Status: active. Updated Feb 19, 2026, 8:25 PM
Policy ID js7e1wzr556f50q6dzsx4zds7n81f348
Python production Dockerfiles must preserve reproducibility and runtime safety.

Rationale:
- Reproducible builds reduce drift between what was reviewed, what was built, and what runs.
- Runtime-safe entrypoints reduce failures that appear only in production (autoreload watchers, debug servers, missing dependencies outside a dev environment).

Scope:
- PR review policy for Dockerfile changes under `domains/python/**` intended for deployable services.

Trigger:
- A PR adds or changes a deployable service Dockerfile or its build flow.

Approval checks (all must pass):
1) Dependency installation uses locked inputs (a lockfile or frozen/hash-checked mode, or an equivalent deterministic install path).
2) The runtime stage executes from an isolated runtime environment path (a virtualenv, or a documented equivalent).
3) The runtime command uses production server mode (not a local autoreload or dev server mode).

Evidence:
- The Dockerfile diff and related scripts demonstrate the deterministic install, the isolated runtime path, and the production entrypoint behavior.

Exception path:
- Allow deviation only when all of the following are true:
  1) The PR description includes `Policy Exception: python-docker-reproducibility`.
  2) The PR explicitly marks the image as non-production (dev/tool-only).
  3) The PR explains why the deviation does not increase production risk.

Decision:
- Return NOT APPROVED when the trigger is met and any check fails without a valid exception.
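The three approval checks can be screened mechanically before a human reviewer looks at the diff. The script below is an added example, not part of this policy or of any project's tooling: it parses a Dockerfile into stages, flags install commands that are not run from locked inputs, checks that the final stage runs from a virtualenv path, and checks that the effective CMD/ENTRYPOINT is a production server rather than a dev/autoreload one. The two embedded Dockerfiles are constructed samples (one compliant, one not); the module path `app.wsgi:application`, the venv location `/opt/venv`, and the regex lists of locked install forms and server names are assumptions to be extended for your own tooling.

```python
"""Heuristic screen for the python-docker-reproducibility approval checks (added example)."""
import json
import re
from dataclasses import dataclass, field


@dataclass
class Stage:
    base: str
    instructions: list = field(default_factory=list)  # (KEYWORD, args) in order


def parse_stages(dockerfile: str) -> list:
    """Split a Dockerfile into build stages; joins backslash continuations, drops comments."""
    stages, pending = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines may sit inside a continuation, so skip them first
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        keyword, _, args = (pending + line).partition(" ")
        pending = ""
        keyword = keyword.upper()
        if keyword == "FROM":
            stages.append(Stage(base=args.strip()))
        elif stages:
            stages[-1].instructions.append((keyword, args.strip()))
    return stages


def _exec_to_shell(args: str) -> str:
    """Normalise exec form (JSON array) of CMD/ENTRYPOINT to a space-joined string."""
    if args.startswith("["):
        try:
            return " ".join(json.loads(args))
        except ValueError:
            pass
    return args


# Check 1: which commands install dependencies, and which forms count as locked (assumed list).
INSTALL = re.compile(r"\bpip3?\s+install\b|\buv\s+(?:pip\s+)?(?:install|sync)\b")
LOCKED = re.compile(
    r"\bpip3?\s+install\b.*--require-hashes"  # pip hash-checking mode
    r"|\bpip-sync\b"                          # pip-tools: exact pins from a compiled file
    r"|\buv\s+pip\s+sync\b"                   # uv: exact pins from a compiled file
    r"|\buv\s+sync\b.*--(?:frozen|locked)\b"  # uv.lock applied without re-resolution
)
# Bootstrapping the installer itself at an exact version is tolerated.
BOOTSTRAP = re.compile(r"\bpip3?\s+install\s+(?:-[-\w]+\s+)*(?:pip|pip-tools|uv)==\S+\s*$")
# Check 2: a virtualenv on PATH or invoked directly in the final stage.
VENV_PATH = re.compile(r"/(?:\.?venv|virtualenv)/bin\b")
# Check 3: dev/autoreload servers versus production servers (assumed lists).
DEV_SERVER = re.compile(
    r"\bflask\s+run\b|\bmanage\.py\s+runserver\b|\bfastapi\s+dev\b|--reload\b|--debug\b|\bdebug=True\b"
)
PROD_SERVER = re.compile(r"\b(?:gunicorn|uvicorn|hypercorn|waitress-serve|daphne|granian)\b|\bfastapi\s+run\b")


def review_dockerfile(dockerfile: str) -> dict:
    """Return {check_name: [findings]}; an empty list means that check passed."""
    stages = parse_stages(dockerfile)
    findings = {"locked_install": [], "isolated_runtime": [], "production_entrypoint": []}
    if not stages:
        findings["production_entrypoint"].append("no FROM instruction found")
        return findings

    # 1) every install command, in any stage, must use a locked form
    saw_install = False
    for stage in stages:
        for keyword, args in stage.instructions:
            if keyword != "RUN" or not INSTALL.search(args):
                continue
            saw_install = True
            for cmd in re.split(r"&&|;|\|\|", args):  # inspect each command of a chained RUN
                cmd = cmd.strip()
                if INSTALL.search(cmd) and not (LOCKED.search(cmd) or BOOTSTRAP.search(cmd)):
                    findings["locked_install"].append(f"unlocked install: {cmd}")
    if not saw_install:
        findings["locked_install"].append("no dependency install found")

    # 2) the final stage must put a virtualenv on PATH or call into one directly
    runtime = stages[-1]
    env_or_exec = [a for k, a in runtime.instructions if k in ("ENV", "CMD", "ENTRYPOINT")]
    if not any(VENV_PATH.search(_exec_to_shell(a)) for a in env_or_exec):
        findings["isolated_runtime"].append("final stage does not run from a virtualenv path")

    # 3) the effective entrypoint (last ENTRYPOINT + last CMD) must be a production server
    last = {k: _exec_to_shell(a) for k, a in runtime.instructions if k in ("ENTRYPOINT", "CMD")}
    command = " ".join(last.get(k, "") for k in ("ENTRYPOINT", "CMD")).strip()
    if not command:
        findings["production_entrypoint"].append("no CMD/ENTRYPOINT in final stage")
    elif DEV_SERVER.search(command):
        findings["production_entrypoint"].append(f"dev server mode in entrypoint: {command}")
    elif not PROD_SERVER.search(command):
        findings["production_entrypoint"].append(f"no recognised production server in: {command}")
    return findings


def approved(dockerfile: str) -> bool:
    return not any(review_dockerfile(dockerfile).values())


# Constructed sample: passes all three checks (requirements.txt is assumed to carry hashes).
COMPLIANT = """\
# syntax=docker/dockerfile:1
FROM python:3.12-slim AS build
WORKDIR /src
COPY requirements.txt .
RUN python -m venv /opt/venv \\
    && /opt/venv/bin/pip install --no-cache-dir --no-deps --require-hashes -r requirements.txt

FROM python:3.12-slim
COPY --from=build /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY app ./app
USER nobody
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app.wsgi:application"]
"""

# Constructed sample: unlocked install, no virtualenv, Flask dev server with autoreload.
NONCOMPLIANT = """\
FROM python:3.12-slim
WORKDIR /app
COPY . .
RUN pip install -r requirements.txt
ENV FLASK_APP=app.py
CMD ["flask", "run", "--host=0.0.0.0", "--reload"]
"""

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, "APPROVED" if approved(text) else "NOT APPROVED", review_dockerfile(text))
```

The screen is deliberately conservative: an install form it does not recognise is reported as unlocked so the reviewer has to look at it, and an entrypoint with no recognised server is reported rather than assumed fine. It does not cover everything reproducibility needs (base-image digest pins, for instance, are outside the three checks and left to the reviewer), and a positive result is evidence for the review, not a substitute for it.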