No description
  • Shell 88.8%
  • Dockerfile 8.9%
  • Python 2.3%
Find a file
2026-07-03 19:25:49 +02:00
.dockerignore feat: tiny program in sandbox 2026-07-03 18:57:36 +02:00
.gitignore feat: tiny program in sandbox 2026-07-03 18:57:36 +02:00
Dockerfile feat: tiny program in sandbox 2026-07-03 18:57:36 +02:00
main.py feat: tiny program in sandbox 2026-07-03 18:57:36 +02:00
README.md feat: tiny program in sandbox 2026-07-03 18:57:36 +02:00
requirements.in remove the test packagfe 2026-07-03 19:25:49 +02:00
requirements.txt remove the test packagfe 2026-07-03 19:25:49 +02:00
run.sh fix: mounts on macOS 2026-07-03 19:25:19 +02:00

Dependencies

  • do not create a .venv on the host and do not install dependencies on the host.
  • to add a dependency:
  1. Add direct dependencies to requirements.in.

  2. Regenerate requirements.txt with pinned versions and hashes:

    ./run.sh lock
    
  3. Review the diff before running the code.

  4. Build with ./run.sh build.

Note: ./run.sh lock uses a disposable Python container with network access.

lock mounts requirements.in (read-only), writes the generated lock file through a temporary output directory. The resolver currently uses pinned pip-tools==7.5.3 (PIP_TOOLS_VERSION).

Source files

By default, run.sh uses a read-only project mount with no internet access.

You can use ./run.sh net ... for operations that require outbound internet.

You can use ./run.sh shell to have get the project's file system mounted as writable inside the container (still offline).

Running

./run.sh                 # build and run python main.py
./run.sh -m mymod        # build and run python -m mymod
./run.sh cmd pytest      # run a command
./run.sh shell           # open a development shell
./run.sh net python main.py #run something with internet access
./run.sh lock            # regenerate requirements.txt
./run.sh build

Note: the image uses:

python -m pip install --require-hashes --only-binary :all: -r requirements.txt

That means every runtime dependency must be pinned with == and include hashes. It also means source distributions are rejected by default.

Editor Setup

A host .venv is optional and is not part of the default safety workflow. Use one only if your editor needs a local interpreter for language features, and avoid installing project dependencies into it unless you have intentionally accepted that host-side trust boundary (a.k.a. you really know it's safe).