Merge pull request #68 from kevinbackhouse/static-dockerfile

Simplify docker setup

Author: kevinbackhouse

.github/workflows/release.yml

@@ -35,7 +35,7 @@ jobs:
         id: docker_build
         run: |
           echo ${{ secrets.GHCR_TOKEN }} | docker login ghcr.io -u GitHubSecurityLab --password-stdin
-          python release_tools/publish_docker.py release.txt main.py ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }} ${{ github.event.inputs.release_tag }}
+          python release_tools/publish_docker.py ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }} ${{ github.event.inputs.release_tag }}
           DIGEST=$(cat /tmp/digest.txt)
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 

docker/Dockerfile

@@ -0,0 +1,48 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    unzip \
+    git \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Docker CLI (debian)
+RUN apt-get update \
+    && install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
+    && chmod a+r /etc/apt/keyrings/docker.asc \
+    && echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+    tee /etc/apt/sources.list.d/docker.list > /dev/null \
+    && apt-get update && apt-get install -y docker-ce-cli \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install GitHub CLI
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+    && apt-get update \
+    && apt-get install -y gh \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install CodeQL CLI
+RUN curl -Ls -o /tmp/codeql.zip https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip \
+    && unzip /tmp/codeql.zip -d /opt \
+    && mv /opt/codeql /opt/codeql-cli \
+    && ln -s /opt/codeql-cli/codeql /usr/local/bin/codeql \
+    && rm /tmp/codeql.zip
+
+# Install seclab-taskflow-agent from PyPI
+RUN pip install seclab-taskflow-agent
+
+# Install CodeQL pack dependencies
+RUN export SECLAB_TASKFLOW_AGENT=$(python -c 'import seclab_taskflow_agent as x; print(x.__path__[0])') && \
+    codeql pack install $SECLAB_TASKFLOW_AGENT/mcp_servers/codeql/queries/mcp-cpp && \
+    codeql pack install $SECLAB_TASKFLOW_AGENT/mcp_servers/codeql/queries/mcp-js
+
+ENTRYPOINT ["python", "-m", "seclab_taskflow_agent"]

release.txt

@@ -2,13 +2,11 @@
 
 To release an updated version of the Agent perform the following steps:
 
-1. Add any newly created files or dependencies to `release.txt`.
-
-2. Release an updated Docker image:
+1. Release an updated Docker image:
 
 ```sh
 docker login ghcr.io -u YOUR_GITHUB_USERNAME
-python release_tools/publish_docker.py release.txt main.py ghcr.io/githubsecuritylab/seclab-taskflow-agent latest
+python release_tools/publish_docker.py ghcr.io/githubsecuritylab/seclab-taskflow-agent latest
 ```
 
 Note: your login password is a GitHub PAT with packages write/read/delete scope enabled.

release_tools/HOWTO.md

@@ -5,85 +5,6 @@
 import shutil
 import subprocess
 import sys
-import tempfile
-
-def read_file_list(list_path):
-    """
-    Reads a file containing file paths, ignoring empty lines and lines starting with '#'.
-    Returns a list of relative file paths.
-    """
-    with open(list_path, "r") as f:
-        lines = [line.strip() for line in f]
-    return [line for line in lines if line and not line.startswith("#")]
-
-def copy_files_to_dir(file_list, dest_dir):
-    """
-    Copies files to dest_dir, preserving their relative paths.
-    """
-    for rel_path in file_list:
-        abs_src = os.path.abspath(rel_path)
-        abs_dest = os.path.abspath(os.path.join(dest_dir, rel_path))
-        os.makedirs(os.path.dirname(abs_dest), exist_ok=True)
-        shutil.copy2(abs_src, abs_dest)
-
-def write_dockerfile(dest_dir, entrypoint):
-    """
-    Writes a Dockerfile that installs Python dependencies, GitHub CLI, and CodeQL CLI.
-    """
-    dockerfile = f'''
-FROM python:3.11-slim
-
-WORKDIR /app
-
-# Install system dependencies
-RUN apt-get update && apt-get install -y \\
-    curl \\
-    unzip \\
-    git \\
-    ca-certificates \\
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Docker CLI (debian)
-RUN apt-get update \\
-    && install -m 0755 -d /etc/apt/keyrings \\
-    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \\
-    && chmod a+r /etc/apt/keyrings/docker.asc \\
-    && echo \\
-    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \\
-    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \\
-    tee /etc/apt/sources.list.d/docker.list > /dev/null \\
-    && apt-get update && apt-get install -y docker-ce-cli \\
-    && rm -rf /var/lib/apt/lists/*
-
-# Install GitHub CLI
-RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \\
-    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \\
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \\
-    && apt-get update \\
-    && apt-get install -y gh \\
-    && rm -rf /var/lib/apt/lists/*
-
-# Install CodeQL CLI
-RUN curl -Ls -o /tmp/codeql.zip https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip \\
-    && unzip /tmp/codeql.zip -d /opt \\
-    && mv /opt/codeql /opt/codeql-cli \\
-    && ln -s /opt/codeql-cli/codeql /usr/local/bin/codeql \\
-    && rm /tmp/codeql.zip
-
-COPY . /app
-
-# Install CodeQL pack dependencies
-RUN codeql pack install /app/src/seclab_taskflow_agent/mcp_servers/codeql/queries/mcp-cpp
-RUN codeql pack install /app/src/seclab_taskflow_agent/mcp_servers/codeql/queries/mcp-js
-
-# Install Python dependencies if pyproject.toml exists
-RUN pip install hatch
-RUN if [ -f pyproject.toml ]; then hatch run sync-deps; fi
-
-ENTRYPOINT ["hatch", "run", "{entrypoint}"]
-'''
-    with open(os.path.join(dest_dir, "Dockerfile"), "w") as f:
-        f.write(dockerfile)
 
 def get_image_digest(image_name, tag):
     result = subprocess.run(
@@ -111,23 +32,13 @@ def build_and_push_image(dest_dir, image_name, tag):
         f.write(digest)
 
 if __name__ == "__main__":
-    if len(sys.argv) != 5:
-        print("Usage: python build_and_publish_docker.py <file_list.txt> <entrypoint.py> <ghcr_username/repo> <tag>")
-        print("Example: python build_and_publish_docker.py files.txt main.py ghcr.io/anticomputer/my-python-app latest")
+    if len(sys.argv) != 3:
+        print("Usage: python build_and_publish_docker.py <ghcr_username/repo> <tag>")
+        print("Example: python build_and_publish_docker.py ghcr.io/anticomputer/my-python-app latest")
         sys.exit(1)
 
-    file_list_path = sys.argv[1]
-    entrypoint_py = sys.argv[2]
-    image_name = sys.argv[3]
-    tag = sys.argv[4]
-
-    # Read file paths
-    file_list = read_file_list(file_list_path)
+    image_name = sys.argv[1]
+    tag = sys.argv[2]
 
-    with tempfile.TemporaryDirectory() as build_dir:
-        # Copy files
-        copy_files_to_dir(file_list, build_dir)
-        # Write Dockerfile
-        write_dockerfile(build_dir, entrypoint_py)
-        # Build and push image
-        build_and_push_image(build_dir, image_name, tag)
+    # Build and push image
+    build_and_push_image("docker", image_name, tag)

release_tools/publish_docker.py

@@ -1,2 +1,2 @@
 #!/bin/sh
-python release_tools/publish_docker.py release.txt main ghcr.io/githubsecuritylab/seclab-taskflow-agent latest
+python release_tools/publish_docker.py ghcr.io/githubsecuritylab/seclab-taskflow-agent latest