Merged
12 changes: 8 additions & 4 deletions .github/Dockerfile
Expand Up @@ -9,19 +9,23 @@ ARG COMPILER_PATH
ARG COMPILER_LD_LIBRARY_PATH

RUN apt-get update -y && \
apt-get install -y software-properties-common ca-certificates gnupg && \
add-apt-repository ppa:deadsnakes/ppa && \

Suggestion: Add the -y flag to the add-apt-repository command to prevent it from blocking during non-interactive builds. [possible issue, importance: 7]

Suggested change
add-apt-repository ppa:deadsnakes/ppa && \
add-apt-repository -y ppa:deadsnakes/ppa && \

apt-get update -y && \
Comment on lines +12 to +14

Copilot AI Dec 19, 2025

This Dockerfile adds the third-party ppa:deadsnakes/ppa repository and installs packages from it during the build, creating a supply chain risk: if that PPA or its signing key is compromised, attackers could ship malicious Python binaries that run with root privileges in CI and access build secrets or modify artifacts. Prefer using only official distro/python images or vendor repositories, or at minimum pin packages to trusted sources and specific versions with integrity verification to limit this attack surface.

if [ "$TARGET" != "gpu" ]; then \
apt-get install -y \
build-essential git make cmake gcc g++ gfortran bc\
python3 python3-venv python3-pip \
build-essential git make cmake gcc g++ gfortran bc \
python3.11 python3.11-venv python3-pip \
Comment on lines +17 to +18

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cd .github && cat -n Dockerfile | head -40

Repository: MFlowCode/MFC

Length of output: 1503


Replace python3-pip with python3.11-full to ensure pip compatibility with Python 3.11.

The generic python3-pip package is built for the base image's default Python version (3.10 on Ubuntu 22.04), not for Python 3.11. Using it as the default Python after update-alternatives can cause compatibility issues. Instead, use python3.11-full which includes the pip package manager for Python 3.11, or run python3.11 -m ensurepip after installation. This ensures pip is properly configured for the version being set as default.

🤖 Prompt for AI Agents
.github/Dockerfile lines 17-18: replace the apt package `python3-pip` with
`python3.11-full` (or alternatively install pip for 3.11 via `python3.11 -m
ensurepip`) because `python3-pip` targets the distro default Python (3.10) and
can cause pip/version mismatches after switching to Python 3.11; update the
package list to include `python3.11-full` so pip is installed and configured for
Python 3.11, or install/ensure pip for 3.11 immediately after installing Python
3.11.

openmpi-bin libopenmpi-dev libfftw3-dev \
mpich libmpich-dev; \
else \
apt-get install -y \
build-essential git make cmake bc\
python3 python3-venv python3-pip \
build-essential git make cmake bc \
python3.11 python3.11-venv python3-pip \
libfftw3-dev \
openmpi-bin libopenmpi-dev; \
fi && \
update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 2 && \

Copilot AI Dec 19, 2025

The priority value in update-alternatives is set to 2, which is unusually low. Standard practice is to use higher priority values (e.g., 100 or higher) to ensure the intended version takes precedence. While this may work in a container environment where only Python 3.11 is installed, consider using a more conventional priority value like 100 to follow best practices and avoid potential conflicts.

Suggested change
update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 2 && \
update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 100 && \

rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

ENV OMPI_ALLOW_RUN_AS_ROOT=1
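Review bot: the `update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 2` line at the end of this RUN repoints the system-wide `python3` for everything in the image, including distro scripts that start with `#!/usr/bin/python3` and were packaged against the default interpreter (`add-apt-repository`, used earlier in the same RUN, is one of them), so apt-related steps in later layers can fail on modules that only exist for the original interpreter. Consider leaving `/usr/bin/python3` untouched and invoking `python3.11` explicitly where the build needs it, for example `python3.11 -m venv` for the build environment. Separately, the `python3.11` and `python3.11-venv` packages are installed without a version pin, so the image contents can change from one build to the next; pinning them to an explicit version would make rebuilds reproducible and easier to audit.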