Merge pull request #4 from Workable/workable-sre-6908-changes-needed-for-upgrading-base-image

Changes needed for upgrading base image

Author: dimitrisalo

.github/workflows/ci.yml

@@ -29,33 +29,7 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
-  lint:
-    runs-on: ubuntu-latest
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
-      - name: Lint Dockerfile
-        run: make lint
-
-  unit-tests:
-    runs-on: ubuntu-latest
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Run Unit Tests (Postgres)
-        run: make test.unit BACKEND=postgres IMAGE_NAME=alerta-test
-
-      - name: Run Unit Tests (MongoDB)
-        run: make test.unit BACKEND=mongodb IMAGE_NAME=alerta-test
-
   publish-artifacts:
-    needs: [lint, unit-tests]
     if: ${{ needs.detect-noop.outputs.noop != 'true' && startsWith(github.ref, 'refs/tags/workable-') }}
     permissions:
       id-token: write
@@ -66,6 +40,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - name: Check secrets availability
+        id: secrets_check
+        shell: bash
+        run: |
+          echo "has_sre=${{ secrets.SRE_GCR_SA != '' }}" >> $GITHUB_OUTPUT
+          echo "has_staging=${{ secrets.STAGING_GCR_SA != '' }}" >> $GITHUB_OUTPUT
+          echo "has_production=${{ secrets.PRODUCTION_GCR_SA != '' }}" >> $GITHUB_OUTPUT
+
       - name: Get image tag
         id: container-info
         run: |
@@ -79,16 +61,27 @@ jobs:
           push: false
           tags: Workable/alerta-base:${{ steps.container-info.outputs.image-tag }}
           provenance: false
+          build-args: |
+            BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            RELEASE=9.0.4
+            VERSION=${{ steps.container-info.outputs.image-tag }}
 
       # DISTRIBUTION OF SRE IMAGE
+      - name: Skip SRE registry push
+        if: ${{ steps.secrets_check.outputs.has_sre == 'false' }}
+        run: |
+          echo "::warning title=SRE Registry Push Skipped::The SRE_GCR_SA secret is missing. Skipping image push to SRE registry."
+
       - name: Login to sre registry
+        if: ${{ steps.secrets_check.outputs.has_sre == 'true' }}
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: us-docker.pkg.dev
           username: _json_key
           password: ${{ secrets.SRE_GCR_SA }}
 
       - name: Push image to sre registry
+        if: ${{ steps.secrets_check.outputs.has_sre == 'true' }}
         env:
           REGISTRY: us-docker.pkg.dev/sre-artifacts-20e4/gcr.io
         run: |
@@ -97,14 +90,21 @@ jobs:
           docker push ${{ env.REGISTRY }}/alerta-base:${{ steps.container-info.outputs.image-tag }}
 
       # DISTRIBUTION OF STAGING IMAGE
+      - name: Skip Staging registry push
+        if: ${{ steps.secrets_check.outputs.has_staging == 'false' }}
+        run: |
+          echo "::warning title=Staging Registry Push Skipped::The STAGING_GCR_SA secret is missing. Skipping image push to Staging registry."
+
       - name: Login to staging registry
+        if: ${{ steps.secrets_check.outputs.has_staging == 'true' }}
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: us-docker.pkg.dev
           username: _json_key
           password: ${{ secrets.STAGING_GCR_SA }}
 
       - name: Push image to staging registry
+        if: ${{ steps.secrets_check.outputs.has_staging == 'true' }}
         env:
           REGISTRY: us-docker.pkg.dev/staging-artifacts-786a/gcr.io
         run: |
@@ -113,14 +113,21 @@ jobs:
           docker push ${{ env.REGISTRY }}/alerta-base:${{ steps.container-info.outputs.image-tag }}
 
       # DISTRIBUTION OF PRODUCTION IMAGE
+      - name: Skip Production registry push
+        if: ${{ steps.secrets_check.outputs.has_production == 'false' }}
+        run: |
+          echo "::warning title=Production Registry Push Skipped::The PRODUCTION_GCR_SA secret is missing. Skipping image push to Production registry."
+
       - name: Login to production registry
+        if: ${{ steps.secrets_check.outputs.has_production == 'true' }}
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: us-docker.pkg.dev
           username: _json_key
           password: ${{ secrets.PRODUCTION_GCR_SA }}
 
       - name: Push image to production registry
+        if: ${{ steps.secrets_check.outputs.has_production == 'true' }}
         env:
           REGISTRY: us-docker.pkg.dev/production-artifacts-0b0d/gcr.io
         run: |

docker-entrypoint.sh

@@ -89,7 +89,7 @@ echo Alerta WebUI  ${WEBUI_VERSION}
 
 nginx -v
 echo uwsgi $(uwsgi --version)
-mongo --version | grep MongoDB
+mongosh --version
 psql --version
 python3 --version
 /venv/bin/pip list

workable-Dockerfile

@@ -1,6 +1,6 @@
-FROM python:3.9-slim-trixie
+FROM python:3.9-slim-bookworm
 
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 ENV PIP_DISABLE_PIP_VERSION_CHECK=1
 ENV PIP_NO_CACHE_DIR=1
 
@@ -53,8 +53,8 @@ RUN apt-get update && \
     apt-get -y autoremove && \
     rm -rf /var/lib/apt/lists/*
 
-RUN curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add - && \
-    echo "deb https://nginx.org/packages/debian/ buster nginx" | tee /etc/apt/sources.list.d/nginx.list && \
+RUN curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg && \
+    echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ bookworm nginx" | tee /etc/apt/sources.list.d/nginx.list && \
     apt-get update && \
     apt-get install -y --no-install-recommends \
     nginx && \
@@ -63,11 +63,11 @@ RUN curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add - && \
     rm -rf /var/lib/apt/lists/*
 
 # hadolint ignore=DL3008
-RUN curl -fsSL https://www.mongodb.org/static/pgp/server-4.2.asc | apt-key add - && \
-    echo "deb https://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | tee /etc/apt/sources.list.d/mongodb-org-4.2.list && \
+RUN curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --dearmor -o /usr/share/keyrings/mongodb-archive-keyring.gpg && \
+    echo "deb [signed-by=/usr/share/keyrings/mongodb-archive-keyring.gpg] https://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | tee /etc/apt/sources.list.d/mongodb-org-7.0.list && \
     apt-get update && \
     apt-get install -y --no-install-recommends \
-    mongodb-org-shell && \
+    mongodb-mongosh && \
     apt-get -y clean && \
     apt-get -y autoremove && \
     rm -rf /var/lib/apt/lists/*
@@ -80,7 +80,7 @@ RUN pip install --no-cache-dir pip virtualenv jinja2 && \
     /venv/bin/pip install --no-cache-dir --upgrade setuptools && \
     /venv/bin/pip install --no-cache-dir --requirement /app/requirements.txt && \
     /venv/bin/pip install --no-cache-dir --requirement /app/requirements-docker.txt
-ENV PATH $PATH:/venv/bin
+ENV PATH=$PATH:/venv/bin
 
 RUN /venv/bin/pip install alerta==${CLIENT_VERSION} alerta-server==${SERVER_VERSION}
 COPY install-plugins.sh /app/install-plugins.sh
@@ -91,9 +91,9 @@ ADD https://github.com/alerta/alerta-webui/releases/download/v${WEBUI_VERSION}/a
 RUN tar zxvf /tmp/webui.tar.gz -C /tmp && \
     mv /tmp/dist /web
 
-ENV ALERTA_SVR_CONF_FILE /app/alertad.conf
-ENV ALERTA_CONF_FILE /app/alerta.conf
-ENV ALERTA_WEB_CONF_FILE /web/config.json
+ENV ALERTA_SVR_CONF_FILE=/app/alertad.conf
+ENV ALERTA_CONF_FILE=/app/alerta.conf
+ENV ALERTA_WEB_CONF_FILE=/web/config.json
 
 COPY config/templates/app/ /app
 COPY config/templates/web/ /web