Dockerfile: add build stage

The image currently has 840 security
vulnerabilities according to Trivy.
Many of those vulnerabilities are
in the development packages, so
add a build stage to the Dockerfile
so the development packages do not
end up in the final image. This reduces
the final image size by roughly
1/3 of its size.

Since everything is being changed,
also replace wget with curl, so we
get error messages on HTTP failures
(wget -q silences everything including
error printouts, and the behavior
cannot be overridden).

index/Dockerfile

@@ -1,25 +1,26 @@
-FROM ghcr.io/osgeo/gdal:ubuntu-small-3.10.0
+# syntax=docker/dockerfile:1
+FROM ghcr.io/osgeo/gdal:ubuntu-small-3.10.0 AS builder
+
+ARG UV=https://github.com/astral-sh/uv/releases/download/0.5.4/uv-x86_64-unknown-linux-gnu.tar.gz
 
-ENV DEBIAN_FRONTEND=noninteractive \
-    LC_ALL=C.UTF-8 \
-    LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8 \
+    LANG=C.UTF-8 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    UV_LINK_MODE=copy \
+    UV_COMPILE_BYTECODE=0 \
+    UV_PYTHON_DOWNLOADS=never \
+    UV_PYTHON=python3.12 \
+    UV_PROJECT_ENVIRONMENT=/app
 
-RUN apt-get update \
+RUN export DEBIAN_FRONTEND=noninteractive \
+    && apt-get update \
     && apt-get upgrade -y \
-    # Python virt environment
-    && apt-get install -y --no-install-recommends \
-        virtualenv \
-    && mkdir /virtualenv \
-    && virtualenv /virtualenv/python3.12 \
-    && . /virtualenv/python3.12/bin/activate \
-    # Developer convenience
     && apt-get install -y --no-install-recommends \
-        git \
-        fish \
-        wget \
         unzip \
-        # Build tools\
+        # Build tools
         build-essential \
+        libffi-dev \
         python3-dev \
         # For Psycopg2
         libpq-dev \
@@ -28,35 +29,63 @@ RUN apt-get update \
         lsb-release \
         # for shapely with --no-binary
         libgeos-dev \
-        postgresql-client-16 \
     # Cleanup
     && apt-get autoclean \
     && apt-get autoremove \
     && rm -rf /var/lib/{apt,dpkg,cache,log}
 
-ENV VIRTUAL_ENV=/virtualenv/python3.12 \
-    PATH=/virtualenv/python3.12/bin:$PATH
+WORKDIR /build
+
+ADD --checksum=sha256:c5b63d1cd0a894246195250c034f9d82d646dc8f718f1f424cec2bb1a42e7b17 --chown=root:root --chmod=644 --link $UV uv.tar.gz
+
+RUN tar xf uv.tar.gz -C /usr/local/bin --strip-components=1 --no-same-owner
+
+COPY --link pyproject.toml version.txt uv.lock /build/
+
+# Use a separate cache volume for uv on opendatacube projects, so it is
+# not inseparable from pip/poetry/npm/etc. cache stored in /root/.cache.
+RUN --mount=type=cache,id=opendatacube-uv-cache,target=/root/.cache \
+    uv sync --locked --no-dev --no-install-project \
+      --no-binary-package fiona \
+      --no-binary-package rasterio \
+      --no-binary-package shapely
+
+FROM ghcr.io/osgeo/gdal:ubuntu-small-3.10.0
+
+ENV LC_ALL=C.UTF-8 \
+    LANG=C.UTF-8 \
+    PATH=/app/bin:$PATH \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
 
-COPY requirements.txt constraints.txt version.txt /conf/
+RUN export DEBIAN_FRONTEND=noninteractive \
+    && apt-get update \
+    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends \
+        unzip \
+        # For Psycopg2
+        libpq5 \
+        lsb-release \
+        postgresql-client-16 \
+    # Cleanup
+    && apt-get autoclean \
+    && apt-get autoremove \
+    && rm -rf /var/lib/{apt,dpkg,cache,log}
 
-RUN cat /conf/version.txt \
-  && pip install --no-cache-dir --upgrade pip \
-  && pip install --no-cache-dir \
-    -r /conf/requirements.txt \
-    -c /conf/constraints.txt
+WORKDIR /conf
 
-RUN pip freeze
+COPY --from=builder --link --chown=ubuntu:ubuntu /app /app
+COPY --from=builder --link /build/*.txt /conf/
 
 # Copy Datacube bootstrapping and other scripts
-ADD ./assets /code
-RUN wget -q https://github.com/opendatacube/datacube-dataset-config/archive/refs/heads/main.zip \
-    -O /tmp/datacube-dataset-config.zip \
+COPY --link ./assets /code
+RUN curl -L -fsS https://github.com/opendatacube/datacube-dataset-config/archive/refs/heads/main.zip \
+    -o /tmp/datacube-dataset-config.zip \
     && unzip -q /tmp/datacube-dataset-config.zip -d /tmp \
     && cp -r /tmp/datacube-dataset-config-main/odc-product-delete /code/odc-product-delete \
-    && rm -r /tmp/datacube-dataset-config-main /tmp/datacube-dataset-config.zip
-
-## Do some symlinking
-RUN ln -s /code/bootstrap-odc.sh /usr/local/bin/bootstrap-odc.sh
+    && rm -r /tmp/datacube-dataset-config-main /tmp/datacube-dataset-config.zip \
+    && ln -s /code/bootstrap-odc.sh /usr/local/bin/bootstrap-odc.sh \
+    && cat /conf/version.txt
 
 # Smoke test
 RUN s3-to-dc --help