From 09995c3671891e8f3a5c891f061aeac3a0841ca3 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 19 Nov 2024 10:12:18 -0800 Subject: [PATCH] Eric/cus 10 add automation for deploying to test pypi and prod (#32) * github actions for test and release automation --- .github/workflows/docker-stable.yml | 37 +++++++ .github/workflows/pr-preview.yml | 154 ++++++++++++++++++++++++++++ .github/workflows/release.yml | 99 ++++++++++++++++++ .github/workflows/version-check.yml | 90 ++++++++++++++++ .gitignore | 3 +- Dockerfile | 6 +- pyproject.toml | 4 +- socketsecurity/__init__.py | 2 +- 8 files changed, 390 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/docker-stable.yml create mode 100644 .github/workflows/pr-preview.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/version-check.yml diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml new file mode 100644 index 0000000..0f113b0 --- /dev/null +++ b/.github/workflows/docker-stable.yml @@ -0,0 +1,37 @@ +name: Mark Release as Stable +on: + workflow_dispatch: + inputs: + version: + description: 'Version to mark as stable (e.g., 1.2.3)' + required: true + +jobs: + stable: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Check if version exists in PyPI + id: version_check + run: | + if ! curl -s -f https://pypi.org/pypi/socketsecurity/${{ inputs.version }}/json > /dev/null; then + echo "Error: Version ${{ inputs.version }} not found on PyPI" + exit 1 + fi + echo "Version ${{ inputs.version }} found on PyPI - proceeding with release" + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build & Push Stable Docker + uses: docker/build-push-action@v5 + with: + push: true + platforms: linux/amd64,linux/arm64 + tags: socketdev/cli:stable + build-args: | + CLI_VERSION=${{ inputs.version }} \ No newline at end of file diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml new file mode 100644 index 0000000..8fdd667 --- /dev/null +++ b/.github/workflows/pr-preview.yml @@ -0,0 +1,154 @@ +name: PR Preview +on: + pull_request: + types: [opened, synchronize] + +jobs: + preview: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Set preview version + run: | + BASE_VERSION=$(grep -o "__version__.*" socketsecurity/__init__.py | awk '{print $3}' | tr -d "'") + PREVIEW_VERSION="${BASE_VERSION}.dev${{ github.event.pull_request.number }}${{ github.event.pull_request.commits }}" + echo "VERSION=${PREVIEW_VERSION}" >> $GITHUB_ENV + + # Update version in __init__.py + echo "__version__ = \"${PREVIEW_VERSION}\"" > socketsecurity/__init__.py.tmp + cat socketsecurity/__init__.py | grep -v "__version__" >> socketsecurity/__init__.py.tmp + mv socketsecurity/__init__.py.tmp socketsecurity/__init__.py + + # Verify the change + echo "Updated version in __init__.py:" + cat socketsecurity/__init__.py | grep "__version__" + + - name: Check if version exists on Test PyPI + id: version_check + env: + VERSION: ${{ env.VERSION }} + run: | + if curl -s -f https://test.pypi.org/pypi/socketsecurity/$VERSION/json > /dev/null; then + echo "Version ${VERSION} already exists on Test PyPI" + echo "exists=true" >> $GITHUB_OUTPUT + else + echo "Version ${VERSION} not found on Test PyPI" + echo "exists=false" >> $GITHUB_OUTPUT + fi + + - name: Build package + if: steps.version_check.outputs.exists != 'true' + run: | + pip install build + python -m build + + - name: Restore original version + if: always() + run: | + BASE_VERSION=$(echo $VERSION | cut -d'.' -f1-3) + echo "__version__ = \"${BASE_VERSION}\"" > socketsecurity/__init__.py.tmp + cat socketsecurity/__init__.py | grep -v "__version__" >> socketsecurity/__init__.py.tmp + mv socketsecurity/__init__.py.tmp socketsecurity/__init__.py + + - name: Publish to Test PyPI + if: steps.version_check.outputs.exists != 'true' + uses: pypa/gh-action-pypi-publish@v1.8.11 + with: + repository-url: https://test.pypi.org/legacy/ + password: ${{ secrets.TEST_PYPI_TOKEN }} + verbose: true + + - name: Comment on PR + if: steps.version_check.outputs.exists != 'true' + uses: actions/github-script@v7 + env: + VERSION: ${{ env.VERSION }} + with: + script: | + const version = process.env.VERSION; + const prNumber = context.payload.pull_request.number; + const owner = context.repo.owner; + const repo = context.repo.repo; + // Find existing bot comments + const comments = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: prNumber, + }); + + const botComment = comments.data.find(comment => + comment.user.type === 'Bot' && + comment.body.includes('🚀 Preview package published!') + ); + + const comment = ` + 🚀 Preview package published! + + Install with: + \`\`\`bash + pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==${version} + \`\`\` + + Docker image: \`socketdev/cli:pr-${prNumber}\` + `; + + if (botComment) { + // Update existing comment + await github.rest.issues.updateComment({ + owner: owner, + repo: repo, + comment_id: botComment.id, + body: comment + }); + } else { + // Create new comment + await github.rest.issues.createComment({ + owner: owner, + repo: repo, + issue_number: prNumber, + body: comment + }); + } + + - name: Verify package is available + if: steps.version_check.outputs.exists != 'true' + id: verify_package + env: + VERSION: ${{ env.VERSION }} + run: | + for i in {1..30}; do + if pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==${VERSION}; then + echo "Package ${VERSION} is now available and installable on Test PyPI" + pip uninstall -y socketsecurity + echo "success=true" >> $GITHUB_OUTPUT + exit 0 + fi + echo "Attempt $i: Package not yet installable, waiting 20s... (${i}/30)" + sleep 20 + done + echo "success=false" >> $GITHUB_OUTPUT + exit 1 + + - name: Login to Docker Hub + if: steps.verify_package.outputs.success == 'true' + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build & Push Docker Preview + if: steps.verify_package.outputs.success == 'true' + uses: docker/build-push-action@v5 + env: + VERSION: ${{ env.VERSION }} + with: + push: true + tags: socketdev/cli:pr-${{ github.event.pull_request.number }} + build-args: | + CLI_VERSION=${{ env.VERSION }} + PIP_INDEX_URL=https://test.pypi.org/simple + PIP_EXTRA_INDEX_URL=https://pypi.org/simple \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..1004ce6 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,99 @@ +name: Release +on: + push: + tags: + - 'v*' + +jobs: + release: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Get Version + id: version + run: | + RAW_VERSION=$(python -c "from socketsecurity import __version__; print(__version__)") + echo "VERSION=$RAW_VERSION" >> $GITHUB_ENV + if [ "v$RAW_VERSION" != "${{ github.ref_name }}" ]; then + echo "Error: Git tag (${{ github.ref_name }}) does not match package version (v$RAW_VERSION)" + exit 1 + fi + + - name: Check if version exists on PyPI + id: version_check + env: + VERSION: ${{ env.VERSION }} + run: | + if curl -s -f https://pypi.org/pypi/socketsecurity/$VERSION/json > /dev/null; then + echo "Version ${VERSION} already exists on PyPI" + echo "pypi_exists=true" >> $GITHUB_OUTPUT + else + echo "Version ${VERSION} not found on PyPI - proceeding with PyPI deployment" + echo "pypi_exists=false" >> $GITHUB_OUTPUT + fi + + - name: Check Docker image existence + id: docker_check + env: + VERSION: ${{ env.VERSION }} + run: | + if curl -s -f "https://hub.docker.com/v2/repositories/socketdev/cli/tags/${{ env.VERSION }}" > /dev/null; then + echo "Docker image socketdev/cli:${VERSION} already exists" + echo "docker_exists=true" >> $GITHUB_OUTPUT + else + echo "docker_exists=false" >> $GITHUB_OUTPUT + fi + + - name: Build package + if: steps.version_check.outputs.pypi_exists != 'true' + run: | + pip install build + python -m build + + - name: Publish to PyPI + if: steps.version_check.outputs.pypi_exists != 'true' + uses: pypa/gh-action-pypi-publish@v1.8.11 + with: + password: ${{ secrets.PYPI_TOKEN }} + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Verify package is installable + id: verify_package + env: + VERSION: ${{ env.VERSION }} + run: | + for i in {1..30}; do + if pip install socketsecurity==${VERSION}; then + echo "Package ${VERSION} is now available and installable on PyPI" + pip uninstall -y socketsecurity + echo "success=true" >> $GITHUB_OUTPUT + exit 0 + fi + echo "Attempt $i: Package not yet installable, waiting 20s... (${i}/30)" + sleep 20 + done + echo "success=false" >> $GITHUB_OUTPUT + exit 1 + + - name: Build & Push Docker + if: | + steps.verify_package.outputs.success == 'true' && + steps.docker_check.outputs.docker_exists != 'true' + uses: docker/build-push-action@v5 + env: + VERSION: ${{ env.VERSION }} + with: + push: true + platforms: linux/amd64,linux/arm64 + tags: | + socketdev/cli:latest + socketdev/cli:${{ env.VERSION }} \ No newline at end of file diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml new file mode 100644 index 0000000..96cdc09 --- /dev/null +++ b/.github/workflows/version-check.yml @@ -0,0 +1,90 @@ +name: Version Check +on: + pull_request: + types: [opened, synchronize] + paths: + - 'socketsecurity/**' + - 'setup.py' + - 'pyproject.toml' + +jobs: + check_version: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Fetch all history for all branches + + - name: Check version increment + id: version_check + run: | + # Get version from current PR + PR_VERSION=$(grep -o "__version__.*" socketsecurity/__init__.py | awk '{print $3}' | tr -d "'") + echo "PR_VERSION=$PR_VERSION" >> $GITHUB_ENV + + # Get version from main branch + git checkout origin/main + MAIN_VERSION=$(grep -o "__version__.*" socketsecurity/__init__.py | awk '{print $3}' | tr -d "'") + echo "MAIN_VERSION=$MAIN_VERSION" >> $GITHUB_ENV + + # Compare versions using Python + python3 -c " + from packaging import version + pr_ver = version.parse('${PR_VERSION}') + main_ver = version.parse('${MAIN_VERSION}') + if pr_ver <= main_ver: + print(f'❌ Version must be incremented! Main: {main_ver}, PR: {pr_ver}') + exit(1) + print(f'✅ Version properly incremented from {main_ver} to {pr_ver}') + " + + - name: Manage PR Comment + uses: actions/github-script@v7 + if: always() + env: + MAIN_VERSION: ${{ env.MAIN_VERSION }} + PR_VERSION: ${{ env.PR_VERSION }} + CHECK_RESULT: ${{ steps.version_check.outcome }} + with: + script: | + const success = process.env.CHECK_RESULT === 'success'; + const prNumber = context.payload.pull_request.number; + const owner = context.repo.owner; + const repo = context.repo.repo; + const comments = await github.rest.issues.listComments({ + owner: owner, + repo: repo, + issue_number: prNumber, + }); + + const versionComment = comments.data.find(comment => + comment.user.type === 'Bot' && + comment.body.includes('Version Check') + ); + + if (versionComment) { + if (success) { + // Delete the warning comment if check passes + await github.rest.issues.deleteComment({ + owner: owner, + repo: repo, + comment_id: versionComment.id + }); + } else { + // Update existing warning + await github.rest.issues.updateComment({ + owner: owner, + repo: repo, + comment_id: versionComment.id, + body: `❌ **Version Check Failed**\n\nPlease increment...` + }); + } + } else if (!success) { + // Create new warning comment only if check fails + await github.rest.issues.createComment({ + owner: owner, + repo: repo, + issue_number: prNumber, + body: `❌ **Version Check Failed**\n\nPlease increment...` + }); + } \ No newline at end of file diff --git a/.gitignore b/.gitignore index 5738fef..405a91f 100644 --- a/.gitignore +++ b/.gitignore @@ -19,4 +19,5 @@ markdown_security_temp.md *.pyc test.py *.cpython-312.pyc` -file_generator.py \ No newline at end of file +file_generator.py +.env.local \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 569e2fd..949ec58 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,12 @@ FROM python:3-alpine LABEL org.opencontainers.image.authors="socket.dev" ARG CLI_VERSION +ARG PIP_INDEX_URL=https://pypi.org/simple +ARG PIP_EXTRA_INDEX_URL=https://pypi.org/simple + RUN apk update \ && apk add --no-cache git nodejs npm yarn -RUN pip install socketsecurity --upgrade \ + +RUN pip install --index-url ${PIP_INDEX_URL} --extra-index-url ${PIP_EXTRA_INDEX_URL} socketsecurity==$CLI_VERSION \ && socketcli -v \ && socketcli -v | grep -q $CLI_VERSION \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index 2c8ddf8..7ff90d9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,9 +10,8 @@ dependencies = [ 'requests', 'mdutils', 'prettytable', - 'argparse', 'GitPython', - 'packaging' + 'packaging', ] readme = "README.md" description = "Socket Security CLI for CI/CD" @@ -32,6 +31,7 @@ classifiers = [ "Programming Language :: Python :: 3.12", ] + [project.scripts] socketcli = "socketsecurity.socketcli:cli" diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index 554e76e..9a1ba0c 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,2 +1,2 @@ __author__ = 'socket.dev' -__version__ = '1.0.32' +__version__ = '1.0.36'