Merge pull request #57 from shinybrar/56-feat-signed-docker-container…
…-and-pypi-artifacts

Edge Container Image
shinybrar authored Oct 23, 2024
2 parents 42c7403 + 062b26e commit 41752b4
Showing 6 changed files with 150 additions and 22 deletions.
62 changes: 41 additions & 21 deletions .github/workflows/cd.yml
Expand Up @@ -12,32 +12,52 @@ jobs:
-
name: Create release
id: release-please
uses: google-github-actions/release-please-action@v3
uses: googleapis/release-please-action@v4.1.3
with:
release-type: python
package-name: skaha
-
name: Checkout
if: ${{ steps.release-please.outputs.release_created }}
uses: actions/[email protected]
-
name: Set up Python
if: ${{ steps.release-please.outputs.release_created }}
uses: actions/setup-python@v4
name: Dispatch Edge Build
if: always()
uses: peter-evans/[email protected]
with:
python-version: 3.7
repository: shinybrar/skaha
event-type: edge-build
token: ${{ secrets.GITHUB_TOKEN }}
-
name: Install dependencies
name: Dispatch Release Build
if: ${{ steps.release-please.outputs.release_created }}
run: |
python -m pip install --upgrade pip
pip install --upgrade poetry
uses: peter-evans/[email protected]
with:
repository: shinybrar/skaha
event-type: release-build
token: ${{ secrets.GITHUB_TOKEN }}
client-payload: |-
{
"release_created": ${{ steps.release-please.outputs.release_created }},
"upload_url": ${{ steps.release-please.outputs.upload_url }},
"html_url": ${{ steps.release-please.outputs.html_url }},
"tag_name": ${{ steps.release-please.outputs.tag_name }},
"major": ${{ steps.release-please.outputs.major }},
"minor": ${{ steps.release-please.outputs.minor }},
"patch": ${{ steps.release-please.outputs.patch }},
"sha": ${{ steps.release-please.outputs.sha }}
}
-
name: Build and publish
name: Dispatch PYPI Release
if: ${{ steps.release-please.outputs.release_created }}
env:
PYPI_USERNAME: __token__
PYPI_PASSWORD: ${{ secrets.PYPI_TOKEN }}
run: |
poetry build
poetry publish -u $PYPI_USERNAME -p $PYPI_PASSWORD
uses: peter-evans/[email protected]
with:
repository: shinybrar/skaha
event-type: pypi-release
token: ${{ secrets.GITHUB_TOKEN }}
client-payload: |-
{
"release_created": ${{ steps.release-please.outputs.release_created }},
"upload_url": ${{ steps.release-please.outputs.upload_url }},
"html_url": ${{ steps.release-please.outputs.html_url }},
"tag_name": ${{ steps.release-please.outputs.tag_name }},
"major": ${{ steps.release-please.outputs.major }},
"minor": ${{ steps.release-please.outputs.minor }},
"patch": ${{ steps.release-please.outputs.patch }},
"sha": ${{ steps.release-please.outputs.sha }}
}
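Review bot: Both `client-payload` blocks (the `release-build` and `pypi-release` dispatches) interpolate the release-please outputs into the JSON without quoting, so string values such as `upload_url`, `html_url`, `tag_name` and `sha` render as bare tokens and the payload is not valid JSON. Encoding each value with the expression function keeps the document valid and escapes any quote characters, e.g. `"tag_name": ${{ toJSON(steps.release-please.outputs.tag_name) }},`. The workflows that receive these events presumably build and publish from `tag_name` and `sha`, so they should re-validate those fields rather than use them as received. The three dispatch steps also reference the third-party action by tag; pinning it to a full commit SHA would match the Pinned-Dependencies check of the OpenSSF Scorecard workflow this repository already runs.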
7 changes: 7 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -26,6 +26,7 @@ jobs:
tests:
needs: pre-commit-checks
strategy:
fail-fast: false
matrix:
python-version: ['3.9', '3.10', '3.11', '3.12', '3.13']
os: [ubuntu-latest]
Expand Down Expand Up @@ -56,10 +57,16 @@ jobs:
run: |
echo -e "machine ${CANFAR_BASEURL}\n login ${CANFAR_USERNAME}\n password ${CANFAR_PASSWORD}" > ~/.netrc
uv run cadc-get-cert --days-valid 1 --netrc-file ~/.netrc
rm ~/.netrc
-
name: Run tests
run: |
uv run pytest tests --cov --cov-report=xml --junitxml=junit.xml -o junit_family=legacy
-
name: Remove Canfar Cert
if: always()
run: |
rm -rf ~/.ssl/
-
name: Upload coverage to Codecov
env:
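Review bot: The added `rm ~/.netrc` only runs when `cadc-get-cert` succeeds, because it sits after that command in the same `run` block. If the step's shell stops on the first failing command (the default for `run` steps on GitHub-hosted Linux runners), a failed certificate request leaves the file containing `CANFAR_PASSWORD` on disk for the rest of the job. Registering the cleanup before the file is written, `trap 'rm -f ~/.netrc' EXIT`, and creating the file under `umask 077` would cover the failure path the way `if: always()` does for the new `Remove Canfar Cert` step. That step deletes all of `~/.ssl/`; a comment such as `# cadc-get-cert presumably stores the proxy certificate under ~/.ssl` would explain why. The step holding the `.netrc` lines starts above the hunk, so its `env:` block is not visible here.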
File renamed without changes.
85 changes: 85 additions & 0 deletions .github/workflows/edge.yml
@@ -0,0 +1,85 @@
name: Edge Container Build

on:
repository_dispatch:
types: [edge-build]

permissions:
contents: write
pull-requests: write
packages: write
attestations: write
id-token: write

env:
GHCR_REGISTRY: ghcr.io
DOCKERHUB_REGISTRY: docker.io
IMAGE_NAME: shinybrar/skaha
IMAGE_TAG: edge

jobs:
edge-build:
runs-on: ubuntu-latest
steps:
-
name: Client Payload
run: |
echo "Client Payload: ${{ github.event.client_payload }}"
-
name: Checkout Code
uses: actions/[email protected]
-
name: Edge Release Metadata
id: metadata
run: |
DOCKERHUB_IMAGE="${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT
GHCR_IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT
-
name: Setup Docker Buildx
uses: docker/[email protected]
with:
install: true
-
name: Perform Dockerhub Login
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Perform GHCR Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build & Push Docker Image
id: build
uses: docker/[email protected]
with:
context: .
target: production
file: Dockerfile
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: mode=max
sbom: true
push: true
labels: |
org.opencontainers.image.title=skaha
org.opencontainers.image.version=edge
org.opencontainers.image.description='Python Client for CANFAR Science Portal'
org.opencontainers.image.licenses=AGPL-3.0
org.opencontainers.image.source=https://github.com/shinybrar/skaha
tags: |
${{ steps.metadata.outputs.DOCKERHUB_IMAGE }}
${{ steps.metadata.outputs.GHCR_IMAGE }}
-
name: Attest Container Image
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
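Review bot: The `Edge Release Metadata` step never writes its outputs: `DOCKERHUB_IMAGE="…" >> $GITHUB_OUTPUT` is a shell variable assignment with a redirect, which emits nothing, so `steps.metadata.outputs.DOCKERHUB_IMAGE` and `GHCR_IMAGE` are empty when `Build & Push Docker Image` reads them for `tags`. Writing each pair explicitly fixes it, e.g. `echo "GHCR_IMAGE=${GHCR_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" >> "$GITHUB_OUTPUT"` and the same for `DOCKERHUB_IMAGE`. Separately, the `Client Payload` step expands `${{ github.event.client_payload }}` directly inside the script text. Passing it through `env:` (`PAYLOAD: ${{ toJSON(github.event.client_payload) }}`) and echoing `"$PAYLOAD"` keeps dispatch-supplied data out of the shell source in a job that holds `packages: write` and `id-token: write`. No step shown appears to need `pull-requests: write`, and `contents: write` could likely be reduced to `contents: read`.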
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -2,7 +2,7 @@
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
name: OpenSSF Scorecard
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
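--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM python:3.13-alpine as base
+
+FROM base as builder
+COPY . /skaha
+WORKDIR /skaha
+
+# Install UV
+RUN set -ex \
+&& apk add --no-cache curl \
+&& curl -LsSf https://astral.sh/uv/install.sh | sh \
+&& source $HOME/.cargo/env \
+&& uv build
+
+FROM base as production
+COPY --from=builder /skaha/dist /skaha/dist
+RUN pip install --no-cache-dir /skaha/dist/*.whl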
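Review bot: The builder stage installs uv with `curl -LsSf https://astral.sh/uv/install.sh | sh`, which runs whatever script and uv version that URL serves at build time, so the wheel that ends up in the attested image is built by an unpinned, unverified tool. Copying the binary from a pinned release of the official image, for example `COPY --from=ghcr.io/astral-sh/uv:<pinned-version> /uv /usr/local/bin/uv`, removes the curl/apk/source chain and makes the build repeatable. The `production` stage has no `USER` instruction, so the installed client runs as root by default; creating and switching to a non-root user after the `pip install` would be the usual hardening. `python:3.13-alpine` is also referenced by tag only, and pinning it by digest is worth considering for the same reason.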
