feat: exclude newer python packages.

.dockerignore

@@ -2,4 +2,5 @@
 Dockerfile
 Makefile
 .devcontainer/
-.pre-commit-config.yaml
+.pre-commit-config.yaml
+.venv

Dockerfile

@@ -11,37 +11,43 @@ ARG PIP_CERT
 ARG PIP_CLIENT_CERT
 ARG PIP_TRUSTED_HOST
 ARG PIP_INDEX_URL
+ARG PIP_EXTRA_INDEX_URL
+ARG GIT_BRANCH_NAME
+# expected to be public registry (e.g pypi.org)
 ARG UV_DEFAULT_INDEX
+# expected to be private registry
+ARG UV_INDEX_URL
 ARG UV_INSECURE_HOST
-ARG GIT_BRANCH_NAME
-ARG PIP_EXTRA_INDEX_URL
+# Ensure uv installs to the correct directory
+ENV UV_PROJECT_ENVIRONMENT=/usr/local
 
 COPY debian.txt /tmp/src/
 RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends \
     $(grep -vE "^\s*(#|$)" /tmp/src/debian.txt | tr "\n" " ") && \
     rm -rf /tmp/src/debian.txt /var/lib/apt/lists/*
+
 # copy all files not in .dockerignore
 COPY ./ /tmp/src
 RUN pip install uv
+
+# build and install package
+WORKDIR /tmp/src
+# Install all dependencies
+RUN uv sync --frozen --no-editable
+# Install package with version attached. (hatchling and hatch-vcs installed after sync to avoid being uninstalled)
 RUN uv pip install --system hatchling hatch-vcs
-# build package
-RUN cd /tmp/src && uv build . --out-dir /tmp/
-# install package
-RUN uv pip install --system \
-    --find-links /tmp/ \
-    # Version specified to ensure the package that was just built is installed instead of a newer version of the package.
-    azul-plugin-python==$(cd /tmp/src && hatchling version)
+RUN uv build . --out-dir /tmp/
+RUN uv pip uninstall --system azul-plugin-python
+RUN uv pip install --system --no-deps --find-links /tmp/ azul-plugin-python==$(hatchling version)
 
-# If on dev branch, install dev versions of azul packages (locate packages)
-# Note pip install --pre --upgrade --no-deps is not valid because it doesn't install the requirements of dev azul packages which are needed.
+# Upgrade to dev azul dependencies or upgrade non-dev azul dependencies depending on branch.
 RUN if [ "$GIT_BRANCH_NAME" = "refs/heads/dev" ] ; then \
-    pip freeze | grep 'azul-.*==' | cut -d "=" -f 1 | xargs -I {} uv pip install --system --find-links /tmp/ --upgrade '{}>=0.0.1.dev' ;fi
-# re-run install sdist to get correct version of current package after dev install.
-RUN if [ "$GIT_BRANCH_NAME" = "refs/heads/dev" ] ; then \
-    uv pip install --system --find-links /tmp/ azul-plugin-python==$(cd /tmp/src && hatchling version);fi
-
+    uv pip freeze | grep 'azul-.*==' | grep -v '^azul-plugin-python' | cut -d "=" -f 1 | xargs -I {} uv pip install --extra-index-url=$(UV_INDEX_URL) --system --upgrade --no-deps --prerelease allow '{}>=0.0.0-dev' \
+    else \
+    uv pip freeze | grep 'azul-.*==' | grep -v '^azul-plugin-python' | cut -d "=" -f 1 | xargs -I {} uv pip install --extra-index-url=$(UV_INDEX_URL) --system --upgrade --no-deps '{}>=0.0.0'\
+    ;fi \
 
 FROM $REGISTRY/$BASE_IMAGE:$BASE_TAG AS base
 ENV DEBIAN_FRONTEND=noninteractive
@@ -65,6 +71,7 @@ ARG PIP_CLIENT_CERT
 ARG PIP_TRUSTED_HOST
 ARG PIP_INDEX_URL
 ARG UV_DEFAULT_INDEX
+ARG UV_INDEX_URL
 ARG UV_INSECURE_HOST
 ARG PIP_EXTRA_INDEX_URL
 ARG UID=21000
@@ -85,4 +92,4 @@ RUN touch /tmp/testingpassed
 FROM base AS release
 # copy from `tester` stage to ensure testing is not skipped due to build optimisations.
 COPY --from=tester /tmp/testingpassed /tmp/
-ENTRYPOINT ["azul-plugin-python"]
+ENTRYPOINT ["azul-plugin-python"]

pyproject.toml

@@ -24,6 +24,7 @@ classifiers=[
     "Topic :: Software Development :: Libraries",
 ]
 dependencies = [
+    "azul-bedrock>=11.0.26",
     "azul-runner>=9.0.38",
     "isort>=4.3,<5.0",
     "pefile>=2024.8.26",
@@ -44,10 +45,29 @@ pyz_unpacker = "azul_plugin_python.pyinstaller_unpacker.pyz:main"
 Documentation = "https://australiancybersecuritycentre.github.io/azul/"
 Repository = "https://github.com/AustralianCyberSecurityCentre/azul-plugin-python"
 
+[tool.uv]
+package = true
+exclude-newer = "1 week"
+exclude-newer-package = { azul-bedrock = false, azul-runner = false, azul-security=false, azul-metastore = false, azul-nsrl-lookup-serve=false, azul-nsrl-lookup-server=false, azul-plugin-retrohunt = false }
+
+[tool.uv.sources]
+azul-bedrock = { index="cache"}
+azul-runner = { index="cache" }
+azul-metastore = { index="cache"}
+azul-security = { index="cache"}
+azul-nsrl-lookup-server = { index="cache"}
+azul-plugin-retrohunt = { index="cache" }
+
 [[tool.uv.index]]
-url = "https://devpi.acsc.internal/azul/stable/+simple"
+name = "pypi"
+url = "https://pypi.org/simple"
 default = true
 
+[[tool.uv.index]]
+name = "cache"
+url = "https://devpi.acsc.internal/azul/stable/"
+explicit = true
+
 [tool.hatch.version]
 source = "vcs"
 

tox.ini

@@ -12,6 +12,7 @@ skip_install = true
 passenv = 
     PIP_TRUSTED_HOST
     UV_DEFAULT_INDEX
+    UV_INDEX_URL
     UV_INSECURE_HOST
 
 # must supply this as uppercase as otherwise tests fail if proxy is set
@@ -34,6 +35,7 @@ commands =
 passenv = 
     PIP_TRUSTED_HOST
     UV_DEFAULT_INDEX
+    UV_INDEX_URL
     UV_INSECURE_HOST
     FILE_MANAGER_VIRUSTOTAL_API_KEY
     FILE_MANAGER_AZURE_STORAGE_ACCESS_KEY