DevOps on Man-Youhttps://man-you.ringum.net/categories/devops/Recent content in DevOps on Man-YouHugo -- gohugo.ioen-usThu, 19 Feb 2026 10:00:00 +0200Multi-arch Docker builds in GitHub Actionshttps://man-you.ringum.net/posts/multi-arch-docker/Thu, 19 Feb 2026 10:00:00 +0200https://man-you.ringum.net/posts/multi-arch-docker/<p>We needed ARM64 containers. Our Python services run on mixed infrastructure: amd64 in CI and some production clusters, arm64 on newer nodes. Building on one arch and emulating the other with QEMU was painfully slow and broke native extensions. So we added proper multi-arch builds to our GitHub Actions CI.</p> <p>It took a week to get right. Then five more fixes over two weeks as each failure mode revealed itself in production. This is what went wrong and how we fixed it.</p> <h2 id="the-setup">The setup</h2> <p>We use reusable workflows in a shared <code>Woosmap/.github</code> repo. Individual service repos call these. A <code>build-helper</code> repo (checked out at runtime) contains the actual logic as a single Node.js action that routes to TypeScript modules based on an <code>action</code> input:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/main.ts</figcaption> <div class="highlight" title="build-helper/src/main.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="k">switch</span> <span class="p">(</span><span class="nx">action</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;build&#39;</span><span class="o">:</span> <span class="k">await</span> <span class="nx">build</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;publish&#39;</span><span class="o">:</span> <span class="k">await</span> <span class="nx">publish</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;release&#39;</span><span class="o">:</span> <span class="k">await</span> <span class="nx">release</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;create_manifest&#39;</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">createManifest</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;create_release_manifest&#39;</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">createReleaseManifests</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The multi-arch matrix is generated dynamically in the workflow:</p> <figure class="code-block-figure"> <figcaption>.github/workflows/sonar_python_bender_build.yml</figcaption> <div class="highlight" title=".github/workflows/sonar_python_bender_build.yml"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">strategy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matrix</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">include</span><span class="p">:</span><span class="w"> </span><span class="l">${{ fromJson(inputs.multi_arch &amp;&amp;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;[{&#34;runner&#34;:&#34;ubuntu-24.04&#34;,&#34;arch&#34;:&#34;amd64&#34;}, </span></span></span><span class="line"><span class="cl"><span class="s1"> {&#34;runner&#34;:&#34;ubuntu-24.04-arm&#34;,&#34;arch&#34;:&#34;arm64&#34;}]&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">|| &#39;[{&#34;runner&#34;:&#34;ubuntu-24.04&#34;,&#34;arch&#34;:&#34;amd64&#34;}]&#39;) }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">${{ matrix.runner }}</span></span></span></code></pre></div> </figure> <p>When <code>multi_arch</code> is true, two jobs run in parallel on native runners. No QEMU. An <code>ARCH_SUFFIX</code> environment variable (<code>-amd64</code> or <code>-arm64</code>) drives platform selection downstream:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/build.ts</figcaption> <div class="highlight" title="build-helper/src/build.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kd">function</span> <span class="nx">getPlatformForArch</span><span class="p">()</span><span class="o">:</span> <span class="kt">string</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">archSuffix</span> <span class="o">=</span> <span class="nx">getArchSuffix</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">archSuffix</span> <span class="o">===</span> <span class="s1">&#39;-arm64&#39;</span> <span class="o">?</span> <span class="s1">&#39;linux/arm64&#39;</span> <span class="o">:</span> <span class="s1">&#39;linux/amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>ARM64 jobs skip tests, coverage, and SonarCloud. Only amd64 does those. Build + push only for arm64.</p> <h2 id="problem-1-buildx-attestations">Problem 1: buildx attestations</h2> <p>Buildx 0.10+ defaults to pushing attestation manifests (SBOM, provenance) alongside your image. When you <code>docker push myimage:tag</code>, it doesn&rsquo;t push a plain image, it pushes a <strong>manifest list</strong> containing the image plus attestation layers.</p> <p>This is fine if you just pull and run. But we need to stitch arch-specific images into a multi-arch manifest:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker manifest create myimage:pr_10 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --amend myimage:sha-amd64 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --amend myimage:sha-arm64</span></span></code></pre></div> </figure> <p><code>docker manifest create</code> expects plain images as sources, not manifest lists. When <code>sha-amd64</code> is itself a manifest list (because of attestations), the stitching fails.</p> <p>The fix: disable attestations with <code>BUILDX_NO_DEFAULT_ATTESTATIONS=1</code>.</p> <p>Our first attempt was conditional:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Broken: empty string &#34;&#34; fails strconv.ParseBool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">BUILDX_NO_DEFAULT_ATTESTATIONS</span><span class="p">:</span><span class="w"> </span><span class="l">${{ inputs.multi_arch &amp;&amp; &#39;1&#39; || &#39;&#39; }}</span></span></span></code></pre></div> </figure> <p>When <code>multi_arch</code> is false, this evaluates to <code>&quot;&quot;</code>. Buildx tries to parse it as a boolean via Go&rsquo;s <code>strconv.ParseBool</code>, which fails on empty string. This broke <strong>every non-multi-arch build</strong> across the organization.</p> <p>The fix was trivial, always set it to <code>1</code>:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">BUILDX_NO_DEFAULT_ATTESTATIONS</span><span class="p">:</span><span class="w"> </span><span class="m">1</span></span></span></code></pre></div> </figure> <p>Attestations aren&rsquo;t needed regardless of arch mode. An env var being set to empty is different from not being set at all: a subtle but organization-wide footgun.</p> <h2 id="problem-2-pr-number-resolution">Problem 2: PR number resolution</h2> <p>Each arch job publishes its image with a tag. We need a consistent tag so the manifest step can find both. The original design used <code>pr_X-amd64</code> / <code>pr_X-arm64</code>, where the PR number came from an API call:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/utils.ts (before)</figcaption> <div class="highlight" title="build-helper/src/utils.ts (before)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">get_pr</span><span class="p">()</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">number</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span><span class="nx">data</span>: <span class="kt">commit_prs</span><span class="p">}</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">oktokit</span><span class="p">.</span><span class="nx">rest</span><span class="p">.</span><span class="nx">repos</span><span class="p">.</span><span class="nx">listPullRequestsAssociatedWithCommit</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">owner</span>: <span class="kt">repo</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">repo</span>: <span class="kt">repo</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="nx">commit_sha</span>: <span class="kt">sha</span> </span></span><span class="line"><span class="cl"> <span class="p">})</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">commit_prs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">===</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="s1">&#39;Commit has no PR&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">commit_prs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="kt">number</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The <code>listPullRequestsAssociatedWithCommit</code> API sometimes returned empty results: race conditions, merge commits, event timing. When it failed, <code>get_publish_tag()</code> silently fell back to the raw SHA:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/utils.ts (silent fallback)</figcaption> <div class="highlight" title="build-helper/src/utils.ts (silent fallback)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">get_publish_tag</span><span class="p">()</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="sb">`pr_</span><span class="si">${</span><span class="k">await</span> <span class="nx">get_pr</span><span class="p">()</span><span class="si">}</span><span class="sb">`</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s1">&#39;GITHUB_SHA&#39;</span><span class="p">]</span> <span class="o">||</span> <span class="s1">&#39;&#39;</span> <span class="c1">// No warning! </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The amd64 job would tag as <code>pr_42-amd64</code> (API succeeded), the arm64 job as <code>abc123def</code> (API failed). The manifest step looked for <code>pr_42-arm64</code>, which didn&rsquo;t exist.</p> <p>Two fixes:</p> <p><strong>Read PR number from the event payload</strong>, always available, zero API calls:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/utils.ts (after)</figcaption> <div class="highlight" title="build-helper/src/utils.ts (after)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">get_pr</span><span class="p">()</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">number</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">con</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Context</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">con</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">pull_request</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">con</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">pull_request</span><span class="p">.</span><span class="kt">number</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="c1">// Fallback for push events only </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span><span class="nx">data</span>: <span class="kt">commit_prs</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">oktokit</span><span class="p">.</span><span class="nx">rest</span><span class="p">.</span><span class="nx">repos</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">listPullRequestsAssociatedWithCommit</span><span class="p">({...})</span> </span></span><span class="line"><span class="cl"> <span class="c1">// ... </span></span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p><strong>Use commit SHA for arch-suffixed images</strong>, the SHA is always the same across parallel jobs:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/publish.ts</figcaption> <div class="highlight" title="build-helper/src/publish.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">docker</span><span class="p">(</span><span class="nx">image</span>: <span class="kt">string</span><span class="p">,</span> <span class="nx">name</span>: <span class="kt">string</span><span class="p">)</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">void</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">archSuffix</span> <span class="o">=</span> <span class="nx">getArchSuffix</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">sha</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s1">&#39;GITHUB_SHA&#39;</span><span class="p">]</span> <span class="o">||</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">tag</span> <span class="o">=</span> <span class="nx">archSuffix</span> <span class="o">?</span> <span class="sb">`</span><span class="si">${</span><span class="nx">sha</span><span class="si">}${</span><span class="nx">archSuffix</span><span class="si">}</span><span class="sb">`</span> <span class="o">:</span> <span class="k">await</span> <span class="nx">get_publish_tag</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="c1">// ... </span></span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The manifest step bridges them:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/manifest.ts</figcaption> <div class="highlight" title="build-helper/src/manifest.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">manifestTag</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">get_publish_tag</span><span class="p">()</span> <span class="c1">// &#34;pr_X&#34; </span></span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">sha</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s1">&#39;GITHUB_SHA&#39;</span><span class="p">]</span> <span class="o">||</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">archTags</span> <span class="o">=</span> <span class="nx">ARCHITECTURES</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">arch</span> <span class="o">=&gt;</span> <span class="sb">`</span><span class="si">${</span><span class="nx">sha</span><span class="si">}</span><span class="sb">-</span><span class="si">${</span><span class="nx">arch</span><span class="si">}</span><span class="sb">`</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">manifestTag</span><span class="p">,</span> <span class="nx">archTags</span><span class="p">)</span></span></span></code></pre></div> </figure> <p>So the flow is: <code>{sha}-amd64</code> + <code>{sha}-arm64</code> → manifest <code>pr_X</code>. No API race, no silent fallback.</p> <h2 id="problem-3-deploy-ordering">Problem 3: deploy ordering</h2> <p>The Leela admin service deploys on every PR build. It was wired inline in the build job:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">matrix.arch == &#39;amd64&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">./helper/.github/actions/deploy</span></span></span></code></pre></div> </figure> <p>Problem: in multi-arch mode, the deploy step ran before the manifest existed. It tried to pull <code>pr_X</code>, which only gets created in a separate <code>create_manifest</code> job that depends on both arch builds completing.</p> <p>The fix adds a separate downstream job for multi-arch deploys:</p> <figure class="code-block-figure"> <figcaption>.github/workflows/sonar_python_bender_build.yml</figcaption> <div class="highlight" title=".github/workflows/sonar_python_bender_build.yml"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Inline deploy only for single-arch</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">matrix.arch == &#39;amd64&#39; &amp;&amp; !inputs.multi_arch</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">./helper/.github/actions/deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Multi-arch: deploy after manifest is ready</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">pr_deploy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">inputs.multi_arch</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="l">create_manifest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-24.04</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">./helper/.github/actions/deploy</span></span></span></code></pre></div> </figure> <p>Same pattern for the release workflow: deploy only after <code>create_release_manifest</code> completes.</p> <h2 id="problem-4-release-version-calculation">Problem 4: release version calculation</h2> <p>The <code>createReleaseManifests</code> function creates the multi-arch manifest for release tags. It originally called <code>get_split_version_tag()</code> to determine the version:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/release.ts (before)</figcaption> <div class="highlight" title="build-helper/src/release.ts (before)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">tag</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">get_split_version_tag</span><span class="p">()</span> <span class="c1">// Fetches latest release, bumps version </span></span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">version</span> <span class="o">=</span> <span class="sb">`</span><span class="si">${</span><span class="nx">tag</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="sb">.</span><span class="si">${</span><span class="nx">tag</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="si">}</span><span class="sb">.</span><span class="si">${</span><span class="nx">tag</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span><span class="si">}</span><span class="sb">`</span></span></span></code></pre></div> </figure> <p><code>get_split_version_tag()</code> fetches the latest GitHub release and bumps the version based on PR labels. But <code>createReleaseManifests</code> runs <strong>after</strong> the release jobs complete. The release already happened. So <code>get_latest_tag()</code> now returns <code>v5.5.3</code> (the new release), and bumping it gives <code>v5.5.4</code>, which doesn&rsquo;t exist as a tag.</p> <p>The fix: just use <code>get_latest_tag()</code> directly.</p> <figure class="code-block-figure"> <figcaption>build-helper/src/release.ts (after)</figcaption> <div class="highlight" title="build-helper/src/release.ts (after)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">version</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">get_latest_tag</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">version</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="s1">&#39;.&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">archTags</span> <span class="o">=</span> <span class="nx">ARCHITECTURES</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">arch</span> <span class="o">=&gt;</span> <span class="sb">`</span><span class="si">${</span><span class="nx">version</span><span class="si">}</span><span class="sb">-</span><span class="si">${</span><span class="nx">arch</span><span class="si">}</span><span class="sb">`</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">version</span><span class="p">,</span> <span class="nx">archTags</span><span class="p">)</span> <span class="c1">// v1.2.3 </span></span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="sb">`</span><span class="si">${</span><span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="sb">.</span><span class="si">${</span><span class="nx">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="si">}</span><span class="sb">`</span><span class="p">,</span> <span class="nx">archTags</span><span class="p">)</span> <span class="c1">// v1.2 </span></span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">archTags</span><span class="p">)</span> <span class="c1">// v1 </span></span></span></code></pre></div> </figure> <p>Three manifest tags per release. Semver consumers can pin to major, minor, or patch.</p> <h2 id="the-full-tagging-flow">The full tagging flow</h2> <p>After all the fixes, the image lifecycle looks like this:</p> <figure class="code-block-figure"> <pre tabindex="0"><code>PR Build: {sha}-amd64, {sha}-arm64 → manifest: pr_X Release (per-arch): pull pr_X (Docker resolves correct arch) push v1.2.3-amd64, v1.2.3-arm64 Release Manifests: v1.2.3-amd64 + v1.2.3-arm64 → manifests: v1.2.3, v1.2, v1</code></pre> </figure> <p>Only the amd64 job creates the GitHub release to avoid duplicates:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/release.ts</figcaption> <div class="highlight" title="build-helper/src/release.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">archSuffix</span> <span class="o">||</span> <span class="nx">archSuffix</span> <span class="o">===</span> <span class="s1">&#39;-amd64&#39;</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">create_release</span><span class="p">(</span><span class="nx">version</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">core</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="sb">`Skipping GitHub release creation on </span><span class="si">${</span><span class="nx">archSuffix</span><span class="si">}</span><span class="sb"> build`</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <h2 id="timeline">Timeline</h2> <ol> <li><strong>Feb 4</strong>: Initial multi-arch support. Matrix strategy, arch suffix, manifest creation.</li> <li><strong>Feb 5</strong>: Deploy ordering fix. Leela deploying before manifests existed.</li> <li><strong>Feb 16</strong>: Same fix for the release/merge workflow.</li> <li><strong>Feb 17</strong>: <code>BUILDX_NO_DEFAULT_ATTESTATIONS</code> to fix attestation-poisoned manifests.</li> <li><strong>Feb 18</strong>: SHA-based arch tagging + PR number from event payload.</li> <li><strong>Feb 19</strong>: <code>BUILDX_NO_DEFAULT_ATTESTATIONS</code> empty string crash fix.</li> <li><strong>Feb 19</strong>: <code>get_latest_tag()</code> instead of <code>get_split_version_tag()</code> in release manifests.</li> </ol> <p>Five fixes in two weeks after the initial rollout. Each one discovered in production by a different failure mode.</p> <h2 id="what-id-do-differently">What I&rsquo;d do differently</h2> <p><strong>Test the non-multi-arch path.</strong> The empty string <code>strconv.ParseBool</code> crash only affected repos that hadn&rsquo;t opted into multi-arch. We tested the new feature, not the old path.</p> <p><strong>Use SHA tags from the start.</strong> The PR-number-based approach was elegant but fragile. The SHA is always consistent across parallel jobs, no API calls, no race conditions.</p> <p><strong>Make the manifest step a required downstream job.</strong> The deploy-before-manifest problem was obvious in retrospect. Any step that depends on a multi-arch manifest should be in a job that <code>needs:</code> the manifest creation job. No exceptions, no &ldquo;it works for single-arch&rdquo; shortcuts.</p> <p>Docker&rsquo;s multi-arch story is good once it works. Getting there from a single-arch CI that evolved organically over years is where the pain lives. Every assumption about &ldquo;one build produces one image&rdquo; breaks in interesting ways.</p>Migrating Python containers to Wolfi and uvhttps://man-you.ringum.net/posts/wolfi-uv/Tue, 10 Feb 2026 09:00:00 +0200https://man-you.ringum.net/posts/wolfi-uv/<p>Our Python services ran on <code>ubuntu:24.04</code> with pip-installed dependencies. It worked, but the images carried hundreds of packages we never used, Trivy scans were noisy with OS-level CVEs, and builds were slower than they needed to be. Over a couple of months we migrated to Chainguard&rsquo;s Wolfi base image and uv for dependency management. This is how it went for the maps service, the one that renders static map tiles with a C++/Python hybrid stack.</p> <h2 id="cleaning-up-dependency-management-with-uv">Cleaning up dependency management with uv</h2> <p>Before touching the base image, we sorted out the dependency mess. The maps service had drifted. <code>pyproject.toml</code> declared one set of versions, <code>uv.lock</code> referenced another, and a private package (<code>maparazzo</code>) was pinned to a version that didn&rsquo;t exist on the registry anymore.</p> <p>The first PR synced the lock file with reality and bumped <code>maparazzo</code> to a published version. The second one removed version constraints from <code>pyproject.toml</code> entirely, keeping only the lock file as the source of truth:</p> <figure class="code-block-figure"> <figcaption>pyproject.toml (before)</figcaption> <div class="highlight" title="pyproject.toml (before)"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="nx">dependencies</span> <span class="p">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;application_kit[fastapi]&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;fastapi&gt;=0.115.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;maparazzo==0.4.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;aiosqlite&gt;=0.20.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;valkey-glide==2.2.5&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;sniffio&gt;=1.3.1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="c"># Dev tools</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;types-redis&gt;=4.6.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;coverage[toml]&gt;=7.6.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;pytest&gt;=8.3.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;pytest-asyncio&gt;=0.24.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;pytest-cov&gt;=6.0.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;respx&gt;=0.22.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ruff&gt;=0.8.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mypy&gt;=1.14.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="p">]</span></span></span></code></pre></div> </figure> <figure class="code-block-figure"> <figcaption>pyproject.toml (after)</figcaption> <div class="highlight" title="pyproject.toml (after)"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="nx">dependencies</span> <span class="p">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;application_kit[fastapi]&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;maparazzo==2.0.0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;aiosqlite&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;valkey-glide==2.2.5&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;sniffio&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">dependency-groups</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">dev</span> <span class="p">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;types-redis&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;coverage[toml]&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;pytest&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;pytest-asyncio&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;pytest-cov&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;respx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ruff&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mypy&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="p">]</span></span></span></code></pre></div> </figure> <p>Two changes happened here. First, lower bounds like <code>&gt;=0.115.0</code> were dropped: the lock file already pins exact versions, so the constraints in <code>pyproject.toml</code> were just noise that could silently go stale. Second, dev tools moved to a proper <code>[dependency-groups]</code> section. This matters for the multi-stage build that comes next: <code>uv sync --no-dev</code> now skips pytest, ruff, mypy, and the rest. Previously they all shipped in the production image.</p> <p>Running <code>uv lock --upgrade</code> after removing the constraints updated 23 packages in under 3 seconds. That&rsquo;s the part of uv that makes the biggest day-to-day difference: resolving a 60-package graph is nearly instant.</p> <h2 id="the-ubuntu-dockerfile">The Ubuntu Dockerfile</h2> <p>Here&rsquo;s what we had before:</p> <figure class="code-block-figure"> <figcaption>Dockerfile (Ubuntu-based)</figcaption> <div class="highlight" title="Dockerfile (Ubuntu-based)"><pre tabindex="0" class="chroma"><code class="language-Dockerfile" data-lang="Dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">ubuntu:24.04</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">base</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_COMPILE_BYTECODE</span><span class="o">=</span><span class="m">1</span> <span class="nv">UV_LINK_MODE</span><span class="o">=</span>copy </span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_PYTHON_INSTALL_DIR</span><span class="o">=</span>/python<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_PYTHON_PREFERENCE</span><span class="o">=</span>only-managed<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>ghcr.io/astral-sh/uv:latest /uv /uvx /bin/<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> uv python install 3.12<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/usr/src/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_PROJECT_ENVIRONMENT</span><span class="o">=</span>/usr/src/venv<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>cache,target<span class="o">=</span>/root/.cache/uv <span class="se">\ </span></span></span><span class="line"><span class="cl"> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>bind,source<span class="o">=</span>uv.lock,target<span class="o">=</span>uv.lock <span class="se">\ </span></span></span><span class="line"><span class="cl"> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>bind,source<span class="o">=</span>pyproject.toml,target<span class="o">=</span>pyproject.toml <span class="se">\ </span></span></span><span class="line"><span class="cl"> uv sync --frozen --no-install-project --no-dev<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ADD</span> . /usr/src/app<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>cache,target<span class="o">=</span>/root/.cache/uv <span class="se">\ </span></span></span><span class="line"><span class="cl"> uv sync --frozen --no-dev<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">ubuntu:24.04</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ARG</span> <span class="nv">DEBIAN_FRONTEND</span><span class="o">=</span><span class="s2">&#34;noninteractive&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">PACKAGES</span><span class="o">=</span><span class="s2">&#34;ca-certificates libopengl0 libegl1 curl&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> apt-get update <span class="o">&amp;&amp;</span> apt-get install --no-install-recommends -y <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="si">${</span><span class="nv">PACKAGES</span><span class="si">}</span> <span class="o">&amp;&amp;</span> apt-get clean <span class="o">&amp;&amp;</span> apt-get autoclean <span class="o">&amp;&amp;</span> apt-get autoremove <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> rm -rf /var/lib/apt/lists/*<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>base --chown<span class="o">=</span>python:python /python /python<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>base --chown<span class="o">=</span>app:app /usr/src/venv /usr/src/venv<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>base --chown<span class="o">=</span>app:app /usr/src/app /usr/src/app<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/usr/src/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">PATH</span><span class="o">=</span><span class="s2">&#34;/usr/src/venv/bin:</span><span class="nv">$PATH</span><span class="s2">&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> python ./minify_styles.py<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">EXPOSE</span><span class="w"> </span><span class="s">8000</span></span></span></code></pre></div> </figure> <p>This was already using uv and multi-stage builds, which was good. But the production stage started from a fresh <code>ubuntu:24.04</code>, which pulls in <code>apt</code>, <code>dpkg</code>, <code>systemd</code> fragments, locales, and hundreds of other packages that a Python web service never touches. The <code>apt-get update &amp;&amp; apt-get install</code> dance also meant the image wasn&rsquo;t reproducible: two builds a week apart could get different package versions.</p> <p>The <code>COPY --from=ghcr.io/astral-sh/uv:latest</code> was another problem. <code>latest</code> means the uv version changes silently. If a new uv release changes lock file behavior or introduces a bug, your CI breaks with no obvious diff.</p> <h2 id="switching-to-wolfi">Switching to Wolfi</h2> <p>Wolfi is a Linux distribution built specifically for containers. No package manager bloat, no shell login infrastructure, minimal base. Chainguard maintains it and publishes daily CVE-patched images.</p> <p>The new Dockerfile:</p> <figure class="code-block-figure"> <figcaption>Dockerfile (Wolfi-based)</figcaption> <div class="highlight" title="Dockerfile (Wolfi-based)"><pre tabindex="0" class="chroma"><code class="language-Dockerfile" data-lang="Dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">cgr.dev/chainguard/wolfi-base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">base</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> apk add --no-cache <span class="se">\ </span></span></span><span class="line"><span class="cl"> mesa-egl <span class="se">\ </span></span></span><span class="line"><span class="cl"> mesa-gl <span class="se">\ </span></span></span><span class="line"><span class="cl"> mesa-gbm <span class="se">\ </span></span></span><span class="line"><span class="cl"> libgcc <span class="se">\ </span></span></span><span class="line"><span class="cl"> libstdc++ <span class="se">\ </span></span></span><span class="line"><span class="cl"> bash <span class="se">\ </span></span></span><span class="line"><span class="cl"> ca-certificates-bundle<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_COMPILE_BYTECODE</span><span class="o">=</span><span class="m">1</span> <span class="nv">UV_LINK_MODE</span><span class="o">=</span>copy </span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_PYTHON_INSTALL_DIR</span><span class="o">=</span>/python<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_PYTHON_PREFERENCE</span><span class="o">=</span>only-managed<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>ghcr.io/astral-sh/uv:0.9.18 /uv /uvx /bin/<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> uv python install 3.12<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/usr/src/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">UV_PROJECT_ENVIRONMENT</span><span class="o">=</span>/usr/src/venv<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>cache,target<span class="o">=</span>/root/.cache/uv,id<span class="o">=</span>uv-base <span class="se">\ </span></span></span><span class="line"><span class="cl"> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>bind,source<span class="o">=</span>uv.lock,target<span class="o">=</span>uv.lock <span class="se">\ </span></span></span><span class="line"><span class="cl"> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>bind,source<span class="o">=</span>pyproject.toml,target<span class="o">=</span>pyproject.toml <span class="se">\ </span></span></span><span class="line"><span class="cl"> uv sync --frozen --no-install-project --no-dev<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> . /usr/src/app<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>cache,target<span class="o">=</span>/root/.cache/uv,id<span class="o">=</span>uv-base <span class="se">\ </span></span></span><span class="line"><span class="cl"> uv sync --frozen --no-dev<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> /usr/src/venv/bin/python ./minify_styles.py<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> --mount<span class="o">=</span><span class="nv">type</span><span class="o">=</span>cache,target<span class="o">=</span>/root/.cache/uv,id<span class="o">=</span>uv-build <span class="se">\ </span></span></span><span class="line"><span class="cl"> uv sync --frozen<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">PATH</span><span class="o">=</span><span class="s2">&#34;/usr/src/venv/bin:</span><span class="nv">$PATH</span><span class="s2">&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">RUFF_CACHE_DIR</span><span class="o">=</span>/tmp/.ruff_cache<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">MYPY_CACHE_DIR</span><span class="o">=</span>/tmp/.mypy_cache<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">COVERAGE_FILE</span><span class="o">=</span>/tmp/.coverage<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">base</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">prod</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">PATH</span><span class="o">=</span><span class="s2">&#34;/usr/src/venv/bin:</span><span class="nv">$PATH</span><span class="s2">&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">PYTHONUNBUFFERED</span><span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">65532</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">EXPOSE</span><span class="w"> </span><span class="s">8000</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">HEALTHCHECK</span> --interval<span class="o">=</span>30s --timeout<span class="o">=</span>3s --start-period<span class="o">=</span>5s --retries<span class="o">=</span><span class="m">3</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> CMD <span class="o">[</span><span class="s2">&#34;/usr/src/app/healthcheck.sh&#34;</span><span class="o">]</span></span></span></code></pre></div> </figure> <p>A few things to unpack.</p> <h3 id="three-stages-instead-of-two">Three stages instead of two</h3> <p>The old Dockerfile had <code>base</code> (build everything) and a final production stage that copied artifacts. The new one has three:</p> <table> <thead> <tr> <th>Stage</th> <th>Purpose</th> <th>Packages</th> </tr> </thead> <tbody> <tr> <td><code>base</code></td> <td>Install runtime deps, sync production packages</td> <td>Runtime only</td> </tr> <tr> <td><code>build</code></td> <td>Extends base, adds dev deps for testing in CI</td> <td>Runtime + dev</td> </tr> <tr> <td><code>prod</code></td> <td>Extends base, sets non-root user and healthcheck</td> <td>Runtime only</td> </tr> </tbody> </table> <p>The <code>build</code> stage is what CI uses to run pytest, ruff, and mypy. The <code>prod</code> stage is what ships. Both extend <code>base</code>, so there&rsquo;s no duplication of the dependency installation step.</p> <p>The <code>build</code> stage redirects tool caches to <code>/tmp</code> because the app directory is read-only for the non-root user:</p> <figure class="code-block-figure"> <figcaption>Tool cache redirection for CI</figcaption> <div class="highlight" title="Tool cache redirection for CI"><pre tabindex="0" class="chroma"><code class="language-Dockerfile" data-lang="Dockerfile"><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">RUFF_CACHE_DIR</span><span class="o">=</span>/tmp/.ruff_cache<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">MYPY_CACHE_DIR</span><span class="o">=</span>/tmp/.mypy_cache<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">COVERAGE_FILE</span><span class="o">=</span>/tmp/.coverage</span></span></code></pre></div> </figure> <h3 id="pinned-uv-version">Pinned uv version</h3> <p><code>uv:latest</code> became <code>uv:0.9.18</code>. One line, but it eliminates an entire class of &ldquo;works on my machine&rdquo; issues. When we want to upgrade uv, we do it explicitly in a PR.</p> <h3 id="non-root-production">Non-root production</h3> <p>The <code>prod</code> stage runs as UID 65532, matching the convention from distroless images. The <code>base</code> stage still runs as root (needed for <code>apk add</code> and <code>uv python install</code>), but the production image drops privileges before the entrypoint.</p> <h3 id="minification-at-build-time">Minification at build time</h3> <p>The old Dockerfile ran <code>python ./minify_styles.py</code> in the production stage at container startup (well, at build time of the final stage, but from a fresh Ubuntu). The new one runs it in the <code>base</code> stage right after syncing dependencies. This means the minified assets are baked in and shared by both <code>build</code> and <code>prod</code>.</p> <h3 id="build-cache-isolation">Build cache isolation</h3> <p>The <code>--mount=type=cache</code> directives got <code>id=uv-base</code> and <code>id=uv-build</code> suffixes. Without these, Docker can share cache mounts between stages that run concurrently in BuildKit, which causes lock contention.</p> <h2 id="the-s5cmd-surprise">The s5cmd surprise</h2> <p>After deploying the Wolfi image, the tile generation job broke. It ran a shell script that downloaded <code>s5cmd</code> (an S3-compatible file transfer tool) at runtime:</p> <figure class="code-block-figure"> <figcaption>tile.sh (runtime download, broken)</figcaption> <div class="highlight" title="tile.sh (runtime download, broken)"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">if</span> ! <span class="o">[</span> -x <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">command</span> -v s5cmd<span class="k">)</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> curl -L <span class="se">\ </span></span></span><span class="line"><span class="cl"> https://github.com/peak/s5cmd/releases/download/v2.2.2/s5cmd_2.2.2_Linux-64bit.tar.gz <span class="se">\ </span></span></span><span class="line"><span class="cl"> &gt; s5cmd.tar.gz </span></span><span class="line"><span class="cl"> tar -xzvf ./s5cmd.tar.gz --directory /usr/local/bin/ </span></span><span class="line"><span class="cl"> rm ./s5cmd.tar.gz </span></span><span class="line"><span class="cl"><span class="k">fi</span></span></span></code></pre></div> </figure> <p>Two problems. First, <code>curl</code> wasn&rsquo;t in the image anymore; we&rsquo;d removed it during the Wolfi migration because the application code doesn&rsquo;t need it. Second, even if <code>curl</code> was there, extracting to <code>/usr/local/bin/</code> would fail because the container runs as non-root.</p> <p>The fix was one line in the Dockerfile and deleting the download script:</p> <figure class="code-block-figure"> <figcaption>Installing s5cmd via apk</figcaption> <div class="highlight" title="Installing s5cmd via apk"><pre tabindex="0" class="chroma"><code class="language-Dockerfile" data-lang="Dockerfile"><span class="line"><span class="cl"><span class="k">RUN</span> apk add --no-cache <span class="se">\ </span></span></span><span class="line"><span class="cl"> mesa-egl <span class="se">\ </span></span></span><span class="line"><span class="cl"> mesa-gl <span class="se">\ </span></span></span><span class="line"><span class="cl"> mesa-gbm <span class="se">\ </span></span></span><span class="line"><span class="cl"> libgcc <span class="se">\ </span></span></span><span class="line"><span class="cl"> libstdc++ <span class="se">\ </span></span></span><span class="line"><span class="cl"> bash <span class="se">\ </span></span></span><span class="line"><span class="cl"> s5cmd <span class="se">\ </span></span></span><span class="line"><span class="cl"> ca-certificates-bundle</span></span></code></pre></div> </figure> <p>Wolfi has <code>s5cmd</code> v2.3.0 in its package repository, newer than the v2.2.2 being downloaded. Installing it at build time is faster, more reliable, and gets security updates through the normal <code>apk</code> channel.</p> <p>This is the kind of thing that falls out of a migration like this. Runtime downloads of binaries are a pattern that works on fat base images but breaks the moment you tighten things up. And they should break. Downloading unsigned tarballs into a running container is a supply chain risk hiding in plain sight.</p> <h2 id="scan-results">Scan results</h2> <p>After the migration, Trivy against the production image:</p> <table> <thead> <tr> <th>Severity</th> <th>Before (Ubuntu)</th> <th>After (Wolfi)</th> </tr> </thead> <tbody> <tr> <td>CRITICAL</td> <td>0</td> <td>0</td> </tr> <tr> <td>HIGH</td> <td>3</td> <td>0</td> </tr> <tr> <td>MEDIUM</td> <td>12</td> <td>0</td> </tr> <tr> <td>LOW</td> <td>27</td> <td>0</td> </tr> </tbody> </table> <p>The Ubuntu image had 42 findings, all in OS packages we never used. The Wolfi image has zero because it only contains packages we explicitly installed. The Python dependency layer had 2 findings in both cases (a starlette version that needed bumping), but the OS layer went from noisy to clean.</p> <p>Dockle (Dockerfile best-practices linter) reports one false positive: it flags <code>settings.py</code> as a potential credential file because of the filename. Suppressed with <code>dockle -af settings.py</code>.</p> <h2 id="what-made-it-work">What made it work</h2> <p>A few things that helped this go smoothly:</p> <p><strong>uv&rsquo;s dependency groups.</strong> Separating dev tools from runtime dependencies in <code>pyproject.toml</code> is what makes <code>--no-dev</code> actually useful. Before, pytest and ruff shipped in production because they were in the same flat dependency list.</p> <p><strong>Wolfi&rsquo;s package repository.</strong> Having <code>s5cmd</code>, Mesa GL libraries, and a recent <code>bash</code> available via <code>apk</code> meant we didn&rsquo;t need to maintain custom installation scripts. The packages are rebuilt daily with CVE patches.</p> <p><strong>The three-stage pattern.</strong> <code>base</code> splitting into <code>build</code> and <code>prod</code> is now our standard for Python services. CI targets <code>build</code>, production targets <code>prod</code>, and both share the same dependency installation.</p> <p><strong>Pinning uv.</strong> Sounds trivial but it removed a real source of non-determinism. <code>uv:latest</code> in a Dockerfile is the same antipattern as <code>pip install package</code> without a version: it works until it doesn&rsquo;t, and you won&rsquo;t know why.</p>