google · lvaylet · May 16, 2024 · May 16, 2024 · May 16, 2024 · May 16, 2024
diff --git a/.dockerignore b/.dockerignore
@@ -1,19 +1,48 @@
 # Git
-.git
+.git/
 .gitignore
 .gitattributes
-.github
+.github/
 
 # Docker
 Dockerfile
 .dockerignore
+.docker/
+docker-compose.yml
 
 # Byte-compiled / optimized / DLL files
 **/__pycache__/
 **/*.py[cod]
 
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
 build/
+develop-eggs/
 dist/
+downloads/
+eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
 
 # Testing / Linting
 .mypy_cache/
@@ -22,17 +51,43 @@ dist/
 .ruff_cache/
 .coverage
 tests/
+htmlcov/
+.tox/
+.coverage
+.cache
+nosetests.xml
+coverage.xml
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
 
 # Documentation
 docs/
 
+# PyBuilder
+target/
+
 # Configuration
 .env
 
 # Virtual Environments
 .venv/
 venv/
 
+# PyCharm
+.idea
+
+# Python mode for VIM
+.ropeproject
+**/.ropeproject
+
+# Vim swap files
+**/*.swp
+
 # VS Code
 .vscode/
 

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,8 +11,8 @@ updates:
       interval: daily
     rebase-strategy: disabled
     commit-message:
-      prefix: fix  # production dependency group
-      prefix-development: chore  # development dependency group
+      prefix: fix # production dependency group
+      prefix-development: chore # development dependency group
       include: scope
   - package-ecosystem: github-actions
     directory: /

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,68 +9,82 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest]
-        architecture: ['x64']
-        python-version: ['3.8', '3.9', '3.10', '3.11']
+        architecture: ["x64"]
+        python-version: ["3.8", "3.9", "3.10", "3.11"]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           architecture: ${{ matrix.architecture }}
-
+      - uses: eifinger/setup-rye@v3
+        id: setup-rye
+      - name: Pin python-version ${{ matrix.python-version }}
+        run: |
+          rye pin ${{ matrix.python-version }}
       - name: Install dependencies
-        run: make install
-
+        run: |
+          make install
       - name: Lint
-        run: make lint
+        run: |
+          make lint
 
   unit:
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest]
-        architecture: ['x64']
-        python-version: ['3.8', '3.9', '3.10', '3.11']
+        architecture: ["x64"]
+        python-version: ["3.8", "3.9", "3.10", "3.11"]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           architecture: ${{ matrix.architecture }}
-
+      - uses: eifinger/setup-rye@v3
+        id: setup-rye
+      - name: Pin python-version ${{ matrix.python-version }}
+        run: |
+          rye pin ${{ matrix.python-version }}
       - name: Install dependencies
-        run: make install
-
+        run: |
+          make install
       - name: Run unit tests
-        run: make unit
         env:
           MIN_VALID_EVENTS: "10"
           GOOGLE_APPLICATION_CREDENTIALS: tests/unit/fixtures/fake_credentials.json
-
-      - name: Run coverage report
-        run: make coverage
+        run: |
+          make unit
 
   audit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: '${{ vars.PYTHON_VERSION }}'
-
+          python-version: "${{ vars.PYTHON_VERSION }}"
+      - uses: eifinger/setup-rye@v3
+        id: setup-rye
+      - name: Pin python-version ${{ vars.PYTHON_VERSION }}
+        run: rye pin ${{ vars.PYTHON_VERSION }}
       - name: Install dependencies
-        run: make install
-
+        run: |
+          make install
       - name: Audit for CVEs
-        run: make audit
+        run: |
+          make audit
 
   docker:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: docker-practice/actions-setup-docker@master
-
+      - uses: docker-practice/actions-setup-docker@master # TODO Is it the best GitHub Action for Docker builds?
       - name: Build Docker image
-        run: make docker_build
+        run: |
+          make docker_build
+      - name: Confirm the image runs as expected
+        run: |
+          docker run slo-generator:latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,8 +12,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: '${{ vars.PYTHON_VERSION }}'
-          architecture: 'x64'
+          python-version: "${{ vars.PYTHON_VERSION }}"
+          architecture: "x64"
 
       - name: Run all tests
         run: make

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -10,9 +10,9 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '37 19 * * 2'
+    - cron: "37 19 * * 2"
   push:
-    branches: [ "master" ]
+    branches: ["master"]
 
 # Declare default permissions as read only.
 permissions: read-all

diff --git a/.gitignore b/.gitignore
@@ -28,7 +28,6 @@ client_secrets.json
 *_flymake.py
 .DS_Store
 .eggs/
-.python-version
 .idea
 node_modules/
 *.code-workspace

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,18 +7,18 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
-- repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
-  hooks:
-    - id: trailing-whitespace
-    - id: end-of-file-fixer
-    - id: check-yaml
-    - id: check-added-large-files
-- repo: https://github.com/astral-sh/ruff-pre-commit
-  # Ruff version.
-  rev: v0.4.4
-  hooks:
-    # Run the linter.
-    - id: ruff
-    # Run the formatter.
-    - id: ruff-format
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    # Ruff version.
+    rev: v0.4.4
+    hooks:
+      # Run the linter.
+      - id: ruff
+      # Run the formatter.
+      - id: ruff-format
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.11.9
diff --git a/Dockerfile b/Dockerfile
@@ -1,30 +1,111 @@
-# Copyright 2019 Google LLC
-
+# Copyright 2024 Google LLC
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# As the SLO Generator is an installable package, let's build it then install it in a
+# multi-stage Docker image. This way, the image has a small size and behaves exactly
+# like a user installation.
+#
+# Usage:
+#   docker build . --tag slo-generator:latest --build-arg PYTHON_VERSION=$(cat .python-version)
+#   docker run slo-generator:latest
+#
+# References:
+# - https://rye-up.com/guide/docker/#container-from-a-python-package
+# - https://testdriven.io/blog/docker-best-practices/
+# - https://rye-up.com/guide/publish/#build
+# - https://sogo.dev/posts/2023/11/rye-with-docker
+
 # Define the default Python version used in production.
-# This is usually the most recent supported version at https://devguide.python.org/versions/.
+# This is usually the latest supported version at https://devguide.python.org/versions/.
+# When using `rye`, it is usually set to the contents of `.python-version`, for example
+# with `docker build --build-arg PYTHON_VERSION=$(cat .python-version) <...>`.
 # !! Make sure to propagate any new value to the `PYTHON_VERSION` variable in:
 # GitHub > Settings > Secrets and variables > Actions > Variables > Repository variables
-ARG PYTHON_VERSION=3.11
+# FIXME Reuse the contents of `.python-version` in CI too, for a single source of truth.
+ARG PYTHON_VERSION
+
+FROM python:${PYTHON_VERSION}-slim-bookworm AS wheel_builder
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+        curl \
+        make \
+        build-essential \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Run container processes with a non-root user.
+RUN useradd wheel --create-home
+USER wheel
+WORKDIR /home/wheel/app
+
+# Install Rye.
+ENV RYE_HOME /home/wheel/.rye
+ENV PATH ${RYE_HOME}/shims:${PATH}
+RUN curl -sSf https://rye-up.com/get | RYE_NO_AUTO_INSTALL=1 RYE_INSTALL_OPTION="--yes" bash
+
+# Leverage Docker's caching by only copying the minimum files required for `rye sync`.
+COPY --chown=wheel:wheel \
+     pyproject.toml \
+     requirements.lock \
+     requirements-dev.lock \
+     .python-version \
+     README.md \
+     Makefile \
+     ./
+
+# Prevent Python from writing `.pyc` files.
+ENV PYTHONDONTWRITEBYTECODE=1
+# Keep Python from buffering `stdout` and `stderr` to avoid situations where the
+# application crashes without emitting any logs due to buffering.
+ENV PYTHONUNBUFFERED=1
+
+# Update the dependencies in the virtual environment (except the dev ones, not required
+# in the wheel). Do not update the lockfiles, to make sure the wheel uses the Python
+# version and the packages defined in Git (in `.python-version` or `requirements.lock`).
+RUN rye sync --all-features --no-lock --no-dev
+
+# Copy the remaining files.
+COPY --chown=wheel:wheel src ./src
+
+# Build the sdist and wheel targets in `./dist/`.
+RUN make build
+
+###########################################################
 
 FROM python:${PYTHON_VERSION}-alpine
 
-WORKDIR /app
+# Run container processes with a non-root user.
+RUN adduser -D app
+USER app
+WORKDIR /home/app
+
+# Retrieve the wheel generated by the builder above.
+COPY --from=wheel_builder \
+     /home/wheel/app/dist/slo_generator-*-py3-none-any.whl \
+     .
 
-COPY . ./
+# Preemptively add `~/.local/bin` to `PATH` to avoid warnings on `pip install --user`.
+ENV PATH /home/app/.local/bin:${PATH}
 
-RUN pip install --no-cache-dir ."[ \
+# Install the package like a standard user would do, with all the optional features.
+# $(ls <...>) retrieves the wheel name dynamically, as it depends on the package version.
+RUN PYTHONDONTWRITEBYTECODE=1 \
+    pip install \
+    --user \
+    --no-cache-dir \
+    "$(ls slo_generator-*-py3-none-any.whl)[ \
         api, \
         bigquery, \
         cloud_monitoring, \