Merge pull request #122 from ral-facilities/75_remove_nox

Containerisation best practices

Author: patrick-austin

.github/requirements.txt

@@ -1,3 +1 @@
-poetry==2.1.2
-nox==2024.3.2
 codecarbon==3.0.1

.github/workflows/ci.yaml

@@ -23,8 +23,6 @@ jobs:
     strategy:
       fail-fast: false
     runs-on: ubuntu-22.04
-    env:
-      CACHE_DIR: $HOME/.cache/docker
 
     name: Tests
     steps:
@@ -37,38 +35,19 @@ jobs:
           path: ~/.cache/pip
           key: pip-${{ hashFiles('.github/requirements.txt') }}
 
-      - name: Install Poetry & Nox
+      - name: Install runner requirements
         run: pip install -r .github/requirements.txt
 
       # Let CodeCarbon run in the background while we do everything else
       - name: Start CodeCarbon
-        run: codecarbon monitor &
+        run: codecarbon monitor --no-api > emissions.out 2>&1 &
 
       # Do this early to minimise how long we wait for the health check later on
       - name: Docker compose up
-        run: docker compose -f tests/docker-compose.yaml up -d
-
-      - name: Install python-ldap dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libsasl2-dev python3.11-dev libldap2-dev libssl-dev
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
-      - name: Load Poetry cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pypoetry/virtualenvs
-          key: poetry-${{ hashFiles('poetry.lock') }}
+        run: docker compose -f docker-compose.yaml --profile dependencies up -d
 
-      - name: Load Poetry cache for Nox tests session
-        uses: actions/cache@v4
-        with:
-          path: /home/runner/work/datastore-api/datastore-api/.nox/tests*
-          key: nox-tests-${{ hashFiles('poetry.lock') }}
+      - name: Touch coverage.xml
+        run: touch coverage.xml
 
       - name: Set X509 certificate
         run: |
@@ -96,135 +75,163 @@ jobs:
       - name: Cache Docker layers
         uses: actions/cache@v4
         with:
-          path: ${{ env.CACHE_DIR }}
+          path: ${{ runner.temp }}/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ hashFiles('poetry.lock') }}
           restore-keys: |
             ${{ runner.os }}-buildx-
       
       - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          tags: datastore-api:dev
+          target: dev
+          load: true
+          cache-from: type=local,src=${{ runner.temp }}/.buildx-cache
+          cache-to: type=local,dest=${{ runner.temp }}/.buildx-cache-new,mode=max
+
+      - name: Move Cache
         run: |
-          mkdir -p "${CACHE_DIR}"
-          docker buildx build -t datastore-api:test --target test  --load \
-            --cache-from=type=local,src="${CACHE_DIR}" \
-            --cache-to=type=local,dest="${CACHE_DIR}",mode=max \
-            -f /home/runner/work/datastore-api/datastore-api/Dockerfile .
+          rm -rf ${{ runner.temp }}/.buildx-cache
+          mv ${{ runner.temp }}/.buildx-cache-new ${{ runner.temp }}/.buildx-cache
 
-      - name: Run tests via Docker container
+      - name: Run tests
         run: |
-          docker run --rm \
-            --network tests_datastore_network \
-            -v /home/runner/work/datastore-api/datastore-api//hostkey.pem:/app/hostkey.pem \
-            -v /home/runner/work/datastore-api/datastore-api//hostcert.pem:/app/hostcert.pem \
-            -w /app \
+          docker compose -f docker-compose.yaml --profile tests run \
             -e FTS3__STORAGE_ENDPOINTS__ECHO__ACCESS_KEY=${{ secrets.ECHO_S3_ACCESS_KEY }} \
             -e FTS3__STORAGE_ENDPOINTS__ECHO__SECRET_KEY=${{ secrets.ECHO_S3_SECRET_KEY }} \
-            datastore-api:test
+            tests
       
       - name: Docker compose down
-        run: docker compose -f tests/docker-compose.yaml down
+        run: docker compose -f docker-compose.yaml down
 
       - name: Upload code coverage report
         uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-      
-      # CodeCarbon needs the keyboard interrupt signal to gracefully stop
-      - name: Stop CodeCarbon
-        run: pkill -2 codecarbon
 
       - name: Print emissions
-        run: cat emissions.csv
+        if: always()
+        run: cat emissions.out
 
 
   linting:
     runs-on: ubuntu-22.04
     name: Code Linting
     steps:
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Load Pip cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pip
-          key: pip-${{ hashFiles('.github/requirements.txt') }}
-
-      - name: Install Poetry & Nox
-        run: pip install -r .github/requirements.txt
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Load Poetry cache for Nox lint session
+      # Cache image will only be updated if poetry.lock changes
+      - name: Cache Docker layers
         uses: actions/cache@v4
         with:
-          path: /home/runner/work/datastore-api/datastore-api/.nox/lint*
-          key: nox-lint-${{ hashFiles('poetry.lock') }}
+          path: ${{ runner.temp }}/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ hashFiles('poetry.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          tags: datastore-api:dev
+          target: dev
+          load: true
+          cache-from: type=local,src=${{ runner.temp }}/.buildx-cache
+          cache-to: type=local,dest=${{ runner.temp }}/.buildx-cache-new,mode=max
+
+      - name: Move Cache
+        run: |
+          rm -rf ${{ runner.temp }}/.buildx-cache
+          mv ${{ runner.temp }}/.buildx-cache-new ${{ runner.temp }}/.buildx-cache
 
-      - name: Run Nox lint session
-        run: nox -s lint
+      - name: Run linting
+        run: docker compose -f docker-compose.yaml run lint
 
 
   formatting:
     runs-on: ubuntu-22.04
     name: Code Formatting
     steps:
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Load Pip cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pip
-          key: pip-${{ hashFiles('.github/requirements.txt') }}
-      - name: Install Poetry & Nox
-        run: pip install -r .github/requirements.txt
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Load Poetry cache for Nox black session
+      # Cache image will only be updated if poetry.lock changes
+      - name: Cache Docker layers
         uses: actions/cache@v4
         with:
-          path: /home/runner/work/datastore-api/datastore-api/.nox/black*
-          key: nox-black-${{ hashFiles('poetry.lock') }}
+          path: ${{ runner.temp }}/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ hashFiles('poetry.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          tags: datastore-api:dev
+          target: dev
+          load: true
+          cache-from: type=local,src=${{ runner.temp }}/.buildx-cache
+          cache-to: type=local,dest=${{ runner.temp }}/.buildx-cache-new,mode=max
+
+      - name: Move Cache
+        run: |
+          rm -rf ${{ runner.temp }}/.buildx-cache
+          mv ${{ runner.temp }}/.buildx-cache-new ${{ runner.temp }}/.buildx-cache
 
-      - name: Run Nox black session
-        run: nox -s black -- --check datastore_api tests noxfile.py
+      - name: Run formatting
+        run: docker compose -f docker-compose.yaml run format
 
 
   safety:
     runs-on: ubuntu-22.04
     name: Dependency Safety
     steps:
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Load Pip cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pip
-          key: pip-${{ hashFiles('.github/requirements.txt') }}
-
-      - name: Install Poetry & Nox
-        run: pip install -r .github/requirements.txt
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Load Poetry cache for Nox safety session
+      # Cache image will only be updated if poetry.lock changes
+      - name: Cache Docker layers
         uses: actions/cache@v4
         with:
-          path: /home/runner/work/datastore-api/datastore-api/.nox/safety*
-          key: nox-safety-${{ hashFiles('poetry.lock') }}
+          path: ${{ runner.temp }}/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ hashFiles('poetry.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          tags: datastore-api:dev
+          target: dev
+          load: true
+          cache-from: type=local,src=${{ runner.temp }}/.buildx-cache
+          cache-to: type=local,dest=${{ runner.temp }}/.buildx-cache-new,mode=max
+
+      - name: Move Cache
+        run: |
+          rm -rf ${{ runner.temp }}/.buildx-cache
+          mv ${{ runner.temp }}/.buildx-cache-new ${{ runner.temp }}/.buildx-cache
+
+      - name: Run safety
+        run: docker compose -f docker-compose.yaml run safety
 
-      - name: Run Nox safety session
-        run: nox -s safety
 
   build:
     needs: [ tests, linting, formatting, safety]
@@ -237,7 +244,19 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Docker compose up
-        run: docker compose -f tests/docker-compose.yaml up -d
+        run: docker compose -f docker-compose.yaml up -d
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Cache image will only be updated if poetry.lock changes
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: ${{ runner.temp }}/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ hashFiles('poetry.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
 
       - name: Docker meta
         id: meta

.gitignore

@@ -8,7 +8,6 @@ venv/
 config.yaml
 !config.yaml.example
 .vscode/
-.nox/
 .python-version
 .coverage
 coverage.xml

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11-slim AS base
+FROM python:3.13-slim AS base
 
 # Set environment variables
 ENV PYTHONUNBUFFERED=1
@@ -74,6 +74,7 @@ RUN poetry install --with dev
 # Copy the project files to the container and install
 COPY config.yaml.example logging.ini.example /app/
 COPY pytest.ini.docker /app/pytest.ini
+COPY .flake8 /app/.flake8
 COPY tests/ /app/tests/
 
 RUN touch hostkey.pem && \
@@ -90,19 +91,9 @@ CMD ["fastapi","run",  "--host=0.0.0.0", "--port=8000", "--reload" ,"/app/datast
 
 
 
-# ~~~Test stage: ~~~#
-#Set up testing environment
-FROM dev AS test
-
-# Run tests
-CMD ["pytest", "--config-file", "pytest.ini"]
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
-
-
-
 # ~~~Production stage: ~~~#
 # Set up production environment
-FROM python:3.11-slim AS prod
+FROM python:3.13-slim AS prod
 ENV PYTHONUNBUFFERED=1
 ENV PATH="/root/.local/bin:$PATH"
 WORKDIR /app
@@ -115,14 +106,18 @@ RUN apt-get update && \
         libcurl4 \
         curl && \
     apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/* \
+    addgroup -g 500 -S datastore; \
+    adduser -S -D -G datastore -H -u 500 -h /app datastore
 
 # Copy installed Python deps and source code
 COPY --from=builder /usr/local /usr/local
 COPY pyproject.toml poetry.lock /app/
 COPY datastore_api/ /app/datastore_api/
 RUN python -m pip install .
 
+USER datastore
+
 # Expose the port the app will run on
 EXPOSE 8000