aeecleclair
diff --git a/‎.github/workflows/alpha-publish.yml‎
Lines changed: 48 additions & 0 deletions b/‎.github/workflows/alpha-publish.yml‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎.github/workflows/lintandformat.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/lintandformat.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/preprod-publish.yml‎
Lines changed: 71 additions & 0 deletions b/‎.github/workflows/preprod-publish.yml‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎.github/workflows/publish.yml‎
Lines changed: 9 additions & 33 deletions b/‎.github/workflows/publish.yml‎
Lines changed: 9 additions & 33 deletions
diff --git a/‎.github/workflows/publishbase.yml‎
Lines changed: 0 additions & 64 deletions b/‎.github/workflows/publishbase.yml‎
Lines changed: 0 additions & 64 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 4 additions & 5 deletions b/‎.github/workflows/test.yml‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎Dockerfile‎
Lines changed: 35 additions & 7 deletions b/‎Dockerfile‎
Lines changed: 35 additions & 7 deletions
diff --git a/‎Dockerfile.base‎
Lines changed: 0 additions & 12 deletions b/‎Dockerfile.base‎
Lines changed: 0 additions & 12 deletions
@@ -0,0 +1,48 @@
+name: Publish Alpha
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-and-deploy-alpha:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          ref: "main"
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion
+          tags: |
+            type=raw,value=alpha
+
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
+
+      - name: Login to GitHub Container Registry
+        uses: docker/[email protected]
+        with:
+          registry: ${{ secrets.DOCKER_REGISTRY_URL }}
+          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
+          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+
+      - name: Build and push preprod image
+        uses: docker/[email protected]
+        with:
+          context: .
+          platforms: linux/amd64 #,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: |
+            type=registry,ref=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion:alpha
+            type=registry,ref=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion:latest
+          cache-to: type=inline
@@ -16,14 +16,14 @@ jobs:
 
       # Setup Python (faster than using Python container)
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         id: setup-python
         with:
           python-version: "3.11"
 
       - name: Cache uv folder
         id: cache-uv
-        uses: actions/cache@v4
+        uses: actions/cache@v4.3.0
         with:
           path: ~/.cache/uv
           key: ${{ runner.os }}-python-${{ steps.setup-python.outputs.python-version }}-uv-${{ hashFiles('requirements.txt', 'requirements-dev.txt') }}
@@ -36,7 +36,7 @@ jobs:
 
       - name: Cache .ruff_cache folder
         id: ruff_cache
-        uses: actions/cache@v4
+        uses: actions/cache@v4.3.0
         with:
           path: .ruff_cache
           key: ruff_cache-${{ github.head_ref }}
@@ -48,7 +48,7 @@ jobs:
 
       - name: Cache .mypy_cache folder
         id: mypy_cache
-        uses: actions/cache@v4
+        uses: actions/cache@v4.3.0
         with:
           path: .mypy_cache
           key: mypy_cache-${{ github.head_ref }}
 
@@ -0,0 +1,71 @@
+name: Publish Preprod
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch to deploy in preprod"
+        required: true
+        default: "main"
+      preprod_env:
+        description: "Preprod environment"
+        required: true
+        type: choice
+        options:
+          - preprod-1
+          - preprod-2
+          - preprod-3
+          - preprod-4
+          - preprod-5
+          - preprod-6
+          - preprod-7
+          - preprod-8
+          - preprod-9
+        default: "preprod-1"
+
+jobs:
+  build-and-deploy-preprod:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.inputs.branch }}
+
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
+
+      - name: Login to GitHub Container Registry
+        uses: docker/[email protected]
+        with:
+          registry: ${{ secrets.DOCKER_REGISTRY_URL }}
+          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
+          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ secrets.DOCKER_REGISTRY_URL }}/hyperion
+          tags: |
+            type=raw,value=${{ github.event.inputs.preprod_env }}
+            type=raw,value=preprod-latest,enable={{is_default_branch}}
+            type=sha,prefix={{branch}}-
+          labels: |
+            preprod.environment=${{ github.event.inputs.preprod_env }}
+            preprod.branch=${{ github.event.inputs.branch }}
+
+      - name: Build and push preprod image
+        uses: docker/[email protected]
+        with:
+          context: .
+          platforms: linux/amd64 #,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: |
+            type=registry,ref=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion:${{ github.event.inputs.preprod_env }}
+            type=registry,ref=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion:alpha
+            type=registry,ref=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion:latest
+          cache-to: type=inline
@@ -14,59 +14,35 @@ jobs:
       - name: Check out the code
         uses: actions/checkout@v5
 
-      - name: Calculate requirements md5
-        run: |
-          echo "REQUIREMENTS_MD5=$(cat requirements-common.txt | md5sum | cut -d ' ' -f 1)" >> $GITHUB_ENV
-
-      - name: Check if base image exists
-        run: |
-          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-              -u ${{ secrets.DOCKER_REGISTRY_USERNAME }}:${{ secrets.DOCKER_REGISTRY_PASSWORD }} \
-              -H "Accept: application/vnd.oci.image.index.v1+json" \
-              "${{ secrets.DOCKER_REGISTRY_URL }}/v2/hyperion-base/manifests/${{ env.REQUIREMENTS_MD5 }}")
-
-          echo "HTTP_CODE=$HTTP_CODE" >> $GITHUB_ENV
-
-          if [ "$HTTP_CODE" -ne 200 ]; then
-            echo "Error: Base image not found, wait for the base image to be built first"
-            exit 1
-          fi
-
-          echo "EXISTS=true" >> $GITHUB_ENV
-
       - name: Docker metadata
-        if: env.EXISTS == 'true'
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v5.8.0
         with:
           images: ${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
 
       - name: Set up Docker Buildx
-        if: env.EXISTS == 'true'
-        uses: docker/setup-buildx-action@v3
+        uses: docker/[email protected]
 
       - name: Login to GitHub Container Registry
-        if: env.EXISTS == 'true'
-        uses: docker/login-action@v3
+        uses: docker/[email protected]
         with:
           registry: ${{ secrets.DOCKER_REGISTRY_URL }}
           username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
           password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
 
       - name: Build and push app
-        if: env.EXISTS == 'true'
-        uses: docker/build-push-action@v6
+        uses: docker/[email protected]
         with:
           context: .
           platforms: linux/amd64 #,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          build-args: |
-            REQUIREMENTS_MD5=${{env.REQUIREMENTS_MD5}}
-            DOCKER_REGISTRY_IDENTIFER=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}
+          cache-from: |
+            type=registry,ref=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion:alpha
+            type=registry,ref=${{ secrets.DOCKER_REGISTRY_IDENTIFER }}/hyperion:latest
+          cache-to: type=inline
@@ -54,14 +54,14 @@ jobs:
 
       # Setup Python (faster than using Python container)
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         id: setup-python
         with:
           python-version: "3.12"
 
       - name: Cache uv folder
         id: cache-uv
-        uses: actions/cache@v4
+        uses: actions/cache@v4.3.0
         with:
           path: ~/.cache/uv
           key: ${{ runner.os }}-python-${{ steps.setup-python.outputs.python-version }}-uv-${{ hashFiles('requirements.txt', 'requirements-dev.txt') }}
@@ -74,16 +74,15 @@ jobs:
 
       - name: Cache .pytest_cache folder
         id: pytest_cache
-        uses: actions/cache@v4
+        uses: actions/cache@v4.3.0
         with:
           path: .pytest_cache
           key: pytest_cache-${{ github.head_ref }}
-      
 
       - name: Run unit tests with Postgresql
         run: python -m pytest --cov
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v5.5.1
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -1,18 +1,46 @@
-ARG REQUIREMENTS_MD5
-ARG DOCKER_REGISTRY_IDENTIFER
-FROM ${DOCKER_REGISTRY_IDENTIFER}/hyperion-base:${REQUIREMENTS_MD5}
+FROM ghcr.io/astral-sh/uv:python3.12-trixie-slim
 
+# Default number of workers; can be overridden at runtime
+ENV WORKERS=1
+
+# Update package list and install weasyprint dependencies
+RUN apt-get update && apt-get install -y \
+    weasyprint \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set environment variables to optimize Python behavior in production
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV UV_COMPILE_BYTECODE=1
-EXPOSE 8000
+
+# Create non-root user early for better security
+RUN groupadd --gid 1000 hyperion && \
+    useradd --uid 1000 --gid hyperion --shell /bin/bash --create-home hyperion
 
 WORKDIR /hyperion
 
-COPY pyproject.toml .
+# First copy only the requirements to leverage Docker cache
+COPY requirements.txt .
+
+# Install dependencies using uv (way faster than pip)
+RUN uv pip install --system --no-cache -r requirements.txt
+
+# Then copy the rest of the application code
 COPY alembic.ini .
-COPY migrations migrations/
+COPY pyproject.toml .
 COPY assets assets/
+COPY migrations migrations/
 COPY app app/
 
-ENTRYPOINT fastapi run --workers "${NB_WORKERS:-1}"
+# Change ownership of the application directory to the hyperion user
+RUN chown -R hyperion:hyperion /hyperion
+
+# Switch to non-root user
+USER hyperion
+
+# Expose port 8000
+EXPOSE 8000
+
+# Use fastapi cli as the entrypoint
+# Use sh -c to allow environment variable expansion
+ENTRYPOINT ["sh", "-c", "fastapi run --workers $WORKERS --host 0.0.0.0 --port 8000"]