Attempt to improve image build space use

Author: abrookins

.github/workflows/publish-docker.yml

@@ -62,6 +62,18 @@ jobs:
             type=raw,value=latest,enable=${{ github.event.inputs.push_latest }}
             type=sha,prefix={{branch}}-
 
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          # Effectively free up ~30GB of space
+          tool-cache: true
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:

Dockerfile

@@ -1,66 +1,94 @@
-FROM python:3.12-slim
+# STAGE 1: Builder
+# We use a separate stage to compile dependencies and build artifacts.
+# This allows us to discard build tools and caches in the final image.
+FROM python:3.12-slim AS builder
+
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
 
-# Set working directory
 WORKDIR /app
 
-# Install system dependencies including Docker CLI and Redis CLI
+# Set uv environment variables for optimization
+ENV UV_COMPILE_BYTECODE=1
+ENV UV_LINK_MODE=copy
+
+# Install system dependencies required ONLY for building/fetching (like git)
+# We don't need Docker CLI here unless your build script relies on it.
 RUN apt-get update && apt-get install -y \
     git \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install dependencies
+# 1. Copy only dependency files first to leverage Docker layer caching
+COPY pyproject.toml uv.lock ./
+
+# 2. Install dependencies using cache mount.
+# --mount=type=cache prevents the uv cache (~GBs) from being saved to the image layer,
+# directly solving your "ResourceExhausted" error.
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --frozen --no-dev --no-install-project
+
+# 3. Copy application code
+COPY . .
+
+# 4. Install the project itself and generate artifacts
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --frozen --no-dev && \
+    mkdir -p /app/artifacts && \
+    # Attempt to build artifacts, but don't fail build if it requires runtime services
+    (uv run --no-sync redis-sre-agent pipeline prepare-sources \
+        --source-dir /app/source_documents \
+        --prepare-only \
+        --artifacts-path /app/artifacts || \
+    echo "Warning: Could not prepare source documents at build time")
+
+
+# STAGE 2: Runtime
+# This is the final image. It will be much smaller.
+FROM python:3.12-slim
+
+WORKDIR /app
+
+# Install ONLY runtime system dependencies
+# We repeat the Docker/Redis install here because they are needed at runtime.
+RUN apt-get update && apt-get install -y \
     curl \
     ca-certificates \
+    redis-tools \
     gnupg \
     lsb-release \
-    redis-tools \
     && mkdir -p /etc/apt/keyrings \
     && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
     && apt-get update \
     && apt-get install -y docker-ce-cli \
-    && apt-get purge -y gnupg lsb-release git \
-    && apt-get autoremove -y \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-# Install uv
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
-
-# Copy dependency files and project metadata required at build time
-
-COPY pyproject.toml uv.lock ./
-COPY README.md ./
-
-# Install dependencies
-RUN uv sync --frozen --no-dev
-
-# Copy application code
-COPY . .
+# Copy the virtual environment from the builder stage
+COPY --from=builder /app/.venv /app/.venv
+COPY --from=builder /app/artifacts /app/artifacts
+COPY --from=builder /app /app
 
+# Add the virtual environment to PATH
+# This allows us to run "uvicorn" or "python" directly without "uv run"
+ENV PATH="/app/.venv/bin:$PATH"
 
-# Pre-build knowledge base artifacts for faster production startup
-# This prepares batch artifacts from source documents without requiring Redis at build time
-RUN mkdir -p /app/artifacts && \
-    uv run redis-sre-agent pipeline prepare-sources \
-        --source-dir /app/source_documents \
-        --prepare-only \
-        --artifacts-path /app/artifacts || \
-    echo "Warning: Could not prepare source documents at build time"
-
-# Copy and setup entrypoint script
+# Setup permissions
 COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh && \
+    useradd --create-home --shell /bin/bash app && \
+    groupadd -g 999 docker || true && \
+    usermod -aG docker app && \
+    chown -R app:app /app
 
-# Create non-root user and add to docker group
-RUN useradd --create-home --shell /bin/bash app \
-    && groupadd -g 999 docker || true \
-    && usermod -aG docker app \
-    && chown -R app:app /app
 USER app
 
-# Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:8000/api/v1/health || exit 1
 
-# Use entrypoint for initialization
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 
-# Default command (can be overridden)
-CMD ["uv", "run", "uvicorn", "redis_sre_agent.api.app:app", "--host", "0.0.0.0", "--port", "8000"]
+# Optimized CMD: Call uvicorn directly from the venv.
+# We don't need 'uv run' overhead in production.
+CMD ["uvicorn", "redis_sre_agent.api.app:app", "--host", "0.0.0.0", "--port", "8000"]

pyproject.toml

@@ -76,6 +76,7 @@ include = [
 ]
 
 [tool.uv]
+default-groups = []
 dev-dependencies = [
     "pytest>=7.0.0",
     "pytest-asyncio>=0.21.0",