Fix Dockerfile: uv.lock wildcard, healthcheck port expansion, CMD shell form

[Copilot]

Three correctness issues in the Dockerfile around lock file handling, runtime port resolution in the healthcheck, and shell variable expansion in the startup command.

Changes

• uv.lock* → uv.lock: Wildcard silently succeeds if the lockfile is absent, undermining --locked. Explicit copy fails the build fast if uv.lock is missing.

• HEALTHCHECK port resolution: ${PORT} inside a Python string literal is not expanded by the shell — the variable never reaches the Python process. Replaced with os.environ.get('PORT', '8080') so the port is read from the container's environment at runtime.

  # Before — ${PORT} is not substituted inside the Python string
  CMD python -c "import httpx; httpx.get('http://127.0.0.1:${PORT}/metrics/')" || exit 1
  
  # After — port resolved via os.environ inside the Python process
  CMD python -c "import os, httpx; port = os.environ.get('PORT', '8080'); httpx.get(f'http://127.0.0.1:{port}/metrics/')" || exit 1

• CMD exec form → shell form: CMD ["exec uvicorn ... --port ${PORT}"] with ENTRYPOINT ["sh", "-c"] passes the array element as a literal string with no variable expansion. Shell form CMD exec uvicorn ... --port ${PORT} lets the shell expand ${PORT} correctly.

Original prompt

Please apply the following diffs and create a pull request.
Once the PR is ready, give it a title based on the messages of the fixes being applied.

[{"message":"The wildcard pattern 'uv.lock*' will silently succeed even if uv.lock doesn't exist. If uv.lock is required for reproducible builds (as suggested by --locked flag usage), consider copying it explicitly or adding a validation step to ensure it exists.","fixFiles":[{"filePath":"Dockerfile","diff":"diff --git a/Dockerfile b/Dockerfile\n--- a/Dockerfile\n+++ b/Dockerfile\n@@ -15,7 +15,7 @@\n # Copy uv from official image for better security and updates\n COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/\n \n-COPY pyproject.toml uv.lock* ./\n+COPY pyproject.toml uv.lock ./\n \n RUN --mount=type=cache,target=/root/.cache/uv \\\n     uv sync --locked --no-install-project\n"}]},{"message":"The HEALTHCHECK command uses shell variable expansion for ${PORT}, but the python -c command won't have access to the PORT environment variable in the way it's written. The variable should be passed to the Python process or the URL should be constructed differently to ensure proper port substitution.","fixFiles":[{"filePath":"Dockerfile","diff":"diff --git a/Dockerfile b/Dockerfile\n--- a/Dockerfile\n+++ b/Dockerfile\n@@ -53,7 +53,7 @@\n EXPOSE ${PORT}\n \n HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \\\n-    CMD python -c \"import httpx; httpx.get('http://127.0.0.1:${PORT}/metrics/')\" || exit 1\n+    CMD python -c \"import os, httpx; port = os.environ.get('PORT', '8080'); httpx.get(f'http://127.0.0.1:{port}/metrics/')\" || exit 1\n \n ENTRYPOINT [\"sh\", \"-c\"]\n CMD [\"exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}\"]\n"}]},{"message":"Using ENTRYPOINT with 'sh -c' and CMD together can be problematic. The CMD array format will be passed as a single argument to sh -c, but exec form doesn't perform shell variable expansion. Consider using CMD [\\\"sh\\\", \\\"-c\\\", \\\"exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}\\\"] instead, or use the shell form for CMD.","fixFiles":[{"filePath":"Dockerfile","diff":"diff --git a/Dockerfile b/Dockerfile\n--- a/Dockerfile\n+++ b/Dockerfile\n@@ -56,4 +56,4 @@\n     CMD python -c \"import httpx; httpx.get('http://127.0.0.1:${PORT}/metrics/')\" || exit 1\n \n ENTRYPOINT [\"sh\", \"-c\"]\n-CMD [\"exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}\"]\n+CMD exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}\n"}]}]

---

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.