source-extractor --version
           docker run --rm "$IMAGE" weightwatcher --version
           docker run --rm "$IMAGE" psfex --version
 
-      - name: Test — shapepipe entry point
+      - name: Test runtime — shapepipe entry point
         run: |
-          IMAGE=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
+          IMAGE=$(echo "${{ steps.meta-runtime.outputs.tags }}" | head -n1)
           docker run --rm "$IMAGE" shapepipe_run -c /app/example/config.ini
 
-      - name: Push
+      # Build dev (reuses cached `base` layer)
+      - name: Build dev (load)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: dev
+          load: true
+          tags: ${{ steps.meta-dev.outputs.tags }}
+          labels: ${{ steps.meta-dev.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Verify the dev-only additions are present and runnable.
+      - name: Test dev — interactive tools and test extras
+        run: |
+          IMAGE=$(echo "${{ steps.meta-dev.outputs.tags }}" | head -n1)
+          docker run --rm "$IMAGE" vim --version | head -n1
+          docker run --rm "$IMAGE" rg --version | head -n1
+          docker run --rm "$IMAGE" pytest --version
+
+      # Push both targets
+      - name: Push runtime
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: runtime
+          push: true
+          tags: ${{ steps.meta-runtime.outputs.tags }}
+          labels: ${{ steps.meta-runtime.outputs.labels }}
+          cache-from: type=gha
+
+      - name: Push dev
         uses: docker/build-push-action@v6
         with:
+          context: .
+          target: dev
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta-dev.outputs.tags }}
+          labels: ${{ steps.meta-dev.outputs.labels }}
+          cache-from: type=gha
diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,27 @@
-FROM python:3.12-slim-bookworm
+# syntax=docker/dockerfile:1.7
+#
+# Two-target image:
+#   --target runtime  →  minimal, for canfar batch jobs and downstream stacks
+#   --target dev      →  runtime + everyday CLI tools + all extras (test,
+#                        lint, doc, …); default if --target is omitted
+#
+# Both share the `base` stage (system deps + uv + lockfile copy), so the
+# heavy apt + wheel-resolution work is cached once.
+
+# ----------------------------------------------------------------------
+# base — system deps shared by every target
+# ----------------------------------------------------------------------
+FROM python:3.12-slim-bookworm AS base
 
-# Metadata
 LABEL maintainer="martin.kilbinger@cea.fr"
-LABEL description="ShapePipe base image — slim Python + uv-frozen deps"
 
 ENV SHELL=/bin/bash \
     QT_QPA_PLATFORM=offscreen \
     PIP_NO_CACHE_DIR=1 \
-    DEBIAN_FRONTEND=noninteractive
+    DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8
 
-# System dependencies. Three categories:
+# System dependencies — three categories:
 #  - astromatic binaries (psfex, source-extractor, weightwatcher) ship as
 #    Debian packages on bookworm; preferred over building from source.
 #  - compilers and dev libs needed to build the heavier wheels (galsim,
@@ -32,24 +44,30 @@ RUN apt-get update -y --quiet && \
         psfex source-extractor weightwatcher && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
-# Install uv — fast, reproducible dependency resolver and installer.
-# Deps are declared in pyproject.toml; exact transitive versions are frozen
-# in uv.lock. `uv sync --frozen` installs exactly what uv.lock specifies,
+# uv — fast reproducible Python deps installer. pyproject.toml + uv.lock
+# are the SSOT; `uv sync --frozen` installs exactly what uv.lock specifies,
 # so upstream changes only land when we deliberately regenerate the lockfile.
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
 
 WORKDIR /app
 COPY pyproject.toml uv.lock /app/
 
-# Install runtime + jupyter + fitsio extras from the lockfile into /app/.venv.
-# `--no-install-project` skips installing shapepipe itself (the source isn't
-# copied yet); we install it `--no-deps` below once the source is available.
+# ----------------------------------------------------------------------
+# runtime — minimal target for batch jobs and downstream FROM clauses
+# ----------------------------------------------------------------------
+FROM base AS runtime
+LABEL description="ShapePipe runtime — slim Python + uv-frozen deps"
+
+# Lockfile-frozen Python deps + jupyter + fitsio. Test/lint/doc extras
+# are intentionally left out here; they live in the dev target.
 RUN uv sync --frozen --no-install-project --extra jupyter --extra fitsio
 
 # Copy the source and install shapepipe into the same venv.
 COPY . /app/.
-RUN chown -R root:root /app && chmod -R u+rwX /app
-RUN uv pip install --no-deps -e . && \
+# go+rwX so non-root users on canfar/skaha can read/traverse /app and
+# write into the venv when they need to (e.g. uv add for ad-hoc deps).
+RUN chmod -R go+rwX /app && \
+    uv pip install --no-deps -e . && \
     for ext in .py .sh .bash; do \
         for script in /app/scripts/*/*$ext; do \
             link_name=$(basename $script $ext); \
@@ -59,5 +77,54 @@ RUN uv pip install --no-deps -e . && \
 
 # Activate the uv-managed venv on container start so shapepipe_run etc
 # resolve against it without explicit activation.
-ENV PATH="/app/.venv/bin:${PATH}"
-ENV VIRTUAL_ENV=/app/.venv
+ENV PATH="/app/.venv/bin:${PATH}" \
+    VIRTUAL_ENV=/app/.venv
+
+# ----------------------------------------------------------------------
+# dev — everyday working environment (default target)
+# ----------------------------------------------------------------------
+FROM base AS dev
+LABEL description="ShapePipe dev — runtime + interactive CLI tools + all extras"
+
+# Interactive tools for working inside the container. Curated subset of
+# cailmdaley/containers focused on the search/edit/process loop; heavier
+# tooling (neovim, polspice, quarto, zellij) is intentionally not here.
+RUN apt-get update -y --quiet && \
+    apt-get install -y --no-install-recommends \
+        vim \
+        less \
+        tmux \
+        htop \
+        procps \
+        ripgrep \
+        fd-find \
+        jq \
+        bat \
+        curl \
+        ca-certificates \
+        git-lfs \
+        rsync \
+        unzip zip \
+        openssh-client \
+        locales && \
+    if command -v batcat >/dev/null; then ln -sf "$(command -v batcat)" /usr/local/bin/bat; fi && \
+    if command -v fdfind >/dev/null; then ln -sf "$(command -v fdfind)" /usr/local/bin/fd; fi && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# All extras pre-installed (dev = doc + jupyter + lint + release + test +
+# fitsio). Pre-installing avoids the read-only-fs failure Martin hit when
+# trying to live `uv sync --extra test` inside the runtime image on canfar.
+RUN uv sync --frozen --no-install-project --extra dev
+
+COPY . /app/.
+RUN chmod -R go+rwX /app && \
+    uv pip install --no-deps -e . && \
+    for ext in .py .sh .bash; do \
+        for script in /app/scripts/*/*$ext; do \
+            link_name=$(basename $script $ext); \
+            ln -s $script /usr/local/bin/$link_name; \
+        done; \
+    done
+
+ENV PATH="/app/.venv/bin:${PATH}" \
+    VIRTUAL_ENV=/app/.venv
