use pipx to isolate python packages

2023-12-14 10:53:43 +01:00 · 2023-12-14 10:53:43 +01:00 · 2803889dcd
parent 4900fddb67
commit 2803889dcd
3 changed files with 12 additions and 4 deletions
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@ -24,7 +24,6 @@ steps:
      TRIVY_NO_PROGRESS: "true"
      TRIVY_SEVERITY: HIGH,CRITICAL
      TRIVY_TIMEOUT: 1m
-      TRIVY_SKIP_FILES: /usr/local/bin/gomplate

  publish-dockerhub:
    group: container
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@ -33,7 +33,10 @@ ENV YAMLLINT_VERSION="${YAMLLINT_VERSION:-1.33.0}"
 # renovate: datasource=github-releases depName=yannh/kubeconform
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.4}"

-RUN apk --update add --no-cache python3 py3-pip curl make tar git bash && \
+ENV PIPX_HOME=/opt/pipx
+ENV PIPX_BIN_DIR=/usr/local/bin
+
+RUN apk --update add --no-cache python3 pipx curl make tar git bash && \
    apk --no-cache upgrade libcrypto3 libssl3 && \
    curl -SsfL -o /usr/local/bin/gomplate "https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS}-${TARGETARCH}${TARGETVARIANT}" && \
    curl -SsfL -o /usr/local/bin/url-parser "https://github.com/thegeeklab/url-parser/releases/download/${URL_PARSER_VERSION}/url-parser-${TARGETOS}-${TARGETARCH}${TARGETVARIANT//v/-}" && \
@ -45,9 +48,11 @@ RUN apk --update add --no-cache python3 py3-pip curl make tar git bash && \
        "prettier@$PRETTIER_VERSION" \
        "spellchecker-cli@$SPELLCHECKER_VERSION" \
        "js-beautify@$JSBEAUTIFY_VERSION" && \
-    pip install -qq --no-cache-dir yamllint=="$YAMLLINT_VERSION" && \
+    pipx install --include-deps yamllint=="$YAMLLINT_VERSION" && \
+    $PIPX_HOME/shared/bin/pip install -U pip setuptools && \
    rm -rf /var/cache/apk/* && \
-    rm -rf /tmp/*
+    rm -rf /tmp/* && \
+    rm -rf /root/.cache/

 ADD overlay/ /

--- a/trivy.yaml
+++ b/trivy.yaml
@ -0,0 +1,4 @@
+---
+scan:
+  skip-files:
+    - /usr/local/bin/gomplate