Merge pull request #239 from ral-facilities/release/v2.0.0

Release v2.0.0

Author: VKTB

ldap_jwt_auth/.env.example .env.exampleldap_jwt_auth/.env.example renamed to .env.example

@@ -1,11 +1,16 @@
 ## Description
+
 Enter a description of the changes here
 
 ## Testing instructions
+
 Add a set of instructions describing how the reviewer should test the code
+
 - [ ] Review code
 - [ ] Check Actions build
+- [ ] Review changes to test coverage
 - [ ] {more steps here}
 
 ## Agile board tracking
+
 closes #{issue_number}

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,6 +1,11 @@
 name: CI
 on:
   workflow_dispatch:
+    inputs:
+      push-docker-image-to-harbor:
+        description: "Push Docker Image to Harbor"
+        type: boolean
+        default: false
   pull_request:
   push:
     branches:
@@ -35,6 +40,9 @@ jobs:
           python -m pip install .[code-analysis]
           python -m pip install -r requirements.txt
 
+      - name: Run black
+        run: black --check --line-length 120 ldap_jwt_auth test
+
       - name: Run pylint
         run: pylint ldap_jwt_auth
 
@@ -45,57 +53,56 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Install python-ldap system dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev
-
-      - name: Set up Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-        with:
-          python-version: "3.12"
-          cache: "pip"
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install .[test]
-          python -m pip install -r requirements.txt
-
       - name: Create logging configuration file
-        run: cp ldap_jwt_auth/logging.example.ini ldap_jwt_auth/logging.ini
+        run: cp logging.example.ini logging.ini
 
       - name: Run unit tests
-        run: pytest -c test/pytest.ini test/unit/ --cov
+        run: |
+          docker build --file Dockerfile --target test --tag ldap-jwt-auth:test .
+          docker run \
+           --name ldap-jwt-auth \
+           --volume ./logging.ini:/app/logging.ini \
+           ldap-jwt-auth:test \
+           pytest --config-file test/pytest.ini --cov ldap_jwt_auth --cov-report xml test/unit -v
+          docker cp ldap-jwt-auth:/app/coverage.xml coverage.xml
+
+      - name: Upload coverage reports to Codecov
+        if: success()
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
 
   docker:
-    # This job triggers only if all the other jobs succeed. It builds the Docker image and if successful,
-    # it pushes it to Harbor.
+    # This job triggers only if all the other jobs succeed. It builds the Docker image
+    # and if run manually from Github Actions, it pushes to Harbor.
     needs: [linting, unit-tests]
     name: Docker
     runs-on: ubuntu-latest
+    env:
+      PUSH_DOCKER_IMAGE_TO_HARBOR: ${{ inputs.push-docker-image-to-harbor != null && inputs.push-docker-image-to-harbor || 'false' }}
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ vars.HARBOR_URL }}/auth-api
+
       - name: Login to Harbor
+        if: ${{ fromJSON(env.PUSH_DOCKER_IMAGE_TO_HARBOR) }}
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
-          registry: ${{ secrets.HARBOR_URL }}
+          registry: ${{ vars.HARBOR_URL }}
           username: ${{ secrets.HARBOR_USERNAME }}
           password: ${{ secrets.HARBOR_TOKEN }}
 
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ${{ secrets.HARBOR_URL }}/auth-api
-
-      - name: Build and push Docker image to Harbor
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+      - name: ${{ fromJSON(env.PUSH_DOCKER_IMAGE_TO_HARBOR) && 'Build and push Docker image to Harbor' || 'Build Docker image' }}
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
-          file: ./Dockerfile.prod
-          push: true
+          push: ${{ fromJSON(env.PUSH_DOCKER_IMAGE_TO_HARBOR) }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          target: prod

.github/workflows/.ci.yml

@@ -1,7 +1,7 @@
 name: Release Build
 on:
   push:
-    tags: 'v*'
+    tags: "v*"
 
 permissions:
   contents: read
@@ -18,23 +18,23 @@ jobs:
       - name: Login to Harbor
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
-          registry: ${{ secrets.HARBOR_URL }}
+          registry: ${{ vars.HARBOR_URL }}
           username: ${{ secrets.HARBOR_USERNAME }}
           password: ${{ secrets.HARBOR_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
-          images: ${{ secrets.HARBOR_URL }}/auth-api
+          images: ${{ vars.HARBOR_URL }}/auth-api
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
           flavor: |
             latest=false
 
       - name: Build and push Docker image to Harbor
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./Dockerfile.prod

.github/workflows/release-build.yml

@@ -1,4 +1,4 @@
-ldap_jwt_auth/logging.ini
+logging.ini
 /active_usernames.txt
 keys/*
 !keys/.keep

.gitignore

@@ -1,19 +1,57 @@
-FROM python:3.12.10-alpine3.21@sha256:e5956ba054e89858c706f038a980241ea38565176619f1a2695cb9b039ea1265
+FROM python:3.12.11-alpine3.22@sha256:c610e4a94a0e8b888b4b225bfc0e6b59dee607b1e61fb63ff3926083ff617216 AS base
 
-WORKDIR /ldap-jwt-auth-run
+# Install python-ldap system dependencies
+RUN apk add --no-cache build-base openldap-dev
+
+WORKDIR /app
 
 COPY pyproject.toml requirements.txt ./
 COPY ldap_jwt_auth/ ldap_jwt_auth/
 
+
+FROM base AS dev
+
+WORKDIR /app
+
 RUN --mount=type=cache,target=/root/.cache \
     set -eux; \
     \
-    # Install python-ldap system dependencies \
-    apk add --no-cache build-base openldap-dev; \
+    pip install --no-cache-dir .[dev]; \
+    # Ensure the pinned versions of the production dependencies and subdependencies are installed \
+    pip install --no-cache-dir --requirement requirements.txt;
+
+CMD ["fastapi", "dev", "ldap_jwt_auth/main.py", "--host", "0.0.0.0", "--port", "8000"]
+
+EXPOSE 8000
+
+
+FROM dev AS test
+
+WORKDIR /app
+
+COPY test/ test/
+
+CMD ["pytest",  "--config-file", "test/pytest.ini", "-v"]
+
+
+FROM base AS prod
+
+WORKDIR /app
+
+RUN --mount=type=cache,target=/root/.cache \
+    set -eux; \
     \
-    python -m pip install .[dev]; \
+    # Ensure the package gets installed properly using the pyproject.toml file \
+    pip install --no-cache-dir .; \
     # Ensure the pinned versions of the production dependencies and subdependencies are installed \
-    python -m pip install --no-cache-dir --requirement requirements.txt;
+    pip install --no-cache-dir --requirement requirements.txt; \
+    \
+    # Create a non-root user to run as \
+    addgroup -g 500 -S ldap-jwt-auth; \
+    adduser -S -D -G ldap-jwt-auth -H -u 500 -h /app ldap-jwt-auth;
+
+USER ldap-jwt-auth
+
+CMD ["fastapi", "run", "ldap_jwt_auth/main.py", "--host", "0.0.0.0", "--port", "8000"]
 
-CMD ["uvicorn", "ldap_jwt_auth.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"]
 EXPOSE 8000