Merge pull request #7 from minrk/cd

deploy from github actions

Author: minrk

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "pypi"
+    directory: "/"
+    # needed to update requirements.txt
+    allow:
+      - dependency-type: all
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3

.github/workflows/cd.yml

@@ -0,0 +1,77 @@
+name: Continuous Deployment
+
+# only allow one deploy workflow to be running at a time
+# serializes multiple outstanding deploys if PRs are merged before the last deploy finishes
+# ref: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency
+concurrency: deploy
+
+# Only trigger the workflow when pushing to master or a label is applied to a
+# Pull Request
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "*.md"
+      - .pre-commit-config.yaml
+      - .github/**
+      - "!.github/workflows/cd.yml"
+
+# Global environment variables
+env:
+  KUBECTL_VERSION: "v1.29.15"
+  HELM_VERSION: "v3.12.0"
+  KUBECONFIG: secrets/ovh-kubeconfig.yaml
+  NBVIEWER_VERSION: "68472ab"
+
+jobs:
+  # In this dedicated job to deploy our staging environment we build and push
+  # images that the jobs to deploy to the production environments depend on.
+  deploy:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: pip
+
+      - name: "Stage 1: Install dependencies"
+        run: |
+          pip install --upgrade setuptools pip
+          pip install --upgrade -r requirements.txt
+
+      - name: "Stage 1: Install kubectl ${{ env.KUBECTL_VERSION }}"
+        uses: azure/setup-kubectl@v4
+        with:
+          version: ${{ env.KUBECTL_VERSION }}
+
+      - name: "Stage 1: Install and setup helm ${{ env.HELM_VERSION }}"
+        run: |
+          curl -sf https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | DESIRED_VERSION=${HELM_VERSION} bash
+
+      - name: Unlock git-crypt secrets
+        uses: sliteteam/github-action-git-crypt-unlock@f99c0c6b60bb7ec30dcec033a8f0a3b3d48f21e1
+        env:
+          GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}
+
+      - name: get nbviewer chart
+        run: |
+          git clone https://github.com/jupyter/nbviewer
+          cd nbviewer
+          git reset "${NBVIEWER_VERSION}" --hard
+          git log -1
+
+      - name: deploy
+        run: |
+          bash deploy.sh
+
+      - name: "Test"
+        run: |
+          pytest

.gitignore

@@ -52,3 +52,5 @@ coverage.xml
 # Sphinx documentation
 docs/_build/
 
+.ipynb_checkpoints
+.DS_Store

.pre-commit-config.yaml

@@ -0,0 +1,31 @@
+exclude: "(.*/)?secrets/.*"
+
+ci:
+  # pre-commit.ci will open PRs updating our hooks once a month
+  autoupdate_schedule: monthly
+
+repos:
+  # autoformat and lint Python code
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.13.1
+    hooks:
+      - id: ruff
+        types_or:
+          - python
+        args: ["--fix", "--show-fixes"]
+      - id: ruff-format
+        types_or:
+          - python
+
+  # Autoformat: markdown, yaml, javascript (see the file .prettierignore)
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: v3.6.2
+    hooks:
+      - id: prettier
+
+  # Autoformat and linting, misc. details
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: check-executables-have-shebangs

LICENSE

@@ -21,4 +21,3 @@ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-

README.md

@@ -1,21 +1,41 @@
 # nbviewer.org-deploy
 
-Tasks for running nbviewer.org in helm, with [invoke](http://pyinvoke.org).
+Deployment repo for nbviewer.org
 
-**TODO: helm automatiion have not yet been implemented,
-but are current run via `deploy.sh`.
-This assumes the `nbviewer` repo is adjacent to this repo
-and up-to-date.**
+## Overview
+
+The nbviewer image and helm chart are defined in https://github.com/jupyter/nbviewer.
+The helm chart in that repo is not _published_ anywhere,
+so we use a local checkout.
+Helm upgrades are deployed via GitHub actions.
+
+Some _very_ infrequent manual tasks (interacting with the fastly cache layer) are scripted in `tasks.py` for use with `pyinvoke`.
+We're mostly trying to move away from that, but tasks are infrequent enough.
+Let's not add to them, though.
+
+## Automation progress
+
+- helm upgrade is now in `.github/workflows/cd.yml`
+- updating nbviewer is still manual (`config.yaml` and `cd.yaml`)
 
 ## Quickstart: upgrading nbviewer
 
-Currently assumes you have helm, kubectl
+nbviewer helm upgrades are deployed via github actions.
+The nbviewer version is current in two palaces:
+
+- the _chart_ version in `.github/workflows/cd.yml`
+- the _image_ version in `config/nbviewer.yaml`
+
+To deploy an update from nbviewer to nbviewer.org:
 
-1. clone nbviewer: `git clone https://github.com/jupyter/nbviewer`
-2. clone this repo: `git clone https://github.com/jupyter/nbviewer.org-deploy`
-3. Run helm upgrade `cd nbviewer.org-deploy; bash deploy.sh`
+1. check the latest version of the nbviewer repo (https://github.com/jupyter/nbviewer/commits)
+2. store the latest commit in `NBVIEWER_VERSION` in [.github/workflows/cd.yaml](.github/workflows/cd.yml)
+3. check the latest tag of the [nbviewer image](https://hub.docker.com/r/jupyter/nbviewer/tags)
+4. update the tag in [config/nbviewer.yaml](config/nbviewer.yaml)
 
-**NOTE: The invoke tasks.py has not been updated**
+Open a pull request, and it should be deployed to nbviewer.org upon merge.
+
+Generating these pull requests _should_ be automated, as is done [on mybinder.org-deploy](https://github.com/jupyterhub/mybinder.org-deploy/pull/3427).
 
 ## Current deployment
 
@@ -25,18 +45,8 @@ Right now, nbviewer is run on OVHCloud via helm in the namespace `nbviewer`.
 
 Python dependencies:
 
-    pip install -r requirements.txt
-
-
-### Upgrading
-
-To upgrade the deployment in-place:
-
-```
-invoke upgrade
-```
+    pip install -r requirements.in # (or requirements.txt for a locked env)
 
-This will deploy the new helm configuration
 
 ## TODO
 

config/nbviewer.yaml

@@ -15,15 +15,15 @@ memcached:
 
 nbviewer:
   extraArgs:
-  - '--cache-expiry-min=3600'
-  - '--cache-expiry-max=14400'
-  - "--content-security-policy=connect-src *" # https://github.com/jupyter/nbviewer/issues/797
-  - '--jupyter-js-widgets-version=2.1' # https://github.com/jupyter/nbviewer/issues/818
-  - '--jupyter-widgets-html-manager-version=0.15' # https://github.com/jupyter/nbviewer/issues/818
-  - >-
-    --NBViewer.extra_head_html=
-    <script defer data-domain="nbviewer.org" src="https://plausible.io/js/script.file-downloads.outbound-links.js"></script>
-    <script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script>
+    - "--cache-expiry-min=3600"
+    - "--cache-expiry-max=14400"
+    - "--content-security-policy=connect-src *" # https://github.com/jupyter/nbviewer/issues/797
+    - "--jupyter-js-widgets-version=2.1" # https://github.com/jupyter/nbviewer/issues/818
+    - "--jupyter-widgets-html-manager-version=0.15" # https://github.com/jupyter/nbviewer/issues/818
+    - >-
+      --NBViewer.extra_head_html=
+      <script defer data-domain="nbviewer.org" src="https://plausible.io/js/script.file-downloads.outbound-links.js"></script>
+      <script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script>
 
 statuspage:
   enabled: true

deploy.sh

@@ -4,23 +4,28 @@ set -euo pipefail
 # TODO: move this to CI, don't make assumptions about local repo checkouts
 
 export KUBECONFIG=$PWD/secrets/ovh-kubeconfig.yaml
-nbviewer_chart="../nbviewer/helm-chart/nbviewer"
-echo "Is $PWD/../nbviewer up to date?"
+
+nbviewer_chart="${NBVIEWER_CHART:-../nbviewer/helm-chart/nbviewer}"
+echo "Is $nbviewer_chart up to date?"
 helm dep up $nbviewer_chart
 
 upgrade="upgrade nbviewer $nbviewer_chart -f config/nbviewer.yaml -f secrets/config/nbviewer.yaml"
-helm diff -C 5 $upgrade
 
-echo "Deploy these changes? (y|[N]) "
-read confirm
+if [[ -z "${CI:-}" ]]; then
+  helm diff -C 5 $upgrade
+  echo "Deploy these changes? (y|[N]) "
+  read confirm
 
-if [[ "$confirm" == "y" || "$confirm" == "Y" ]]; then
-  echo "Upgrading..."
-  helm $upgrade
-else
-  echo "Cancelled"
-  exit 1
+  if [[ "$confirm" == "y" || "$confirm" == "Y" ]]; then
+    echo "confirmed"
+  else
+    echo "Cancelled"
+    exit 1
+  fi
 fi
 
+echo "Upgrading..."
+helm $upgrade --cleanup-on-fail
+
 # watch deployment rollout
 kubectl rollout status -w deployment/nbviewer

pyproject.toml

@@ -0,0 +1,17 @@
+
+[project]
+name = "nbviewer.org-deploy"
+
+[tool.pytest.ini_options]
+addopts = "-v"
+testpaths = [
+    "tests",
+]
+
+[tool.ruff.lint]
+select = [
+    "E9", # syntax
+    "I", # isort
+    "UP", # pyupgrade
+    "F", # flake8
+]

requirements.in

@@ -0,0 +1,2 @@
+pytest
+requests