h2020charisma · kerberizer · Sep 25, 2024 · Aug 21, 2024 · Aug 21, 2024 · Sep 15, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+---
+version: 2
+updates:
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+    assignees:
+      - "kerberizer"
diff --git a/.github/workflows/test-build-publish.yml → .github/workflows/ci.yml b/.github/workflows/test-build-publish.yml → .github/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-name: Test, build, publish Docker image
+name: CI
 
 on:  # yamllint disable-line rule:truthy
   push:
@@ -12,7 +12,7 @@ on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
 
 env:
-  POETRY_VERSION: 1.8.2
+  POETRY_VERSION: 1.8.3
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
@@ -31,13 +31,14 @@ jobs:
           - '3.12'
 
     steps:
+
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.1.7
         with:
           submodules: recursive
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -46,22 +47,22 @@ jobs:
 
       - name: Load the cached Poetry installation
         id: cached-poetry
-        uses: actions/cache@v4
+        uses: actions/cache@v4.0.2
         with:
           path: ~/.local
           key: poetry-${{ env.POETRY_VERSION }}-py_${{ env.PYTHON_ID}}-0
 
       - name: Install Poetry
         if: steps.cached-poetry.outputs.cache-hit != 'true'
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@v1.4.1
         with:
           version: ${{ env.POETRY_VERSION }}
           virtualenvs-create: true
           virtualenvs-in-project: true
 
       - name: Load the cached dependencies
         id: cached-deps
-        uses: actions/cache@v4
+        uses: actions/cache@v4.0.2
         with:
           path: .venv
           key: py${{ matrix.python-version }}-deps-${{ hashFiles('**/poetry.lock') }}
@@ -88,28 +89,29 @@ jobs:
       id-token: write
 
     steps:
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.7
         with:
           submodules: recursive
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3.3.0
+        uses: sigstore/cosign-installer@v3.6.0
         with:
-          cosign-release: 'v2.2.3'
+          cosign-release: 'v2.4.0'
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+        uses: docker/setup-buildx-action@v3.6.1
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        uses: docker/login-action@v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -119,12 +121,18 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@v5.5.1
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.description=RamanChada 2 API service
+            org.opencontainers.image.licenses=MIT
+            org.opencontainers.image.title=ramanchada-api
+            org.opencontainers.image.url=https://github.com/h2020charisma/ramanchada-api/blob/main/README.md
+            org.opencontainers.image.vendor=IDEAconsult
           tags: |
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'develop') }}
-            type=raw,value=stable,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/develop' }}
+            type=raw,value=stable,enable=${{ github.ref == 'refs/heads/main' }}
             type=ref,event=branch
             type=ref,event=tag
             type=ref,event=pr
@@ -133,22 +141,22 @@ jobs:
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6.7.0
         with:
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           context: .
+          labels: ${{ steps.meta.outputs.labels }}
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker
       # repository is public to avoid leaking data.  If you would like to publish
       # transparency data even for private images, pass --force to cosign below.
       # https://github.com/sigstore/cosign
       - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
+        if: github.event_name != 'pull_request'
         env:
           # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
           TAGS: ${{ steps.meta.outputs.tags }}

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11-slim as requirements-stage
+FROM python:3.11-slim AS requirements-stage
 
 WORKDIR /tmp
 
@@ -10,24 +10,18 @@ COPY ./extern/ramanchada2 /tmp/extern/ramanchada2
 
 RUN poetry export -f requirements.txt --output requirements.txt --without=dev --without-hashes
 
-FROM tiangolo/uvicorn-gunicorn-fastapi:python3.11-slim
 
-LABEL maintainer="Luchesar ILIEV <luchesar.iliev@gmail.com>" \
-      org.opencontainers.image.created=$BUILD_DATE \
-      org.opencontainers.image.description="RamanChada 2 API service" \
-      org.opencontainers.image.revision=$VCS_REF \
-      org.opencontainers.image.schema-version="1.0" \
-      org.opencontainers.image.source="https://github.com/h2020charisma/ramanchada-api" \
-      org.opencontainers.image.title="ramanchada-api" \
-      org.opencontainers.image.url="https://github.com/h2020charisma/ramanchada-api/blob/main/README.md" \
-      org.opencontainers.image.vendor="IDEAconsult" \
-      org.opencontainers.image.version="latest"
+FROM python:3.11-slim
+
+RUN apt-get update && apt-get install -y \
+    git \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY --from=requirements-stage /tmp/requirements.txt /app/requirements.txt
 COPY ./extern/pynanomapper /tmp/extern/pynanomapper
 COPY ./extern/ramanchada2 /tmp/extern/ramanchada2
 
-RUN sed -i 's/^-e //' /app/requirements.txt
+RUN sed -Ei -e 's|^-e ||' -e 's|(/pyambit.git)@\S+|\1|' /app/requirements.txt
 
 RUN pip install --no-cache-dir --upgrade -r /app/requirements.txt
 
@@ -38,8 +32,10 @@ COPY ./src/rcapi /app/rcapi
 RUN sed -i '/^upload_dir:/s|:.*|: "/var/uploads"|' /app/rcapi/config/config.yaml
 
 RUN mkdir -p /var/uploads/TEMPLATES
-
 COPY ./tests/resources/templates/dose_response.json /var/uploads/TEMPLATES/3c22a1f0-a933-4855-848d-05fcc26ceb7a.json
 
 ENV RAMANCHADA_API_CONFIG="/app/rcapi/config/config.yaml"
-ENV MODULE_NAME="rcapi.main"
+EXPOSE 80
+WORKDIR /app
+
+CMD ["uvicorn", "rcapi.main:app", "--host", "0.0.0.0", "--port", "80", "--workers", "4"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -60,10 +60,14 @@ services:
       - uploads-prod:/var/uploads
 
   dev:
-    image: ghcr.io/h2020charisma/ramanchada-api:develop
+    image: ghcr.io/h2020charisma/ramanchada-api:latest
     container_name: ramanchada-api-dev
     hostname: ramanchada-api-dev
     restart: unless-stopped
+    environment:
+      HS_ENDPOINT: ${HS_ENDPOINT}
+      HS_USERNAME: ${HS_USERNAME}
+      HS_PASSWORD: ${HS_PASSWORD}
     labels:
       traefik.enable: 'true'
       traefik.http.routers.ramanchada-api-dev.entrypoints: tcp80v4*,tcp443v4*,tcp80v6*,tcp443v6*

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -21,13 +21,14 @@ include = [
 
 [tool.poetry.dependencies]
 python = ">=3.9,<3.13"
-fastapi = "^0.101.0"
-python-multipart = "^0.0.6"
-pynanomapper = { path = "extern/pynanomapper", develop = true }
-ramanchada2 = { path = "extern/ramanchada2", develop = true }
 apscheduler = "^3.10.1"
+fastapi = "^0.101.0"
 h5grove = "^1.3.0"
 openpyxl = "^3.1.2"
+pynanomapper = { path = "extern/pynanomapper", develop = true }
+python-multipart = "^0.0.6"
+ramanchada2 = { path = "extern/ramanchada2", develop = true }
+uvicorn = "^0.27.1"
 
 [tool.poetry.urls]
 "Bug Tracker" = "https://github.com/h2020charisma/ramanchada-api/issues"
@@ -36,9 +37,8 @@ openpyxl = "^3.1.2"
 dev = "scripts.dev_server:main"
 
 [tool.poetry.group.dev.dependencies]
-pytest = "^8.0.1"
 httpx = "^0.27.0"
-uvicorn = "^0.27.1"
+pytest = "^8.0.1"
 
 [tool.poetry.group.jupyter.dependencies]
 jupyter = "^1.0.0"