Dockerfile

# Use Python 3.12 as the base image
FROM python:3.12

# Set working directory
WORKDIR /code

# Create a non-root user and set permissions
RUN useradd -m -u 1000 user && \
    mkdir -p /home/user/.cache/huggingface && \
    chown -R user:user /home/user/.cache /code

# Set environment variables
ENV HOME=/home/user \
    HF_HOME=/home/user/.cache/huggingface \
    PATH=/home/user/.local/bin:$PATH

# Switch to the new user
USER user

# Copy requirements and install dependencies
COPY --chown=user:user ./requirements.txt /code/requirements.txt
RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt

# Copy application files
COPY --chown=user:user . /code/app

# Hugging Face Spaces does NOT support --mount=type=secret.
# Instead, access HF_TOKEN via environment variables at runtime.
CMD huggingface-cli login --token "$HF_TOKEN" --add-to-git-credential && \
    streamlit run app.py \
    --server.headless true \
    --server.enableCORS false \
    --server.enableXsrfProtection false \
    --server.fileWatcherType none