Merge pull request #259 from ropable/master

Cosmetic update to link form, update package versions, update GitHub workflows & base image version
dbca-wa · Nov 16, 2023 · 8c8f227 · 8c8f227
2 parents d677076 + b2c314f
commit 8c8f227
Show file tree

Hide file tree

Showing 15 changed files with 602 additions and 475 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -22,40 +22,58 @@ jobs:
       packages: write
       security-events: write
     steps:
+      #----------------------------------------------
+      # Checkout repo
+      #----------------------------------------------
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+      #----------------------------------------------
+      # Set up Docker BuildX environment
+      #----------------------------------------------
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
+      #----------------------------------------------
+      # Log Docker into the GitHub Container Repository
+      #----------------------------------------------
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      #----------------------------------------------
+      # Extract Docker image metadata from GitHub events
+      #----------------------------------------------
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             latest=true
+      #----------------------------------------------
+      # Build and push Docker image (not on PR)
+      #----------------------------------------------
       - name: Build and push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
   scan:
-    name: Trivy scan
+    name: Image vulnerability scan
     runs-on: ubuntu-latest
     needs: [build]
     permissions:
       contents: read
       packages: read
       security-events: write
     steps:
+      #----------------------------------------------
+      # Run vulnerability scan on built image
+      #----------------------------------------------
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -28,37 +28,55 @@ jobs:
         ports:
           - 5672:5672
     steps:
+      #----------------------------------------------
+      # Checkout repo and set up Python
+      #----------------------------------------------
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         id: checkout-repo
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         id: setup-python
         with:
-          python-version: 3.9
+          python-version: '3.10'
+      #----------------------------------------------
+      # Install GDAL into the environment
+      #----------------------------------------------
       - name: Install GDAL
         id: install-gdal
         run: |
-          sudo apt-add-repository ppa:ubuntugis/ubuntugis-unstable
+          sudo apt-add-repository --yes ppa:ubuntugis/ubuntugis-unstable
           sudo apt-get update
-          sudo apt-get install gdal-bin libgdal-dev
+          sudo apt-get install --no-install-recommends --yes gdal-bin libgdal-dev
+      #----------------------------------------------
+      # Install & configure Poetry
+      #----------------------------------------------
       - name: Install Poetry
         uses: snok/install-poetry@v1
         with:
+          version: 1.6.1
           virtualenvs-create: true
           virtualenvs-in-project: true
           installer-parallel: true
+      #----------------------------------------------
+      # Load cached venv if cache exists
+      #----------------------------------------------
       - name: Load cached venv
         id: cached-poetry-dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: .venv
           key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
+      #----------------------------------------------
+      # Install project dependencies if cache does not exist
+      #----------------------------------------------
       - name: Install cached dependencies
         if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
         run: poetry install --no-interaction --no-root
-      - name: Install project
-        run: poetry install --no-interaction
+      #----------------------------------------------
+      # Run migrations (we need to because we have to start
+      # the celery worker before running unit tests)
+      #----------------------------------------------
       - name: Run DB migrations
         run: |
           source .venv/bin/activate
@@ -67,9 +85,12 @@ jobs:
         run: |
           source .venv/bin/activate
           celery --app prs2 worker --loglevel error --detach
+      #----------------------------------------------
+      # Run unit tests
+      #----------------------------------------------
       - name: Run tests
         run: |
           source .venv/bin/activate
           python manage.py collectstatic
           # NOTE: we can't run tests in parallel, because setup() may break DB constraints.
-          python manage.py test --noinput --failfast --verbosity 0 --settings prs2.settings-test
+          python manage.py test --noinput --failfast --verbosity 0 --settings prs2.test-settings
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,6 @@
+# syntax=docker/dockerfile:1
 # Prepare the base environment.
-FROM python:3.10.12-slim-bookworm as builder_base_prs
+FROM python:3.10.13-slim as builder_base_prs
 MAINTAINER [email protected]
 LABEL org.opencontainers.image.source https://github.com/dbca-wa/prs
 
@@ -12,19 +13,24 @@ RUN apt-get update -y \
 # Install Python libs using Poetry.
 FROM builder_base_prs as python_libs_prs
 WORKDIR /app
-ENV POETRY_VERSION=1.5.1
-RUN pip install "poetry==$POETRY_VERSION"
-COPY poetry.lock pyproject.toml /app/
+ARG POETRY_VERSION=1.6.1
+RUN pip install poetry=="${POETRY_VERSION}"
+COPY poetry.lock pyproject.toml ./
 RUN poetry config virtualenvs.create false \
   && poetry install --no-interaction --no-ansi --only main
 
+# Create a non-root user.
+ARG UID=10001
+ARG GID=10001
+RUN groupadd -g "${GID}" appuser \
+  && useradd --no-create-home --no-log-init --uid "${UID}" --gid "${GID}" appuser
+
 # Install the project.
 FROM python_libs_prs
 COPY gunicorn.py manage.py ./
 COPY prs2 ./prs2
 RUN python manage.py collectstatic --noinput
 
-# Run the application as the www-data user.
-USER www-data
+USER ${UID}
 EXPOSE 8080
 CMD ["gunicorn", "prs2.wsgi", "--config", "gunicorn.py"]
diff --git a/Dockerfile.typesense b/Dockerfile.typesense
@@ -0,0 +1,13 @@
+# syntax=docker/dockerfile:1
+FROM typesense/typesense:0.24.1
+MAINTAINER [email protected]
+LABEL org.opencontainers.image.source https://github.com/dbca-wa/typesense
+
+# Create a non-root user.
+ARG UID=10001
+ARG GID=10001
+RUN groupadd -g "${GID}" typesense \
+  && useradd --no-create-home --no-log-init --uid "${UID}" --gid "${GID}" typesense
+
+RUN chown -R typesense:typesense /opt/typesense-server
+USER ${UID}
diff --git a/README.md b/README.md
@@ -82,11 +82,11 @@ Run a single Celery worker alongside the local webserver to test indexing:
 
 Run unit tests as follows:
 
-    poetry run python manage.py test --keepdb -v2 --settings prs2.settings-test
+    poetry run python manage.py test --keepdb -v2 --settings prs2.test-settings
 
 To run tests for e.g. models only:
 
-    poetry run python manage.py test prs2.referral.test_models --keepdb -v2 --settings prs2.settings-test
+    poetry run python manage.py test prs2.referral.test_models --keepdb -v2 --settings prs2.test-settings
 
 To obtain coverage reports: