Add a system test for the chainguard Python image (#18460)

Should require https://github.com/astral-sh/uv/pull/18457
2026-05-06 08:56:53 -04:00 · 2026-03-20 13:13:43 -05:00
parent 00e4746cc0
commit 8093dfcaa9
2 changed files with 65 additions and 0 deletions
@@ -316,6 +316,60 @@ jobs:
      - name: "Validate global Python install"
        run: pyston scripts/check_system_python.py --uv ./uv

+  system-test-chainguard-dev:
+    timeout-minutes: 10
+    name: "python on chainguard-dev"
+    runs-on: ubuntu-latest
+    container:
+      image: cgr.dev/chainguard/python:latest-dev@sha256:db41945938344dbd06cec33c6573a42191ee3dddf2b152e454c13b20dc684c35
+      options: --user root --entrypoint /bin/sh
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "Download binary"
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: uv-linux-libc-${{ inputs.sha }}
+
+      - name: "Prepare binary"
+        run: chmod +x ./uv
+
+      - name: "Print Python path"
+        run: echo $(which python)
+
+      - name: "Validate global Python install"
+        run: python scripts/check_system_python.py --uv ./uv
+
+  # The Chainguard distroless image has no shell, so we can't use `container:`
+  # directly. Instead, we run on ubuntu-latest and use `docker run` to execute
+  # inside the image.
+  system-test-chainguard:
+    timeout-minutes: 10
+    name: "python on chainguard"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "Download binary"
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: uv-linux-libc-${{ inputs.sha }}
+
+      - name: "Prepare binary"
+        run: chmod +x ./uv
+
+      - name: "Validate global Python install"
+        run: |
+          docker run --rm --user root \
+            -v "${{ github.workspace }}:/app" \
+            -w /app \
+            cgr.dev/chainguard/python:latest@sha256:c789723622cfc4a6b5d604a59250e3f708d0b4bb64cabb39a17c47119a224179 \
+            scripts/check_system_python.py --uv ./uv
+
  system-test-alpine:
    timeout-minutes: 10
    name: "python on alpine"
@@ -120,6 +120,17 @@ if __name__ == "__main__":
                f"Script was ran with {our_python_path} but `python` resolves to {system_python_path}"
            )

+    # Ensure that pip is available (e.g., the Chainguard distroless image ships
+    # Python but not pip).
+    try:
+        import pip  # noqa: F401
+    except ModuleNotFoundError:
+        logging.info("pip not found, running ensurepip...")
+        subprocess.run(
+            [sys.executable, "-m", "ensurepip"],
+            check=True,
+        )
+
    # Create a temporary directory.
    with tempfile.TemporaryDirectory() as temp_dir:
        # Ensure that the package (`pylint`) isn't installed.