feature-server Docker image does not use locked dependency versions #5943

@ntkathole

Expected Behavior

The feature-server image should use the locked dependency versions from sdk/python/requirements/py3.11-minimal-requirements.txt (similar to how the dev image works) to ensure:

Reproducible builds: Same Feast version always produces identical images
Security: Dependencies are verified with hashes
Consistency: Production images use the same tested dependency versions as CI

Current Behavior

The production feature-server Docker image installs Feast from PyPI without using the locked dependency versions from sdk/python/requirements/, resulting in non-reproducible builds where transitive dependencies are resolved at build time.

The production Dockerfile at sdk/python/feast/infra/feature_servers/multicloud/Dockerfile uses:

COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt

Where requirements.txt contains:
feast[minimal] == 0.59.0

This approach:

  • Installs Feast from PyPI with a pinned version
  • Resolves all transitive dependencies at build time to whatever versions are currently available
  • Does not use the locked requirements files with pinned versions and hashes

The locked requirements files are generated using uv pip compile with hashes and are already maintained in the repository for this purpose. They should be utilized in production builds to ensure consistency.
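As an added example (not code from the issue or from the Feast repository), the following POSIX shell check tests the property the issue asks for: whether a requirements file satisfies the contract that `pip install --require-hashes -r FILE` enforces, namely every requirement pinned with `==` and carrying at least one `--hash`. It runs that check over the loose requirements.txt quoted above and over a constructed file in the style of `uv pip compile --generate-hashes`; the package set and digest values in the locked sample are placeholders, not real Feast lock data.

```shell
#!/bin/sh
# Added example, not Feast's code. LOOSE_REQS is the requirements.txt the issue
# quotes; LOCKED_REQS is a constructed lock file with placeholder (not real)
# digests, in the layout uv pip compile --generate-hashes produces.
LOOSE_REQS='feast[minimal] == 0.59.0'
LOCKED_REQS='# constructed sample in the style of: uv pip compile --generate-hashes
feast==0.59.0 \
    --hash=sha256:PLACEHOLDER_FEAST_DIGEST
numpy==1.26.4 \
    --hash=sha256:PLACEHOLDER_NUMPY_DIGEST_1 \
    --hash=sha256:PLACEHOLDER_NUMPY_DIGEST_2'

# check_locked FILE -> exit 0 if every requirement is '==' pinned and hashed
# (what pip --require-hashes demands), 1 otherwise. Offending lines go to stderr.
check_locked() {
  # Join backslash-continued lines, then drop comments and blank lines.
  normalized=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" \
    | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true)
  status=0
  while IFS= read -r req; do
    case "$req" in
      '') ;;                                  # nothing left after filtering
      *==*--hash=sha256:*) ;;                 # pinned and hashed: acceptable
      *) echo "unlocked requirement: $req" >&2; status=1 ;;
    esac
  done <<EOF
$normalized
EOF
  return $status
}

# Demo: write both constructed files to a temp dir and gate them as CI would.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' "$LOOSE_REQS" > "$tmp/requirements.txt"
  printf '%s\n' "$LOCKED_REQS" > "$tmp/py3.11-minimal-requirements.txt"
  for f in requirements.txt py3.11-minimal-requirements.txt; do
    if check_locked "$tmp/$f"; then
      echo "$f: safe for pip install --require-hashes"
    else
      echo "$f: transitive versions resolved at build time, hashes not verified"
    fi
  done
  rm -rf "$tmp"
}
```

Calling `demo` reports the loose file as unlocked and the hashed file as acceptable; the same `check_locked` gate can run in CI before the image build so a Dockerfile that drops back to an unhashed requirements file fails fast.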
