Merge f6de76e into 3c513aa

release-engineering · Nov 7, 2022 · 5340bb5 · 5340bb5
2 parents 3c513aa + f6de76e
commit 5340bb5
Show file tree

Hide file tree

Showing 48 changed files with 1,934 additions and 2,147 deletions.
diff --git a/.coveragerc b/.coveragerc
@@ -0,0 +1,13 @@
+[run]
+branch = True
+include =
+    waiverdb/*
+
+[report]
+fail_under = 75
+exclude_lines =
+    pragma: no cover
+    if __name__ == .__main__.:
+omit =
+    waiverdb/wsgi.py
+    waiverdb/migrations/*
diff --git a/.github/workflows/gating.yaml b/.github/workflows/gating.yaml
@@ -15,10 +15,10 @@ jobs:
         python-version: ["3.9"]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -38,7 +38,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install tox tox-gh-actions
+          pip install poetry tox tox-gh-actions
 
       - name: Test with tox
         run: tox -e py
@@ -54,6 +54,9 @@ jobs:
           pip3 install --upgrade coveralls==3.2.0
           coveralls --service=github
 
+      - name: Test building documentation with tox
+        run: tox -e docs
+
   coveralls-finish:
     name: Finish coveralls-python
     needs: tests
@@ -75,15 +78,14 @@ jobs:
         tox_env:
           - bandit
           - lint
-          - docs
 
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
         with:
           python-version: "3.9"
 
@@ -104,7 +106,7 @@ jobs:
           - Dockerfile
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - uses: hadolint/hadolint-action@v1.5.0
         with:
@@ -122,14 +124,30 @@ jobs:
       IMAGE_NAME: waiverdb
       REGISTRY: quay.io/factory2
       GH_REGISTRY: ghcr.io/${{ github.actor }}
+    strategy:
+      matrix:
+        python-version: ["3.9"]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry tox tox-gh-actions podman-compose
+
+      - name: Update the Application Version
+        run: poetry version "$(./get-version.sh)"
 
       - name: Get image tag from git branch
         id: get-image-tag
         run: |
-          export TAG=$(sed 's/[^0-9a-zA-Z\-_.]/__/g' <<< "$GITHUB_REF_NAME") &&
+          export TAG=$(sed 's/[^0-9a-zA-Z_.-]/__/g' <<< "$GITHUB_REF_NAME") &&
           echo "::set-output name=tag::$TAG"
 
       - name: Build Image
@@ -142,6 +160,8 @@ jobs:
             ${{ github.ref == 'refs/heads/master' && 'latest' || '' }}
             ${{ github.sha }}
           containerfiles: Dockerfile
+          build-args: |
+            GITHUB_SHA=${{ github.sha }}
 
       - name: Log in to the image registry
         if: github.event_name == 'push' && github.actor != 'dependabot[bot]'

diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,4 @@ dist
 .pytest_cache/
 docker/home/
 .idea
+.coverage
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
@@ -13,4 +13,7 @@ sphinx:
 python:
    version: 3.8
    install:
-   - requirements: docs/requirements.txt
+   - method: pip
+     path: .
+     extra_requirements:
+     - docs
diff --git a/Dockerfile b/Dockerfile
@@ -1,43 +1,79 @@
-FROM registry.fedoraproject.org/fedora:34 AS builder
+FROM registry.access.redhat.com/ubi8/ubi:8.5 as builder
 
-RUN dnf -y install --nodocs --setopt=install_weak_deps=false \
-        'dnf-command(builddep)' \
-        git-core \
-        rpm-build \
-    && dnf -y clean all
+# hadolint ignore=DL3033,DL4006,SC2039,SC3040
+RUN set -exo pipefail \
+    && mkdir -p /mnt/rootfs \
+    # install builder dependencies
+    && yum install -y \
+        --setopt install_weak_deps=false \
+        --nodocs \
+        gcc \
+        krb5-devel \
+        openldap-devel \
+        python39 \
+        python39-devel \
+    # install runtime dependencies
+    && yum install -y \
+        --installroot=/mnt/rootfs \
+        --releasever=8 \
+        --setopt install_weak_deps=false \
+        --nodocs \
+        python39 \
+    && yum --installroot=/mnt/rootfs clean all \
+    && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* \
+    # https://python-poetry.org/docs/master/#installing-with-the-official-installer
+    && curl -sSL https://install.python-poetry.org | python3 - \
+    && python3 -m venv /venv
 
-COPY .git /src/.git
+ENV \
+    PIP_DEFAULT_TIMEOUT=100 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONHASHSEED=random \
+    PYTHONUNBUFFERED=1
 
-WORKDIR /src
-RUN git reset --hard HEAD \
-    && dnf -y builddep waiverdb.spec \
-    && ./rpmbuild.sh -bb \
-    && rm /src/rpmbuild-output/*/waiverdb-cli-*
-WORKDIR /
+WORKDIR /build
+COPY . .
+# hadolint ignore=SC1091
+RUN set -ex \
+    && export PATH=/root/.local/bin:$PATH \
+    && . /venv/bin/activate \
+    && pip install --no-cache-dir -r requirements.txt \
+    && poetry build --format=wheel \
+    && version=$(poetry version --short) \
+    && pip install --no-cache-dir dist/waiverdb-"$version"-py3*.whl \
+    && deactivate \
+    && mv /venv /mnt/rootfs \
+    && mkdir -p /mnt/rootfs/app /etc/waiverdb \
+    && cp -v docker/docker-entrypoint.sh /mnt/rootfs/app/entrypoint.sh \
+    && cp conf/settings.py.example /etc/waiverdb/settings.py \
+    && cp conf/client.conf.example /etc/waiverdb/client.conf
 
-FROM registry.fedoraproject.org/fedora:34
+# --- Final image
+FROM scratch
+ARG GITHUB_SHA
 LABEL \
-    name="waiverdb" \
-    maintainer="WaiverDB developers" \
-    description="WaiverDB application" \
-    vendor="WaiverDB developers" \
-    license="GPLv2+"
+    summary="WaiverDB application" \
+    description="An engine for storing waivers against test results." \
+    maintainer="Red Hat, Inc." \
+    license="GPLv2+" \
+    url="https://github.com/release-engineering/waiverdb" \
+    vcs-type="git" \
+    vcs-ref=$GITHUB_SHA \
+    io.k8s.display-name="WaiverDB"
 
-COPY --from=builder /src/rpmbuild-output /src/rpmbuild-output
-COPY conf/settings.py.example /etc/waiverdb/settings.py
-COPY conf/client.conf.example /etc/waiverdb/client.conf
-COPY docker /docker
+ENV \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONHASHSEED=random \
+    PYTHONUNBUFFERED=1 \
+    WEB_CONCURRENCY=8
 
-# Allow a non-root user to install a custom root CA at run-time
-RUN chmod g+w /etc/pki/tls/certs/ca-bundle.crt \
-    && dnf -y install \
-        python3-gunicorn \
-        python3-ldap \
-        /src/rpmbuild-output/*/*.rpm \
-    && dnf -y clean all \
-    && rm -r /src
+COPY --from=builder /mnt/rootfs/ /
+COPY --from=builder /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
+WORKDIR /app
 
 USER 1001
 EXPOSE 8080
-ENTRYPOINT ["/docker/docker-entrypoint.sh"]
-CMD ["/usr/bin/gunicorn-3", "--bind", "0.0.0.0:8080", "--access-logfile", "-", "--enable-stdio-inheritance", "waiverdb.wsgi:app"]
+ENTRYPOINT ["/app/entrypoint.sh"]
+CMD ["gunicorn", "--bind", "0.0.0.0:8080", "--access-logfile", "-", "--enable-stdio-inheritance", "waiverdb.wsgi:app"]