286 pull access denied attempting to download planetmint docker image (#307)

* simplified CI workflows * added docker image publishing on gh * added arm buildxy * added CI changes * adjusted CI workflow * fixed some vulnerability by upgrading dependencies * changed Dockerfile-dev to be the default Signed-off-by: Jürgen Eckel <juergen@riddleandcode.com>
2025-10-14 00:59:17 +00:00 · 2023-01-31 09:55:19 +01:00 · 2023-01-31 09:55:19 +01:00 · 9a74a9c987
commit 9a74a9c987
parent 599f64f68c
8 changed files with 202 additions and 111 deletions
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@ -0,0 +1,170 @@
 # Copyright © 2020 Interplanetary Database Association e.V.,
 # Planetmint and IPDB software contributors.
 # SPDX-License-Identifier: (Apache-2.0 AND CC-BY-4.0)
 # Code is Apache-2.0 and docs are CC-BY-4.0
 ---
 name: CI
 on:
  push:
    branches:
      - "*"
    tags:
      - "v*.*.*"
  pull_request:
    branches:
      - "main"
 permissions: 
  packages: write
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: psf/black@stable
        with:
          options: "--check -l 119"
          src: "."
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: 3.9
      - name: Install pip-audit
        run: pip install --upgrade pip pip-audit 
      - name: Install dependencies
        run: pip install .
      - name: Create requirements.txt
        run: pip freeze > requirements.txt
      - name: Audit dependencies
        run: pip-audit --ignore-vuln PYSEC-2022-42969 --ignore-vuln PYSEC-2022-203 --ignore-vuln GHSA-r9hx-vwmv-q579
  test:
    needs: lint
    runs-on: ubuntu-latest
    env:
      PLANETMINT_DATABASE_BACKEND: tarantool_db
      PLANETMINT_DATABASE_HOST: localhost
      PLANETMINT_DATABASE_PORT: 3303
      PLANETMINT_SERVER_BIND: 0.0.0.0:9984
      PLANETMINT_WSSERVER_HOST: 0.0.0.0
      PLANETMINT_WSSERVER_ADVERTISED_HOST: localhost
      PLANETMINT_TENDERMINT_HOST: localhost
      PLANETMINT_TENDERMINT_PORT: 26657
    steps:
      - name: Check out repository code
        uses: actions/checkout@v3
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: 3.9
      - name: Prepare OS
        run: sudo apt-get update && sudo apt-get install -y git zsh curl tarantool-common vim build-essential cmake 
      - name: Get Tendermint
        run: wget https://github.com/tendermint/tendermint/releases/download/v0.34.15/tendermint_0.34.15_linux_amd64.tar.gz && tar zxf tendermint_0.34.15_linux_amd64.tar.gz
      - name: Install Planetmint
        run: pip install -e '.[dev]'
      - name: Execute Tests
        run: make test
  release:
    needs: test
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v3
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: 3.9
      - name: Setup poetry
        uses: Gr1N/setup-poetry@v7
      - name: Install dependencies
        run: pip install -e '.[dev]' && pip install wheel && python setup.py bdist_wheel sdist
      - name: Upload to PyPI
        run: |
          twine check dist/*
          twine upload dist/*
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
      - name: Upload to GitHub
        uses: softprops/action-gh-release@v1
        with:
          files: dist/*
  publish-docker:
    needs: release
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      # Get the repository's code
      - name: Checkout
        uses: actions/checkout@v2
      # https://github.com/docker/setup-qemu-action
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
      - name: Login to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GH_PACKAGE_DEPLOYMENT }}
      - name: Docker meta
        id: semver # you'll use this in the next step
        uses: docker/metadata-action@v3
        with:
          # list of Docker images to use as base name for tags
          images: |
            ghcr.io/planetmint/planetmint
          # Docker tags based on the following events/attributes
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.semver.outputs.tags }}
          labels: ${{ steps.semver.outputs.labels }}
          env:
          CRYPTOGRAPHY_DONT_BUILD_RUST: 1
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@ -31,6 +31,4 @@ jobs:
        run: pip freeze > requirements.txt
      - name: Audit dependencies
-        run: pip-audit
+        run: pip-audit --ignore-vuln PYSEC-2022-42969 --ignore-vuln PYSEC-2022-203 --ignore-vuln GHSA-r9hx-vwmv-q579
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -1,17 +0,0 @@
 # Copyright © 2020 Interplanetary Database Association e.V.,
 # Planetmint and IPDB software contributors.
 # SPDX-License-Identifier: (Apache-2.0 AND CC-BY-4.0)
 # Code is Apache-2.0 and docs are CC-BY-4.0
 name: Lint
 on: [push, pull_request]
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: psf/black@stable
        with:
          options: "--check -l 119"
          src: "."
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@ -1,30 +0,0 @@
 name: Deploy packages
 on: 
  push:
    tags:
      - '*'
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v3
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: 3.9
      - name: Install dependencies
        run: pip install -e '.[dev]' && pip install wheel && python setup.py bdist_wheel sdist
      - name: Upload to TestPyPI
        run: |
          twine check dist/*
          twine upload dist/*
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@ -1,42 +0,0 @@
 # Copyright © 2020 Interplanetary Database Association e.V.,
 # Planetmint and IPDB software contributors.
 # SPDX-License-Identifier: (Apache-2.0 AND CC-BY-4.0)
 # Code is Apache-2.0 and docs are CC-BY-4.0
 name: Unit tests 
 on: [push, pull_request]
 jobs:
  unified-unit-tests:
    runs-on: ubuntu-latest
    env:
      PLANETMINT_DATABASE_BACKEND: tarantool_db
      PLANETMINT_DATABASE_HOST: localhost
      PLANETMINT_DATABASE_PORT: 3303
      PLANETMINT_SERVER_BIND: 0.0.0.0:9984
      PLANETMINT_WSSERVER_HOST: 0.0.0.0
      PLANETMINT_WSSERVER_ADVERTISED_HOST: localhost
      PLANETMINT_TENDERMINT_HOST: localhost
      PLANETMINT_TENDERMINT_PORT: 26657
    steps:
      - name: Check out repository code
        uses: actions/checkout@v3
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: 3.9
      - name: Prepare OS
        run: sudo apt-get update && sudo apt-get install -y git zsh curl tarantool-common vim build-essential cmake 
      - name: Get Tendermint
        run: wget https://github.com/tendermint/tendermint/releases/download/v0.34.15/tendermint_0.34.15_linux_amd64.tar.gz && tar zxf tendermint_0.34.15_linux_amd64.tar.gz
      - name: Install Planetmint
        run: pip install -e '.[dev]'
      - name: Execute Tests
        run: make test
--- a/40
+++ b/40
@ -1,24 +1,36 @@
-FROM python:3.9
+ARG python_version=3.9
 FROM python:${python_version}-slim
 LABEL maintainer "contact@ipdb.global"
-RUN mkdir -p /usr/src/app
+
-COPY . /usr/src/app/
+RUN apt-get update \
-WORKDIR /usr/src/app
+    && apt-get install -y git zsh curl\
-RUN apt-get -qq update \
+    && apt-get install -y tarantool-common\
-    && apt-get -y upgrade \
+    && apt-get install -y vim build-essential cmake\
-    && apt-get install -y jq vim zsh build-essential cmake\
+    && pip install -U pip \
    && pip install . \
    && apt-get autoremove \
    && apt-get clean
 ARG backend
 ARG abci_status
-VOLUME ["/data", "/certs"]
+# When developing with Python in a docker container, we are using PYTHONBUFFERED
-
+# to force stdin, stdout and stderr to be totally unbuffered and to capture logs/outputs
 ENV PYTHONUNBUFFERED 0
-ENV PLANETMINT_CONFIG_PATH /data/.planetmint
+
 ENV PLANETMINT_DATABASE_PORT 3303
 ENV PLANETMINT_DATABASE_BACKEND $backend
 ENV PLANETMINT_SERVER_BIND 0.0.0.0:9984
 ENV PLANETMINT_WSSERVER_HOST 0.0.0.0
 ENV PLANETMINT_WSSERVER_SCHEME ws
 ENV PLANETMINT_WSSERVER_ADVERTISED_HOST 0.0.0.0
 ENV PLANETMINT_WSSERVER_ADVERTISED_SCHEME ws
-ENV PLANETMINT_WSSERVER_ADVERTISED_PORT 9985
+
-ENTRYPOINT ["planetmint"]
+ENV PLANETMINT_TENDERMINT_PORT 26657
-CMD ["start"]
+
 ENV PLANETMINT_CI_ABCI ${abci_status}
 RUN mkdir -p /usr/src/app
 COPY . /usr/src/app/
 WORKDIR /usr/src/app
 RUN pip install -e .[dev]
 RUN pip install flask-cors
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -32,7 +32,7 @@ services:
      - tarantool
    build:
      context: .
-      dockerfile: Dockerfile-dev
+      dockerfile: Dockerfile
    volumes:
      - ./planetmint:/usr/src/app/planetmint
      - ./tests:/usr/src/app/tests
@ -60,7 +60,7 @@ services:
      interval: 3s
      timeout: 5s
      retries: 5
-    command: 'scripts/entrypoint.sh'
+    command: 'planetmint -l DEBUG start'
    restart: always
  tendermint:
@ -94,7 +94,7 @@ services:
      - vdocs
    build:
      context: .
-      dockerfile: Dockerfile-dev
+      dockerfile: Dockerfile
      args:
        backend: tarantool
    volumes:
--- a/setup.py
+++ b/setup.py
@ -47,7 +47,7 @@ docs_require = [
    "aafigure==0.6",
    "alabaster==0.7.12",
    "Babel==2.10.1",
-    "certifi==2021.10.8",
+    "certifi==2022.12.7",
    "charset-normalizer==2.0.12",
    "commonmark==0.9.1",
    "docutils==0.17.1",
@ -125,7 +125,7 @@ install_requires = [
    "setproctitle==1.2.2",
    "werkzeug==2.0.3",
    "nest-asyncio==1.5.5",
-    "protobuf==3.20.1",
+    "protobuf==3.20.2",
    "planetmint-ipld>=0.0.3",
    "pyasn1>=0.4.8",
    "python-decouple",