From afc186fa4eed44e0d5e4c5a5f1d2b3b8ac8f0f13 Mon Sep 17 00:00:00 2001 From: ethernet Date: Fri, 8 May 2026 16:16:53 -0400 Subject: [PATCH] docker: split python dep install into cached layer above COPY . . MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Before this change, `uv pip install -e ".[all]"` ran AFTER `COPY . .`, so every commit that changed any .py file busted the layer cache and re-did the entire Python dep resolve + wheel download + native extension compile (~4-5 min on cold Docker Hub cache). Split it into two steps: 1. Before `COPY . .`: copy only pyproject.toml + uv.lock + README.md, then `uv sync --frozen --no-install-project --all-extras`. This layer is cached unless any of those three files change, so .py-only commits skip the heavy work entirely. 2. After `COPY . .` (and its downstream chmod/chown step): run `uv pip install --no-cache-dir --no-deps -e .` to create the editable link. With --no-deps this is a ~1s op — no resolution, no downloads, no compilation. Combined with the per-arch runner split in the previous commit, this should drop cache-hit build times to the sub-5-min range. --- Dockerfile | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6ed111f5b2..ee2c491c06 100644 --- a/Dockerfile +++ b/Dockerfile @@ -55,6 +55,29 @@ RUN npm install --prefer-offline --no-audit && \ (cd ui-tui && npm install --prefer-offline --no-audit) && \ npm cache clean --force +# ---------- Layer-cached Python dependency install ---------- +# Copy only pyproject.toml + uv.lock so the Python dep resolve + wheel +# download + native-extension compile layer is cached unless those inputs +# change. Before this split the Python install sat after `COPY . .`, so +# every source-only commit re-did ~4-5 min of dep work on cold builds. +# +# README.md is referenced by pyproject.toml's `readme =` field, but it's +# excluded from the build context by .dockerignore's `*.md`. uv's build +# frontend stats the readme path during dep resolution, so we `touch` an +# empty placeholder — the real README is restored by `COPY . .` below. +# +# `uv sync --frozen --no-install-project --extra all` installs only the +# deps reachable through the composite `[all]` extra (handpicked set +# intended for the production image). We do NOT use `--all-extras`: +# that would pull in `[rl]` (atroposlib + tinker + torch + wandb from +# git), `[yc-bench]` (another git dep), and `[termux-all]` (Android +# redundancy), none of which belong in the published container. +# +# The editable link is created after the source copy below. +COPY pyproject.toml uv.lock ./ +RUN touch ./README.md +RUN uv sync --frozen --no-install-project --extra all + # ---------- Source code ---------- # .dockerignore excludes node_modules, so the installs above survive. COPY --chown=hermes:hermes . . @@ -77,9 +100,10 @@ RUN chmod -R a+rX /opt/hermes && \ # Start as root so the entrypoint can usermod/groupmod + gosu. # If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000). -# ---------- Python virtualenv ---------- -RUN uv venv && \ - uv pip install --no-cache-dir -e ".[all]" +# ---------- Link hermes-agent itself (editable) ---------- +# Deps are already installed in the cached layer above; `--no-deps` makes +# this a fast (~1s) egg-link creation with no resolution or downloads. +RUN uv pip install --no-cache-dir --no-deps -e "." # ---------- Runtime ---------- ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist