build: replace rockylinux with chainguard/wolfi as a base image (#423)

### Summary
Updates the Dockerfile to use the Chainguard wolfi-base image to reduce
CVEs. Also adds a step in the docker publish job that scans the images
and checks for CVEs before publishing.

### Testing
Run `make docker-build` and  `make docker-start-api`, then try:
```
from unstructured.partition.api import partition_via_api

elements = partition_via_api(
    filename=filename,
    api_url="http://localhost:8000/general/v0/general",
    api_key="<API-KEY>",
    strategy="hi_res",
)

print("\n\n".join([str(el) for el in elements]))
```

Author: christinestraub

.github/workflows/ci.yml

@@ -112,3 +112,9 @@ jobs:
         source .venv/bin/activate
         make docker-build
         make docker-test
+    - name: Scan image
+      uses: anchore/scan-action@v3
+      with:
+        image: "pipeline-family-${{ env.PIPELINE_FAMILY }}-dev"
+        # NOTE(robinson) - revert this to medium when we bump libreoffice
+        severity-cutoff: high

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.71-dev0
+
+* replace rockylinux with chainguard/wolfi as a base image for `amd64`
+
 ## 0.0.70
 
 * Bump to `unstructured` 0.14.6

Dockerfile-amd64

@@ -0,0 +1,42 @@
+# syntax=docker/dockerfile:experimental
+FROM quay.io/unstructured-io/base-images:wolfi-base@sha256:6c00a236c648ffdaf196ccbc446f5c6cc9eb4e3ab9e437178abcfac710b2b373 as base
+
+# NOTE(crag): NB_USER ARG for mybinder.org compat:
+#             https://mybinder.readthedocs.io/en/latest/tutorials/dockerfile.html
+ARG NB_USER=notebook-user
+ARG NB_UID=1000
+ARG PIP_VERSION
+ARG PIPELINE_PACKAGE
+ARG PYTHON_VERSION="3.11"
+
+# Set up environment
+ENV PYTHON python${PYTHON_VERSION}
+ENV PIP ${PYTHON} -m pip
+
+WORKDIR ${HOME}
+USER ${NB_USER}
+
+ENV PYTHONPATH="${PYTHONPATH}:${HOME}"
+ENV PATH="/home/${NB_USER}/.local/bin:${PATH}"
+
+FROM base as python-deps
+COPY --chown=${NB_USER}:${NB_USER} requirements/base.txt requirements-base.txt
+RUN ${PIP} install pip==${PIP_VERSION}
+RUN ${PIP} install --no-cache -r requirements-base.txt
+
+FROM python-deps as model-deps
+RUN ${PYTHON} -c "import nltk; nltk.download('punkt')" && \
+  ${PYTHON} -c "import nltk; nltk.download('averaged_perceptron_tagger')" && \
+  ${PYTHON} -c "from unstructured.partition.model_init import initialize; initialize()"
+
+FROM model-deps as code
+COPY --chown=${NB_USER}:${NB_USER} CHANGELOG.md CHANGELOG.md
+COPY --chown=${NB_USER}:${NB_USER} logger_config.yaml logger_config.yaml
+COPY --chown=${NB_USER}:${NB_USER} prepline_${PIPELINE_PACKAGE}/ prepline_${PIPELINE_PACKAGE}/
+COPY --chown=${NB_USER}:${NB_USER} exploration-notebooks exploration-notebooks
+COPY --chown=${NB_USER}:${NB_USER} scripts/app-start.sh scripts/app-start.sh
+
+ENTRYPOINT ["scripts/app-start.sh"]
+# Expose a default port of 8000. Note: The EXPOSE instruction does not actually publish the port,
+# but some tooling will inspect containers and perform work contingent on networking support declared.
+EXPOSE 8000

Dockerfile renamed to Dockerfile-arm64

@@ -13,7 +13,7 @@
 app = FastAPI(
     title="Unstructured Pipeline API",
     summary="Partition documents with the Unstructured library",
-    version="0.0.70",
+    version="0.0.71",
     docs_url="/general/docs",
     openapi_url="/general/openapi.json",
     servers=[

prepline_general/api/app.py

@@ -713,7 +713,7 @@ def return_content_type(filename: str):
 
 
 @router.get("/general/v0/general", include_in_schema=False)
-@router.get("/general/v0.0.70/general", include_in_schema=False)
+@router.get("/general/v0.0.71/general", include_in_schema=False)
 async def handle_invalid_get_request():
     raise HTTPException(
         status_code=status.HTTP_405_METHOD_NOT_ALLOWED, detail="Only POST requests are supported."
@@ -728,7 +728,7 @@ async def handle_invalid_get_request():
     description="Description",
     operation_id="partition_parameters",
 )
-@router.post("/general/v0.0.70/general", include_in_schema=False)
+@router.post("/general/v0.0.71/general", include_in_schema=False)
 def general_partition(
     request: Request,
     # cannot use annotated type here because of a bug described here:

prepline_general/api/general.py

@@ -1,2 +1,2 @@
 name: general
-version: 0.0.70
+version: 0.0.71

preprocessing-pipeline-family.yaml

@@ -9,14 +9,17 @@ DOCKER_IMAGE="${DOCKER_IMAGE:-pipeline-family-${PIPELINE_FAMILY}-dev}"
 DOCKER_PLATFORM="${DOCKER_PLATFORM:-}"
 
 
-DOCKER_BUILD_CMD=(docker buildx build --load -f Dockerfile \
-  --build-arg PIP_VERSION="$PIP_VERSION" \
-  --build-arg BUILDKIT_INLINE_CACHE=1 \
-  --build-arg PIPELINE_PACKAGE="$PIPELINE_PACKAGE" \
-  --progress plain \
-  --target code \
-  --cache-from "$DOCKER_REPOSITORY":latest \
-  -t "$DOCKER_IMAGE" .)
+DOCKER_BUILD_CMD=(
+  docker buildx build --load -f Dockerfile-amd64
+  --build-arg PIP_VERSION="$PIP_VERSION"
+  --build-arg BUILDKIT_INLINE_CACHE=1
+  --build-arg PIPELINE_PACKAGE="$PIPELINE_PACKAGE"
+  --progress plain
+  --platform linux/amd64
+  --cache-from "$DOCKER_REPOSITORY:latest"
+  -t "$DOCKER_IMAGE"
+  .
+)
 
 # only build for specific platform if DOCKER_PLATFORM is set
 if [ -n "${DOCKER_PLATFORM:-}" ]; then