@sw-tsdk/connector 3.24.0 → 3.25.0-next.330d718

package/lib/templates/python_310_definition_fips/Dockerfile

@@ -1,6 +1,4 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.10-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.10-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.10-latest
@@ -12,8 +10,7 @@ FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-COPY --from=${COMPILE_BASE} /usr/local/lib /usr/local/lib
-COPY --from=${COMPILE_BASE} /usr/local/bin /usr/local/bin
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.10-latest /usr/lib/python3.10/site-packages /usr/lib/python3.10/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -21,10 +18,17 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -35,19 +39,31 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.10/site-packages /usr/lib/python3.10/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.10/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.10/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
+COPY --from=builder /bin/busybox /bin/sleep
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/lib/templates/python_311_definition_fips/Dockerfile

@@ -1,6 +1,4 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.11-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.11-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.11-latest
@@ -12,8 +10,7 @@ FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-COPY --from=${COMPILE_BASE} /usr/local/lib /usr/local/lib
-COPY --from=${COMPILE_BASE} /usr/local/bin /usr/local/bin
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.11-latest /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -21,10 +18,23 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs/etc/apk/keys && \
+    cp /etc/apk/repositories /runner-os-pkgs/etc/apk/repositories && \
+    cp /etc/apk/keys/* /runner-os-pkgs/etc/apk/keys/ && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi && \
+    rm -rf /runner-os-pkgs/etc/passwd \
+           /runner-os-pkgs/etc/group \
+           /runner-os-pkgs/etc/shadow \
+           /runner-os-pkgs/etc/apk
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -35,19 +45,31 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.11/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.11/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
+COPY --from=builder /bin/busybox /bin/sleep
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/lib/templates/python_312_definition_fips/Dockerfile

@@ -1,6 +1,4 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.12-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.12-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.12-latest
@@ -12,8 +10,7 @@ FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-COPY --from=${COMPILE_BASE} /usr/local/lib /usr/local/lib
-COPY --from=${COMPILE_BASE} /usr/local/bin /usr/local/bin
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.12-latest /usr/lib/python3.12/site-packages /usr/lib/python3.12/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -21,10 +18,17 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -35,19 +39,31 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.12/site-packages /usr/lib/python3.12/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.12/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.12/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
+COPY --from=builder /bin/busybox /bin/sleep
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/lib/templates/python_313_definition/Dockerfile

@@ -0,0 +1,38 @@
+# syntax=docker/dockerfile:1.2
+ARG BASE_COMPILE_IMAGE_NAME=quay.io/swimlane/connector-python-compile-definition-base:3.13-latest
+ARG RUNNER_IMAGE_NAME=quay.io/swimlane/connector-python-runner-definition-base:3.13-latest
+ARG RUNTIME_IMAGE=runtime-image
+ARG DEBUG=false
+FROM ${BASE_COMPILE_IMAGE_NAME} AS compile-image
+
+COPY compile.* /scripts/
+RUN if [ $(stat -c %s  "/scripts/compile.txt") -ne 0 ]; then apt-get update &&  xargs -a /scripts/compile.txt apt-get install -y --no-install-recommends; fi
+RUN if [ $(stat -c %s  "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
+RUN rm -rf /scripts
+
+# Install OS packages
+COPY requirements.txt .
+RUN pip install --user -r requirements.txt
+
+FROM ${RUNNER_IMAGE_NAME} AS runtime-image
+ARG ASSET_KEYS
+ENV ASSET_KEYS=$ASSET_KEYS
+RUN if [ -z "$DEBUG" ] ; then echo 'DEBUG not enabled' ; else echo 'DEBUG is enabled'; pip install debugpy ; fi
+COPY runner.* /scripts/
+
+RUN if [ $(stat -c %s  "/scripts/runner.txt") -ne 0 ]; then apt-get update && xargs -a /scripts/runner.txt apt-get install -y --no-install-recommends; fi
+RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN rm -rf /scripts
+
+COPY --from=compile-image /root/.local /root/.local
+
+ENV PATH=/root/.local/bin:$PATH
+
+COPY connector /app
+WORKDIR app/
+ENTRYPOINT ["python", "run.py"]
+
+FROM ${RUNTIME_IMAGE} AS connector-image
+{{#each labels}}
+LABEL {{{@key}}}="{{{this}}}"
+{{/each}}

package/lib/templates/python_313_definition_fips/Dockerfile

@@ -0,0 +1,69 @@
+# syntax=docker/dockerfile:1.2
+ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.13-latest
+
+ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.13-latest
+ARG RUNTIME_IMAGE=runtime-image
+
+# Stage 1: builder — dev image has shell, apk, and pip for all build-time operations.
+# The final FIPS image is distroless (no shell), so ALL RUN commands must happen here.
+FROM ${PYTHON_DEV_IMAGE} AS builder
+USER root
+
+# Carry over pre-installed swimlane SDK packages from the compile-fips base
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.13-latest /usr/lib/python3.13/site-packages /usr/lib/python3.13/site-packages
+
+# Run compile-time OS package installs and custom scripts
+COPY compile.* /scripts/
+RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/compile.txt); fi
+RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
+
+# Run runner-time OS package installs and custom scripts here too,
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
+COPY runner.* /scripts/
+RUN mkdir -p /runner-os-pkgs && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
+
+RUN rm -rf /scripts
+
+# Install connector Python dependencies into an isolated location.
+# This avoids overwriting the runner's FIPS-compliant /usr/local/lib entirely.
+COPY requirements.txt .
+RUN pip install --target /connector-deps -r requirements.txt
+
+# Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
+FROM ${RUNNER_IMAGE_NAME} AS runtime-image
+ARG ASSET_KEYS
+ENV ASSET_KEYS=$ASSET_KEYS
+
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.13/site-packages /usr/lib/python3.13/site-packages/
+
+# Copy only the connector-specific packages into site-packages.
+# The runner's own FIPS Python installation remains intact.
+COPY --from=builder /connector-deps /usr/lib/python3.13/site-packages/
+
+COPY connector /app
+WORKDIR /app
+USER nonroot
+ENTRYPOINT ["python", "run.py"]
+
+FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
+COPY --from=builder /bin/busybox /bin/sleep
+{{#each labels}}
+LABEL {{{@key}}}="{{{this}}}"
+{{/each}}

package/lib/templates/python_314_definition/Dockerfile

@@ -0,0 +1,38 @@
+# syntax=docker/dockerfile:1.2
+ARG BASE_COMPILE_IMAGE_NAME=quay.io/swimlane/connector-python-compile-definition-base:3.14-latest
+ARG RUNNER_IMAGE_NAME=quay.io/swimlane/connector-python-runner-definition-base:3.14-latest
+ARG RUNTIME_IMAGE=runtime-image
+ARG DEBUG=false
+FROM ${BASE_COMPILE_IMAGE_NAME} AS compile-image
+
+COPY compile.* /scripts/
+RUN if [ $(stat -c %s  "/scripts/compile.txt") -ne 0 ]; then apt-get update &&  xargs -a /scripts/compile.txt apt-get install -y --no-install-recommends; fi
+RUN if [ $(stat -c %s  "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
+RUN rm -rf /scripts
+
+# Install OS packages
+COPY requirements.txt .
+RUN pip install --user -r requirements.txt
+
+FROM ${RUNNER_IMAGE_NAME} AS runtime-image
+ARG ASSET_KEYS
+ENV ASSET_KEYS=$ASSET_KEYS
+RUN if [ -z "$DEBUG" ] ; then echo 'DEBUG not enabled' ; else echo 'DEBUG is enabled'; pip install debugpy ; fi
+COPY runner.* /scripts/
+
+RUN if [ $(stat -c %s  "/scripts/runner.txt") -ne 0 ]; then apt-get update && xargs -a /scripts/runner.txt apt-get install -y --no-install-recommends; fi
+RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN rm -rf /scripts
+
+COPY --from=compile-image /root/.local /root/.local
+
+ENV PATH=/root/.local/bin:$PATH
+
+COPY connector /app
+WORKDIR app/
+ENTRYPOINT ["python", "run.py"]
+
+FROM ${RUNTIME_IMAGE} AS connector-image
+{{#each labels}}
+LABEL {{{@key}}}="{{{this}}}"
+{{/each}}

package/lib/templates/python_314_definition_fips/Dockerfile

@@ -0,0 +1,69 @@
+# syntax=docker/dockerfile:1.2
+ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.14-latest
+
+ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.14-latest
+ARG RUNTIME_IMAGE=runtime-image
+
+# Stage 1: builder — dev image has shell, apk, and pip for all build-time operations.
+# The final FIPS image is distroless (no shell), so ALL RUN commands must happen here.
+FROM ${PYTHON_DEV_IMAGE} AS builder
+USER root
+
+# Carry over pre-installed swimlane SDK packages from the compile-fips base
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.14-latest /usr/lib/python3.14/site-packages /usr/lib/python3.14/site-packages
+
+# Run compile-time OS package installs and custom scripts
+COPY compile.* /scripts/
+RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/compile.txt); fi
+RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
+
+# Run runner-time OS package installs and custom scripts here too,
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
+COPY runner.* /scripts/
+RUN mkdir -p /runner-os-pkgs && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
+
+RUN rm -rf /scripts
+
+# Install connector Python dependencies into an isolated location.
+# This avoids overwriting the runner's FIPS-compliant /usr/local/lib entirely.
+COPY requirements.txt .
+RUN pip install --target /connector-deps -r requirements.txt
+
+# Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
+FROM ${RUNNER_IMAGE_NAME} AS runtime-image
+ARG ASSET_KEYS
+ENV ASSET_KEYS=$ASSET_KEYS
+
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.14/site-packages /usr/lib/python3.14/site-packages/
+
+# Copy only the connector-specific packages into site-packages.
+# The runner's own FIPS Python installation remains intact.
+COPY --from=builder /connector-deps /usr/lib/python3.14/site-packages/
+
+COPY connector /app
+WORKDIR /app
+USER nonroot
+ENTRYPOINT ["python", "run.py"]
+
+FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
+COPY --from=builder /bin/busybox /bin/sleep
+{{#each labels}}
+LABEL {{{@key}}}="{{{this}}}"
+{{/each}}

package/lib/templates/python_39_definition_fips/Dockerfile

@@ -1,6 +1,4 @@
 # syntax=docker/dockerfile:1.2
-ARG COMPILE_BASE=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.9-latest
-
 ARG PYTHON_DEV_IMAGE=quay.io/swimlane-connectors/connector-python-dev-definition-base-fips:3.9-latest
 
 ARG RUNNER_IMAGE_NAME=quay.io/swimlane-connectors/connector-python-runner-definition-base-fips:3.9-latest
@@ -12,8 +10,7 @@ FROM ${PYTHON_DEV_IMAGE} AS builder
 USER root
 
 # Carry over pre-installed swimlane SDK packages from the compile-fips base
-COPY --from=${COMPILE_BASE} /usr/local/lib /usr/local/lib
-COPY --from=${COMPILE_BASE} /usr/local/bin /usr/local/bin
+COPY --from=quay.io/swimlane-connectors/connector-python-compile-definition-base-fips:3.9-latest /usr/lib/python3.9/site-packages /usr/lib/python3.9/site-packages
 
 # Run compile-time OS package installs and custom scripts
 COPY compile.* /scripts/
@@ -21,10 +18,23 @@ RUN if [ $(stat -c %s "/scripts/compile.txt") -ne 0 ]; then apk add --no-cache $
 RUN if [ $(stat -c %s "/scripts/compile.sh") -ne 0 ]; then chmod +x /scripts/compile.sh && /scripts/compile.sh; fi
 
 # Run runner-time OS package installs and custom scripts here too,
-# since the final runner FIPS image has no shell
+# since the final runner FIPS image has no shell.
+# OS packages are installed into an isolated root (/runner-os-pkgs) so they can
+# be selectively copied to the distroless runtime stage without leaking dev toolchain.
 COPY runner.* /scripts/
-RUN if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache $(cat /scripts/runner.txt); fi
-RUN if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && /scripts/runner.sh; fi
+RUN mkdir -p /runner-os-pkgs/etc/apk/keys && \
+    cp /etc/apk/repositories /runner-os-pkgs/etc/apk/repositories && \
+    cp /etc/apk/keys/* /runner-os-pkgs/etc/apk/keys/ && \
+    if [ $(stat -c %s "/scripts/runner.txt") -ne 0 ]; then apk add --no-cache --root /runner-os-pkgs --initdb $(cat /scripts/runner.txt); fi && \
+    rm -rf /runner-os-pkgs/etc/passwd \
+           /runner-os-pkgs/etc/group \
+           /runner-os-pkgs/etc/shadow \
+           /runner-os-pkgs/etc/apk
+# RUNNER_FS is a staging directory that mirrors the runtime filesystem.
+# runner.sh should write any runtime files (certs, configs, apk packages) under
+# $RUNNER_FS so they are copied to the distroless runtime image correctly.
+RUN mkdir -p /runner-fs && \
+    if [ $(stat -c %s "/scripts/runner.sh") -ne 0 ]; then chmod +x /scripts/runner.sh && RUNNER_FS=/runner-fs /scripts/runner.sh; fi
 
 RUN rm -rf /scripts
 
@@ -35,19 +45,31 @@ RUN pip install --target /connector-deps -r requirements.txt
 
 # Stage 3: runtime-image — minimal distroless FIPS image, no shell, only copy artifacts
 FROM ${RUNNER_IMAGE_NAME} AS runtime-image
-USER root
 ARG ASSET_KEYS
 ENV ASSET_KEYS=$ASSET_KEYS
 
+# Copy runner OS packages installed in the isolated root during the builder stage.
+COPY --from=builder /runner-os-pkgs /
+
+# Copy any runtime files staged by runner.sh (certs, configs, etc.) into the image.
+COPY --from=builder /runner-fs /
+
+# Copy compile-fips base packages (e.g. connector_definition_runner, pylint, black, etc.)
+# from the builder stage so they are available at runtime.
+COPY --from=builder /usr/lib/python3.9/site-packages /usr/lib/python3.9/site-packages/
+
 # Copy only the connector-specific packages into site-packages.
 # The runner's own FIPS Python installation remains intact.
-COPY --from=builder /connector-deps /usr/local/lib/python3.9/site-packages/
+COPY --from=builder /connector-deps /usr/lib/python3.9/site-packages/
 
 COPY connector /app
 WORKDIR /app
+USER nonroot
 ENTRYPOINT ["python", "run.py"]
 
 FROM ${RUNTIME_IMAGE} AS connector-image
+COPY --from=builder /bin/busybox /bin/sh
+COPY --from=builder /bin/busybox /bin/sleep
 {{#each labels}}
 LABEL {{{@key}}}="{{{this}}}"
 {{/each}}

package/package.json

@@ -9,9 +9,9 @@
     "@oclif/core": "2.8.5",
     "@oclif/plugin-help": "5.2.9",
     "@oclif/plugin-plugins": "3.1.2",
-    "@sw-tsdk/common": "3.24.0",
-    "@sw-tsdk/core": "3.24.0",
-    "@sw-tsdk/docker": "3.24.0",
+    "@sw-tsdk/common": "3.25.0-next.330d718",
+    "@sw-tsdk/core": "3.25.0-next.330d718",
+    "@sw-tsdk/docker": "3.25.0-next.330d718",
     "@swimlane/connector-interfaces": "1.11.0",
     "@swimlane/cosign": "1.4.1",
     "archiver": "5.3.1",
@@ -66,6 +66,6 @@
     "test": "jest --passWithNoTests"
   },
   "types": "lib/index.d.ts",
-  "version": "3.24.0",
-  "gitHead": "14d0d788cc686d8463f0a2b0b07265b83ae535d3"
+  "version": "3.25.0-next.330d718",
+  "gitHead": "330d718891162eb8b0698d9af9d11cf89ab958ab"
 }