chore: move to ghcr (#17)

toolen · Feb 7, 2022 · 83fa88c · 83fa88c
1 parent e92ba5e
commit 83fa88c
Show file tree

Hide file tree

Showing 14 changed files with 949 additions and 665 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,19 +1,8 @@
-# Byte-compiled / optimized / DLL files
-.git
-__pycache__/
-*.py[cod]
-*$py.class
-
-# Unit test / coverage reports
-.pytest_cache/
-tests/
-
-# Environments
-.env
-venv/
-
-# Docs
-docs/
-
-# Other
-dist/
+# Ignore everything
+**
+
+# Allow files and directories
+!/passgen
+!/healthcheck.py
+!/poetry.lock
+!/pyproject.toml
diff --git a/.flake8 b/.flake8
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,31 +36,19 @@ jobs:
         run: poetry install
         if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
 
-      - name: Run black
-        run: poetry run black . --check
-
-      - name: Run isort
-        run: poetry run isort . --check-only
-
-      - name: Run flake8
-        run: poetry run flake8 passgen/ tests/
-
-      - name: Run pydocstyle
-        run: poetry run pydocstyle --add-ignore=D104 passgen/
-
-      - name: Run bandit
-        run: poetry run bandit .
-
-      - name: Run saftey
-        run: poetry run safety check
-
-      - name: Run mypy
-        run: poetry run mypy --strict --ignore-missing-imports passgen
-
-      - name: Test with pytest
-        run: poetry run pytest --cov=passgen tests/
+      - name: Run make
+        run: make ci
 
       - name: Coveralls
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: poetry run coveralls --service=github
+
+      - name: Build image
+        run: make image
+
+      - name: Push image
+        if: ${{ github.ref_name == 'master' }}
+        env:
+          CR_PAT: ${{ secrets.CR_PAT }}
+        run: make push-to-ghcr
diff --git a/Dockerfile b/Dockerfile
@@ -1,85 +1,84 @@
-FROM python:3.10.0-slim-bullseye@sha256:3524d9553dd1ea815d9e3ff07a0ccafe878a9403fb5f9956dc6ad86075ac345f
+FROM python:3.10.2-slim-bullseye@sha256:e8c51ac54aa716f465eb7293130535307fcfae9b864e433ca60d843561c86ef6 AS builder
 
 LABEL maintainer="dmitrii@zakharov.cc"
+LABEL org.opencontainers.image.source="https://github.com/toolen/passgen"
 
 ENV \
-    # Tell apt-get we're never going to be able to give manual feedback:
     DEBIAN_FRONTEND=noninteractive \
     # python:
     PYTHONFAULTHANDLER=1 \
-    PYTHONUNBUFFERED=1 \
     PYTHONHASHSEED=random \
     PYTHONDONTWRITEBYTECODE=1 \
     # pip:
     PIP_NO_CACHE_DIR=off \
     PIP_DISABLE_PIP_VERSION_CHECK=on \
     PIP_DEFAULT_TIMEOUT=100 \
-    # tini:
-    TINI_VERSION=v0.19.0 \
     # poetry:
     POETRY_VERSION=1.1.12 \
     POETRY_NO_INTERACTION=1 \
-    POETRY_VIRTUALENVS_CREATE=false \
+    POETRY_VIRTUALENVS_CREATE=true \
     POETRY_CACHE_DIR='/var/cache/pypoetry' \
-    PATH="$PATH:/root/.poetry/bin" \
+    PATH="$PATH:/root/.local/bin"
+
+RUN pip install --no-cache-dir poetry==$POETRY_VERSION
+
+WORKDIR /code
+
+COPY ./poetry.lock ./pyproject.toml /code/
+
+RUN poetry export --no-ansi --no-interaction --output requirements.txt
+
+FROM python:3.10.2-alpine3.15@sha256:60469fac3d4c1c4781465b18f1a89d8dd2a01af9bb799d17836b972fcc463da9 AS runner
+
+LABEL maintainer="dmitrii@zakharov.cc"
+LABEL org.opencontainers.image.source="https://github.com/toolen/passgen"
+
+ENV \
+    # python:
+    PYTHONFAULTHANDLER=1 \
+    PYTHONHASHSEED=random \
+    PYTHONDONTWRITEBYTECODE=1 \
+    # pip:
+    PIP_NO_CACHE_DIR=off \
+    PIP_DISABLE_PIP_VERSION_CHECK=on \
+    PIP_DEFAULT_TIMEOUT=100 \
     # passgen
     PASSGEN_CORS_ENABLED="True" \
-    GUNICORN_CMD_ARGS=""
+    # gunicorn
+    GUNICORN_CMD_ARGS="--workers=2 --threads=4"
+
+RUN set -ex \
+    && apk upgrade \
+    && apk add --no-cache \
+        tini==0.19.0-r0 \
+    && addgroup -g 1000 -S app \
+    && adduser -h /app -G app -S -u 1000 app
+
+COPY --chown=app:app --from=builder /code/requirements.txt /app
+
+WORKDIR /app
+
+USER app
 
-# System deps:
 RUN set -ex \
-    # Update the package listing, so we know what package exist:
-    && apt-get update \
-    # Install security updates:
-    && apt-get -y upgrade \
-    # Install a new package, without unnecessary recommended packages:
-    && apt-get install --no-install-recommends -y \
-        curl=7.74.0-1.3+b1 \
-    # Installing `tini` utility:
-    # https://github.com/krallin/tini
-    && curl -OL "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini" \
-    && curl -OL "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.sha256sum" \
-    && sha256sum -c tini.sha256sum \
-    && mv tini /usr/local/bin/tini \
-    && chmod +x /usr/local/bin/tini \
-    # Upgrading pip
-    && pip install --no-cache-dir -U pip==21.3.1 \
-    # Installing `poetry` package manager:
-    # https://github.com/python-poetry/poetry
-    && pip install --no-cache-dir poetry==${POETRY_VERSION} \
-    # Cleaning cache:
-    && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
-    && apt-get clean -y \
-    && rm -rf /var/lib/apt/lists/* \
-    && rm -rf tini.sha256sum \
-    # Setting up proper permissions:
-    && groupadd -r passgen \
-    && useradd -d /srv/passgen -r -g passgen passgen
-
-COPY --chown=passgen:passgen ./poetry.lock ./pyproject.toml /srv/passgen/
-
-WORKDIR /srv/passgen
-
-# Project initialization:
-RUN poetry install --no-dev --no-interaction --no-ansi \
-    && rm -rf "$POETRY_CACHE_DIR"
-
-COPY --chown=passgen:passgen ./passgen /srv/passgen/passgen/
-
-# Running as non-root user:
-USER passgen
+    && python -m venv venv \
+    && venv/bin/pip install --no-cache-dir --require-hashes -r requirements.txt
+
+COPY --chown=app:app ./passgen /app/passgen
+
+COPY --chown=app:app ./healthcheck.py /app/passgen
+
+WORKDIR /app/passgen
 
 EXPOSE 8080
 
-HEALTHCHECK --interval=5s --timeout=10s --retries=3 CMD curl -sS http://127.0.0.1:8080/api/v1/health || exit 1
+HEALTHCHECK --interval=5s --timeout=10s --retries=3 CMD /app/venv/bin/python healthcheck.py || exit 1
 
-CMD [ "/usr/local/bin/tini", "--", \
-"gunicorn", \
+CMD ["/sbin/tini", "--", \
+"/app/venv/bin/gunicorn", \
 "--worker-tmp-dir", "/dev/shm", \
 "--worker-class", "aiohttp.worker.GunicornWebWorker", \
-"--workers=2", \
-"--threads=4", \
 "--log-file=-", \
-"--chdir", "/srv/passgen", \
+"--chdir", "/app", \
 "--bind", "0.0.0.0:8080", \
 "passgen.app:create_app"]
diff --git a/Makefile b/Makefile
@@ -0,0 +1,61 @@
+package_name = passgen
+repository = toolen/passgen
+version = $(shell poetry version -s)
+tag = ghcr.io/$(repository):$(version)
+hadolint_version=2.8.0
+trivy_version=0.23.0
+
+image:
+	export DOCKER_BUILDKIT=1
+	make hadolint
+	docker build --pull --no-cache -t $(tag) .
+	make trivy
+	make size
+container:
+	docker run -p 127.0.0.1:8080:8080 --cap-drop=ALL $(tag)
+hadolint:
+	docker run --rm -i hadolint/hadolint:$(hadolint_version) < Dockerfile
+trivy:
+	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ~/.cache/trivy:/root/.cache/ aquasec/trivy:$(trivy_version) image --ignore-unfixed $(tag)
+size:
+	docker images | grep $(repository) | grep $(version)
+digest:
+	docker images --digests | grep python
+push:
+	docker trust sign $(tag)
+test:
+	poetry run pytest --cov=$(package_name) tests/
+fmt:
+	poetry run black .
+	poetry run isort .
+fmt-check:
+	poetry run black . --check
+	poetry run isort . --check
+pre-commit:
+	make fmt
+	make lint
+ci:
+	make fmt-check
+	make lint
+lint:
+	poetry run flake8 --ignore E501 $(package_name)/ tests/
+	poetry run pydocstyle --add-ignore=D104 $(package_name)/
+	poetry run bandit -r $(package_name)/
+	poetry run safety check
+	poetry run mypy --strict --ignore-missing-imports $(package_name)
+	make test
+	make radon
+tag:
+	git tag v$(version)
+	git push origin v$(version)
+push-to-ghcr:
+	docker login ghcr.io -u toolen -p $(CR_PAT)
+	docker push $(tag)
+radon:
+	poetry run radon cc --min C --show-complexity $(package_name)
+	poetry run radon mi --min B $(package_name)
+	poetry run radon raw --summary $(package_name) | tail -n12
+.PHONY: docs
+docs:
+	make -C docs html
+	python -m http.server 8000 --bind 127.0.0.1 --directory docs/build/html
diff --git a/README.rst b/README.rst
@@ -92,4 +92,4 @@ Docker
 
 Use docker container::
 
-    docker run -d -p 8080:8080 --restart=always --cap-drop=ALL toolen/passgen:2.2.1
+    docker run -d -p 8080:8080 --restart=always --cap-drop=ALL ghcr.io/toolen/passgen:2.2.1
diff --git a/docs/requirements-docs.txt b/docs/requirements-docs.txt
@@ -1,3 +1,3 @@
-Sphinx==4.3.1
+Sphinx==4.4.0
 sphinx-rtd-theme==1.0.0
 sphinx-autoapi==1.8.4
diff --git a/docs/source/_static/.gitkeep b/docs/source/_static/.gitkeep
diff --git a/docs/source/_templates/layout.html b/docs/source/_templates/layout.html
@@ -0,0 +1,7 @@
+{% extends '!layout.html' %}
+{% block document %}
+{{super()}}
+    <a href="https://github.com/toolen/passgen">
+        <img style="position: absolute; top: 0; right: 0; border: 0;" src="https://s3.amazonaws.com/github/ribbons/forkme_right_darkblue_121621.png" alt="Fork Me On GitHub">
+    </a>
+{% endblock %}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -92,4 +92,4 @@ Docker

		Use docker container::

		docker run -d -p 8080:8080 --restart=always --cap-drop=ALL toolen/passgen:2.2.1
		docker run -d -p 8080:8080 --restart=always --cap-drop=ALL ghcr.io/toolen/passgen:2.2.1