- Shell 88.8%
- Dockerfile 8.9%
- Python 2.3%
| .dockerignore | ||
| .gitignore | ||
| Dockerfile | ||
| main.py | ||
| README.md | ||
| requirements.in | ||
| requirements.txt | ||
| run.sh | ||
Dependencies
- do not create a .venv on the host and do not install dependencies on the host.
- to add a dependency:
-
Add direct dependencies to
requirements.in. -
Regenerate
requirements.txtwith pinned versions and hashes:./run.sh lock -
Review the diff before running the code.
-
Build with
./run.sh build.
Note: ./run.sh lock uses a disposable Python container with network access.
lock mounts requirements.in (read-only), writes the generated lock file through a temporary output directory. The resolver currently uses pinned pip-tools==7.5.3 (PIP_TOOLS_VERSION).
Source files
By default, run.sh uses a read-only project mount with no internet access.
You can use ./run.sh net ... for operations that require outbound internet.
You can use ./run.sh shell to have get the project's file system mounted as writable inside the container (still offline).
Running
./run.sh # build and run python main.py
./run.sh -m mymod # build and run python -m mymod
./run.sh cmd pytest # run a command
./run.sh shell # open a development shell
./run.sh net python main.py #run something with internet access
./run.sh lock # regenerate requirements.txt
./run.sh build
Note: the image uses:
python -m pip install --require-hashes --only-binary :all: -r requirements.txt
That means every runtime dependency must be pinned with == and include hashes.
It also means source distributions are rejected by default.
Editor Setup
A host .venv is optional and is not part of the default safety workflow. Use
one only if your editor needs a local interpreter for language features, and
avoid installing project dependencies into it unless you have intentionally
accepted that host-side trust boundary (a.k.a. you really know it's safe).