pipeline changes

Author: klemenfn

.github/workflows/build-docker.yml

@@ -55,7 +55,7 @@ jobs:
     - name: Build and push default image
       uses: docker/build-push-action@v5
       with:
-        context: . # Because GH actions are for kids and put protection on everything; https://stackoverflow.com/a/71159809/11276254
+        context: .
         platforms: linux/amd64,linux/arm64
         push: true
         tags: ${{ env.ALL_TAGS }}

.gitlab-ci.yml

@@ -3,7 +3,7 @@ variables:
 
 .test_template:
   stage: test
-  image: ghcr.io/astral-sh/uv:python3.14-bookworm-slim
+  image: ghcr.io/astral-sh/uv:python3.14-trixie-slim
   cache:
     key:
       files:
@@ -17,7 +17,6 @@ variables:
 
 stages:
   - test
-  - release_flare_infra
 
 test_ruff:
   extends: .test_template
@@ -48,66 +47,4 @@ test_django:
       junit: junit.xml
       coverage_report:
         coverage_format: cobertura
-        path: coverage.xml
-
-.release_flare_infra:
-  stage: release_flare_infra
-  rules:
-    - if: "$CI_COMMIT_TAG"
-
-# todo: Remove once GitHub repo is public and use images from ghcr
-release_flare_infra:auth:
-  extends: .release_flare_infra
-  image: registry.gitlab.com/flarenetwork/infra/pipeliner:latest
-  id_tokens:
-    OIDC_JOB_TOKEN:
-      aud: https://gitlab.com
-  variables:
-    GCP_PROJECT: "flare-network-shared"
-    GCP_PROJECT_NUMBER: "940168819002"
-  before_script:
-    - >
-      WORKLOAD_IDENTITY_POOL=$([ "$CI_COMMIT_REF_PROTECTED" == "true" ] &&
-      echo "cr-oidc-gitlab-protected-pool" ||
-      echo "cr-oidc-gitlab-pool")
-    - >
-      WORKLOAD_IDENTITY_POOL_PROVIDER=$([ "$CI_COMMIT_REF_PROTECTED" == "true" ] &&
-      echo "oidc-gitlab-protected" ||
-      echo "oidc-gitlab-pool-provider")
-    - >
-      SERVICE_ACCOUNT_EMAIL=$([ "$CI_COMMIT_REF_PROTECTED" == "true" ] &&
-      echo "cr-prtctd-oidc-cntnr-img-bldr@flare-network-shared.iam.gserviceaccount.com" ||
-      echo "cr-oidc-cntnr-img-bldr@flare-network-shared.iam.gserviceaccount.com")
-    - . pipeliner gcloud-setup
-  script:
-    - echo "GOOGLE_OAUTH_ACCESS_TOKEN=$GOOGLE_OAUTH_ACCESS_TOKEN" > auth.env
-  artifacts:
-    reports:
-      dotenv:
-        - auth.env
-
-release_flare_infra:
-  extends: .release_flare_infra
-  image:
-    name: gcr.io/kaniko-project/executor:v1.18.0-debug
-    entrypoint: [""]
-  needs:
-    - job: release_flare_infra:auth
-      artifacts: true
-  before_script:
-    - mkdir -p /kaniko/.docker
-    - auth_encoded=$(echo -n "oauth2accesstoken:$GOOGLE_OAUTH_ACCESS_TOKEN" | base64 | tr -d "\n")
-    - echo "{\"auths\":{\"europe-west1-docker.pkg.dev\":{\"auth\":\"$auth_encoded\",\"email\":\"not@val.id\"}}}" > /kaniko/.docker/config.json
-  script:
-    - >
-      args="--context ${CI_PROJECT_DIR}/.
-        --dockerfile ${CI_PROJECT_DIR}/Dockerfile
-        --cache=true
-        --destination europe-west1-docker.pkg.dev/flare-network-staging/containers/data-availability:latest
-        --destination europe-west1-docker.pkg.dev/flare-network-staging/containers/data-availability:${CI_COMMIT_TAG}"
-    - >-
-      if [[ $CI_COMMIT_REF_PROTECTED == "true" ]]; then
-        args="$args --destination europe-west1-docker.pkg.dev/flare-network-production/containers/data-availability:latest"
-        args="$args --destination europe-west1-docker.pkg.dev/flare-network-production/containers/data-availability:${CI_COMMIT_TAG}"
-      fi
-    - /kaniko/executor $args
+        path: coverage.xml

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.14-slim AS builder
+FROM python:3.14-slim-trixie@sha256:fb83750094b46fd6b8adaa80f66e2302ecbe45d513f6cece637a841e1025b4ca AS builder
 
 COPY --from=ghcr.io/astral-sh/uv:0.10.8 /uv /uvx /bin/
 
@@ -16,7 +16,7 @@ RUN if [ "$DEV" = "true" ]; then \
       uv sync --locked --no-dev; \
     fi
 
-FROM python:3.14-slim AS final
+FROM python:3.14-slim-trixie@sha256:fb83750094b46fd6b8adaa80f66e2302ecbe45d513f6cece637a841e1025b4ca AS final
 
 ARG DEV=false
 RUN apt-get update && \