Conversation

@gcarothers gcarothers commented Oct 14, 2025

  • Don't need to install uv since we copy it from the uv image which is the recommended way to use uv in Docker.
  • Copy uv.lock and pyproject.toml specifically.
  • Install dependencies in a separate step before copying the rest of the project.
  • Don't end up running as root, create a non-root user and switch to that user.

Description

Thank you for opening a Pull Request!
Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Follow the CONTRIBUTING Guide.
  • Make your Pull Request title in the https://www.conventionalcommits.org/ specification.
    • Important Prefixes for release-please:
      • fix: which represents bug fixes, and correlates to a SemVer patch.
      • feat: represents a new feature, and correlates to a SemVer minor.
      • feat!:, or fix!:, refactor!:, etc., which represent a breaking change (indicated by the !) and will result in a SemVer major.
  • Ensure the tests and linter pass (Run bash scripts/format.sh from the repository root to format)
  • Appropriate docs were updated (if necessary)

@gcarothers gcarothers requested a review from a team October 14, 2025 20:59
@gemini-code-assist (Contributor) commented:

Summary of Changes

Hello @gcarothers, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the Dockerfile to modernize the build environment, enhance security, and optimize the build process. It upgrades the Python base image to 3.13, adopts a more secure and efficient method for integrating the uv package manager, and implements a non-root user for running the application. These changes collectively aim to create a more robust, secure, and performant Docker image for the application.

Highlights

  • Python Version Upgrade: The Dockerfile has been updated to use Python 3.13, moving from the previous 3.10 version, ensuring the application runs on the latest stable Python release.
  • Optimized uv Integration: Instead of installing uv via pip, the Dockerfile now directly copies the uv binary from its official Docker image (ghcr.io/astral-sh/uv:latest), which is the recommended and more efficient way to use uv in Docker.
  • Enhanced Security with Non-Root User: The Dockerfile now creates a dedicated non-root user named 'app' and switches to it, ensuring the application runs with reduced privileges for improved security.
  • Improved Build Caching and Dependency Management: The dependency installation process has been refined by copying uv.lock and pyproject.toml separately, installing dependencies, and then copying the rest of the project. This leverages Docker's build cache more effectively, speeding up subsequent builds.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request significantly improves the Dockerfile by upgrading to Python 3.13, adopting the recommended practice for using uv, and enhancing security by running as a non-root user. The changes also smartly leverage Docker's layer caching for dependencies. My review provides a few suggestions to further refine the Dockerfile by removing redundant instructions and combining layers for better optimization. I've also included an explanation regarding the validators package that should clarify its usage and allow for the removal of an unnecessary installation step.

* Don't need to install uv since we copy it from the uv image which is
the recommended way to use uv in Docker.
* Copy uv.lock and pyproject.toml specifically.
* Install dependencies in a separate step before copying the rest of
the project.
* Validators is not required to be installed separately
* Extra COPY for backend is unneeded since we copy the whole project.
* Don't end up running as root, create a non-root user and switch to
that user.
@gcarothers

@gemini-code-assist review


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request significantly improves the Dockerfile by updating to Python 3.13, adopting the recommended way of using uv, and running the application as a non-root user. The changes also leverage Docker layer caching more effectively. My review includes some critical fixes for a missing dependency and user permissions that would prevent the Docker image from building or running correctly. I've also included suggestions to improve image size, security, and build reproducibility.

Comment on lines +28 to 30
RUN useradd -ms /bin/sh app
USER app
WORKDIR /app
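
Review bot: `useradd -ms /bin/sh app` creates the home directory under `/home/app` while the working directory is `/app`, so the new user owns neither `/app` nor anything copied into it afterwards without `--chown`. Create the home at the working directory while still root (`RUN useradd -d /app -ms /bin/sh app`), then `WORKDIR /app` and `USER app`, so the later `uv sync` can write `/app/.venv` as the unprivileged user instead of failing on a root-owned directory.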

critical

This sequence of commands will likely fail the Docker build. The app user does not have permission to create the /app directory in the root of the filesystem. A better approach is to create the user with a specific home directory, and then use that as the working directory. This ensures the user has the necessary permissions for subsequent COPY and RUN commands.

RUN useradd -d /app -ms /bin/sh app
USER app
WORKDIR /app

RUN uv sync --frozen --no-install-project

# Copy the project into the image
COPY . /app
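
Review bot: `COPY . /app` copies as root regardless of the preceding `USER app`, so the project tree lands root-owned and read-only for the runtime user; use `COPY --chown=app:app . /app`. Also, the earlier `uv sync --frozen --no-install-project` deliberately skips the project package itself, so a second `uv sync --frozen` after this COPY is needed for the project to be installed into the venv; it is not visible in this hunk, so worth confirming it follows.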

high

Using COPY . can unnecessarily increase the image size and slow down builds by copying files not needed for runtime, such as .git, node_modules, or editor configuration files. It's a best practice to be explicit and copy only what's needed. Since pyproject.toml and uv.lock are already copied, you likely only need the backend source code here. Also, ensure a comprehensive .dockerignore file is used to exclude unwanted files from the build context.

COPY backend ./backend/

FROM python:3.10-slim
FROM python:3.13-slim

COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
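
Review bot: the reproducibility concern about `ghcr.io/astral-sh/uv:latest` applies equally to `python:3.13-slim`, which is also a moving tag resolved at build time, so two builds of the same commit can produce different images. Pin both by digest (`image@sha256:<digest>`) or at least by a full version tag, and bump them deliberately.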

medium

Using the :latest tag for images is not recommended for production builds, as it can lead to unpredictable behavior when the image is updated. It's better to pin to a specific version (e.g., a specific digest or version tag like uv:0.1.18) to ensure reproducible builds.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request significantly improves the Dockerfile by upgrading to Python 3.13, adopting the recommended method for using uv, and enhancing security by running as a non-root user. The changes to leverage Docker's layer caching for dependencies are also a great addition. However, I've identified two critical issues that need to be addressed: one is a permission error that will likely cause the Docker build to fail, and the other is a missing Python dependency (validators) that will lead to a runtime error. I've also provided a couple of suggestions to further improve the Dockerfile's efficiency and maintainability.

RUN uv sync --frozen --no-install-project

# Copy the project into the image
COPY . /app
Copy link
Contributor


medium

Copying the entire context with COPY . /app can unintentionally include files that are not needed for the application to run (e.g., .git, .vscode, node_modules, etc.). This increases the image size and can be a security risk if sensitive files are included. It's a best practice to create a .dockerignore file to explicitly exclude files and directories that are not required in the final image.
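
Putting the PR's four bullets and the review comments together, here is an added example Dockerfile; it is not the project's own file. It assumes a `backend` Python package as the entrypoint (the page only names a `backend` directory) and uses the `0.1.18` uv tag from the review purely as a placeholder to be replaced with a pinned release.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. It follows the layout the PR
# describes and folds in the review points: pinned images, a non-root user
# that owns the working directory, and lock files copied before the source.

# Pin both images (better still: by digest). The uv tag below is the example
# value from the review; replace it with the release you actually test with.
ARG PYTHON_TAG=3.13-slim
ARG UV_VERSION=0.1.18

FROM ghcr.io/astral-sh/uv:${UV_VERSION} AS uv

FROM python:${PYTHON_TAG}

# uv binaries come from the uv image; nothing is pip-installed.
COPY --from=uv /uv /uvx /bin/

# Create the runtime user while still root, with /app as its home so the
# user owns the working directory and can write .venv into it.
RUN useradd --create-home --home-dir /app --shell /bin/sh app
WORKDIR /app
USER app

# Dependency layer: only the lock files, so Docker caches it until they change.
COPY --chown=app:app pyproject.toml uv.lock ./
RUN uv sync --frozen --no-install-project --no-dev

# Project layer, owned by the runtime user (COPY ignores USER unless --chown
# is given). A .dockerignore keeps .git, node_modules and editor folders out
# of the build context.
COPY --chown=app:app . .
# --no-install-project skipped the package itself; this second sync installs it.
RUN uv sync --frozen --no-dev

ENV PATH="/app/.venv/bin:${PATH}"
# Assumed entrypoint: adjust to the project's real module or script.
CMD ["python", "-m", "backend"]
```

The two `uv sync` calls are the point of copying `pyproject.toml` and `uv.lock` first: the first call runs only when the lock files change and is otherwise served from cache, while the second installs just the project package after the source is copied. Pair the Dockerfile with a `.dockerignore` listing `.git`, `node_modules`, `.vscode` and similar local-only paths, so `COPY . .` cannot pull credentials or build artifacts into the image.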
