step 6 (A2): switch space to sdk:docker, install cadgenbench from private LeForge via GH_PAT build secret

The HF Spaces Gradio SDK can't substitute Space secrets into requirements.txt
at build time (only at runtime), and embedding the literal token in
requirements.txt is a no-go (would land in git history of the Space).

Switching to sdk: docker collapses two open Step 6 sub-decisions into one
small change:

(A2) private GitHub dep install -- handled by `RUN --mount=type=secret`
in the Dockerfile; the PAT (Space secret GH_PAT) is mounted at
/run/secrets/GH_PAT for that one RUN and never lands in any layer.

(D) Playwright/Chromium for STEP -> PNG rendering -- handled by
`playwright install --with-deps chromium` in the same Dockerfile.

Layer ordering optimises rebuild speed: OS deps + requirements.txt deps
+ Chromium come early (stable), cadgenbench from git comes mid (bumps
on each commit), app.py + results.jsonl come last (changes most).

Front-matter: sdk: gradio -> sdk: docker, drop sdk_version + app_file
(Docker SDK uses Dockerfile CMD), add app_port: 7860. .dockerignore
keeps legacy/'s 19 MB out of the build context.

GH_PAT set on the Space via HfApi().add_space_secret(...) -- fine-grained
GitHub PAT, read-only Contents on MichaelRabinovich/LeForge, 1-year
expiry. Mirrors at /tmp/gh_pat locally for `docker build --secret`.

Co-authored-by: Cursor <cursoragent@cursor.com>

.dockerignore

@@ -0,0 +1,11 @@
+# Build context exclusions for `docker build` (HF Space + local).
+# COPY directives in the Dockerfile are explicit so this is purely a
+# build-speed optimisation: prevents sending 19 MB of legacy HTML and
+# any local caches to the daemon on every build.
+.git
+.gitattributes
+.gitignore
+__pycache__
+*.pyc
+.DS_Store
+legacy/

Dockerfile

@@ -0,0 +1,69 @@
+# syntax=docker/dockerfile:1.7
+#
+# Hugging Face Space (sdk: docker) for the CADGenBench leaderboard.
+#
+# HF builds this server-side on each git push. Local smoke test:
+#
+#     docker buildx build --platform linux/amd64 \
+#         --secret id=GH_PAT,src=/tmp/gh_pat \
+#         -t cadgenbench-space-test .
+#
+# The GH_PAT mount is a fine-grained GitHub PAT, read-only on
+# MichaelRabinovich/LeForge, used only by the `pip install cadgenbench`
+# step below. It never lands in an image layer, env var, or disk file
+# in the final image. The same value lives on the Space as a Settings
+# Secret (mirrors /tmp/gh_pat locally).
+
+FROM python:3.12-slim-bookworm
+
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
+    PLAYWRIGHT_BROWSERS_PATH=/opt/ms-playwright \
+    GRADIO_SERVER_NAME=0.0.0.0 \
+    GRADIO_SERVER_PORT=7860
+
+# OS deps:
+#   git, ca-certificates           -> pip install from git+https://
+#   libgl1, libglib2.0-0, libsm6,
+#   libxext6, libxrender1,         -> OCP / build123d / Pillow runtime
+#   libgomp1, libfontconfig1
+# Chromium's own runtime libs are added by `playwright install --with-deps`
+# below, so they aren't repeated here.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        git ca-certificates \
+        libgl1 libglib2.0-0 libsm6 libxext6 libxrender1 libgomp1 libfontconfig1 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Space-side Python deps (gradio, pandas, huggingface_hub, datasets).
+COPY requirements.txt /tmp/requirements.txt
+RUN pip install --no-cache-dir -r /tmp/requirements.txt \
+    && rm /tmp/requirements.txt
+
+# Playwright + headless Chromium for cadgenbench's STEP -> PNG renderer
+# (cadgenbench.common.viewer wraps tcv-screenshots -> playwright). Browsers
+# land in /opt/ms-playwright (world-readable) so the non-root runtime user
+# below can find them via PLAYWRIGHT_BROWSERS_PATH. ~200 MB layer.
+RUN pip install --no-cache-dir playwright \
+    && playwright install --with-deps chromium
+
+# cadgenbench from the private GitHub repo, pinned to a commit. The PAT
+# mount is visible only inside this single RUN: not embedded in any layer,
+# not exposed as env, not written to disk after the layer commits. Bumping
+# CADGENBENCH_SHA is the one-line path to picking up a new cadgenbench.
+ARG CADGENBENCH_SHA=d7e0468
+RUN --mount=type=secret,id=GH_PAT,mode=0400,required=true \
+    pip install --no-cache-dir \
+        "cadgenbench @ git+https://$(cat /run/secrets/GH_PAT)@github.com/MichaelRabinovich/LeForge.git@${CADGENBENCH_SHA}"
+
+# Drop privileges. HF Spaces conventionally run as uid 1000 with
+# WORKDIR /home/user/app.
+RUN useradd -m -u 1000 user \
+    && mkdir -p /home/user/app \
+    && chown -R user:user /home/user/app
+USER user
+WORKDIR /home/user/app
+COPY --chown=user:user app.py results.jsonl ./
+
+EXPOSE 7860
+CMD ["python", "app.py"]

README.md

@@ -3,9 +3,8 @@ title: CADGenBench Leaderboard
 emoji: 🔧
 colorFrom: indigo
 colorTo: pink
-sdk: gradio
-sdk_version: 6.14.0
-app_file: app.py
+sdk: docker
+app_port: 7860
 pinned: true
 short_description: Leaderboard for AI-driven CAD generation
 ---