diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index cd0f26c..2d5f79d 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -12,32 +12,52 @@ jobs: - name: Create release id: release-please - uses: google-github-actions/release-please-action@v3 + uses: googleapis/release-please-action@v4.1.3 with: release-type: python - package-name: skaha - - name: Checkout - if: ${{ steps.release-please.outputs.release_created }} - uses: actions/checkout@v4.2.1 - - - name: Set up Python - if: ${{ steps.release-please.outputs.release_created }} - uses: actions/setup-python@v4 + name: Dispatch Edge Build + if: always() + uses: peter-evans/repository-dispatch@v3.0.0 with: - python-version: 3.7 + repository: shinybrar/skaha + event-type: edge-build + token: ${{ secrets.GITHUB_TOKEN }} - - name: Install dependencies + name: Dispatch Release Build if: ${{ steps.release-please.outputs.release_created }} - run: | - python -m pip install --upgrade pip - pip install --upgrade poetry + uses: peter-evans/repository-dispatch@v3.0.0 + with: + repository: shinybrar/skaha + event-type: release-build + token: ${{ secrets.GITHUB_TOKEN }} + client-payload: |- + { + "release_created": ${{ steps.release-please.outputs.release_created }}, + "upload_url": ${{ steps.release-please.outputs.upload_url }}, + "html_url": ${{ steps.release-please.outputs.html_url }}, + "tag_name": ${{ steps.release-please.outputs.tag_name }}, + "major": ${{ steps.release-please.outputs.major }}, + "minor": ${{ steps.release-please.outputs.minor }}, + "patch": ${{ steps.release-please.outputs.patch }}, + "sha": ${{ steps.release-please.outputs.sha }} + } - - name: Build and publish + name: Dispatch PYPI Release if: ${{ steps.release-please.outputs.release_created }} - env: - PYPI_USERNAME: __token__ - PYPI_PASSWORD: ${{ secrets.PYPI_TOKEN }} - run: | - poetry build - poetry publish -u $PYPI_USERNAME -p $PYPI_PASSWORD + uses: peter-evans/repository-dispatch@v3.0.0 + with: + repository: shinybrar/skaha + event-type: pypi-release + token: ${{ secrets.GITHUB_TOKEN }} + client-payload: |- + { + "release_created": ${{ 
steps.release-please.outputs.release_created }}, + "upload_url": ${{ steps.release-please.outputs.upload_url }}, + "html_url": ${{ steps.release-please.outputs.html_url }}, + "tag_name": ${{ steps.release-please.outputs.tag_name }}, + "major": ${{ steps.release-please.outputs.major }}, + "minor": ${{ steps.release-please.outputs.minor }}, + "patch": ${{ steps.release-please.outputs.patch }}, + "sha": ${{ steps.release-please.outputs.sha }} + } diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1b0bcd..6705e9c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,6 +26,7 @@ jobs: tests: needs: pre-commit-checks strategy: + fail-fast: false matrix: python-version: ['3.9', '3.10', '3.11', '3.12', '3.13'] os: [ubuntu-latest] @@ -56,10 +57,16 @@ jobs: run: | echo -e "machine ${CANFAR_BASEURL}\n login ${CANFAR_USERNAME}\n password ${CANFAR_PASSWORD}" > ~/.netrc uv run cadc-get-cert --days-valid 1 --netrc-file ~/.netrc + rm ~/.netrc - name: Run tests run: | uv run pytest tests --cov --cov-report=xml --junitxml=junit.xml -o junit_family=legacy + - + name: Remove Canfar Cert + if: always() + run: | + rm -rf ~/.ssl/ - name: Upload coverage to Codecov env: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql.yml similarity index 100% rename from .github/workflows/codeql-analysis.yml rename to .github/workflows/codeql.yml diff --git a/.github/workflows/edge.yml b/.github/workflows/edge.yml new file mode 100644 index 0000000..ebb7d6d --- /dev/null +++ b/.github/workflows/edge.yml 
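Review bot: The `client-payload` JSON in the Dispatch Release Build and Dispatch PYPI Release steps interpolates string outputs (`upload_url`, `html_url`, `tag_name`, `sha`) without surrounding quotes, so the rendered body is not valid JSON (it becomes `"tag_name": v1.2.3`) and the dispatch will fail on the first real release. Wrap every string-valued output in double quotes and leave only `release_created` and the numeric `major`/`minor`/`patch` bare; the same correction applies to both payloads. Separately, Dispatch Edge Build runs under `if: always()`, so an edge image is also dispatched when the release-please step itself failed — the default `success()` condition would avoid publishing from a broken run. The job definition and its `steps:` key begin before this hunk.
```yaml
        client-payload: |-
          {
            "release_created": ${{ steps.release-please.outputs.release_created }},
            "upload_url": "${{ steps.release-please.outputs.upload_url }}",
            "html_url": "${{ steps.release-please.outputs.html_url }}",
            "tag_name": "${{ steps.release-please.outputs.tag_name }}",
            # … unchanged: major, minor, patch …
            "sha": "${{ steps.release-please.outputs.sha }}"
          }
```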
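Review bot: The added `rm ~/.netrc` at the end of the credential step only runs if `cadc-get-cert` succeeds: the default `run:` shell on a Linux runner is bash with `-e`, which aborts the script on the first failing command, so after a failed certificate fetch the file holding `CANFAR_USERNAME`/`CANFAR_PASSWORD` stays on disk for the rest of the job, while the new always() cleanup step removes only `~/.ssl/`. Make the removal unconditional by putting `trap 'rm -f ~/.netrc' EXIT` as the first line of that `run:` block, and cover it in the cleanup step as well with `rm -rf ~/.ssl/ ~/.netrc`. The step that owns this `run:` block (its `name:`, `env:` and any `shell:` override) begins before the hunk, so the default-shell assumption should be confirmed there.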
@@ -0,0 +1,85 @@
+name: Edge Container Build
+
+on:
+ repository_dispatch:
+ types: [edge-build]
+
+permissions:
+ contents: write
+ pull-requests: write
+ packages: write
+ attestations: write
+ id-token: write
+
+env:
+ GHCR_REGISTRY: ghcr.io
+ DOCKERHUB_REGISTRY: docker.io
+ IMAGE_NAME: shinybrar/skaha
+ IMAGE_TAG: edge
+
+jobs:
+ edge-build:
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Client Payload
+ run: |
+ echo "Client Payload: ${{ github.event.client_payload }}"
+ -
+ name: Checkout Code
+ uses: actions/checkout@v4.2.1
+ -
+ name: Edge Release Metadata
+ id: metadata
+ run: |
+ DOCKERHUB_IMAGE="${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT
+ GHCR_IMAGE="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT
+
+ -
+ name: Setup Docker Buildx
+ uses: docker/setup-buildx-action@v3.7.1
+ with:
+ install: true
+ -
+ name: Perform Dockerhub Login
+ uses: docker/login-action@v3.3.0
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ -
+ name: Perform GHCR Login
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Build & Push Docker Image
+ id: build
+ uses: docker/build-push-action@v6.9.0
+ with:
+ context: .
+ target: production
+ file: Dockerfile
+ platforms: linux/amd64,linux/arm64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ provenance: mode=max
+ sbom: true
+ push: true
+ labels: |
+ org.opencontainers.image.title=skaha
+ org.opencontainers.image.version=edge
+ org.opencontainers.image.description='Python Client for CANFAR Science Portal'
+ org.opencontainers.image.licenses=AGPL-3.0
+ org.opencontainers.image.source=https://github.com/shinybrar/skaha
+ tags: |
+ ${{ steps.metadata.outputs.DOCKERHUB_IMAGE }}
+ ${{ steps.metadata.outputs.GHCR_IMAGE }}
+ -
+ name: Attest Container Image
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.build.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 908926b..1027bd1 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -2,7 +2,7 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
-name: Scorecard supply-chain security
+name: OpenSSF Scorecard
 on:
 # For Branch-Protection check. Only the default branch is supported. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..395a009
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM python:3.13-alpine as base
+
+FROM base as builder
+COPY . /skaha
+WORKDIR /skaha
+
+# Install UV
+RUN set -ex \
+ && apk add --no-cache curl \
+ && curl -LsSf https://astral.sh/uv/install.sh | sh \
+ && source $HOME/.cargo/env \
+ && uv build
+
+FROM base as production
+COPY --from=builder /skaha/dist /skaha/dist
+RUN pip install --no-cache-dir /skaha/dist/*.whl
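Review bot: The Edge Release Metadata step never writes to `$GITHUB_OUTPUT`: `DOCKERHUB_IMAGE="…" >> $GITHUB_OUTPUT` is a bare shell assignment with a redirect, which opens the file for append but emits nothing, so `steps.metadata.outputs.DOCKERHUB_IMAGE` and `GHCR_IMAGE` resolve to empty strings and the `tags:` list of the Build & Push step is blank. Write the values explicitly: `echo "DOCKERHUB_IMAGE=${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" >> "$GITHUB_OUTPUT"` and the same for `GHCR_IMAGE`. The Client Payload step interpolates `${{ github.event.client_payload }}` directly into a shell command; pass it through an `env:` entry set to `${{ toJSON(github.event.client_payload) }}` and `echo "$PAYLOAD"` instead, which keeps event data out of the script text and prints the payload contents rather than an object placeholder. Top-level `permissions:` grants `contents: write` and `pull-requests: write` although no step here needs more than `contents: read`, and `docker/login-action@v3` is the only action left on a floating major tag while the others are pinned to full versions.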
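Review bot: The builder stage fetches uv with an unpinned, unverified `curl -LsSf https://astral.sh/uv/install.sh | sh` and then sources `$HOME/.cargo/env`, so the build takes whatever the download serves at build time and relies on that version installing under the cargo directory, which the installer has not done consistently across releases; a build that worked once can stop working with no change to this repository. Prefer the published uv image at a pinned tag, which also drops the curl dependency: `COPY --from=ghcr.io/astral-sh/uv:<pinned-version> /uv /bin/uv` followed by `RUN uv build`. The production stage has no `USER`, so the installed package runs as root, and `python:3.13-alpine` is referenced by mutable tag rather than digest, which the repository's own Scorecard workflow is likely to flag. Minor: `AS` is the conventional spelling for stage names.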