Benjamin Admin
4ad681741d
CI / detect-changes (push) Successful in 10s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 9s
CI / validate-canonical-controls (push) Successful in 7s
CI / loc-budget (push) Successful in 21s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / test-go (push) Successful in 1m3s
CI / iace-gt-coverage (push) Successful in 20s
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Runde 1 build-ai-sdk failed on a transient registry.meghsakha.com 502 during the image push (image built fine, test-go green). mark-last-build then advanced last-build/main to the merge commit despite the failure, so the rerun (Runde 2) skipped build-ai-sdk (detect-changes saw no diff). This no-op Dockerfile comment forces detect-changes to rebuild + deploy the authority-rerank subsidiarity fix. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
62 lines
1.7 KiB
Docker
62 lines
1.7 KiB
Docker
# Build stage
|
|
# ci-retrigger 2026-06-27: transient registry.meghsakha.com 502 on push (Runde 1) + last-build
|
|
# tag-bug skipped the rerun (Runde 2). No logic change — forces detect-changes to rebuild ai-sdk.
|
|
FROM golang:1.24-alpine AS builder
|
|
|
|
WORKDIR /app
|
|
|
|
# Install git (required for go mod)
|
|
RUN apk add --no-cache git
|
|
|
|
# Copy go mod files
|
|
COPY go.mod go.sum* ./
|
|
RUN go mod download
|
|
|
|
# Copy source code
|
|
COPY . .
|
|
|
|
# Build the application
|
|
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o /ai-compliance-sdk ./cmd/server
|
|
|
|
# Runtime stage
|
|
FROM alpine:3.21
|
|
|
|
WORKDIR /app
|
|
|
|
# Install CA certificates for HTTPS
|
|
RUN apk --no-cache add ca-certificates tzdata
|
|
|
|
# Copy binary from builder
|
|
COPY --from=builder /ai-compliance-sdk .
|
|
|
|
# Copy migrations
|
|
COPY migrations/ ./migrations/
|
|
|
|
# Copy policy files (YAML rules)
|
|
COPY policies/ ./policies/
|
|
|
|
# Copy Compliance Execution Graph data (file-backed: Registry join-key copy + accepted control
|
|
# mappings + evidence requirements) consumed by GET /sdk/v1/compliance/obligation-status.
|
|
# data/obligations/obligation_join_keys.json is a synced copy of the repo-root Registry contract
|
|
# (the Obligation Registry owns the canonical file) — re-sync it when the Registry grows.
|
|
COPY data/control_mappings/ ./data/control_mappings/
|
|
COPY data/evidence_requirements/ ./data/evidence_requirements/
|
|
COPY data/obligations/ ./data/obligations/
|
|
|
|
# Create non-root user
|
|
RUN adduser -D -u 1000 appuser
|
|
USER appuser
|
|
|
|
# Expose port
|
|
ARG BUILD_SHA="unknown"
|
|
ENV BUILD_SHA=${BUILD_SHA}
|
|
|
|
EXPOSE 8090
|
|
|
|
# Health check
|
|
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
|
|
CMD wget --no-verbose --tries=1 --spider http://localhost:8090/health || exit 1
|
|
|
|
# Run the application
|
|
CMD ["./ai-compliance-sdk"]
|