🔧 (on_release.yml): Remove unnecessary echo statements from deployment script for cleaner logs and better security

♻️ (on_release.yml): Remove redundant curl command to clean up the code and improve readability

.gitea/workflows/on_release.yml

@@ -40,26 +40,16 @@ jobs:
                 "email": "'$USERNAME'",
                 "password": "'$PASSWORD'"
             }' | jq -r '.token')
-          # curl --location --silent 'https://deployer.makecodes.dev/deploy' \
-          #   --header 'Content-Type: application/json' \
-          #   --header "Authorization: Bearer $TOKEN" \
-          #   --data '{
-          #       "image": "docker.nexus.makecodes.dev/makecodes/nfe-vision",
-          #       "service": "nfe-vision_app",
-          #       "version": "${{ github.ref_name }}",
-          #       "pipeline": "${{ github.run_number }}",
-          #       "repository": "makecodes/nfe-vision"
-          #   }'
-          #   curl --location --silent 'https://deployer.makecodes.dev/deploy' \
-          #   --header 'Content-Type: application/json' \
-          #   --header "Authorization: Bearer $TOKEN" \
-          #   --data '{
-          #       "image": "docker.nexus.makecodes.dev/makecodes/nfe-vision",
-          #       "service": "nfe-vision_worker",
-          #       "version": "${{ github.ref_name }}",
-          #       "pipeline": "${{ github.run_number }}",
-          #       "repository": "makecodes/nfe-vision"
-          #   }'
+          curl --location --silent 'https://deployer.makecodes.dev/deploy' \
+            --header 'Content-Type: application/json' \
+            --header "Authorization: Bearer $TOKEN" \
+            --data '{
+                "image": "docker.nexus.makecodes.dev/mines/backend",
+                "service": "mines_backend",
+                "version": "${{ github.ref_name }}",
+                "pipeline": "${{ github.run_number }}",
+                "repository": "mines/backend"
+            }'
         env:
           USERNAME: ${{ secrets.SERVER_AUTH_USERNAME }}
           PASSWORD: ${{ secrets.SERVER_AUTH_PASSWORD }}

Dockerfile

@@ -1,52 +1,72 @@
-FROM python:3.8-slim-buster
+FROM python:3.12.6-bullseye AS base
 
-ARG SCOPE
+ARG APP_USER \
+    APP_GROUP \
+    UID \
+    GID \
+    NEXUS_USERNAME \
+    NEXUS_PASSWORD
 
-# Setup env
-ENV SCOPE=${SCOPE} \
-  # python
-  PYTHONDONTWRITEBYTECODE=1 \
-  PYTHONFAULTHANDLER=1 \
-  PYTHONUNBUFFERED=1 \
-  PYTHONHASHSEED=random \
-  LC_ALL=C.UTF-8 \
-  LANG=C.UTF-8 \
-  # pip
-  PIP_NO_CACHE_DIR=off \
-  PIP_DISABLE_PIP_VERSION_CHECK=on \
-  PIP_DEFAULT_TIMEOUT=100 \
-  # poetry:
-  POETRY_VERSION=1.1.13 \
-  POETRY_NO_INTERACTION=1 \
-  POETRY_VIRTUALENVS_CREATE=false \
-  POETRY_CACHE_DIR='/var/cache/pypoetry' \
-  POETRY_HOME='/usr/local'
+ENV APP_USER=${APP_USER:-mines} \
+    APP_GROUP=${APP_GROUP:-mines} \
+    UID=${UID:-1000} \
+    GID=${GID:-1000} \
+    PYTHONFAULTHANDLER=1 \
+    PYTHONUNBUFFERED=1 \
+    PYTHONHASHSEED=random \
+    PYTHONDONTWRITEBYTECODE=1 \
+    LC_ALL=C.UTF-8 \
+    LANG=C.UTF-8 \
+    PIP_NO_CACHE_DIR=off \
+    PIP_DISABLE_PIP_VERSION_CHECK=on \
+    PIP_DEFAULT_TIMEOUT=100 \
+    UV_LINK_MODE=copy \
+    UV_PROJECT_ENVIRONMENT=/.venv \
+    VIRTUAL_ENV=/.venv \
+    PATH="/.venv/bin:$PATH"
 
-SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
 
-RUN apt-get update && apt-get upgrade -y \
-  && apt-get install --no-install-recommends -y \
+WORKDIR /app
+
+COPY uv.lock pyproject.toml ./
+
+# Dependências
+RUN echo "deb http://apt.postgresql.org/pub/repos/apt bullseye-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
+    curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
+    apt-get update && \
+    apt-get install -y \
     bash \
-    curl \
+    clang \
     build-essential \
+    curl \
     default-libmysqlclient-dev \
+    gnupg \
+    jq \
+    libc6 \
+    libffi-dev \
+    libjpeg-dev \
+    libmariadb-dev \
     libpq-dev \
-  # Installing `poetry` package manager:
-  # https://github.com/python-poetry/poetry
-  && curl -sSL 'https://install.python-poetry.org' | python - \
-  && poetry --version \
-  # Cleaning cache:
-  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
-  && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+    libpthread-stubs0-dev \
+    libxml2-dev \
+    libxslt-dev \
+    mariadb-client \
+    zlib1g-dev && \
+    apt-get install -y --no-install-recommends gcc && \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
+    apt-get clean -y && rm -rf /var/lib/apt/lists/* && \
+    uv sync --dev && \
+    uv cache clean && \
+    . $VIRTUAL_ENV/bin/activate
 
-# Copy only requirements to cache them in docker layer
-WORKDIR /code
-COPY poetry.lock pyproject.toml /code/
 
-RUN poetry config virtualenvs.create false \
-  && poetry install $(test "$SCOPE" == production && echo "--no-dev") --no-interaction --no-ansi
+# Copia o restante do código da aplicação
+COPY . /app
 
-# Creating folders, and files for a project:
-COPY . /code
+RUN groupadd -r $APP_GROUP -g $GID && \
+    useradd -r -g $APP_GROUP -u $UID $APP_USER --shell /bin/bash --home /app
 
-CMD ["/code/commands/run-prod.sh"]
+USER $APP_USER
+
+CMD ["/app/commands/run-prod.sh"]

app/settings.py

@@ -12,7 +12,7 @@ OP_ITEM_TITLE = os.environ.get('OP_ITEM_TITLE', 'mines')
 op_env = OnePassword(SCOPE, OP_ITEM_TITLE)
 
 sentry_sdk.init(
-    dsn=op_env.get('settings.SENTRY_DSN'),
+    dsn=op_env.get('SENTRY_DSN'),
     integrations=[DjangoIntegration()],
     environment=SCOPE,
     send_default_pii=False,
@@ -23,12 +23,12 @@ sentry_sdk.init(
 BASE_DIR = Path(__file__).resolve().parent.parent
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = op_env.get('settings.SECRET_KEY')
+SECRET_KEY = op_env.get('SECRET_KEY')
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = op_env.get('settings.DEBUG', '0') in ['1', 'true']
+DEBUG = op_env.get('DEBUG', '0') in ['1', 'true']
 
-ALLOWED_HOSTS = op_env.get('settings.ALLOWED_HOSTS', '127.0.0.1,localhost').split(',')
+ALLOWED_HOSTS = op_env.get('ALLOWED_HOSTS', '127.0.0.1,localhost').split(',')
 
 # Application definition
 INSTALLED_APPS = [

app/urls.py

@@ -1,13 +1,7 @@
-from django.conf import settings
 from django.contrib import admin
 from django.urls import include, path
 
 urlpatterns = [
     path('', include('api.urls')),
+    path('admin/', admin.site.urls),
 ]
-
-# We need this only for development purpose
-if settings.DEBUG is True:
-    urlpatterns += [
-        path('admin/', admin.site.urls),
-    ]

app/utils.py

@@ -1,25 +0,0 @@
-import onepasswordconnectsdk
-from onepasswordconnectsdk.client import Client, new_client_from_environment
-
-
-def get_op_config():
-    op_client: Client = new_client_from_environment()
-
-    OP_DJANGO_SETTINGS_VARS = [
-        'database.host',
-        'database.port',
-        'database.name',
-        'database.user',
-        'database.password',
-        'settings.ALLOWED_HOSTS',
-        'settings.DEBUG',
-        'settings.SCOPE',
-        'settings.SENTRY_DSN',
-        'settings.SECRET_KEY',
-    ]
-
-    op_config_get = {}
-    for var in OP_DJANGO_SETTINGS_VARS:
-        op_config_get[var] = {'opitem': 'mines', 'opfield': var}
-
-    return onepasswordconnectsdk.load_dict(op_client, op_config_get)