Merge pull request #778 from atlanhq/APP-9140

 APP-10279 | Publish pyatlan with chainguard golden image for each release

Author: Aryamanz29

.github/workflows/pyatlan-chainguard.yaml

@@ -73,9 +73,7 @@ jobs:
             BUILD_TYPE="release"
             PYTHON_VERSION="3.13"
             PYATLAN_VERSION=$(cat pyatlan/version.txt)
-            PYATLAN_BRANCH=""
-            INSTALL_FROM_GIT="false"
-            echo "Release trigger detected - using latest versions"
+            echo "Release trigger detected - building from git tag v${PYATLAN_VERSION}"
           else
             # Manual dispatch: use provided inputs with defaults
             BUILD_TYPE="${{ github.event.inputs.build_type }}"
@@ -86,58 +84,60 @@ jobs:
             else
               PYTHON_VERSION="${{ github.event.inputs.python_version }}"
             fi
-
-            # Check if branch is provided (overrides version)
-            if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
-              PYATLAN_BRANCH="${{ github.event.inputs.pyatlan_branch }}"
-              PYATLAN_VERSION="branch-${PYATLAN_BRANCH}"
-              INSTALL_FROM_GIT="true"
-              echo "Using pyatlan branch: $PYATLAN_BRANCH"
+            
+            # Set Pyatlan version (reads from pyatlan/version.txt by default)
+            # This matches the version in the repository
+            if [ -z "${{ github.event.inputs.pyatlan_version }}" ]; then
+              PYATLAN_VERSION=$(cat pyatlan/version.txt)
+              echo "Using pyatlan version from version.txt: $PYATLAN_VERSION"
             else
-              # Set Pyatlan version (default to version.txt if empty)
-              if [ -z "${{ github.event.inputs.pyatlan_version }}" ]; then
-                PYATLAN_VERSION=$(cat pyatlan/version.txt)
-                echo "Using pyatlan version from version.txt: $PYATLAN_VERSION"
-              else
-                PYATLAN_VERSION="${{ github.event.inputs.pyatlan_version }}"
-                echo "Using specified pyatlan version: $PYATLAN_VERSION"
-              fi
-              PYATLAN_BRANCH=""
-              INSTALL_FROM_GIT="false"
+              PYATLAN_VERSION="${{ github.event.inputs.pyatlan_version }}"
+              echo "Using specified pyatlan version: $PYATLAN_VERSION"
+            fi
+            
+            # Handle branch input (if provided, will be used as commit SHA or branch name)
+            if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
+              echo "Note: Building from branch/commit: ${{ github.event.inputs.pyatlan_branch }}"
+              echo "This will use PYATLAN_COMMIT_SHA build arg"
             fi
           fi
 
           echo "BUILD_TYPE=$BUILD_TYPE" >> $GITHUB_ENV
           echo "PYTHON_VERSION=$PYTHON_VERSION" >> $GITHUB_ENV
           echo "PYATLAN_VERSION=$PYATLAN_VERSION" >> $GITHUB_ENV
-          echo "PYATLAN_BRANCH=$PYATLAN_BRANCH" >> $GITHUB_ENV
-          echo "INSTALL_FROM_GIT=$INSTALL_FROM_GIT" >> $GITHUB_ENV
-
+          
           # Set platforms based on build type
           if [ "$BUILD_TYPE" = "dev" ]; then
             PLATFORMS="linux/amd64"
           else
             PLATFORMS="linux/amd64,linux/arm64"
           fi
           echo "PLATFORMS=$PLATFORMS" >> $GITHUB_ENV
-
-          # Generate commit hash for dev builds
+          
+          # Generate commit hash for dev builds (for image tagging only)
           COMMIT_HASH=$(git rev-parse --short HEAD)
           echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
-
+          
+          # Set PYATLAN_COMMIT_SHA only if pyatlan_branch input is provided
+          # Otherwise, leave empty to let Dockerfile use version tag
+          if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
+            echo "PYATLAN_COMMIT_SHA=${{ github.event.inputs.pyatlan_branch }}" >> $GITHUB_ENV
+          else
+            echo "PYATLAN_COMMIT_SHA=" >> $GITHUB_ENV
+          fi
+          
           echo "Build parameters:"
           echo "  - Trigger: ${{ github.event_name }}"
           echo "  - Build Type: $BUILD_TYPE"
           echo "  - Python Version: $PYTHON_VERSION"
-          echo "  - Pyatlan Version: $PYATLAN_VERSION"
-          if [ "$INSTALL_FROM_GIT" = "true" ]; then
-            echo "  - Pyatlan Branch: $PYATLAN_BRANCH"
-            echo "  - Install Method: Git (development build)"
+          if [ -n "${{ github.event.inputs.pyatlan_branch }}" ]; then
+            echo "  - Pyatlan Source: git commit/branch ${{ github.event.inputs.pyatlan_branch }}"
           else
-            echo "  - Install Method: PyPI (stable release)"
+            echo "  - Pyatlan Source: git tag v${PYATLAN_VERSION}"
           fi
+          echo "  - Build Method: Multi-stage build from GitHub source"
           echo "  - Platforms: $PLATFORMS"
-          echo "  - Commit Hash: $COMMIT_HASH"
+          echo "  - Image Tag Suffix: $COMMIT_HASH"
 
       - name: Generate image tags
         id: generate-tags
@@ -159,22 +159,6 @@ jobs:
 
           echo "Generated image tag: ghcr.io/atlanhq/pyatlan-chainguard-base:$IMAGE_TAG"
 
-      - name: Wait for PyPI availability
-        if: env.INSTALL_FROM_GIT == 'false' && (github.event.inputs.pyatlan_version != '' || github.event_name == 'release')
-        uses: nick-fields/retry@v3
-        with:
-          max_attempts: 5
-          timeout_minutes: 3
-          command: |
-            echo "Checking if pyatlan==${{ env.PYATLAN_VERSION }} is available on PyPI..."
-            if pip index versions pyatlan | grep -q "${{ env.PYATLAN_VERSION }}"; then
-              echo "Package is available on PyPI!"
-              exit 0
-            else
-              echo "Package not available yet. Retrying..."
-              exit 1
-            fi
-
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
@@ -187,8 +171,7 @@ jobs:
           build-args: |
             PYTHON_VERSION=${{ env.PYTHON_VERSION }}
             PYATLAN_VERSION=${{ env.PYATLAN_VERSION }}
-            PYATLAN_BRANCH=${{ env.PYATLAN_BRANCH }}
-            INSTALL_FROM_GIT=${{ env.INSTALL_FROM_GIT }}
+            PYATLAN_COMMIT_SHA=${{ env.PYATLAN_COMMIT_SHA }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -197,20 +180,20 @@ jobs:
           echo "## 🐳 Chainguard Docker Image Built Successfully!" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Image Details:" >> $GITHUB_STEP_SUMMARY
-          echo "- **Base Image:** Chainguard" >> $GITHUB_STEP_SUMMARY
+          echo "- **Base Image:** Chainguard pyatlan-golden:3.11" >> $GITHUB_STEP_SUMMARY
           echo "- **Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Build Type:** ${{ env.BUILD_TYPE }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Build Method:** Multi-stage from GitHub source (no PyPI)" >> $GITHUB_STEP_SUMMARY
           echo "- **Python Version:** ${{ env.PYTHON_VERSION }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Pyatlan Version:** ${{ env.PYATLAN_VERSION }}" >> $GITHUB_STEP_SUMMARY
-          if [ "${{ env.INSTALL_FROM_GIT }}" = "true" ]; then
-            echo "- **Pyatlan Branch:** ${{ env.PYATLAN_BRANCH }}" >> $GITHUB_STEP_SUMMARY
-            echo "- **Install Method:** Git (development build)" >> $GITHUB_STEP_SUMMARY
+          if [ -n "${{ env.PYATLAN_COMMIT_SHA }}" ]; then
+            echo "- **Pyatlan Source:** Git commit/branch ${{ env.PYATLAN_COMMIT_SHA }}" >> $GITHUB_STEP_SUMMARY
           else
-            echo "- **Install Method:** PyPI (stable release)" >> $GITHUB_STEP_SUMMARY
+            echo "- **Pyatlan Source:** Git tag v${{ env.PYATLAN_VERSION }}" >> $GITHUB_STEP_SUMMARY
           fi
+          echo "- **Dependencies:** Hardened from Chainguard APK + minimal pip" >> $GITHUB_STEP_SUMMARY
           echo "- **Platforms:** ${{ env.PLATFORMS }}" >> $GITHUB_STEP_SUMMARY
           if [ "${{ env.BUILD_TYPE }}" = "dev" ]; then
-            echo "- **Commit Hash:** ${{ env.COMMIT_HASH }}" >> $GITHUB_STEP_SUMMARY
+            echo "- **Image Tag Suffix:** ${{ env.COMMIT_HASH }}" >> $GITHUB_STEP_SUMMARY
           fi
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Available Tag:" >> $GITHUB_STEP_SUMMARY

Dockerfile.chainguard

@@ -1,38 +1,166 @@
-FROM cgr.dev/atlan.com/python:3.11
+# ============================================
+# Stage 1: Builder - Clone pyatlan from GitHub
+# ============================================
+FROM cgr.dev/atlan.com/pyatlan-golden:3.11 AS builder
 
-# Build arguments for configurable versions
-ARG PYTHON_VERSION=3.11
+# Build arguments
+# PYATLAN_VERSION should be passed via --build-arg
+# Default to "latest" if not specified (workflow reads from version.txt)
 ARG PYATLAN_VERSION=latest
-ARG PYATLAN_BRANCH=""
-ARG INSTALL_FROM_GIT=false
+ARG PYATLAN_COMMIT_SHA=""
 
-WORKDIR /app
+USER root
+WORKDIR /tmp/build
+
+# Install git and build tools
+RUN apk add --no-cache git py3.11-build
 
-# Install pyatlan - either from PyPI or git branch
-RUN --mount=type=cache,target=/root/.cache/uv \
-    if [ "$INSTALL_FROM_GIT" = "true" ]; then \
-        echo "Installing pyatlan from git branch: $PYATLAN_BRANCH"; \
-        uv pip install --system "git+https://github.com/atlanhq/atlan-python.git@$PYATLAN_BRANCH"; \
+# Clone pyatlan from GitHub
+RUN echo "=== Cloning pyatlan from GitHub ===" && \
+    git clone https://github.com/atlanhq/atlan-python.git /tmp/build/atlan-python
+
+# Checkout specific version or commit
+RUN cd /tmp/build/atlan-python && \
+    if [ -n "$PYATLAN_COMMIT_SHA" ]; then \
+        echo "Checking out commit: $PYATLAN_COMMIT_SHA" && \
+        git checkout "$PYATLAN_COMMIT_SHA"; \
     elif [ "$PYATLAN_VERSION" = "latest" ]; then \
-        echo "Installing latest pyatlan from PyPI"; \
-        uv pip install --system pyatlan; \
+        echo "Using latest from main branch"; \
     else \
-        echo "Installing pyatlan==$PYATLAN_VERSION from PyPI"; \
-        uv pip install --system pyatlan==$PYATLAN_VERSION; \
-    fi
-
-# Add build information as labels
-RUN if [ "$INSTALL_FROM_GIT" = "true" ]; then \
-        echo "LABEL pyatlan.source=git" >> /tmp/labels && \
-        echo "LABEL pyatlan.branch=$PYATLAN_BRANCH" >> /tmp/labels; \
+        echo "Checking out version: v$PYATLAN_VERSION" && \
+        (git checkout "v$PYATLAN_VERSION" || git checkout "$PYATLAN_VERSION"); \
+    fi && \
+    echo "Commit: $(git rev-parse HEAD)" && \
+    echo "Version: $(cat pyatlan/version.txt)" && \
+    # Build wheel in builder stage (smaller than copying full source)
+    python3 -m build --wheel --outdir /tmp/wheels . && \
+    # Preserve version.txt before removing source
+    cp pyatlan/version.txt /tmp/version.txt && \
+    # Remove everything except the wheel and version.txt
+    cd /tmp && \
+    rm -rf /tmp/build/atlan-python && \
+    echo "Built wheel: $(ls -lh /tmp/wheels/*.whl)" && \
+    echo "Preserved version: $(cat /tmp/version.txt)"
+
+# ============================================
+# Stage 2: Final - Runtime image
+# ============================================
+FROM cgr.dev/atlan.com/pyatlan-golden:3.11
+
+# Build arguments for labels
+ARG PYTHON_VERSION=3.11
+ARG PYATLAN_COMMIT_SHA=""
+
+# Copy version.txt from builder and set PYATLAN_VERSION if not provided
+COPY --from=builder /tmp/version.txt /tmp/version.txt
+ARG PYATLAN_VERSION
+RUN echo "=== Debug: Version setup ===" && \
+    echo "Build arg PYATLAN_VERSION: '$PYATLAN_VERSION'" && \
+    echo "Contents of version.txt: '$(cat /tmp/version.txt)'" && \
+    if [ -z "$PYATLAN_VERSION" ]; then \
+        PYATLAN_VERSION=$(cat /tmp/version.txt | tr -d '\n\r'); \
+        echo "Using version from file: $PYATLAN_VERSION"; \
     else \
-        echo "LABEL pyatlan.source=pypi" >> /tmp/labels && \
-        echo "LABEL pyatlan.version=$PYATLAN_VERSION" >> /tmp/labels; \
+        echo "Using build arg version: $PYATLAN_VERSION"; \
     fi && \
-    echo "LABEL python.version=$PYTHON_VERSION" >> /tmp/labels
+    echo "Final PYATLAN_VERSION: $PYATLAN_VERSION" && \
+    echo "$PYATLAN_VERSION" > /tmp/final_version.txt && \
+    echo "Contents of final_version.txt: '$(cat /tmp/final_version.txt)'"
+
+USER root
+WORKDIR /app
+
+# Set UV environment variables
+ENV UV_NO_MANAGED_PYTHON=true \
+    UV_SYSTEM_PYTHON=true
+
+# Install pyatlan dependencies from Chainguard APK (hardened packages)
+RUN apk add --no-cache \
+    py3.11-pydantic=2.12.5-r0 \
+    py3.11-jinja2=3.1.6-r1 \
+    py3.11-tenacity=9.1.2-r2 \
+    py3.11-pytz=2025.2-r2 \
+    py3.11-python-dateutil=2.9.0-r10 \
+    py3.11-pyyaml=6.0.3-r0 \
+    py3.11-httpx=0.28.1-r2
+
+# Copy only the wheel from builder (much smaller than full source)
+COPY --from=builder /tmp/wheels/*.whl /tmp/
+
+# Install dependencies + pyatlan wheel + cleanup in ONE layer
+RUN uv pip install --system --no-cache \
+        lazy-loader~=0.4 \
+        nanoid~=2.0.0 \
+        authlib~=1.6.0 \
+        httpx-retries~=0.4.0 && \
+    # Install pyatlan wheel with --no-deps
+    uv pip install --system --no-cache --no-deps /tmp/*.whl && \
+    # Cleanup everything EXCEPT version files (needed for verification)
+    cd / && rm -rf /tmp/*.whl /root/.cache ~/.cache && \
+    find /usr/lib/python3.11 -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null || true && \
+    find /usr/lib/python3.11 -type f -name '*.pyc' -delete 2>/dev/null || true
+
+# Verify installation and version
+RUN echo "=== Debug: Checking version files ===" && \
+    ls -la /tmp/ && \
+    echo "Contents of final_version.txt:" && \
+    cat /tmp/final_version.txt && \
+    echo "=== Starting verification ===" && \
+    EXPECTED_VERSION="$(cat /tmp/final_version.txt)" python3 <<'EOF'
+import sys
+import os
+
+expected_version = os.environ.get("EXPECTED_VERSION", "unknown")
+print("=== Pyatlan Installation Verification ===")
+print(f"Expected version from env: {expected_version}")
+
+try:
+    import pyatlan
+    print(f"✅ PyAtlan imported successfully")
+    print(f"Installed version: {pyatlan.__version__}")
+    
+    # Try importing AtlanClient
+    from pyatlan.client.atlan import AtlanClient
+    print(f"✅ AtlanClient imported successfully")
+    
+    # Version validation (skip if 'latest' was requested)
+    if expected_version != "latest" and expected_version != "unknown":
+        if pyatlan.__version__ != expected_version:
+            print(f"❌ ERROR: Version mismatch!")
+            print(f"   Expected: {expected_version}")
+            print(f"   Got: {pyatlan.__version__}")
+            sys.exit(1)
+        else:
+            print("✅ Version verified")
+    else:
+        print("✅ Version validation skipped (latest or unknown)")
+        
+    print("=== Build verification passed ===")
+    
+except ImportError as e:
+    print(f"❌ Import error: {e}")
+    sys.exit(1)
+except Exception as e:
+    print(f"❌ Unexpected error: {e}")
+    sys.exit(1)
+EOF
+
+# Final cleanup of temporary version files
+RUN rm -rf /tmp/version.txt /tmp/final_version.txt
+
+# Add build metadata as labels
+LABEL python.version="${PYTHON_VERSION}"
+LABEL pyatlan.commit_sha="${PYATLAN_COMMIT_SHA}"
+# Note: pyatlan.version label should be set by passing --build-arg PYATLAN_VERSION=$(cat pyatlan/version.txt) during build
+LABEL build.method="git-multistage"
+LABEL build.source="github"
+LABEL security.approach="apk-first-no-pypi"
+
+# Switch to nonroot user for runtime security
+USER nonroot
 
-# Default working directory for applications
+# Default working directory
 WORKDIR /app
 
-# Default command (can be overridden by extending images)
+# Default command
 CMD ["python"]