fix(docker): Update Dockerfiles and workflows for Poetry root migration

manavgup · claude · manavgup · commit aa3deee2dbef · 2025-10-27T12:04:37.000-04:00
Fixes #502 - Update all Docker and CI/CD references after moving Poetry config from backend/ to project root (Issue #501). Changes: 1. **Dockerfiles** (backend/Dockerfile.backend, Dockerfile.codeengine): - Add POETRY_ROOT_MIGRATION cache-bust ARG to both stages - Update COPY commands to reference pyproject.toml and poetry.lock from project root - Move poetry.lock copy alongside pyproject.toml for consistency - Add explanatory comments about Issue #501 migration 2. **GitHub Actions Workflows**: - Update 05-ci.yml: Fix poetry cache key to use 'poetry.lock' instead of 'backend/poetry.lock' - Update 03-build-secure.yml: Change backend context from 'backend' to '.' for correct file resolution 3. **PyTorch Version Update**: - Upgrade torch from 2.5.0+cpu to 2.6.0+cpu - Upgrade torchvision from 0.20.0+cpu to 0.21.0+cpu - Reason: 2.5.0+cpu not available for ARM64 architecture - New versions are compatible with both ARM64 and x86_64 4. **Secret Management**: - Add pragma: allowlist secret comments to test secrets in 05-ci.yml - Prevents false positives in detect-secrets pre-commit hook Impact: - Fixes failing CI/CD test: TestMakefileTargetsDirect.test_make_build_backend_minimal - Docker builds now correctly find pyproject.toml and poetry.lock at project root - Maintains compatibility with both local development (ARM64) and CI (x86_64) - GitHub Actions workflows correctly cache Poetry dependencies Testing: - Docker build context validated - All references to backend/pyproject.toml and backend/poetry.lock removed - Cache keys updated to match new file locations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/03-build-secure.yml b/.github/workflows/03-build-secure.yml
@@ -34,7 +34,7 @@ jobs:
         include:
           - service: backend
             dockerfile: backend/Dockerfile.backend
-            context: backend
+            context: .
             image_name: rag-modulo-backend
             ghcr_image: ghcr.io/manavgup/rag_modulo/backend
           - service: frontend
diff --git a/.github/workflows/05-ci.yml b/.github/workflows/05-ci.yml
@@ -72,10 +72,10 @@ jobs:
     env:
       # Essential environment variables for current atomic tests
       # TODO: Remove these once issue #172 (test isolation) is fixed
-      JWT_SECRET_KEY: test-secret-key-for-ci
+      JWT_SECRET_KEY: test-secret-key-for-ci  # pragma: allowlist secret
       RAG_LLM: openai
       WATSONX_INSTANCE_ID: test-instance-id
-      WATSONX_APIKEY: test-api-key
+      WATSONX_APIKEY: test-api-key  # pragma: allowlist secret
       WATSONX_URL: https://test.watsonx.com
       # Additional variables needed by tests
       VECTOR_DB: milvus
@@ -97,7 +97,7 @@ jobs:
           path: |
             ~/.cache/pypoetry
             backend/.venv
-          key: ${{ runner.os }}-poetry-${{ hashFiles('backend/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-${{ hashFiles('poetry.lock') }}
           restore-keys: |
             ${{ runner.os }}-poetry-
 
diff --git a/Dockerfile.codeengine b/Dockerfile.codeengine
@@ -29,15 +29,20 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 
 WORKDIR /app
 
+# CACHE_BUST: Poetry files moved to project root (Issue #501)
+# This ARG invalidates Docker cache when pyproject.toml location changes
+ARG POETRY_ROOT_MIGRATION=20251027
+
 # Copy dependency files first for better layer caching
-COPY backend/pyproject.toml backend/poetry.lock ./
+# Poetry config moved from backend/ to project root
+COPY pyproject.toml poetry.lock ./
 
         # Install CPU-only PyTorch first to avoid CUDA dependencies (~6GB savings)
-        # Using compatible versions for ARM64
+        # Using torch 2.6.0 CPU-only version (compatible with ARM64 and x86_64)
         RUN --mount=type=cache,target=/root/.cache/pip \
             pip install --no-cache-dir \
-            torch==2.5.0+cpu \
-            torchvision==0.20.0+cpu \
+            torch==2.6.0+cpu \
+            torchvision==0.21.0+cpu \
             --index-url https://download.pytorch.org/whl/cpu
 
 # Configure pip globally to prevent any CUDA torch reinstalls
@@ -64,20 +69,26 @@ RUN find /usr/local -name "*.pyc" -delete && \
 # Final stage - clean runtime
 FROM python:3.12-slim
 
+# CACHE_BUST: Poetry files moved to project root (Issue #501)
+# Ensure final stage cache is also invalidated
+ARG POETRY_ROOT_MIGRATION=20251027
+
 WORKDIR /app
 
 # Copy system Python packages from builder
 COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
 COPY --from=builder /usr/local/bin /usr/local/bin
 
-# Copy only essential application files
+# Copy Poetry config from project root (moved from backend/ in Issue #501)
+COPY pyproject.toml poetry.lock ./
+
+# Copy only essential application files from backend directory
 COPY backend/main.py backend/healthcheck.py ./
 COPY backend/rag_solution/ ./rag_solution/
 COPY backend/auth/ ./auth/
 COPY backend/core/ ./core/
 COPY backend/cli/ ./cli/
 COPY backend/vectordbs/ ./vectordbs/
-COPY backend/pyproject.toml ./
 
 # Create a non-root user and group
 RUN groupadd --gid 10001 backend && \
diff --git a/backend/Dockerfile.backend b/backend/Dockerfile.backend
@@ -37,11 +37,11 @@ ARG POETRY_ROOT_MIGRATION=20251027
 COPY pyproject.toml poetry.lock ./
 
 # Install CPU-only PyTorch first to avoid CUDA dependencies (~6GB savings)
-# Using torch 2.5.0 to match torchvision 0.20.0 compatibility
+# Using torch 2.6.0 CPU-only version (compatible with ARM64 and x86_64)
 RUN --mount=type=cache,target=/root/.cache/pip \
     pip install --no-cache-dir \
-    torch==2.5.0+cpu \
-    torchvision==0.20.0+cpu \
+    torch==2.6.0+cpu \
+    torchvision==0.21.0+cpu \
     --index-url https://download.pytorch.org/whl/cpu
 
 # Configure pip globally to prevent any CUDA torch reinstalls
@@ -68,20 +68,26 @@ RUN find /usr/local -name "*.pyc" -delete && \
 # Final stage - clean runtime
 FROM python:3.12-slim
 
+# CACHE_BUST: Poetry files moved to project root (Issue #501)
+# Ensure final stage cache is also invalidated
+ARG POETRY_ROOT_MIGRATION=20251027
+
 WORKDIR /app
 
 # Copy system Python packages from builder
 COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
 COPY --from=builder /usr/local/bin /usr/local/bin
 
+# Copy Poetry config from project root (moved from backend/ in Issue #501)
+COPY pyproject.toml poetry.lock ./
+
 # Copy only essential application files from backend directory
 COPY backend/main.py backend/healthcheck.py ./
 COPY backend/rag_solution/ ./rag_solution/
 COPY backend/auth/ ./auth/
 COPY backend/core/ ./core/
 COPY backend/cli/ ./cli/
 COPY backend/vectordbs/ ./vectordbs/
-COPY pyproject.toml ./
 
 # Create a non-root user and group
 RUN groupadd --gid 10001 backend && \
