molecule-ai/molecule-ai-workspace-template-langgraph
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1d05d1fc66
molecule-ai-workspace-templ.../Dockerfile
Hongming Wang b44b1c4444
Some checks failed
CI / validate (push) Failing after 0s
Details
Secret scan / secret-scan (push) Failing after 0s
Details
fix(Dockerfile): upgrade pip+setuptools+wheel to clear 3 fixable HIGH CVEs 
The python:3.11-slim base ships old transitives Trivy correctly flags
as fixable HIGH:
- jaraco.context 5.3.0 → 6.1.0 (CVE-2026-23949 path traversal)
- wheel 0.45.1 → 0.46.2 (CVE-2026-24049 wheel install RCE)
- (one more truncated in the gate's log table)

Bumping pip+setuptools+wheel before requirements install upgrades these
metadata packages so the gate passes. molecule-ci#38 Phase-1.

Why this matters now: today's a2a-sdk strict-mode fix (commit e1628c4
in molecule-core) shipped to PyPI 0.1.94 (11:13). Without an image
rebuild the langgraph workspace template stays on the broken runtime
and the synthetic E2E (#2566, priority-high, failing 36+h) keeps red.
The cascade fix (molecule-core#2575) restored the dispatch path; this
unblocks the actual rebuild.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 05:53:32 -07:00

36 lines
1.3 KiB
Docker
Raw Blame History

FROM python:3.11-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
curl gosu ca-certificates \
&& rm -rf /var/lib/apt/lists/*
RUN useradd -u 1000 -m -s /bin/bash agent
WORKDIR /app
# RUNTIME_VERSION is forwarded from molecule-ci's reusable publish
# workflow as a docker build-arg. Cascade-triggered builds set it to
# the exact runtime version PyPI just published. Including it as an
# ARG changes the cache key for the pip install layer below — the
# fix for the cascade cache trap that bit us 5x on 2026-04-27.
ARG RUNTIME_VERSION=
# Bump pip + setuptools + wheel BEFORE installing project deps —
# the python:3.11-slim base ships old transitives (jaraco.context 5.3.0,
# wheel 0.45.1, setuptools 65.x) that Trivy flags as fixable HIGH CVEs.
# Bumping here resolves them at the metadata layer; subsequent pip
# installs use the upgraded resolvers. molecule-ci#38 Phase-1.
RUN pip install --no-cache-dir --upgrade pip setuptools wheel
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt && \
if [ -n "${RUNTIME_VERSION}" ]; then \
pip install --no-cache-dir --upgrade "molecule-ai-workspace-runtime==${RUNTIME_VERSION}"; \
fi
COPY adapter.py .
COPY __init__.py .
ENV ADAPTER_MODULE=adapter
ENTRYPOINT ["molecule-runtime"]
Reference in New Issue View Git Blame Copy Permalink