Merge pull request #2 from cisagov/improvement/upstream

Pull in upstream improvements
cisagov · Nov 15, 2019 · d626d6c · d626d6c
2 parents 4f2a12a + db4220d
commit d626d6c
Show file tree

Hide file tree

Showing 10 changed files with 176 additions and 78 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,97 @@
+---
+name: build
+
+on: [push]
+
+env:
+  IMAGE_NAME: cisagov/certboto
+  PIP_CACHE_DIR: ~/.cache/pip
+  PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Cache pip test requirements
+        uses: actions/cache@v1
+        with:
+          path: ${{ env.PIP_CACHE_DIR }}
+          key: "${{ runner.os }}-pip-test-\
+            ${{ hashFiles('**/requirements-test.txt') }}"
+          restore-keys: |
+            ${{ runner.os }}-pip-test-
+            ${{ runner.os }}-pip-
+      - name: Cache pre-commit hooks
+        uses: actions/cache@v1
+        with:
+          path: ${{ env.PRE_COMMIT_CACHE_DIR }}
+          key: "${{ runner.os }}-pre-commit-\
+            ${{ hashFiles('**/.pre-commit-config.yaml') }}"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install --upgrade -r requirements-test.txt
+      - name: Run linters on all files
+        run: pre-commit run --all-files
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Determine image version
+        id: get_ver
+        run: |
+          echo "##[set-output name=version;]$(./bump_version.sh show)"
+      - name: Build docker image
+        run: |
+          version=$(./bump_version.sh show)
+          docker build \
+            --tag "$IMAGE_NAME" \
+            --build-arg GIT_COMMIT=$(git log -1 --format=%H) \
+            --build-arg GIT_REMOTE=$(git remote get-url origin) \
+            --build-arg VERSION=${{ steps.get_ver.outputs.version }} \
+            .
+      - name: Save docker image artifact
+        run: |
+          mkdir dist
+          version=$(./bump_version.sh show)
+          docker save $IMAGE_NAME:latest | gzip > dist/image.tar.gz
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v1
+        with:
+          name: dist
+          path: dist
+  test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Cache pip test requirements
+        uses: actions/cache@v1
+        with:
+          path: ${{ env.PIP_CACHE_DIR }}
+          key: "${{ runner.os }}-pip-test-\
+            ${{ hashFiles('**/requirements-test.txt') }}"
+          restore-keys: |
+            ${{ runner.os }}-pip-test-
+            ${{ runner.os }}-pip-
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install --upgrade -r requirements-test.txt
+      - name: Download docker image artifact
+        uses: actions/download-artifact@v1
+        with:
+          name: dist
+      - name: Load docker image
+        run: docker load < dist/image.tar.gz
+      - name: Run tests
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: pytest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,53 @@
+---
+name: release
+
+on:
+  release:
+    types: [prereleased, released]
+
+env:
+  IMAGE_NAME: cisagov/certboto
+  DOCKER_PW: ${{ secrets.DOCKER_PW }}
+  DOCKER_USER: ${{ secrets.DOCKER_USER }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+      - name: Determine image version
+        id: get_ver
+        run: |
+          echo "##[set-output name=version;]$(./bump_version.sh show)"
+      - name: Build Docker image
+        run: |
+          docker build \
+            --tag "$IMAGE_NAME" \
+            --build-arg GIT_COMMIT=$(git log -1 --format=%H) \
+            --build-arg GIT_REMOTE=$(git remote get-url origin) \
+            --build-arg VERSION=${{ steps.get_ver.outputs.version }} \
+            .
+      - name: Tag Docker image
+        run: |
+          IFS='.' read -r -a version_array \
+            <<< "${{ steps.get_ver.outputs.version }}"
+          docker login --username "$DOCKER_USER" --password "$DOCKER_PW"
+          docker tag "$IMAGE_NAME" "${IMAGE_NAME}:latest"
+          docker tag "$IMAGE_NAME" \
+            "${IMAGE_NAME}:${{ steps.get_ver.outputs.version }}"
+          docker tag "$IMAGE_NAME" \
+            "${IMAGE_NAME}:${version_array[0]}.${version_array[1]}"
+          docker tag "$IMAGE_NAME" "${IMAGE_NAME}:${version_array[0]}"
+      - name: Publish image to Docker Hub
+        run: |
+          IFS='.' read -r -a version_array \
+            <<< "${{ steps.get_ver.outputs.version }}"
+          docker push "${IMAGE_NAME}:latest"
+          docker push "${IMAGE_NAME}:${{ steps.get_ver.outputs.version }}"
+          docker push "${IMAGE_NAME}:${version_array[0]}.${version_array[1]}"
+          docker push "${IMAGE_NAME}:${version_array[0]}"
+      - name: Publish README.md to Docker Hub
+        run: ./push_readme.sh
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.2.3
+    rev: v2.4.0
     hooks:
       - id: check-executables-have-shebangs
       - id: check-json
@@ -24,32 +24,32 @@ repos:
       - id: requirements-txt-fixer
       - id: trailing-whitespace
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.17.0
+    rev: v0.19.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.json
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.16.0
+    rev: v1.18.0
     hooks:
       - id: yamllint
   - repo: https://github.com/detailyang/pre-commit-shell
     rev: 1.0.5
     hooks:
       - id: shell-lint
   - repo: https://gitlab.com/pycqa/flake8
-    rev: 3.7.7
+    rev: 3.7.9
     hooks:
       - id: flake8
         additional_dependencies:
           - flake8-docstrings
   - repo: https://github.com/asottile/pyupgrade
-    rev: v1.19.0
+    rev: v1.25.1
     hooks:
       - id: pyupgrade
   # Run bandit on "tests" tree with a configuration
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.6.1
+    rev: 1.6.2
     hooks:
       - id: bandit
         name: bandit (tests tree)
@@ -64,11 +64,11 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/python/black
-    rev: 19.3b0
+    rev: 19.10b0
     hooks:
       - id: black
   - repo: https://github.com/ansible/ansible-lint.git
-    rev: v4.1.0a0
+    rev: v4.1.1a3
     hooks:
       - id: ansible-lint
   - repo: https://github.com/antonbabenko/pre-commit-terraform.git

diff --git a/.travis.yml b/.travis.yml
diff --git a/Dockerfile b/Dockerfile
@@ -15,7 +15,7 @@ LABEL vendor="Cyber and Infrastructure Security Agency"
 LABEL version=${VERSION}
 
 RUN apk add python3
-RUN pip3 install --upgrade pip && pip3 install awscli docopt
+RUN pip3 install --upgrade pip && pip3 install --upgrade awscli boto3 docopt
 COPY src/rebuild-symlinks.py src/entrypoint.sh src/version.txt /opt/certbot/
 COPY src/config /root/.aws/config
 RUN ln -snf /run/secrets/credentials /root/.aws/credentials

diff --git a/README.md b/README.md
@@ -1,13 +1,13 @@
 # certboto-docker 📜🤖☁️🐳 #
 
-[![Build Status](https://travis-ci.com/cisagov/certboto-docker.svg?branch=develop)](https://travis-ci.com/cisagov/certboto-docker)
+[![GitHub Build Status](https://github.com/cisagov/certboto-docker/workflows/build/badge.svg)](https://github.com/cisagov/certboto-docker/actions)
 [![Total alerts](https://img.shields.io/lgtm/alerts/g/cisagov/certboto-docker.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/certboto-docker/alerts/)
 [![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/cisagov/certboto-docker.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/certboto-docker/context:python)
 
 ## Docker Image ##
 
-![MicroBadger Layers](https://img.shields.io/microbadger/layers/dhsncats/certboto.svg)
-![MicroBadger Size](https://img.shields.io/microbadger/image-size/dhsncats/certboto.svg)
+![MicroBadger Layers](https://img.shields.io/microbadger/layers/cisagov/certboto.svg)
+![MicroBadger Size](https://img.shields.io/microbadger/image-size/cisagov/certboto.svg)
 
 Certboto combines all the convenience of [Certbot](https://certbot.eff.org)
 with the cloudiness of [AWS S3 buckets](https://aws.amazon.com/s3/)
@@ -51,7 +51,7 @@ secrets:
 
 services:
   certboto:
-    image: dhsncats/certboto
+    image: cisagov/certboto
     init: true
     restart: "no"
     environment:
@@ -64,13 +64,13 @@ services:
         target: credentials
 ```
 
-Pull `dhsncats/certboto` from [Docker hub](https://hub.docker.com):
+Pull `cisagov/certboto` from [Docker hub](https://hub.docker.com):
 
 ```console
 docker-compose pull
 ```
 
-Or build `dhsncats/certboto` from source:
+Or build `cisagov/certboto` from source:
 
 ```console
 git clone https://github.com/cisagov/certboto-docker.git

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -15,7 +15,7 @@ services:
       # e.g., --build-arg VERSION=0.0.1
       context: .
       dockerfile: Dockerfile
-    image: dhsncats/certboto
+    image: cisagov/certboto
     init: true
     restart: "no"
     environment:
@@ -29,7 +29,7 @@ services:
 
   certboto-version:
     # Run the container to collect version information
-    image: dhsncats/certboto
+    image: cisagov/certboto
     init: true
     restart: "no"
     command: --version
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
@@ -2,6 +2,9 @@
 
 set -o nounset
 set -o errexit
+# Sha-bang cannot be /bin/bash (not available), but
+# the container's /bin/sh does support pipefail.
+# shellcheck disable=SC2039
 set -o pipefail
 
 if [ "$1" = "--version" ]; then

diff --git a/src/version.txt b/src/version.txt
@@ -1 +1 @@
-__version__ = "0.0.1"
+__version__ = "0.0.2"
diff --git a/tests/container_test.py b/tests/container_test.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env pytest -vs
-"""Tests for example container."""
+"""Tests for certboto container."""
 
 import os
 import time
@@ -10,7 +10,7 @@
 ENV_VAR_VAL = "Hello World from docker-compose!"
 READY_MESSAGE = "Syncing certbot configs"
 TOKEN_ERROR_MESSAGE = "The security token included in the request is invalid"  # nosec
-TRAVIS_TAG = os.getenv("TRAVIS_TAG")
+RELEASE_TAG = os.getenv("RELEASE_TAG")
 VERSION_FILE = "src/version.txt"
 
 
@@ -54,7 +54,7 @@ def test_output(main_container):
 
 
 @pytest.mark.skipif(
-    TRAVIS_TAG in [None, ""], reason="this is not a release (TRAVIS_TAG not set)"
+    RELEASE_TAG in [None, ""], reason="this is not a release (RELEASE_TAG not set)"
 )
 def test_release_version():
     """Verify that release tag version agrees with the module version."""
@@ -63,8 +63,8 @@ def test_release_version():
         exec(f.read(), pkg_vars)  # nosec
     project_version = pkg_vars["__version__"]
     assert (
-        TRAVIS_TAG == f"v{project_version}"
-    ), "TRAVIS_TAG does not match the project version"
+        RELEASE_TAG == f"v{project_version}"
+    ), "RELEASE_TAG does not match the project version"
 
 
 def test_log_version(version_container):