From e268986f8782742593572bc264224c833eb1f9ac Mon Sep 17 00:00:00 2001
From: Kayos
Date: Wed, 29 Apr 2026 14:20:53 -0700
Subject: [PATCH] Dockerfile: cargo-audit/cargo-deny to /usr/local + mypy type stubs
Two recipe-shape gaps caught by the all-SDK lint+audit dogfood:
1. `cargo install --root /caches/cargo cargo-audit cargo-deny` lost its binaries at runtime because /caches/cargo is volume-shadowed by the host bind mount. Fix: install with `--root /usr/local` so the bins land in /usr/local/bin (root-owned, not volume-shadowed). Required USER root briefly to write to /usr/local; reverts to crafter after.
2. `mypy --strict` against any project that imports requests/PyYAML/ setuptools fails with "Library stubs not installed" exit 1 because pipx-installed mypy lives in its own venv and doesn't see the stubs. Fix: `pipx inject mypy types-requests types-PyYAML types-setuptools` so the stubs land in mypy's venv.
---
 Dockerfile | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b69b90e..68a0409 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -208,9 +208,15 @@ ENV PATH=/home/crafter/.local/bin:/caches/cargo/bin:/home/crafter/.bun/bin:$PATH
 # 14. Rust (rustup, stable) + cargo-audit + cargo-deny
 # ============================================================
 RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal --no-modify-path \
- && /caches/cargo/bin/rustup component add clippy rustfmt \
- && /caches/cargo/bin/cargo install cargo-audit --locked \
- && /caches/cargo/bin/cargo install cargo-deny --locked
+ && /caches/cargo/bin/rustup component add clippy rustfmt
+# Install cargo-audit + cargo-deny to /usr/local (root-owned, NOT volume-shadowed
+# at runtime). The /caches/cargo/bin/ dir IS volume-shadowed by the host bind
+# mount, so cargo install artifacts there disappear inside the live container.
+USER root
+RUN /home/crafter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo install \
+ --locked --root /usr/local cargo-audit cargo-deny \
+ && chmod 755 /usr/local/bin/cargo-audit /usr/local/bin/cargo-deny
+USER crafter
 # ============================================================
 # 15. Bun (curl install)
@@ -227,7 +233,12 @@ RUN python3 -m pip install --user --break-system-packages --no-cache-dir pipx \
 && pipx install mypy \
 && pipx install pytest \
 && pipx install pip-audit \
- && pipx install semgrep
+ && pipx install semgrep \
+ # mypy needs the third-party stub packages injected into its own pipx
+ # venv (mypy-isolated, not the system site-packages). Without these,
+ # `mypy --strict` against any project that imports requests/PyYAML/etc.
+ # fails with "Library stubs not installed for X" exit 1.
+ && pipx inject mypy types-requests types-PyYAML types-setuptools
 # ============================================================
 # Reset GOPATH to crafter-owned path BEFORE the go install runs as crafter.
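Review bot: The `cargo install` added under `USER root` takes whatever cargo-audit and cargo-deny releases are current at build time and compiles them, build scripts included, as root; `--locked` only fixes their transitive dependencies. Pinning the crates, e.g. `--locked --root /usr/local cargo-audit@<AUDIT_VERSION> cargo-deny@<DENY_VERSION>`, keeps the audit tooling reproducible, and the same applies to the unpinned `pipx inject mypy types-requests types-PyYAML types-setuptools` in the second hunk, whose `RUN` starts outside the hunk. The hard-coded `stable-x86_64-unknown-linux-gnu` toolchain path will not exist when the image is built for another architecture. The `ENV PATH` shown in the hunk header also lists `/caches/cargo/bin` ahead of the system directories, so a same-named binary in the bind-mounted cache would presumably still shadow the root-owned copy in `/usr/local/bin`; worth confirming.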