Merge pull request #332 from CentrifugalBadger/fix/docker-security

chore: optimize Dockerfile security and multi-stage build

Author: stickerdaniel

.dockerignore

@@ -150,7 +150,6 @@ cython_debug/
 # Docker-specific exclusions
 .git
 .github
-README.md
 .DS_Store
 
 # DXT Extension

.python-version

@@ -1 +1 @@
-3.13
+3.14

Dockerfile

@@ -1,37 +1,33 @@
-# Use slim Python base instead of full Playwright image (saves ~300-400 MB)
-# Only Chromium is installed, not Firefox/WebKit
-FROM python:3.14-slim-bookworm@sha256:55e465cb7e50cd1d7217fcb5386aa87d0356ca2cd790872142ef68d9ef6812b4
+# -- Stage 1: Build virtual environment --
+FROM python:3.14-slim-bookworm@sha256:55e465cb7e50cd1d7217fcb5386aa87d0356ca2cd790872142ef68d9ef6812b4 AS builder
 
-# Install uv package manager
 COPY --from=ghcr.io/astral-sh/uv:latest@sha256:90bbb3c16635e9627f49eec6539f956d70746c409209041800a0280b93152823 /uv /uvx /bin/
 
-# Create non-root user first (matching original pwuser from Playwright image)
-RUN useradd -m -s /bin/bash pwuser
-
-# Set working directory and ownership
 WORKDIR /app
-RUN chown pwuser:pwuser /app
+COPY pyproject.toml uv.lock README.md ./
+RUN uv sync --frozen --no-install-project --no-dev --no-editable --compile-bytecode
 
-# Copy project files with correct ownership
-COPY --chown=pwuser:pwuser . /app
+COPY . .
+RUN uv sync --frozen --no-dev --no-editable --compile-bytecode
 
-# Install git (needed for git-based dependencies in pyproject.toml)
-RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 
-# Set browser install location (Patchright reads PLAYWRIGHT_BROWSERS_PATH internally)
+# -- Stage 2: Production runtime --
+FROM python:3.14-slim-bookworm@sha256:55e465cb7e50cd1d7217fcb5386aa87d0356ca2cd790872142ef68d9ef6812b4
+
+RUN useradd -m -s /bin/bash pwuser
+
+WORKDIR /app
+
+COPY --from=builder /app/.venv /app/.venv
+ENV PATH="/app/.venv/bin:$PATH"
 ENV PLAYWRIGHT_BROWSERS_PATH=/opt/patchright
-# Install dependencies, system libs for Chromium, and patched Chromium binary
-RUN uv sync --frozen && \
-    uv run patchright install-deps chromium && \
-    uv run patchright install chromium && \
-    chmod -R 755 /opt/patchright
 
-# Fix ownership of app directory (venv created by uv)
-RUN chown -R pwuser:pwuser /app
+RUN patchright install-deps chromium && \
+    patchright install chromium && \
+    chmod -R 755 /opt/patchright && \
+    rm -rf /var/lib/apt/lists/*
 
-# Switch to non-root user
 USER pwuser
 
-# Set entrypoint and default arguments
-ENTRYPOINT ["uv", "run", "-m", "linkedin_mcp_server"]
+ENTRYPOINT ["python", "-m", "linkedin_mcp_server"]
 CMD []

pyproject.toml

@@ -3,7 +3,7 @@ name = "linkedin-scraper-mcp"
 version = "4.8.2"
 description = "MCP server for LinkedIn profile, company, and job scraping with Claude AI integration. Supports direct profile/company/job URL scraping with secure credential storage."
 readme = "README.md"
-requires-python = ">=3.12,<3.14"
+requires-python = ">=3.12,<3.15"
 authors = [
     { name = "Daniel Sticker", email = "daniel@sticker.name" }
 ]
@@ -25,6 +25,7 @@ classifiers = [
     "Programming Language :: Python :: 3",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
     "Topic :: Software Development :: Libraries :: Python Modules",
     "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
     "Topic :: Scientific/Engineering :: Artificial Intelligence",

renovate.json

@@ -30,6 +30,13 @@
       "matchPackageNames": ["fastmcp", "mcp"],
       "matchUpdateTypes": ["minor", "patch"],
       "groupName": "MCP ecosystem"
+    },
+    {
+      "description": "Python runtime upgrades need manual validation",
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["python"],
+      "matchUpdateTypes": ["major", "minor"],
+      "enabled": false
     }
   ]
 }