pypi · JacobCoffee · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
@@ -113,9 +113,54 @@ USER docs
 
 
 
+# Install Python from a standalone build for the application image
+FROM debian:bookworm-slim AS python-standalone
+
+ENV PATH="/opt/warehouse/bin:${PATH}"
+
+ARG TARGETARCH
+ARG PYTHON_STANDALONE_AMD64_URL=https://astral-sh-dev-artifacts.s3.us-east-2.amazonaws.com/public/python/cpython-3.14.4-x86_64-unknown-linux-gnu-pgo%2Blto-1110-20260429T1133.tar.zst
+ARG PYTHON_STANDALONE_AMD64_SHA256=1988240030d33952727d828d5df699598bf6ef6d15dfd242dbc3192a413b81e4
+ARG PYTHON_STANDALONE_ARM64_URL=https://astral-sh-dev-artifacts.s3.us-east-2.amazonaws.com/public/python/cpython-3.14.4-aarch64-unknown-linux-gnu-pgo%2Blto-1110-20260429T1133.tar.zst
+ARG PYTHON_STANDALONE_ARM64_SHA256=77f5da4daceffc8c93a372b24aab57825cfbfb264061db142b6046446181f19e
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    set -eux \
+    && case "$TARGETARCH" in \
+        amd64) \
+            python_url="$PYTHON_STANDALONE_AMD64_URL"; \
+            python_sha256="$PYTHON_STANDALONE_AMD64_SHA256" \
+            ;; \
+        arm64) \
+            python_url="$PYTHON_STANDALONE_ARM64_URL"; \
+            python_sha256="$PYTHON_STANDALONE_ARM64_SHA256" \
+            ;; \
+        *) \
+            echo "Unsupported TARGETARCH: $TARGETARCH" >&2; \
+            exit 1 \
+            ;; \
+    esac \
+    && apt-get update \
+    && apt-get install --no-install-recommends -y \
+       ca-certificates \
+       curl \
+       zstd \
+    && curl --fail --location --show-error "$python_url" -o /tmp/python.tar.zst \
+    && echo "$python_sha256  /tmp/python.tar.zst" | sha256sum -c - \
+    && mkdir -p /opt/warehouse \
+    && tar --extract \
+           --file /tmp/python.tar.zst \
+           --use-compress-program=unzstd \
+           --strip-components=2 \
+           --directory /opt/warehouse \
+    && /opt/warehouse/bin/python3 -m pip --no-cache-dir --disable-pip-version-check install --upgrade pip \
+    && rm -rf /tmp/* /var/tmp/*
+
+
 # Now we're going to build our actual application, but not the actual production
 # image that it gets deployed into.
-FROM python:${PYTHON_IMAGE_VERSION} AS build
+FROM python-standalone AS build
 
 # Define whether we're building a production or a development image. This will
 # generally be used to control whether or not we install our development and
@@ -153,33 +198,33 @@ COPY requirements /tmp/requirements
 # otherwise this will do nothing.
 RUN --mount=type=cache,target=/root/.cache/pip \
     set -x \
-    && if [ "$DEVEL" = "yes" ]; then pip --disable-pip-version-check install -r /tmp/requirements/dev.txt; fi
+    && if [ "$DEVEL" = "yes" ]; then python3 -m pip --disable-pip-version-check install -r /tmp/requirements/dev.txt; fi
 
 RUN --mount=type=cache,target=/root/.cache/pip \
     set -x \
-    && if [ "$DEVEL" = "yes" ] && [ "$IPYTHON" = "yes" ]; then pip --disable-pip-version-check install -r /tmp/requirements/ipython.txt; fi
+    && if [ "$DEVEL" = "yes" ] && [ "$IPYTHON" = "yes" ]; then python3 -m pip --disable-pip-version-check install -r /tmp/requirements/ipython.txt; fi
 
 # Install the Python level Warehouse requirements, this is done after copying
 # the requirements but prior to copying Warehouse itself into the container so
 # that code changes don't require triggering an entire install of all of
 # Warehouse's dependencies.
 RUN --mount=type=cache,target=/root/.cache/pip \
     set -x \
-    && pip --disable-pip-version-check \
-            install --no-deps --only-binary :all: \
-                    -r /tmp/requirements/deploy.txt \
-                    -r /tmp/requirements/main.txt \
-                    $(if [ "$DEVEL" = "yes" ]; then echo '-r /tmp/requirements/tests.txt -r /tmp/requirements/lint.txt'; fi) \
-                    $(if [ "$CI" = "yes" ]; then echo '-r /tmp/requirements/docs-dev.txt -r /tmp/requirements/docs-user.txt -r /tmp/requirements/docs-blog.txt'; fi ) \
-    && pip check \
+    && python3 -m pip --disable-pip-version-check \
+                      install --no-deps --only-binary :all: \
+                      -r /tmp/requirements/deploy.txt \
+                      -r /tmp/requirements/main.txt \
+                      $(if [ "$DEVEL" = "yes" ]; then echo '-r /tmp/requirements/tests.txt -r /tmp/requirements/lint.txt'; fi) \
+                      $(if [ "$CI" = "yes" ]; then echo '-r /tmp/requirements/docs-dev.txt -r /tmp/requirements/docs-user.txt -r /tmp/requirements/docs-blog.txt'; fi ) \
+    && python3 -m pip check \
     && find /opt/warehouse -name '*.pyc' -delete
 
 
 
 
 # Now we're going to build our actual application image, which will eventually
 # pull in the static files that were built above.
-FROM python:${PYTHON_IMAGE_VERSION}
+FROM debian:bookworm-slim
 
 # Setup some basic environment variables that are ~never going to change.
 ENV PYTHONUNBUFFERED 1
@@ -230,6 +275,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 COPY --from=static /opt/warehouse/src/warehouse/static/dist/ /opt/warehouse/src/warehouse/static/dist/
 COPY --from=static /opt/warehouse/src/warehouse/admin/static/dist/ /opt/warehouse/src/warehouse/admin/static/dist/
 COPY --from=build /opt/warehouse/ /opt/warehouse/
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
 COPY . /opt/warehouse/src/
 
 # Pre-cache TLD list

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.13
+# This file is autogenerated by pip-compile with Python 3.14
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/deploy.txt requirements/deploy.in

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.13
+# This file is autogenerated by pip-compile with Python 3.14
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/dev.txt requirements/dev.in