Merge pull request #3 from h2020charisma/ops-github-actions

ops: add github actions
h2020charisma · Jun 4, 2024 · 078946f · 078946f
2 parents 2bb33f0 + feb4692
commit 078946f
Show file tree

Hide file tree

Showing 8 changed files with 325 additions and 4 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+---
+version: 2
+updates:
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    assignees:
+      - "kerberizer"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,195 @@
+---
+name: CI
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  POETRY_VERSION: 1.8.3
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+
+  test:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version:
+          - '3.9'
+          - '3.10'
+          - '3.11'
+          - '3.12'
+
+    steps:
+
+      - name: Checkout the repository
+        uses: actions/[email protected]
+
+      - name: Setup Python
+        uses: actions/[email protected]
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Get the precise Python version
+        run: echo "PYTHON_ID=$( python -VV | sha256sum | awk '{ print $1 }' )" >> "$GITHUB_ENV"
+
+      - name: Load the cached Poetry installation
+        id: cached-poetry
+        uses: actions/[email protected]
+        with:
+          path: ~/.local
+          key: poetry-${{ env.POETRY_VERSION }}-py_${{ env.PYTHON_ID}}-0
+
+      - name: Install Poetry
+        if: steps.cached-poetry.outputs.cache-hit != 'true'
+        uses: snok/[email protected]
+        with:
+          version: ${{ env.POETRY_VERSION }}
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+      - name: Load the cached dependencies
+        id: cached-deps
+        uses: actions/[email protected]
+        with:
+          path: .venv
+          key: py${{ matrix.python-version }}-deps-${{ hashFiles('**/poetry.lock') }}
+
+      - name: Install dependencies
+        if: steps.cached-deps.outputs.cache-hit != 'true'
+        run: poetry install --no-interaction
+
+      - name: Run pre-commit
+        run: poetry run pre-commit
+      - name: Run tests
+        env:
+          COVERAGE_FILE: .coverage.${{ matrix.python-version }}
+        run: poetry run pytest --cov
+
+      - name: Store the coverage report
+        uses: actions/[email protected]
+        with:
+          name: coverage-${{ matrix.python-version }}
+          path: .coverage.${{ matrix.python-version }}
+
+  coverage:
+
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      pull-requests: write
+      contents: write
+
+    steps:
+
+      - name: Checkout the repository
+        uses: actions/[email protected]
+
+      - name: Retrieve the coverage reports
+        id: download
+        uses: actions/[email protected]
+        with:
+          pattern: coverage-*
+          merge-multiple: true
+
+      - name: Process the coverage reports
+        id: coverage_processing
+        uses: py-cov-action/[email protected]
+        with:
+          COVERAGE_DATA_BRANCH: 'COVERAGE-REPORT'
+          GITHUB_TOKEN: ${{ github.token }}
+          MERGE_COVERAGE_FILES: true
+
+      - name: Store the pull request coverage comment for later posting
+        if: steps.coverage_processing.outputs.COMMENT_FILE_WRITTEN == 'true'
+        uses: actions/[email protected]
+        with:
+          name: python-coverage-comment-action
+          path: python-coverage-comment-action.txt
+
+  build:
+
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/[email protected]
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.4'
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/[email protected]
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: docker/[email protected]
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=stable,enable=${{ github.ref == 'refs/heads/main' }}
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/[email protected]
+        with:
+          context: .
+          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/coverage-comment.yml b/.github/workflows/coverage-comment.yml
@@ -0,0 +1,29 @@
+---
+name: Post a coverage report comment on pull requests
+
+on:  # yamllint disable-line rule:truthy
+  workflow_run:
+    workflows:
+      - 'CI'
+    types:
+      - 'completed'
+
+jobs:
+
+  comment:
+
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+    permissions:
+      pull-requests: write
+      contents: write
+      actions: read
+
+    steps:
+
+      - name: Post the stored pull request coverage comment
+        uses: py-cov-action/[email protected]
+        with:
+          COVERAGE_DATA_BRANCH: 'COVERAGE-REPORT'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -15,3 +15,7 @@ repos:
       - id: flake8
         additional_dependencies:
           - flake8-bugbear==24.4.26
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.35.1
+    hooks:
+      - id: yamllint
diff --git a/.yamllint.yml b/.yamllint.yml
@@ -0,0 +1,5 @@
+---
+extends: default
+rules:
+  line-length:
+    max: 119
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,42 @@
+FROM python:3.12-slim as requirements-stage
+
+WORKDIR /tmp
+
+RUN pip install poetry
+
+COPY ./pyproject.toml ./poetry.lock* /tmp/
+
+RUN poetry export -f requirements.txt --output requirements.txt --without=dev --without-hashes
+
+FROM python:3.12-slim
+
+LABEL maintainer="Luchesar ILIEV <[email protected]>" \
+      org.opencontainers.image.created=$BUILD_DATE \
+      org.opencontainers.image.description="A web-based spectra harmonization tool" \
+      org.opencontainers.image.revision=$VCS_REF \
+      org.opencontainers.image.schema-version="1.0" \
+      org.opencontainers.image.source="https://github.com/h2020charisma/spectrastream" \
+      org.opencontainers.image.title="spectrastream" \
+      org.opencontainers.image.url="https://github.com/h2020charisma/spectrastream/blob/main/README.md" \
+      org.opencontainers.image.vendor="IDEAconsult" \
+      org.opencontainers.image.version="latest"
+
+RUN apt-get update && apt-get install -y \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=requirements-stage /tmp/requirements.txt /tmp/
+
+RUN sed -i 's/^-e //' /tmp/requirements.txt \
+    && pip install --no-cache-dir --upgrade -r /tmp/requirements.txt \
+    && rm /tmp/requirements.txt
+
+COPY ./src/spectrastream  /app
+
+WORKDIR /app
+
+EXPOSE 8501
+
+HEALTHCHECK CMD curl --fail http://127.0.0.1:8501/_stcore/health
+
+ENTRYPOINT ["streamlit", "run", "app.py", "--server.port=8501", "--server.address=0.0.0.0"]
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -34,7 +34,7 @@ classifiers = [
 ]
 
 [tool.poetry.dependencies]
-python = "^3.12"
+python = "^3.9,!=3.9.7"
 streamlit = "^1.35.0"
 
 [tool.poetry.group.dev.dependencies]