From fa184cc2058d9eec665ece4eb212dbcbdba37130 Mon Sep 17 00:00:00 2001
From: Kevin Counihan
Date: Tue, 3 Dec 2024 08:57:38 -0800
Subject: [PATCH 1/2] add DEPLOYMENT_ID env variable to prevent /status route 503s, expose google creds to app
---
 .../release-on-push-to-main.template.yaml | 5 +++-
 Dockerfile | 25 ++++++++++++-------
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release-on-push-to-main.template.yaml b/.github/workflows/release-on-push-to-main.template.yaml
index c40cba7..32ba63a 100644
--- a/.github/workflows/release-on-push-to-main.template.yaml
+++ b/.github/workflows/release-on-push-to-main.template.yaml
@@ -56,14 +56,17 @@ jobs:
 - name: Build and push Docker image
 uses: docker/build-push-action@v5
+ env:
+ DEPLOYMENT_ID: deploy-dev.${{ steps.get-version.outputs.timestamp }}.v${{ steps.get-version.outputs.version }}
 with:
+ build-args: DEPLOYMENT_ID=${{ env.DEPLOYMENT_ID }}
 context: .
 file: ./Dockerfile
 push: true
 target: app
 tags: |
 us-docker.pkg.dev/uwit-mci-iam/containers/${template:app_name}:${{ steps.get-version.outputs.version }}
- us-docker.pkg.dev/uwit-mci-iam/containers/${template:app_name}:deploy-dev.${{ steps.get-version.outputs.timestamp }}.v${{ steps.get-version.outputs.version }}
+ us-docker.pkg.dev/uwit-mci-iam/containers/${template:app_name}:${{ env.DEPLOYMENT_ID }}
 secret-files: |
 "gcloud_auth_credentials=${{ steps.auth.outputs.credentials_file_path }}"
diff --git a/Dockerfile b/Dockerfile
index e9c6a6e..d8cd1b4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,25 +1,32 @@
-FROM ghcr.io/uwit-iam/poetry:latest AS dependencies
+FROM us-docker.pkg.dev/uwit-mci-iam/containers/base-python-3.9:latest AS dependencies
+
 WORKDIR /app
 COPY poetry.lock pyproject.toml ./
-RUN poetry install --no-dev --no-root --no-interaction
+RUN --mount=type=secret,id=gcloud_auth_credentials \
 md5sum /run/secrets/gcloud_auth_credentials
+# get gcloud_auth_credentials secret from docker buildx (put in /run/secrets by default)
+# install GAR keyring + setup ENV VAR per docs
+# https://pypi.org/project/keyrings.google-artifactregistry-auth/
+RUN --mount=type=secret,id=gcloud_auth_credentials \
 poetry self add keyrings.google-artifactregistry-auth && \
 export GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcloud_auth_credentials && \
 poetry install --only main --no-root --no-interaction
 FROM dependencies AS app
-# If you change your app directory, you must also
-# change the APP_MODULE here to match. Alternativel,
-# you can also
-# pass it into your build using `--build-arg`
-# (see official docker documentation).
+
+ARG DEPLOYMENT_ID
 ARG APP_MODULE=example_app
 ARG FLASK_PORT=5000
 ENV FLASK_ENV=development \
 PYTHONPATH=${APP_MODULE} \
- FLASK_APP=${APP_MODULE}.app
+ FLASK_APP=${APP_MODULE}.app \
+ DEPLOYMENT_ID=${DEPLOYMENT_ID}
 EXPOSE ${FLASK_PORT}
 COPY ${APP_MODULE}/ ./${APP_MODULE}
 # install root package now that we've copied it
 # we depend on the metadata for the package to return the version
 RUN poetry install --only-root
-ENTRYPOINT ["flask", "run"]
+ENTRYPOINT ["poetry", "run", "flask", "run", "--host", "0.0.0.0"]
 FROM app AS tests
 WORKDIR tests/
From 3b1c9db90e4e9f3afec5c05b27bc09b1579a752c Mon Sep 17 00:00:00 2001
From: Kevin Counihan
Date: Tue, 3 Dec 2024 09:03:03 -0800
Subject: [PATCH 2/2] stop annoying workflow runs
---
 .github/workflows/pull-request.template.yml | 2 ++
 1 file changed, 2 insertions(+)
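Review bot: The new `RUN --mount=type=secret,id=gcloud_auth_credentials md5sum /run/secrets/gcloud_auth_credentials` step prints a digest of the service-account key file into the CI build log and feeds nothing downstream; delete it, or if a presence check is wanted replace it with `test -s /run/secrets/gcloud_auth_credentials`, which reveals nothing about the file's contents. The replacement base line `FROM us-docker.pkg.dev/uwit-mci-iam/containers/base-python-3.9:latest` and `poetry self add keyrings.google-artifactregistry-auth` are both unpinned, so the same commit can rebuild into a different image; pin the base tag or digest and `keyrings.google-artifactregistry-auth==<version>`. The credential handling itself looks right — the secret is mounted only for the duration of that RUN and `GOOGLE_APPLICATION_CREDENTIALS` is exported inside its shell, so neither reaches an image layer — but the commit subject's "expose google creds to app" invites the opposite reading, so a comment such as `# credentials are used only to resolve private packages at build time; they are not present in the image` would help. Separately, the new ENTRYPOINT binds Flask's development server on `0.0.0.0` beneath the unchanged `FLASK_ENV=development` line, which on Flask versions before 2.3 enables debug mode and the Werkzeug debugger; if the `app` target is ever run outside local development that is remote code execution, so confirm how this target is deployed.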
diff --git a/.github/workflows/pull-request.template.yml b/.github/workflows/pull-request.template.yml
index 1d20070..c10fcfd 100644
--- a/.github/workflows/pull-request.template.yml
+++ b/.github/workflows/pull-request.template.yml
@@ -14,6 +14,7 @@ env:
 jobs:
 update-pr-branch-version:
+ if: github.repository != 'UWIT-IAM/example-flask-app'
 runs-on: ubuntu-latest
 outputs:
 new-version: ${{ steps.update-version.outputs.new-version }}
@@ -30,6 +31,7 @@ id: update-version
 validate-image-quality:
+ if: github.repository != 'UWIT-IAM/example-flask-app'
 permissions:
 contents: write
 id-token: write
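Review bot: The added `if: github.repository != 'UWIT-IAM/example-flask-app'` guards on both jobs explain neither why the template repository is excluded nor that the literal must track the template repo's name, and the same literal is now duplicated; a short comment above each, e.g. `# skip in the template repo itself; repos generated from it have a different github.repository`, would settle that for the next reader. Skipping `update-pr-branch-version` also skips any job that lists it in `needs:` unless that job carries its own `if: always()`-style condition; the rest of the file is outside this hunk, so check whether anything downstream is still expected to run on the template repo. The comparison is against the full `owner/name` string, so a fork or transfer of the template under another owner would no longer be skipped — acceptable, but worth knowing.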