ISISNeutronMuon · martyngigg · Dec 15, 2025 · Dec 15, 2025 · Dec 15, 2025 · Dec 15, 2025
diff --git a/.github/workflows/docker-superset.yml b/.github/workflows/docker-superset.yml
@@ -0,0 +1,55 @@
+name: Publish a Docker image for our Superset build
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "infra/container-images/analytics-data-platform-superset/Dockerfile"
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - "infra/container-images/analytics-data-platform-superset/Dockerfile"
+
+env:
+  REGISTRY: ghcr.io
+  ORG_NAME: isisneutronmuon
+  IMAGE_NAME: analytics-data-platform-superset
+  FQ_IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.ORG_NAME }}/${{ env.IMAGE_NAME }}
+  PUBLISH: false
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: infra/container-images/${{ env.IMAGE_NAME }}
+          push: ${{ env.PUBLISH }}
+          tags: |
+            ${{ FQ_IMAGE_NAME }}:${{ github.sha }}
+            ${{ FQ_IMAGE_NAME }}:latest
+
+      # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built.
+      # See [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ FQ_IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: ${{ env.PUBLISH }}
diff --git a/infra/container-images/analytics-data-platform-superset/Dockerfile b/infra/container-images/analytics-data-platform-superset/Dockerfile
@@ -0,0 +1,22 @@
+ARG BASE_IMAGE=ghcr.io/isisneutronmuon/superset-fork:sha256-1f2019bd5a6ed81902d7c4035f0a363bceb10f60f5d9d98b4784857e2578506e
+FROM ${BASE_IMAGE}
+
+LABEL org.opencontainers.image.source=https://github.com/ISISNeutronMuon/analytics-data-platform
+LABEL org.opencontainers.image.description="Custom build of Apache Superset"
+LABEL org.opencontainers.image.licenses=MIT
+
+# Install Python requirements
+USER root
+RUN /app/docker/pip-install.sh --requires-build-essential \
+  openpyxl==3.1.5 \
+  psycopg2-binary==2.9.10 \
+  prophet==1.1.5 \
+  playwright==1.57.0 \
+  python-ldap==3.4.4 \
+  trino[sqlalchemy]==0.332.0
+
+RUN playwright install-deps && \
+    playwright install chromium
+
+# Run as superset
+USER superset
diff --git a/infra/container-images/readme.md b/infra/container-images/readme.md
@@ -0,0 +1,4 @@
+# Container Images
+
+This directory stores a set Dockerfiles for images used in the project. They are built and published
+to the GitHub container registry using [GitHub actions](../../.github/workflows).