Skip to content

fix: use lockfile for reproducible builds and correct Dockerfile port comments#365

Merged
tejaskash merged 2 commits intomainfrom
dockerfile-fixes
Feb 20, 2026
Merged

fix: use lockfile for reproducible builds and correct Dockerfile port comments#365
tejaskash merged 2 commits intomainfrom
dockerfile-fixes

Conversation

@tejaskash
Copy link
Contributor

@tejaskash tejaskash commented Feb 20, 2026
edited
Loading

Summary

  • Replace uv pip install -r pyproject.toml with a two-step uv sync --frozen approach so container builds resolve dependencies deterministically from uv.lock:

    1. uv sync --frozen --no-dev --no-install-project — installs only dependencies (cached layer)
    2. uv sync --frozen --no-dev — installs the project itself after full source COPY

    The uv.lock COPY glob (uv.lock*) is also tightened to require the lockfile (uv.lock).

  • Correct the EXPOSE port comments to match the AgentCore Runtime service contract: 8080 = HTTP Mode, 8000 = MCP Mode, 9000 = A2A Mode. The previous comments incorrectly described 8000 as a local dev server and 9000 as OpenTelemetry.

  • Dockerfile restructure: Moved USER bedrock_agentcore after both uv sync steps so the root-owned .venv remains writable during project installation. The useradd is moved earlier so --chown in COPY still works. The runtime process still runs as the non-root bedrock_agentcore user.

Test plan

  • npm run build succeeds
  • All unit tests pass (npx vitest run --project unit — 1737 passed, 0 failed)
  • Container build verified with Finch (finch build)
  • Container build verified with Podman (podman build)
  • Image runs as bedrock_agentcore user
  • Image exposes correct ports: 8080 (HTTP), 8000 (MCP), 9000 (A2A)

@tejaskash
fix: use lockfile for reproducible builds and correct port comments i…
7beb06c 
…n Dockerfile

- Use `uv sync --frozen --no-dev` instead of `uv pip install -r pyproject.toml`
  so builds resolve dependencies from uv.lock deterministically (CONT-06)
- Require uv.lock (drop glob wildcard) since frozen sync needs it
- Fix port comments to match AgentCore Runtime service contract:
  8080=HTTP, 8000=MCP, 9000=A2A (CONT-07)
@tejaskash tejaskash requested a review from a team February 20, 2026 17:13
@github-actions github-actions bot added the size/xs PR size: XS label Feb 20, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 20, 2026
edited
Loading

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 43.53% 2883 / 6623
🔵 Statements 43.12% 3038 / 7045
🔵 Functions 45.53% 607 / 1333
🔵 Branches 48.48% 1893 / 3904
Generated in workflow #476 for commit 4ef6a44 by the Vitest Coverage Report Action

@tejaskash
fix: use two-step uv sync for reproducible Docker builds
4ef6a44 
The single `uv sync` before COPY failed because hatchling needs
README.md (not yet copied). Split into two steps:
1. `uv sync --frozen --no-dev --no-install-project` — deps only
2. `uv sync --frozen --no-dev` — project install after full COPY

Also move `USER bedrock_agentcore` after both syncs so the venv
created by root remains writable for the project install step.
@github-actions github-actions bot added size/xs PR size: XS and removed size/xs PR size: XS labels Feb 20, 2026
@tejaskash tejaskash merged commit 4da0591 into main Feb 20, 2026
18 of 21 checks passed
@tejaskash tejaskash deleted the dockerfile-fixes branch February 20, 2026 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@padmak30 padmak30 padmak30 approved these changes

Assignees

No one assigned

Labels

size/xs PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tejaskash @padmak30