[enh] container: reproducible layers (#5222)

* [enh] container: reproducible layers We are not aiming for reproducibility compliance, but we look to make most builder layers reproducible without caching at least for a short period of time (until the builder's base image changes or the child dependencies of a requirements.txt package are updated). This feature is only available on Podman. This targets https://github.com/searxng/searxng/pull/5086 main goal. * [fix] misc: apply suggestions Suggested: https://github.com/searxng/searxng/pull/5222#discussion_r2364630496 Suggested: https://github.com/searxng/searxng/pull/5222#discussion_r2364630511 * [enh] container: prevent useless layer
2025-12-22 19:50:00 +00:00 · 2025-09-20 11:33:23 +02:00
parent 164167dea0
commit b7ecc1c240
4 changed files with 27 additions and 13 deletions
--- a/container/builder.dockerfile
+++ b/container/builder.dockerfile
@@ -1,27 +1,29 @@
 FROM ghcr.io/searxng/base:searxng-builder AS builder

-COPY ./requirements*.txt ./
+ARG TIMESTAMP_VENV="0"

-ARG TIMESTAMP="0"
+COPY ./requirements.txt ./requirements-server.txt ./

-RUN --mount=type=cache,id=uv,target=/root/.cache/uv set -eux; \
+RUN --mount=type=cache,id=uv,target=/root/.cache/uv set -eux -o pipefail; \
+    export SOURCE_DATE_EPOCH="$TIMESTAMP_VENV"; \
    uv venv; \
    uv pip install --no-managed-python --compile-bytecode --requirements ./requirements.txt --requirements ./requirements-server.txt; \
    uv cache prune --ci; \
-    find ./.venv/ -exec touch -h -t $TIMESTAMP {} +
+    find ./.venv/lib/python*/site-packages/*.dist-info/ -type f -name "RECORD" -exec sort -t, -k1,1 -o {} {} \;; \
+    find ./.venv/ -exec touch -h --date="@$TIMESTAMP_VENV" {} +; \
+    unset SOURCE_DATE_EPOCH

+# use "--exclude=./searx/version_frozen.py" when actions/runner-images updates to Podman 5.0+
 COPY ./searx/ ./searx/

 ARG TIMESTAMP_SETTINGS="0"

-RUN set -eux; \
+RUN set -eux -o pipefail; \
    python -m compileall -q ./searx/; \
-    touch -c -t $TIMESTAMP_SETTINGS ./searx/settings.yml; \
    find ./searx/static/ -type f \
    \( -name "*.html" -o -name "*.css" -o -name "*.js" -o -name "*.svg" \) \
    -exec gzip -9 -k {} + \
    -exec brotli -9 -k {} + \
    -exec gzip --test {}.gz + \
    -exec brotli --test {}.br +; \
-    # Move always changing files to /usr/local/searxng/
-    mv ./searx/version_frozen.py ./
+    touch -c --date="@$TIMESTAMP_SETTINGS" ./searx/settings.yml
--- a/container/dist.dockerfile
+++ b/container/dist.dockerfile
@@ -6,7 +6,7 @@ ARG CONTAINER_IMAGE_NAME="searxng"
 COPY --chown=searxng:searxng --from=localhost/$CONTAINER_IMAGE_ORGANIZATION/$CONTAINER_IMAGE_NAME:builder /usr/local/searxng/.venv/ ./.venv/
 COPY --chown=searxng:searxng --from=localhost/$CONTAINER_IMAGE_ORGANIZATION/$CONTAINER_IMAGE_NAME:builder /usr/local/searxng/searx/ ./searx/
 COPY --chown=searxng:searxng ./container/ ./
-COPY --chown=searxng:searxng --from=localhost/$CONTAINER_IMAGE_ORGANIZATION/$CONTAINER_IMAGE_NAME:builder /usr/local/searxng/version_frozen.py ./searx/
+#COPY --chown=searxng:searxng ./searx/version_frozen.py ./searx/

 ARG CREATED="0001-01-01T00:00:00Z"
 ARG VERSION="unknown"