Update docker image #30

Merged
dmitry-mukhin merged 2 commits into main from chore/update-python
Feb 14, 2026

@dmitry-mukhin dmitry-mukhin commented Feb 14, 2026

  • switch to alpine
  • update python to 3.14
  • update pyuploadcare to 6.x

Description

Checklist

Summary by CodeRabbit

  • New Features

    • Added docker-up make target for simplified container startup.
  • Documentation

    • Updated README with new addon sections (AWS object recognition, ClamAV scanning, background removal).
    • Updated baseline requirements to Python 3.14 and Django 4.2.10.
  • Chores

    • Bumped project version to 5.1.0 and updated dependencies.
    • Simplified Docker setup and updated CI/toolchain to target Python 3.14.
    • Removed custom type-checking overrides.

- switch to alpine
- update python to 3.14
- update pyuploadcare to 6.x

coderabbitai bot commented Feb 14, 2026

Walkthrough

Updates project to Python 3.14, changes Docker base image to an Alpine-based uv image and simplifies Dockerfile, bumps project version to 5.1.0, adjusts dev tooling (removes mypy, updates linters/formatters), expands README with addon sections, and adds a Makefile docker-up target. Also updates CI Python version.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker & Build: Dockerfile | Switched base image to ghcr.io/astral-sh/uv:python3.14-alpine3.23, removed apt-based system package steps and external uv copy, simplified copy/sync steps and removed --frozen flag. WORKDIR, EXPOSE, ENTRYPOINT unchanged. |
| Project Metadata & Packaging: pyproject.toml | Bumped version 5.0.1 → 5.1.0, raised requires-python to >=3.14.3,<4.0, replaced pyuploadcare git spec with pyuploadcare>=6.2.1,<7.0.0, updated dev dependency pins and Black target to py314. |
| Type Checking / Tooling Config: mypy.ini, pyproject.toml | Removed [mypy] and [mypy-*.migrations.*] blocks from mypy.ini. Removed mypy from dev deps and added/updated flake8/isort/black entries in pyproject.toml. |
| Documentation: README.md | Raised Python baseline to 3.14 and Django to 4.2.10, restructured table of contents into nested ordered lists, added addon sections (Object recognition, ClamAV, Background removing), and updated external Uploadcare links and minor formatting. |
| Developer UX: Makefile | Added docker-up target that runs docker compose up. |
| CI Workflow: .github/workflows/test.yml | Changed Python version in the setup-uv step from 3.12 to 3.14. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'Update docker image' is vague and generic. While it is related to the main change (updating the Docker base image to Alpine with Python 3.14), it doesn't clearly convey the scope of changes—which includes Python version updates, dependency changes, and infrastructure modifications beyond just the Docker image. | Consider a more descriptive title such as 'Update Docker image to Alpine with Python 3.14 and upgrade dependencies' to better reflect the comprehensive nature of these changes. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |

No actionable comments were generated in the recent review. 🎉

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • JIRA integration encountered authorization issues. Please disconnect and reconnect the integration in the CodeRabbit UI.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (1)
pyproject.toml (1)

6-6: Very specific Python version constraint.

>=3.14.3 is unusually specific for a minimum version. Typically >=3.14 would suffice unless there's a specific bug fix in 3.14.3 that's required. This may unnecessarily restrict users on 3.14.0-3.14.2.

Comment on lines +1 to +2
# python-alpine with uv
FROM ghcr.io/astral-sh/uv:python3.14-alpine3.23

⚠️ Potential issue | 🟠 Major

Add a non-root user for improved security.

The container runs as root by default, which is a security risk. Static analysis (Trivy DS-0002) flagged this. Add a non-root user to reduce the attack surface.

Proposed fix to add non-root user
 # python-alpine with uv
 FROM ghcr.io/astral-sh/uv:python3.14-alpine3.23

 WORKDIR /app

 COPY app/ /app/
 COPY pyproject.toml /app/
+COPY uv.lock /app/

-RUN uv sync --no-dev --no-install-project
+RUN uv sync --frozen --no-dev --no-install-project

+RUN adduser -D appuser && chown -R appuser:appuser /app
+USER appuser

 EXPOSE 8000
 ENTRYPOINT ["/app/start.sh"]
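
Review bot: `adduser -D appuser` on the added line leaves the UID and GID to whatever Alpine assigns, while the prompt attached to this comment asks for a fixed UID/GID; pin them, for example `adduser -D -u 1000 appuser`, so ownership of mounted volumes stays predictable across rebuilds. The `chown -R appuser:appuser /app` on the same line also makes everything under /app writable by the runtime user; if the service does not need to write there, leave those files root-owned and only switch `USER`, which keeps a compromised process from modifying its own code.
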
🧰 Tools
🪛 Trivy (0.69.1)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
In `@Dockerfile` around lines 1 - 2, Add a non-root user in the Dockerfile to
avoid running the container as root: create a new group and user (e.g., group
add/appgroup and user add/appuser with a fixed UID/GID like 1000), create and
chown a home or app directory (WORKDIR) to that user, and switch to that user
with USER before the final image runtime; reference the existing base image line
("FROM ghcr.io/astral-sh/uv:python3.14-alpine3.23") and ensure any files or
directories created earlier in the Dockerfile are chowned to the new user so the
runtime does not require root privileges.

Comment on lines +7 to +9
COPY pyproject.toml /app/

RUN uv sync --frozen --no-dev --no-install-project
RUN uv sync --no-dev --no-install-project

⚠️ Potential issue | 🟡 Minor

Missing uv.lock and --frozen flag risks non-reproducible builds.

Without copying uv.lock and using --frozen, each build may resolve different dependency versions, leading to inconsistent deployments. Consider restoring the lockfile copy and the --frozen flag for reproducible builds.

Proposed fix
 COPY pyproject.toml /app/
+COPY uv.lock /app/

-RUN uv sync --no-dev --no-install-project
+RUN uv sync --frozen --no-dev --no-install-project
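
Review bot: `--frozen` on the changed `uv sync` line installs from uv.lock as it stands and does not compare it with pyproject.toml, so a stale lockfile is used silently rather than failing the build. If the build should stop when uv.lock and pyproject.toml disagree, use `--locked` on that line instead; either flag needs the added `COPY uv.lock /app/` and a committed uv.lock.
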
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
COPY pyproject.toml /app/
RUN uv sync --frozen --no-dev --no-install-project
RUN uv sync --no-dev --no-install-project
COPY pyproject.toml /app/
COPY uv.lock /app/
RUN uv sync --frozen --no-dev --no-install-project
🤖 Prompt for AI Agents
In `@Dockerfile` around lines 7 - 9, The Dockerfile currently only copies
pyproject.toml and runs "uv sync --no-dev --no-install-project", which allows
dependency resolution to vary between builds; update the Dockerfile to also COPY
the lockfile (uv.lock) into /app before running the sync and pass the --frozen
flag to the "uv sync" command so it fails on any mismatch and enforces
reproducible installs (refer to the COPY pyproject.toml line and the RUN uv sync
--no-dev --no-install-project command when making the change).

@@ -7,3 +7,6 @@ lint:
uv run isort --check .
uv run flake8 .
uv run mypy --namespace-packages --show-error-codes ./app

⚠️ Potential issue | 🟠 Major

mypy removed from dev dependencies but still referenced in Makefile.

The lint target still runs mypy, but according to pyproject.toml changes, mypy has been removed from the dev dependencies. This will cause the lint command to fail.

Either remove the mypy step from the Makefile or restore mypy in dev dependencies.

Proposed fix to remove mypy from lint target
 lint:
 	uv run black --check .
 	uv run isort --check .
 	uv run flake8 .
-	uv run mypy --namespace-packages --show-error-codes ./app
🤖 Prompt for AI Agents
In `@Makefile` at line 9, The Makefile's lint target still invokes mypy ("uv run
mypy --namespace-packages --show-error-codes ./app") but mypy was removed from
dev dependencies; update the Makefile to stop referencing mypy or re-add mypy to
dev dependencies—specifically remove the "uv run mypy ..." line (or the mypy
step within the lint target) so the lint target no longer calls mypy, or
alternatively restore mypy to pyproject.toml dev-dependencies if you intend to
keep static type checks.

* [Webhooks](#webhooks)
* [Posts section](#posts-section)
* [Useful links](#useful-links)
The project is based on Python 3.14 and Django 4.2.10.

⚠️ Potential issue | 🟡 Minor

Django version mismatch with pyproject.toml.

README states Django 4.2.10, but pyproject.toml specifies >=4.2.28,<5. Consider updating to reflect the actual minimum version or use a more general statement like "Django 4.2.x".

🤖 Prompt for AI Agents
In `@README.md` at line 4, The README statement "The project is based on Python
3.14 and Django 4.2.10." conflicts with the dependency specifier '>=4.2.28,<5'
in pyproject.toml; update the README to either match the pyproject.toml minimum
(e.g., "Django >=4.2.28, <5") or use a general phrasing like "Django 4.2.x" so
the documentation and the pyproject.toml spec (the '>=4.2.28,<5' string) are
consistent.

Comment on lines +205 to 206
After all corresponding part of file's `adddata` is rendered
and you can get into full file information if needed

⚠️ Potential issue | 🟡 Minor

Typo: "adddata" should be "appdata".

The text mentions adddata but the correct term used elsewhere in the README (line 127) is appdata.

Proposed fix
-After all corresponding part of file's `adddata` is rendered
+After all corresponding part of file's `appdata` is rendered
📝 Committable suggestion

Suggested change
After all corresponding part of file's `adddata` is rendered
and you can get into full file information if needed
After all corresponding part of file's `appdata` is rendered
and you can get into full file information if needed
🤖 Prompt for AI Agents
In `@README.md` around lines 205 - 206, The README contains a typo: the phrase
"adddata" should be replaced with the correct term "appdata" to match usage
elsewhere (see existing reference "appdata"); update the sentence "After all
corresponding part of file's `adddata` is rendered" to use `appdata` instead so
documentation is consistent across the README.
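
The two Dockerfile findings in this review (root runtime user, `uv sync` without a lockfile pin) can be enforced as a CI check. The following is an added example, not code from this PR or from CodeRabbit: the `audit` function and its finding ids are hypothetical, the two Dockerfiles are reconstructed from the hunks above, and it assumes the base image sets no `USER`.

```python
import re

# Reconstructed from the hunks on this page: the Dockerfile as merged.
MERGED = """\
FROM ghcr.io/astral-sh/uv:python3.14-alpine3.23
WORKDIR /app
COPY app/ /app/
COPY pyproject.toml /app/
RUN uv sync --no-dev --no-install-project
EXPOSE 8000
ENTRYPOINT ["/app/start.sh"]
"""
# The same file with the review's proposed fix applied.
PROPOSED = MERGED.replace("RUN uv sync", "COPY uv.lock /app/\nRUN uv sync --frozen").replace(
    "EXPOSE", "RUN adduser -D appuser && chown -R appuser:appuser /app\nUSER appuser\nEXPOSE")

def instructions(text):
    """Yield (KEYWORD, args) per instruction, joining backslash continuations."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keyword, _, args = line.partition(" ")
            yield keyword.upper(), args.strip()

def audit(text):
    """Return finding ids for a root runtime user and unpinned `uv sync` steps."""
    findings, user, lock_copied = [], "root", False  # assumption: base image sets no USER
    for keyword, args in instructions(text):
        if keyword == "FROM":  # a new build stage starts from scratch
            user, lock_copied = "root", False
        elif keyword == "USER":
            user = args.split(":")[0]
        elif keyword in ("COPY", "ADD"):
            sources = [a for a in args.split() if not a.startswith("--")][:-1]
            lock_copied |= any(s in (".", "./") or s.endswith("uv.lock") for s in sources)
        elif keyword == "RUN" and re.search(r"\buv\s+sync\b", args):
            if not re.search(r"--(frozen|locked)\b", args):
                findings.append("uv-sync-resolves-at-build")
            elif not lock_copied:
                findings.append("uv-lock-not-copied")
    if user in ("", "root", "0"):  # the last USER of the final stage is the runtime user
        findings.append("runs-as-root")
    return findings

if __name__ == "__main__":
    for name, text in (("merged", MERGED), ("proposed", PROPOSED)):
        print(name, audit(text) or "ok")
```
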

@dmitry-mukhin dmitry-mukhin merged commit 4544354 into main Feb 14, 2026
2 of 5 checks passed
@dmitry-mukhin dmitry-mukhin deleted the chore/update-python branch February 14, 2026 12:17