FROM google/cloud-sdk:slim AS retriever
# Get service account key from HF Spaces' secrets
# https://huggingface.co/docs/hub/spaces-sdks-docker#buildtime
RUN --mount=type=secret,id=BUILD_CREDENTIALS,mode=0444,required=true \
  --mount=type=secret,id=BUILD_ASSET_BUCKET,mode=0444,required=true \
  --mount=type=secret,id=BUILD_ASSET_NAME,mode=0444,required=true \
  cat /run/secrets/BUILD_CREDENTIALS > /tmp/creds.json && \
  /bin/gcloud auth activate-service-account --key-file=/tmp/creds.json > /dev/null 2>&1 && \
  GOOGLE_APPLICATION_CREDENTIALS=/tmp/creds.json /bin/gcloud storage cp gs://$(cat /run/secrets/BUILD_ASSET_BUCKET)/$(cat /run/secrets/BUILD_ASSET_NAME) /tmp/ > /dev/null 2>&1 && \
  rm /tmp/creds.json

FROM python:3.11-slim AS gradio
RUN useradd -m -u 1000 app
USER app
ENV HOME=/home/app \
	PATH=/home/app/.local/bin:$PATH
WORKDIR ${HOME}
COPY --from=retriever /tmp/*_linux_amd64.tar.gz ${HOME}/
RUN tar -xf *_linux_amd64.tar.gz && rm *_linux_amd64.tar.gz

COPY . .
RUN pip install --no-cache-dir -r requirements.txt
RUN --mount=type=secret,id=LLM_CREDENTIALS,mode=0444,required=true \
   cat /run/secrets/LLM_CREDENTIALS > ${HOME}/credentials.json
EXPOSE 7860

ENV GRADIO_SERVER_NAME="0.0.0.0"
CMD ["python", "app.py"]