UWIT-IAM · counik · Dec 3, 2024 · Dec 3, 2024 · Dec 3, 2024
diff --git a/.github/workflows/pull-request.template.yml b/.github/workflows/pull-request.template.yml
@@ -14,6 +14,7 @@ env:
 
 jobs:
   update-pr-branch-version:
+    if: github.repository != 'UWIT-IAM/example-flask-app'
     runs-on: ubuntu-latest
     outputs:
       new-version: ${{ steps.update-version.outputs.new-version }}
@@ -30,6 +31,7 @@ jobs:
         id: update-version
 
   validate-image-quality:
+    if: github.repository != 'UWIT-IAM/example-flask-app'
     permissions:
       contents: write
       id-token: write

diff --git a/.github/workflows/release-on-push-to-main.template.yaml b/.github/workflows/release-on-push-to-main.template.yaml
@@ -56,14 +56,17 @@ jobs:
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
+        env:
+          DEPLOYMENT_ID: deploy-dev.${{ steps.get-version.outputs.timestamp }}.v${{ steps.get-version.outputs.version }}
         with:
+          build-args: DEPLOYMENT_ID=${{ env.DEPLOYMENT_ID }}
           context: .
           file: ./Dockerfile
           push: true
           target: app
           tags: |
             us-docker.pkg.dev/uwit-mci-iam/containers/${template:app_name}:${{ steps.get-version.outputs.version }}
-            us-docker.pkg.dev/uwit-mci-iam/containers/${template:app_name}:deploy-dev.${{ steps.get-version.outputs.timestamp }}.v${{ steps.get-version.outputs.version }}
+            us-docker.pkg.dev/uwit-mci-iam/containers/${template:app_name}:${{ env.DEPLOYMENT_ID }}
           secret-files: |
             "gcloud_auth_credentials=${{ steps.auth.outputs.credentials_file_path }}"
 
diff --git a/Dockerfile b/Dockerfile
@@ -1,25 +1,32 @@
-FROM ghcr.io/uwit-iam/poetry:latest AS dependencies
+FROM us-docker.pkg.dev/uwit-mci-iam/containers/base-python-3.9:latest AS dependencies
+
 WORKDIR /app
 COPY poetry.lock pyproject.toml ./
-RUN poetry install --no-dev --no-root --no-interaction
+RUN --mount=type=secret,id=gcloud_auth_credentials \
+    md5sum /run/secrets/gcloud_auth_credentials
+# get gcloud_auth_credentials secret from docker buildx (put in /run/secrets by default)
+# install GAR keyring + setup ENV VAR per docs
+# https://pypi.org/project/keyrings.google-artifactregistry-auth/
+RUN --mount=type=secret,id=gcloud_auth_credentials \
+    poetry self add keyrings.google-artifactregistry-auth && \
+    export GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcloud_auth_credentials && \
+    poetry install --only main --no-root --no-interaction
 
 FROM dependencies AS app
-# If you change your app directory, you must also
-# change the APP_MODULE here to match. Alternativel,
-# you can also
-# pass it into your build using `--build-arg`
-# (see official docker documentation).
+
+ARG DEPLOYMENT_ID
 ARG APP_MODULE=example_app
 ARG FLASK_PORT=5000
 ENV FLASK_ENV=development \
     PYTHONPATH=${APP_MODULE} \
-    FLASK_APP=${APP_MODULE}.app
+    FLASK_APP=${APP_MODULE}.app \
+    DEPLOYMENT_ID=${DEPLOYMENT_ID}
 EXPOSE ${FLASK_PORT}
 COPY ${APP_MODULE}/ ./${APP_MODULE}
 # install root package now that we've copied it
 # we depend on the metadata for the package to return the version
 RUN poetry install --only-root
-ENTRYPOINT ["flask", "run"]
+ENTRYPOINT ["poetry", "run", "flask", "run", "--host", "0.0.0.0"]
 
 FROM app AS tests
 WORKDIR tests/