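# Hermetic Dockerfile - Reproducible builds with pinned dependencies
# Tag image with: deps-<hash>
# Example: docker build -t mylab/pytorch:deps-abc123 .
#
# Provenance labels are filled from build arguments, e.g.:
#   docker build --build-arg BUILD_DATE=<date> --build-arg GIT_COMMIT=<commit> ...

# NOTE(review): a tag can be re-pushed upstream, so the tag alone does not
# guarantee the same base layers on every build. For a hermetic build, pin the
# base by digest as well (placeholder shown, take the real value from your registry):
#   FROM pytorch/pytorch:2.0.1-cuda11.8-cudnn8-runtime@sha256:<digest-placeholder>
FROM pytorch/pytorch:2.0.1-cuda11.8-cudnn8-runtime

# Pin system dependencies to specific versions for reproducibility.
# These versions are frozen - update only after testing.
# The apt lists are removed in the same layer so they never reach the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        libblas3=3.9.0-1build1 \
        libcudnn8=8.6.0.163-1+cuda11.8 \
        liblapack3=3.9.0-1build1 \
    && rm -rf /var/lib/apt/lists/*

# Install conda environment with pinned packages (if using a conda environment file).
# COPY already fails the build when the manifest is absent, so no existence
# check is needed before the update.
# NOTE(review): `conda env update -f` normally takes a YAML environment file;
# confirm that deps_manifest.json is in a format conda accepts.
COPY deps_manifest.json /tmp/deps_manifest.json
RUN conda env update -n base -f /tmp/deps_manifest.json

# Install Python packages from requirements.txt with hashes.
# --require-hashes is the integrity control for this image: a missing or
# mismatched hash must fail the build. Do not append a fallback such as
# `|| echo ...` here, because it turns a failed verification into a
# "successful" image that lacks (or only partly contains) the pinned packages.
COPY requirements.txt /tmp/requirements.txt
RUN pip install --no-cache-dir --require-hashes --no-deps -r /tmp/requirements.txt

# Verify installation: the build fails here if either import is broken.
RUN python -c "import torch; print(f'PyTorch: {torch.__version__}')" \
    && python -c "import numpy; print(f'NumPy: {numpy.__version__}')"

# Build-time provenance inputs. They must be declared as ARG, otherwise
# ${BUILD_DATE} and ${GIT_COMMIT} expand to empty strings in the labels below.
# Declared late because they change on every build and would otherwise
# invalidate the cached dependency layers above. Never pass secrets this way:
# build arguments are visible in the image history.
ARG BUILD_DATE
ARG GIT_COMMIT

# Labels for provenance
LABEL org.opencontainers.image.title="Hermetic ML Environment" \
      org.opencontainers.image.description="Reproducible ML training environment" \
      org.fetchml.deps_manifest="/tmp/deps_manifest.json" \
      org.fetchml.build_date="${BUILD_DATE}" \
      org.fetchml.git_commit="${GIT_COMMIT}"

# NOTE(review): there is no USER directive, so the container runs as the base
# image's default user (presumably root - confirm). Add a dedicated non-root
# USER if the training workload and its volume mounts permit it.
WORKDIR /workspace

CMD ["python", "--version"]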