staging -> production (#185)

Implements:
[CC-2137 NZSL: move signbank to
Poetry](https://ackama.atlassian.net/browse/CC-2137)

Now that we have the databases sync'd between production and UAT, and
the same for their S3 buckets, Micky Vale should be able to determine if
UAT is functioning safely to her satisfaction.

If she does, and approves this push, this will change production over to
using `poetry`, along with some other fixes.

.github/workflows/main.yml

@@ -13,36 +13,74 @@ jobs:
 
       - name: Check dependencies for security vulnerabilities
         uses: g-rath/check-with-osv-detector@main
-  build:
+  tests:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v1
     - run: cp example.env .env
-    - name: Build the docker-compose stack
-      run: docker-compose up -d
+    - name: Build the docker compose stack
+      run: docker compose up -d
     - name: Check running containers
       run: docker ps -a
     - name: Check logs
-      run: docker-compose logs backend
+      run: docker compose logs backend
     - name: Run test suite
-      run: docker-compose run backend bin/runtests.py
+      run: docker compose run backend bin/runtests.py
+
+  deploy_to_uat:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    needs:
+      - check-dependencies
+      - tests
+    environment:
+      name: uat
+      url: https://signbank-uat.nzsl.nz
+    steps:
+    - uses: actions/checkout@v1
+    - run: curl https://cli-assets.heroku.com/install-ubuntu.sh | sh
+    - run: cp example.env .env
+    - name: Build the docker compose stack
+      run: docker compose up -d
+    - name: Check running containers
+      run: docker ps -a
+    - name: Check logs
+      run: docker compose logs backend
     - name: Deploy app to UAT
-      if: github.ref == 'refs/heads/master'
       env:
         HEROKU_API_KEY: ${{secrets.HEROKU_UAT_API_KEY}}
         HEROKU_APP_NAME: ${{secrets.HEROKU_UAT_APP_NAME}}
       run: |
         echo $HEROKU_API_KEY | docker login --username=_ --password-stdin registry.heroku.com
-        docker tag $(docker-compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
+        docker tag $(docker compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
         docker push registry.heroku.com/$HEROKU_APP_NAME/web
         heroku container:release web -a $HEROKU_APP_NAME
+  deploy_to_production:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/production'
+    needs:
+      - check-dependencies
+      - tests
+    environment:
+      name: production
+      url: https://signbank.nzsl.nz
+    steps:
+    - uses: actions/checkout@v1
+    - run: curl https://cli-assets.heroku.com/install-ubuntu.sh | sh
+    - run: cp example.env .env
+    - name: Build the docker compose stack
+      run: docker compose up -d
+    - name: Check running containers
+      run: docker ps -a
+    - name: Check logs
+      run: docker compose logs backend
     - name: Deploy app to Production
       if: github.ref == 'refs/heads/production'
       env:
         HEROKU_API_KEY: ${{secrets.HEROKU_PRODUCTION_API_KEY}}
         HEROKU_APP_NAME: ${{secrets.HEROKU_PRODUCTION_APP_NAME}}
       run: |
         echo $HEROKU_API_KEY | docker login --username=_ --password-stdin registry.heroku.com
-        docker tag $(docker-compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
+        docker tag $(docker compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
         docker push registry.heroku.com/$HEROKU_APP_NAME/web
         heroku container:release web -a $HEROKU_APP_NAME

.osv-detector.yml

@@ -1,8 +1,9 @@
 ignore:
+  - GHSA-248v-346w-9cwc
   - GHSA-6c3j-c64m-qhgq
+  - GHSA-9mvj-f7w8-pvh2
+  - GHSA-g92j-qhmh-64v2
   - GHSA-gxr4-xjj5-5px2
   - GHSA-jpcq-cgw6-v4j6
   - GHSA-rmxg-73gg-4p98
-  - GHSA-257q-pv89-v3xv # GHSA says affected versions are jQuery v.2.2.0 until v.3.5.0
-  - GHSA-vm8q-m57g-pff3
-  - GHSA-w3h3-4rj7-4ph4
+  - GHSA-rrqc-c2jx-6jgv

Dockerfile

@@ -14,8 +14,9 @@ FROM python:3.9
 
 ENV DJANGO_SETTINGS_MODULE=signbank.settings.development
 
-CMD pip install -r requirements.txt && \
-    bin/develop.py migrate --noinput && \
+RUN pip install "poetry==1.8.3"
+
+CMD bin/develop.py migrate --noinput && \
     bin/develop.py createcachetable && \
     (\
         (test $DJANGO_SETTINGS_MODULE = 'signbank.settings.development' && \
@@ -44,8 +45,10 @@ RUN echo "APT::Install-Recommends \"0\";" >> /etc/apt/apt.conf.d/02recommends &&
 
 # Install requirements
 WORKDIR /app
-ADD requirements.txt /app
-RUN pip --no-cache-dir install --src=/opt pyinotify -r requirements.txt
+ADD pyproject.toml poetry.lock /app/
+RUN poetry config installer.max-workers 10 && \
+    poetry config virtualenvs.create false &&  \
+    poetry install -v --no-root
 
 # Copy frontend assets
 COPY --from=node /app/signbank/static/js ./signbank/static/js
@@ -55,4 +58,4 @@ COPY --from=node /app/signbank/static/css ./signbank/static/css
 ADD . /app
 
 # Collect static assets
-RUN bin/develop.py collectstatic
+RUN bin/develop.py collectstatic --no-input

docker-compose.yml

@@ -16,10 +16,20 @@ services:
         links:
             - database
             - mail
+        depends_on:
+          database:
+            condition: service_healthy
     database:
         image: postgres:14
         environment:
           - "POSTGRES_PASSWORD=postgres"
+        ports:
+          - 5432:5432
+        healthcheck:
+          test: ["CMD", "/usr/bin/pg_isready", "-h", "database", "-p", "5432", "-U", "postgres", "-d", "postgres"]
+          interval: 3s
+          timeout: 2s
+          retries: 5
     mail:
         image: djfarrelly/maildev
         ports: