This guide helps you build and run the sw-metadata-bot using Docker containers.
```bash
# Build the image
docker build -t sw-metadata-bot:latest .

# Show the CLI help
docker run --rm sw-metadata-bot:latest sw-metadata-bot --help

# Run an analysis with a config file and an output directory mounted in
docker run --rm \
  -v /path/to/config.json:/app/config.json:ro \
  -v /path/to/outputs:/app/outputs \
  sw-metadata-bot:latest \
  sw-metadata-bot run-analysis --config /app/config.json

# Same, passing a GitHub token through the environment
docker run --rm \
  -e GITHUB_TOKEN=your_token_here \
  -v /path/to/config.json:/app/config.json:ro \
  -v /path/to/outputs:/app/outputs \
  sw-metadata-bot:latest \
  sw-metadata-bot run-analysis --config /app/config.json
```

For easier management, use Docker Compose:
```bash
docker-compose build
docker-compose run --rm bot sw-metadata-bot --help
docker-compose run --rm bot sw-metadata-bot run-analysis --config /app/config.json
```

For development with all dependencies (tests, linting, docs):

```bash
docker-compose build bot-dev
docker-compose run --rm bot-dev
```

Inside the dev container:
```bash
# Run tests
pytest tests/
# Run linting
ruff check .
# Format code
ruff format .
# Build docs
cd docs && sphinx-build -W -b html . _build/html
```

The Dockerfile uses a multi-stage build process:
- Builder Stage: Installs dependencies using the uv package manager
- Runtime Stage: Slim Python 3.12 image with only runtime dependencies
This approach minimizes the final image size while maintaining all functionality.
- Non-root user: Container runs as botuser (UID 1000) for security
- Minimal base image: Uses Python 3.12-slim to reduce attack surface
- Health checks: Built-in health check verifies CLI availability
- Security scanning: GitHub Actions workflow includes Trivy vulnerability scanning
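A Dockerfile that realizes the layout just described (uv builder stage, slim runtime stage, botuser with UID 1000, a CLI health check and the PYTHON_VERSION build argument used later in this guide). It is an added illustration, not the project's own Dockerfile; it assumes a pyproject.toml and uv.lock at the repository root and a console-script entry point named sw-metadata-bot.

```dockerfile
# syntax=docker/dockerfile:1
# Assumed layout: pyproject.toml + uv.lock at the repo root and a
# console-script entry point named sw-metadata-bot (not taken from the project).
ARG PYTHON_VERSION=3.12

# ---- Builder stage: resolve and install dependencies with uv ----
FROM python:${PYTHON_VERSION}-slim AS builder
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
WORKDIR /app
# Third-party dependencies first, so this layer is cached across source edits
COPY pyproject.toml uv.lock ./
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev
# Then the project itself; --no-dev keeps tests/lint/docs extras out of the image
COPY . .
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev

# ---- Runtime stage: slim image, only the virtualenv, no uv and no build tools ----
FROM python:${PYTHON_VERSION}-slim AS runtime
# Fixed UID so bind-mounted output directories get predictable ownership
RUN groupadd --gid 1000 botuser \
 && useradd --uid 1000 --gid botuser --create-home --shell /usr/sbin/nologin botuser
WORKDIR /app
COPY --from=builder --chown=botuser:botuser /app /app
ENV PATH="/app/.venv/bin:$PATH" PYTHONDONTWRITEBYTECODE=1 PYTHONUNBUFFERED=1
# Writable output directory owned by the unprivileged user
RUN mkdir -p /app/outputs && chown botuser:botuser /app/outputs
USER botuser
# Health check: the CLI must import cleanly and answer --help
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD sw-metadata-bot --help > /dev/null || exit 1
CMD ["sw-metadata-bot", "--help"]
```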
Typical image sizes:
- Production: ~250-300 MB
- Development: ~600-700 MB
The workflow file .github/workflows/docker.yml provides:
- Builds and pushes Docker images on main branch and tags
- Uses GitHub Container Registry (ghcr.io)
- Implements layer caching for faster builds
- Verifies CLI is functional
- Tests all available commands
- Validates health checks
- Inspects Docker layers
- Runs Trivy vulnerability scanner
- Uploads SARIF results to GitHub Security tab
- Inspects image metadata
- Verifies non-root user
- Checks image size
Configure the bot via environment variables:
```bash
# Example with tokens
docker run --rm \
  -e GITHUB_TOKEN=ghp_xxxx \
  -e GITLAB_TOKEN=glpat_xxxx \
  sw-metadata-bot:latest \
  sw-metadata-bot run-analysis --config /app/config.json
```

Standard mount points:
```bash
docker run --rm \
  -v "$(pwd)/config.json":/app/config.json:ro \
  -v "$(pwd)/outputs":/app/outputs \
  -v "$(pwd)/assets":/app/assets:ro \
  sw-metadata-bot:latest
```

```bash
# Check image exists
docker images | grep sw-metadata-bot
# View container logs
docker run --rm sw-metadata-bot:latest
# Verify installation
docker run --rm sw-metadata-bot:latest python -c "import sw_metadata_bot; print('OK')"
```

Ensure output volume has write permissions:
```bash
# The container runs as botuser (UID 1000), so the host directory must be writable by that UID
chmod 755 ./outputs
```

```bash
# Open an interactive shell with the current directory mounted
docker run -it --rm \
  -v "$(pwd)":/workspace \
  sw-metadata-bot:latest \
  /bin/bash
```

```bash
# Run on a user-defined network
docker network create bot-network
docker run --rm \
  --network bot-network \
  --name bot \
  sw-metadata-bot:latest
```

```bash
# Build with a different Python version
docker build --build-arg PYTHON_VERSION=3.11 -t sw-metadata-bot:py311 .
```

```bash
# Build
docker build -t ghcr.io/yourorg/sw-metadata-bot:v1.0.0 .
# Login (use PAT token)
docker login ghcr.io
# Push
docker push ghcr.io/yourorg/sw-metadata-bot:v1.0.0
```

```bash
# Pull and run the published image
docker pull ghcr.io/yourorg/sw-metadata-bot:v1.0.0
docker run --rm ghcr.io/yourorg/sw-metadata-bot:v1.0.0
```

```bash
# Build
docker-compose build
# Test
docker-compose run --rm bot pytest tests/
# Lint
docker-compose run --rm bot ruff check .
# Format
docker-compose run --rm bot ruff format .
```

```bash
# Interactive shell with the current directory mounted
docker run -it --rm \
  -v "$(pwd)":/workspace \
  sw-metadata-bot:latest \
  /bin/bash
```