🔧 (on_release.yml): Remove unnecessary echo statements from deployment script for cleaner logs and better security

♻️ (on_release.yml): Remove redundant curl command to clean up the code and improve readability

.gitea/workflows/on_release.yml

@@ -3,71 +3,53 @@ name: Creates a docker image for production
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 jobs:
-  build:
+  build_docker:
     name: Build the docker image
     runs-on: ubuntu-latest
     steps:
-      - name: Build started
-        uses: voxmedia/github-action-slack-notify-build@v1
-        if: success()
-        with:
-          channel: ci-notifications
-          status: STARTED
-          color: good
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
-      - name: Log in to Docker Hub
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+      - name: Log in to Nexus Docker Hub
+        uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+          registry: docker.nexus.makecodes.dev
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@v5
         with:
-          images: redbeard/mines-backend
-      - name: Build and push Docker image
-        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
-        env:
-          SCOPE: production
+          images: docker.nexus.makecodes.dev/mines/backend
+      - name: Build and push
+        uses: docker/build-push-action@v5
         with:
           context: .
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Build finished
-        if: success()
-        uses: voxmedia/github-action-slack-notify-build@v1
-        with:
-          channel: ci-notifications
-          status: SUCCESS
-          color: good
+      - name: Deploy to production server
+        run: |
+          TOKEN=$(curl --silent --location 'https://auth.makecodes.dev/auth' \
+            --header 'Content-Type: application/json' \
+            --data '{
+                "email": "'$USERNAME'",
+                "password": "'$PASSWORD'"
+            }' | jq -r '.token')
+          curl --location --silent 'https://deployer.makecodes.dev/deploy' \
+            --header 'Content-Type: application/json' \
+            --header "Authorization: Bearer $TOKEN" \
+            --data '{
+                "image": "docker.nexus.makecodes.dev/mines/backend",
+                "service": "mines_backend",
+                "version": "${{ github.ref_name }}",
+                "pipeline": "${{ github.run_number }}",
+                "repository": "mines/backend"
+            }'
         env:
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-  deploy:
-    name: Deploy
-    runs-on: ubuntu-latest
-    needs:
-      - build
-    steps:
-      - name: Deploy to production
-        uses: appleboy/ssh-action@master
-        with:
-          host: ${{ secrets.SSH_HOST }}
-          username: ${{ secrets.SSH_USERNAME }}
-          password: ${{ secrets.SSH_PASSWORD }}
-          port: ${{ secrets.SSH_PORT }}
-          script: |
-            cd /media/data/apps/mines-backend
-            docker pull  redbeard/mines-backend:latest
-            docker-compose up -d app0
-            docker-compose up -d app1
-            docker exec -t mines-be0 python manage.py migrate
-            docker image prune -f
+          USERNAME: ${{ secrets.SERVER_AUTH_USERNAME }}
+          PASSWORD: ${{ secrets.SERVER_AUTH_PASSWORD }}

Dockerfile

@@ -1,52 +1,72 @@
-FROM python:3.8-slim-buster
+FROM python:3.12.6-bullseye AS base
 
-ARG SCOPE
+ARG APP_USER \
+    APP_GROUP \
+    UID \
+    GID \
+    NEXUS_USERNAME \
+    NEXUS_PASSWORD
 
-# Setup env
-ENV SCOPE=${SCOPE} \
-  # python
-  PYTHONDONTWRITEBYTECODE=1 \
-  PYTHONFAULTHANDLER=1 \
-  PYTHONUNBUFFERED=1 \
-  PYTHONHASHSEED=random \
-  LC_ALL=C.UTF-8 \
-  LANG=C.UTF-8 \
-  # pip
-  PIP_NO_CACHE_DIR=off \
-  PIP_DISABLE_PIP_VERSION_CHECK=on \
-  PIP_DEFAULT_TIMEOUT=100 \
-  # poetry:
-  POETRY_VERSION=1.1.13 \
-  POETRY_NO_INTERACTION=1 \
-  POETRY_VIRTUALENVS_CREATE=false \
-  POETRY_CACHE_DIR='/var/cache/pypoetry' \
-  POETRY_HOME='/usr/local'
+ENV APP_USER=${APP_USER:-mines} \
+    APP_GROUP=${APP_GROUP:-mines} \
+    UID=${UID:-1000} \
+    GID=${GID:-1000} \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONUNBUFFERED=1 \
+    PYTHONHASHSEED=random \
+    PYTHONDONTWRITEBYTECODE=1 \
+    LC_ALL=C.UTF-8 \
+    LANG=C.UTF-8 \
+    PIP_NO_CACHE_DIR=off \
+    PIP_DISABLE_PIP_VERSION_CHECK=on \
+    PIP_DEFAULT_TIMEOUT=100 \
+    UV_LINK_MODE=copy \
+    UV_PROJECT_ENVIRONMENT=/.venv \
+    VIRTUAL_ENV=/.venv \
+    PATH="/.venv/bin:$PATH"
 
-SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
 
-RUN apt-get update && apt-get upgrade -y \
-  && apt-get install --no-install-recommends -y \
+WORKDIR /app
+
+COPY uv.lock pyproject.toml ./
+
+# Dependências
+RUN echo "deb http://apt.postgresql.org/pub/repos/apt bullseye-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
+    curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
+    apt-get update && \
+    apt-get install -y \
     bash \
-    curl \
+    clang \
     build-essential \
+    curl \
     default-libmysqlclient-dev \
+    gnupg \
+    jq \
+    libc6 \
+    libffi-dev \
+    libjpeg-dev \
+    libmariadb-dev \
     libpq-dev \
-  # Installing `poetry` package manager:
-  # https://github.com/python-poetry/poetry
-  && curl -sSL 'https://install.python-poetry.org' | python - \
-  && poetry --version \
-  # Cleaning cache:
-  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
-  && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+    libpthread-stubs0-dev \
+    libxml2-dev \
+    libxslt-dev \
+    mariadb-client \
+    zlib1g-dev && \
+    apt-get install -y --no-install-recommends gcc && \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
+    apt-get clean -y && rm -rf /var/lib/apt/lists/* && \
+    uv sync --dev && \
+    uv cache clean && \
+    . $VIRTUAL_ENV/bin/activate
 
-# Copy only requirements to cache them in docker layer
-WORKDIR /code
-COPY poetry.lock pyproject.toml /code/
 
-RUN poetry config virtualenvs.create false \
-  && poetry install $(test "$SCOPE" == production && echo "--no-dev") --no-interaction --no-ansi
+# Copia o restante do código da aplicação
+COPY . /app
 
-# Creating folders, and files for a project:
-COPY . /code
+RUN groupadd -r $APP_GROUP -g $GID && \
+    useradd -r -g $APP_GROUP -u $UID $APP_USER --shell /bin/bash --home /app
 
-CMD ["/code/commands/run-prod.sh"]
+USER $APP_USER
+
+CMD ["/app/commands/run-prod.sh"]

app/settings.py

@@ -12,7 +12,7 @@ OP_ITEM_TITLE = os.environ.get('OP_ITEM_TITLE', 'mines')
 op_env = OnePassword(SCOPE, OP_ITEM_TITLE)
 
 sentry_sdk.init(
-    dsn=op_env.get('settings.SENTRY_DSN'),
+    dsn=op_env.get('SENTRY_DSN'),
     integrations=[DjangoIntegration()],
     environment=SCOPE,
     send_default_pii=False,
@@ -23,12 +23,12 @@ sentry_sdk.init(
 BASE_DIR = Path(__file__).resolve().parent.parent
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = op_env.get('settings.SECRET_KEY')
+SECRET_KEY = op_env.get('SECRET_KEY')
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = op_env.get('settings.DEBUG', '0') in ['1', 'true']
+DEBUG = op_env.get('DEBUG', '0') in ['1', 'true']
 
-ALLOWED_HOSTS = op_env.get('settings.ALLOWED_HOSTS', '127.0.0.1,localhost').split(',')
+ALLOWED_HOSTS = op_env.get('ALLOWED_HOSTS', '127.0.0.1,localhost').split(',')
 
 # Application definition
 INSTALLED_APPS = [

app/urls.py

@@ -1,13 +1,7 @@
-from django.conf import settings
 from django.contrib import admin
 from django.urls import include, path
 
 urlpatterns = [
     path('', include('api.urls')),
+    path('admin/', admin.site.urls),
 ]
-
-# We need this only for development purpose
-if settings.DEBUG is True:
-    urlpatterns += [
-        path('admin/', admin.site.urls),
-    ]

app/utils.py

@@ -1,25 +0,0 @@
-import onepasswordconnectsdk
-from onepasswordconnectsdk.client import Client, new_client_from_environment
-
-
-def get_op_config():
-    op_client: Client = new_client_from_environment()
-
-    OP_DJANGO_SETTINGS_VARS = [
-        'database.host',
-        'database.port',
-        'database.name',
-        'database.user',
-        'database.password',
-        'settings.ALLOWED_HOSTS',
-        'settings.DEBUG',
-        'settings.SCOPE',
-        'settings.SENTRY_DSN',
-        'settings.SECRET_KEY',
-    ]
-
-    op_config_get = {}
-    for var in OP_DJANGO_SETTINGS_VARS:
-        op_config_get[var] = {'opitem': 'mines', 'opfield': var}
-
-    return onepasswordconnectsdk.load_dict(op_client, op_config_get)