update conda store dockerfile to have prod target

.github/workflows/build_docker_image.yaml

@@ -1,11 +1,9 @@
-name: "Publish Docker Images"
+name: "Publish Dev Docker Images"
 
 on:
   push:
     branches:
       - "main"
-  release:
-    types: [created]
 
 permissions:
   id-token: write # This is required for requesting the JWT
@@ -55,20 +53,20 @@ jobs:
 
       - name: "Add Docker metadata 📝"
         id: meta
-        uses: crazy-max/ghaction-docker-meta@v5
+        uses: docker/metadata-action@v5
         with:
           images: |
             quansight/${{ matrix.docker-image }}
             quay.io/quansight/${{ matrix.docker-image }}
           tags: |
             type=ref,event=tag
-            type=ref,event=branch
             type=sha
 
       - name: "Publish Docker image 🚀"
         uses: docker/build-push-action@v5
         with:
           context: "${{ matrix.docker-image }}"
+          target: "dev"
           file: "${{ matrix.docker-image }}/Dockerfile"
           tags: |
             ${{ steps.meta.outputs.tags }}

.github/workflows/release.yaml

@@ -50,3 +50,74 @@ jobs:
         with:
           print-hash: true
         if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')
+
+  build_and_push_docker_image:
+    name: "Build Docker Images 🛠"
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+    strategy:
+      matrix:
+        docker-image:
+          - conda-store
+          - conda-store-server
+    steps:
+      - name: "Checkout Repository 🛎"
+        uses: actions/checkout@v4
+
+      - name: "Retrieve secret from Vault 🗝"
+        uses: hashicorp/vault-action@v2
+        with:
+          method: jwt
+          url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
+          namespace: "admin/quansight"
+          role: "repository-conda-incubator-conda-store-role"
+          secrets: |
+            kv/data/repository/conda-incubator/conda-store/shared_secrets DOCKER_QUANSIGHT_USERNAME | DOCKER_USERNAME;
+            kv/data/repository/conda-incubator/conda-store/shared_secrets DOCKER_QUANSIGHT_PASSWORD | DOCKER_PASSWORD;
+            kv/data/repository/conda-incubator/conda-store/shared_secrets QUAY_QUANSIGHT_USERNAME | QUAY_USERNAME;
+            kv/data/repository/conda-incubator/conda-store/shared_secrets QUAY_QUANSIGHT_PASSWORD | QUAY_PASSWORD;
+
+      - name: "Set up Docker Buildx 🏗"
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Login to Docker Hub 🐳"
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+
+      - name: "Login to quay.io 🐳"
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ env.QUAY_USERNAME }}
+          password: ${{ env.QUAY_PASSWORD }}
+
+      - name: "Add Docker metadata 📝"
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            quansight/${{ matrix.docker-image }}
+            quay.io/quansight/${{ matrix.docker-image }}
+          tags: |
+            type=ref,event=tag
+            type=ref,event=branch
+            type=sha
+
+      - name: "Publish Docker image 🚀"
+        uses: docker/build-push-action@v5
+        with:
+          context: "${{ matrix.docker-image }}"
+          target: "prod"
+          file: "${{ matrix.docker-image }}/Dockerfile"
+          build-args: |
+            RELEASE_VERSION=${{github.ref_name}}
+          tags: |
+            ${{ steps.meta.outputs.tags }}
+          push: true
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+        if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')

.github/workflows/tests.yaml

@@ -198,7 +198,7 @@ jobs:
 
       - name: Docker Meta
         id: meta
-        uses: crazy-max/ghaction-docker-meta@v5
+        uses: docker/metadata-action@v5
         with:
           images: |
             quansight/${{ matrix.docker-image }}
@@ -212,6 +212,7 @@ jobs:
           file: "${{ matrix.docker-image }}/Dockerfile"
           tags: |
             ${{ steps.meta.outputs.tags }}
+          target: "dev"
           push: false
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha

conda-store-server/Dockerfile

@@ -1,8 +1,11 @@
-FROM --platform=linux/amd64 condaforge/mambaforge:23.3.1-1
+FROM --platform=linux/amd64 condaforge/mambaforge:23.3.1-1 as base
 
 LABEL org.opencontainers.image.authors="conda-store development team"
 
+ENV PATH=/opt/conda/condabin:/opt/conda/envs/conda-store-server/bin:/opt/conda/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}
+ENV TZ=America/New_York
+
 RUN apt-get update && \
     # https://docs.anaconda.org/anaconda/install/linux/#installing-on-linux
     apt-get install -yq --no-install-recommends \
     libgl1-mesa-glx \
@@ -46,11 +49,16 @@
 RUN chown -R 1000:1000 /opt/conda-store-server/
 USER 1000:1000
 
-RUN ls -la /opt/conda-store-server/ && \
-    cd /opt/conda-store-server && \
-    /opt/conda/envs/conda-store-server/bin/pip install .
+FROM base as prod
+ARG RELEASE_VERSION
+RUN cd /opt/conda-store-server && \
+    /opt/conda/envs/conda-store-server/bin/pip install conda-store-server==${RELEASE_VERSION}
 
-ENV PATH=/opt/conda/condabin:/opt/conda/envs/conda-store-server/bin:/opt/conda/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}
-ENV TZ=America/New_York
+WORKDIR /var/lib/conda-store
+
+FROM base as dev
+
+RUN cd /opt/conda-store-server && \
+    /opt/conda/envs/conda-store-server/bin/pip install -e .
 
 WORKDIR /var/lib/conda-store

conda-store/Dockerfile

@@ -1,15 +1,17 @@
-FROM --platform=linux/amd64 condaforge/mambaforge:23.3.1-1
+FROM --platform=linux/amd64 condaforge/mambaforge:23.3.1-1 as base
 
 LABEL org.opencontainers.image.authors="conda-store development team"
 
-USER root
-
 RUN apt-get update &&  \
     apt-get install -yq --no-install-recommends curl && \
     apt-get clean && \
     rm -rf /var/cache/apt/* &&\
     rm -rf /var/lib/apt/lists/* &&\
-    rm -rf /tmp/*
+    rm -rf /tmp/*   &&\
+    groupadd -g 1000 conda-store &&\
+    useradd -M -r -s /usr/sbin/nologin -u 1000 -g 1000  conda-store && \
+    mkdir -p /opt/jupyterhub && \
+    chown -R conda-store:conda-store /opt/jupyterhub
 
 COPY environment.yaml /opt/conda-store/environment.yaml
 
@@ -19,12 +21,15 @@
 
 COPY ./ /opt/conda-store/
 
+FROM base as prod
+ARG RELEASE_VERSION
 RUN cd /opt/conda-store && \
-    pip install -e .
-
-RUN mkdir -p /opt/jupyterhub && \
-    chown -R 1000:1000 /opt/jupyterhub
-
-USER 1000:1000
+    pip install conda-store==${RELEASE_VERSION}
+USER conda-store
+WORKDIR /opt/jupyterhub
 
+FROM base as dev
+RUN cd /opt/conda-store && \
+    pip install -e .
+USER conda-store
 WORKDIR /opt/jupyterhub

docker-compose.yaml

@@ -2,7 +2,9 @@ version: "3.8"
 
 services:
   conda-store-worker:
-    build: conda-store-server
+    build:
+      context: conda-store-server
+      target: dev
     user: 1000:1000
     volumes:
       - ./tests/assets/environments:/opt/environments:ro
@@ -19,7 +21,9 @@ services:
       ]
 
   conda-store-server:
-    build: conda-store-server
+    build:
+      context: conda-store-server
+      target: dev
     user: 1000:1000
     depends_on:
       postgres:

examples/docker-without-nfs/docker-compose.yaml

@@ -28,7 +28,7 @@ services:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
 
   conda-store-worker:
-    build: ../../conda-store-server
+    image: quansight/conda-store-server
     user: 1000:1000
     volumes:
       - conda_store_data:/opt/conda-store/
@@ -48,7 +48,7 @@ services:
       ]
 
   conda-store-server:
-    build: ../../conda-store-server
+    image: quansight/conda-store-server
     user: 1000:1000
     labels:
       - "traefik.enable=true"
@@ -81,7 +81,7 @@ services:
       - "5000:5000"
 
   jupyterhub:
-    build: ../../conda-store
+    build: quansight/conda-store
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.jupyterhub.rule=Host(`conda-store.localhost`) && (Path(`/`) || PathPrefix(`/hub`) || PathPrefix(`/user`))"

examples/docker/docker-compose.yaml

@@ -39,7 +39,7 @@ services:
       - conda_store_data:/opt/conda-store/
 
   conda-store-worker:
-    build: ../../conda-store-server
+    image: quansight/conda-store-server
     user: 1000:1000
     volumes:
       - conda_store_data:/opt/conda-store/
@@ -55,7 +55,7 @@ services:
     command: ['conda-store-worker', '--config', '/etc/conda-store/conda_store_config.py']
 
   conda-store-server:
-    build: ../../conda-store-server
+    image: quansight/conda-store-server
     user: 1000:1000
     labels:
       - "traefik.enable=true"
@@ -81,19 +81,8 @@ services:
     ports:
       - "5000:5000"
 
-  redis:
-    image: redis:6.2-alpine
-    restart: always
-    ports:
-      - '6379:6379'
-    command: redis-server --save 20 1 --loglevel debug
-    healthcheck:
-      test: ["CMD", "redis-cli","ping"]
-    volumes:
-      - redis:/etc/redis
-
   jupyterhub:
-    build: ../../conda-store
+    image: quansight/conda-store
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.jupyterhub.rule=Host(`conda-store.localhost`) && (Path(`/`) || PathPrefix(`/hub`) || PathPrefix(`/user`))"