[Snyk] Security upgrade tornado from 6.2 to 6.4.1 #75
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is a GitHub workflow defining a set of jobs with a set of steps. | |
# ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions | |
# | |
# Test build release artifacts (PyPI package, Docker images) and publish them on | |
# pushed git tags. | |
# | |
name: Release | |
on: | |
pull_request: | |
paths-ignore: | |
- "docs/**" | |
- "**.md" | |
- "**.rst" | |
- ".github/workflows/*" | |
- "!.github/workflows/release.yml" | |
push: | |
paths-ignore: | |
- "docs/**" | |
- "**.md" | |
- "**.rst" | |
- ".github/workflows/*" | |
- "!.github/workflows/release.yml" | |
branches-ignore: | |
- "dependabot/**" | |
- "pre-commit-ci-update-config" | |
tags: | |
- "**" | |
workflow_dispatch: | |
jobs: | |
build-release: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: "3.9" | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: "14" | |
- name: install build requirements | |
run: | | |
npm install -g yarn | |
pip install --upgrade pip | |
pip install build | |
pip freeze | |
- name: build release | |
run: | | |
python -m build --sdist --wheel . | |
ls -l dist | |
- name: verify sdist | |
run: | | |
./ci/check_sdist.py dist/jupyterhub-*.tar.gz | |
- name: verify data-files are installed where they are found | |
run: | | |
pip install dist/*.whl | |
./ci/check_installed_data.py | |
- name: verify sdist can be installed without npm/yarn | |
run: | | |
docker run --rm -v $PWD/dist:/dist:ro docker.io/library/python:3.9-slim-bullseye bash -c 'pip install /dist/jupyterhub-*.tar.gz' | |
# ref: https://github.com/actions/upload-artifact#readme | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: jupyterhub-${{ github.sha }} | |
path: "dist/*" | |
if-no-files-found: error | |
- name: Publish to PyPI | |
if: startsWith(github.ref, 'refs/tags/') | |
env: | |
TWINE_USERNAME: __token__ | |
TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} | |
run: | | |
pip install twine | |
twine upload --skip-existing dist/* | |
publish-docker: | |
runs-on: ubuntu-20.04 | |
services: | |
# So that we can test this in PRs/branches | |
local-registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- name: Should we push this image to a public registry? | |
run: | | |
if [ "${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }}" = "true" ]; then | |
# Empty => Docker Hub | |
echo "REGISTRY=" >> $GITHUB_ENV | |
else | |
echo "REGISTRY=localhost:5000/" >> $GITHUB_ENV | |
fi | |
- uses: actions/checkout@v3 | |
# Setup docker to build for multiple platforms, see: | |
# https://github.com/docker/build-push-action/tree/v2.4.0#usage | |
# https://github.com/docker/build-push-action/blob/v2.4.0/docs/advanced/multi-platform.md | |
- name: Set up QEMU (for docker buildx) | |
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # associated tag: v1.0.2 | |
- name: Set up Docker Buildx (for multi-arch builds) | |
uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 | |
with: | |
# Allows pushing to registry on localhost:5000 | |
driver-opts: network=host | |
- name: Setup push rights to Docker Hub | |
# This was setup by... | |
# 1. Creating a Docker Hub service account "jupyterhubbot" | |
# 2. Creating a access token for the service account specific to this | |
# repository: https://hub.docker.com/settings/security | |
# 3. Making the account part of the "bots" team, and granting that team | |
# permissions to push to the relevant images: | |
# https://hub.docker.com/orgs/jupyterhub/teams/bots/permissions | |
# 4. Registering the username and token as a secret for this repo: | |
# https://github.com/jupyterhub/jupyterhub/settings/secrets/actions | |
if: env.REGISTRY != 'localhost:5000/' | |
run: | | |
docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_TOKEN }}" | |
# image: jupyterhub/jupyterhub | |
# | |
# https://github.com/jupyterhub/action-major-minor-tag-calculator | |
# If this is a tagged build this will return additional parent tags. | |
# E.g. 1.2.3 is expanded to Docker tags | |
# [{prefix}:1.2.3, {prefix}:1.2, {prefix}:1, {prefix}:latest] unless | |
# this is a backported tag in which case the newer tags aren't updated. | |
# For branches this will return the branch name. | |
# If GITHUB_TOKEN isn't available (e.g. in PRs) returns no tags []. | |
- name: Get list of jupyterhub tags | |
id: jupyterhubtags | |
uses: jupyterhub/action-major-minor-tag-calculator@v2 | |
with: | |
githubToken: ${{ secrets.GITHUB_TOKEN }} | |
prefix: "${{ env.REGISTRY }}jupyterhub/jupyterhub:" | |
defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub:noref" | |
branchRegex: ^\w[\w-.]*$ | |
- name: Build and push jupyterhub | |
uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 | |
with: | |
context: . | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
# tags parameter must be a string input so convert `gettags` JSON | |
# array into a comma separated list of tags | |
tags: ${{ join(fromJson(steps.jupyterhubtags.outputs.tags)) }} | |
# image: jupyterhub/jupyterhub-onbuild | |
# | |
- name: Get list of jupyterhub-onbuild tags | |
id: onbuildtags | |
uses: jupyterhub/action-major-minor-tag-calculator@v2 | |
with: | |
githubToken: ${{ secrets.GITHUB_TOKEN }} | |
prefix: "${{ env.REGISTRY }}jupyterhub/jupyterhub-onbuild:" | |
defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub-onbuild:noref" | |
branchRegex: ^\w[\w-.]*$ | |
- name: Build and push jupyterhub-onbuild | |
uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 | |
with: | |
build-args: | | |
BASE_IMAGE=${{ fromJson(steps.jupyterhubtags.outputs.tags)[0] }} | |
context: onbuild | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
tags: ${{ join(fromJson(steps.onbuildtags.outputs.tags)) }} | |
# image: jupyterhub/jupyterhub-demo | |
# | |
- name: Get list of jupyterhub-demo tags | |
id: demotags | |
uses: jupyterhub/action-major-minor-tag-calculator@v2 | |
with: | |
githubToken: ${{ secrets.GITHUB_TOKEN }} | |
prefix: "${{ env.REGISTRY }}jupyterhub/jupyterhub-demo:" | |
defaultTag: "${{ env.REGISTRY }}jupyterhub/jupyterhub-demo:noref" | |
branchRegex: ^\w[\w-.]*$ | |
- name: Build and push jupyterhub-demo | |
uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 | |
with: | |
build-args: | | |
BASE_IMAGE=${{ fromJson(steps.onbuildtags.outputs.tags)[0] }} | |
context: demo-image | |
# linux/arm64 currently fails: | |
# ERROR: Could not build wheels for argon2-cffi which use PEP 517 and cannot be installed directly | |
# ERROR: executor failed running [/bin/sh -c python3 -m pip install notebook]: exit code: 1 | |
platforms: linux/amd64 | |
push: true | |
tags: ${{ join(fromJson(steps.demotags.outputs.tags)) }} | |
# image: jupyterhub/singleuser | |
# | |
- name: Get list of jupyterhub/singleuser tags | |
id: singleusertags | |
uses: jupyterhub/action-major-minor-tag-calculator@v2 | |
with: | |
githubToken: ${{ secrets.GITHUB_TOKEN }} | |
prefix: "${{ env.REGISTRY }}jupyterhub/singleuser:" | |
defaultTag: "${{ env.REGISTRY }}jupyterhub/singleuser:noref" | |
branchRegex: ^\w[\w-.]*$ | |
- name: Build and push jupyterhub/singleuser | |
uses: docker/build-push-action@37abcedcc1da61a57767b7588cb9d03eb57e28b3 | |
with: | |
build-args: | | |
JUPYTERHUB_VERSION=${{ github.ref_type == 'tag' && github.ref_name || format('git:{0}', github.sha) }} | |
context: singleuser | |
platforms: linux/amd64,linux/arm64 | |
push: true | |
tags: ${{ join(fromJson(steps.singleusertags.outputs.tags)) }} |