Dockerfile: cargo-audit/cargo-deny to /usr/local + mypy type stubs

Two recipe-shape gaps caught by the all-SDK lint+audit dogfood:

1. `cargo install --root /caches/cargo cargo-audit cargo-deny` lost its
   binaries at runtime because /caches/cargo is volume-shadowed by the
   host bind mount. Fix: install with `--root /usr/local` so the bins
   land in /usr/local/bin (root-owned, not volume-shadowed). Required
   USER root briefly to write to /usr/local; reverts to crafter after.

2. `mypy --strict` against any project that imports requests/PyYAML/
   setuptools fails with "Library stubs not installed" exit 1 because
   pipx-installed mypy lives in its own venv and doesn't see the
   stubs. Fix: `pipx inject mypy types-requests types-PyYAML
   types-setuptools` so the stubs land in mypy's venv.
Kayos 2026-04-29 14:20:53 -07:00
parent 510915d3ec
commit e268986f87


@ -208,9 +208,15 @@ ENV PATH=/home/crafter/.local/bin:/caches/cargo/bin:/home/crafter/.bun/bin:$PATH
# 14. Rust (rustup, stable) + cargo-audit + cargo-deny # 14. Rust (rustup, stable) + cargo-audit + cargo-deny
# ============================================================ # ============================================================
RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal --no-modify-path \ RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal --no-modify-path \
&& /caches/cargo/bin/rustup component add clippy rustfmt \ && /caches/cargo/bin/rustup component add clippy rustfmt
&& /caches/cargo/bin/cargo install cargo-audit --locked \ # Install cargo-audit + cargo-deny to /usr/local (root-owned, NOT volume-shadowed
&& /caches/cargo/bin/cargo install cargo-deny --locked # at runtime). The /caches/cargo/bin/ dir IS volume-shadowed by the host bind
# mount, so cargo install artifacts there disappear inside the live container.
USER root
RUN /home/crafter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo install \
--locked --root /usr/local cargo-audit cargo-deny \
&& chmod 755 /usr/local/bin/cargo-audit /usr/local/bin/cargo-deny
USER crafter
# ============================================================ # ============================================================
# 15. Bun (curl install) # 15. Bun (curl install)
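Review bot: the new root RUN hardcodes the target triple in `/home/crafter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo`, so the step fails outright on any non-x86_64 build of this image and drifts if rustup ever changes its toolchain layout. The only reason to bypass the `/caches/cargo/bin/cargo` proxy while running as root is that the rustup proxy would resolve RUSTUP_HOME/CARGO_HOME relative to root's home; passing the crafter-owned RUSTUP_HOME and CARGO_HOME on the RUN line and invoking `/caches/cargo/bin/cargo install --locked --root /usr/local cargo-audit cargo-deny` lets rustup pick the triple and keeps the line portable. Since the bug this fixes (binaries vanishing under the volume shadow) only surfaced in a dogfood run, also append `&& cargo-audit --version && cargo-deny --version` to the same RUN so a missing or unreadable binary fails the image build rather than the runtime audit; the explicit `chmod 755` then serves as a belt-and-braces step rather than the only check.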
@ -227,7 +233,12 @@ RUN python3 -m pip install --user --break-system-packages --no-cache-dir pipx \
&& pipx install mypy \ && pipx install mypy \
&& pipx install pytest \ && pipx install pytest \
&& pipx install pip-audit \ && pipx install pip-audit \
&& pipx install semgrep && pipx install semgrep \
# mypy needs the third-party stub packages injected into its own pipx
# venv (mypy-isolated, not the system site-packages). Without these,
# `mypy --strict` against any project that imports requests/PyYAML/etc.
# fails with "Library stubs not installed for X" exit 1.
&& pipx inject mypy types-requests types-PyYAML types-setuptools
# ============================================================ # ============================================================
# Reset GOPATH to crafter-owned path BEFORE the go install runs as crafter. # Reset GOPATH to crafter-owned path BEFORE the go install runs as crafter.