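# syntax=dhi.io/build:2-alpine3.23
# NOTE(review): the frontend above is referenced by a mutable tag. If the
# builder accepts a digest suffix (@sha256:<digest-placeholder>), pinning it
# keeps builds reproducible. The syntax line must stay first in the file.
#
# Image definition for a Python 3 runtime on Alpine 3.23 that runs as the
# unprivileged "python" account (uid/gid 65532).
#
# NOTE(review): this layout was reconstructed from a copy of the file that had
# been flattened onto one line. That copy listed `contents:` twice; most YAML
# parsers silently keep only the last duplicate key and strict ones reject the
# file, so both occurrences are merged into one mapping here. Confirm the
# nesting against the build frontend's schema.

variant: runtime

contents:
  # Build stage: dev variant carrying pip and the compiler toolchain. These
  # packages appear only here, not in the runtime package list below.
  builds:
    - name: builder
      variant: dev
      packages:
        - python3
        - py3-pip
        - build-base
  # Single HTTPS package source for the runtime image.
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
  # Runtime packages: the interpreter and the CA bundle for TLS verification.
  packages:
    - python3
    - ca-certificates

# Dedicated non-root group and user; run-as selects that user for the process.
accounts:
  groups:
    - gid: 65532
      name: python
  users:
    - uid: 65532
      gid: 65532
      name: python
  run-as: python

work-dir: /app

paths:
  # /app is owned by the runtime account, so the running process can modify
  # its own application directory. If the application never writes there,
  # root ownership is the tighter setting.
  - path: /app
    type: directory
    uid: 65532
    gid: 65532
    # NOTE(review): an unquoted 0755 is parser-dependent: octal (493) under
    # YAML 1.1 rules, decimal 755 under strict YAML 1.2. Confirm how the
    # build frontend reads it; quote it if the schema takes a string.
    permissions: 0755

environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  # Quoted so the values stay strings rather than integers.
  PYTHONUNBUFFERED: "1"
  PYTHONDONTWRITEBYTECODE: "1"

# app.py is a relative path, so it resolves against work-dir (/app).
entrypoint:
  - /usr/bin/python3
  - app.py

annotations:
  org.opencontainers.image.title: "hardened-python"
  org.opencontainers.image.description: "Secure Python 3 application execution layer"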