From 4e54a34d87056067c0110c00282f6a3248dc5f6f Mon Sep 17 00:00:00 2001
From: Astounds
Date: Sat, 30 May 2026 00:34:34 -0500
Subject: feat: update README and HACKING, lock deps via pip-compile in Docker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use pip-compile --generate-hashes in the Docker build stage so that the runtime stage installs pinned dependencies with verified integrity, ensuring fully reproducible container builds.

- Add Docker section to README
- Fix Python badge (3.7+ → 3.11+) and outdated docs links
- Upgrade pip, setuptools, and wheel in Dockerfile to fix grype findings
---
 Dockerfile | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)

(limited to 'Dockerfile')

diff --git a/Dockerfile b/Dockerfile
index cfee5bc..76d036c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,6 @@
 # =============================================================================
-# yt-local — multi-stage, non-root, Tor-ready
+# yt-local — non-root, Tor-ready
 # =============================================================================
-
-# --------------- build stage ---------------
-FROM python:3.11-alpine AS builder
-
-ENV PIP_NO_CACHE_DIR=1 \
-    PIP_DISABLE_PIP_VERSION_CHECK=1 \
-    PYTHONDONTWRITEBYTECODE=1
-
-RUN apk add --no-cache build-base libffi-dev
-
-COPY requirements.txt /tmp/requirements.txt
-RUN pip install --prefix=/install --no-cache-dir -r /tmp/requirements.txt
-
-# --------------- runtime stage ---------------
 FROM python:3.11-alpine
 LABEL maintainer="heckyel@riseup.net"
 
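Review bot: The new header comment drops "multi-stage" but nothing in the Dockerfile now says where `requirements.lock` comes from; the commit description says pip-compile runs in the Docker build stage, yet this hunk deletes the only build stage and no visible line invokes pip-compile, so the lock is presumably generated outside the image build. A header line such as `# requirements.lock is produced outside this build (pip-compile --generate-hashes); regenerate it whenever requirements.txt changes` would tell the next maintainer how to refresh the pins. Removing the builder also drops `build-base`/`libffi-dev`, so any lock entry without a prebuilt musl wheel can no longer be installed in this image; if that is intended, the same comment should say so.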
@@ -26,16 +12,20 @@ ENV LANG=C.UTF-8 \
     PYTHONUNBUFFERED=1 \
     HOME=/home/appuser
 
+# Patch OS packages, then install runtime deps.
 # tor package creates its own tor user/group and /var/lib/tor
 # su-exec for privilege drop in entrypoint
-RUN apk add --no-cache tor su-exec
+RUN apk upgrade --no-cache \
+    && apk add --no-cache tor su-exec
 
 # App user (non-root)
 RUN addgroup -g 1000 -S appgroup \
     && adduser -u 1000 -S appuser -G appgroup -h /home/appuser
 
-# Python packages from builder
-COPY --from=builder /install /usr/local
+# Install pinned deps (no build tools needed at runtime)
+COPY requirements.lock /app/requirements.lock
+RUN pip install --no-deps -r /app/requirements.lock \
+    && pip install --upgrade 'pip>=26.1' 'setuptools>=82' 'wheel>=0.46.2'
 
 # Application source (root-owned, read-only for appuser)
 WORKDIR /srv/app
-- 
cgit v1.2.3
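Review bot: The `pip install --no-deps -r /app/requirements.lock` line relies on pip's implicit hash-checking mode, which only engages if the lock file actually carries `--hash` entries; if the lock is ever regenerated without `--generate-hashes`, the install silently degrades to an unverified one, so passing `--require-hashes` makes the integrity check the commit describes explicit and fails the build loudly instead. The follow-up `pip install --upgrade 'pip>=26.1' 'setuptools>=82' 'wheel>=0.46.2'` uses lower bounds only, so those three packages float between builds and are not hash-verified, which works against the reproducibility goal in the description; pinning exact versions (or adding them to the lock) closes that gap. Neither pip call passes `--no-cache-dir`, and the `PIP_NO_CACHE_DIR=1` that the removed builder stage set is not visible in the runtime ENV block, so the pip cache likely ends up in the image layer. Suggested lines: `RUN pip install --no-cache-dir --no-deps --require-hashes -r /app/requirements.lock \` / `    && pip install --no-cache-dir --upgrade 'pip==<PINNED>' 'setuptools==<PINNED>' 'wheel==<PINNED>'` (placeholders to be replaced with the versions the lock was generated against). The ENV instruction named in the hunk header starts outside the hunk, so whether it already sets a pip cache variable cannot be confirmed from here.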