diff options
| author |  Ionite <[email protected]> | 2022-11-16 16:38:06 -0500 |
|---|---|---|
| committer |  GitHub <[email protected]> | 2022-11-16 16:38:06 -0500 |
| commit | 1e086a25f2215ca573495abf87310ea38b18d922 (patch) | |
| tree | 3c894fe6e0374f59b9f72a9995e8b67007adb711 | |
| parent | Formatting (diff) | |
| parent | Merge pull request #157 from onerandomusername/allow-manual-rebuilds (diff) | |
Merge branch 'main' into bytes-output
| -rw-r--r-- | .github/CONTRIBUTING.md | 6 | ||||
| -rw-r--r-- | .github/workflows/build.yaml | 18 | ||||
| -rw-r--r-- | .github/workflows/deploy.yaml | 24 | ||||
| -rw-r--r-- | .github/workflows/lint.yaml | 12 | ||||
| -rw-r--r-- | .github/workflows/main.yaml | 1 | ||||
| -rw-r--r-- | .github/workflows/sentry_release.yaml | 4 | ||||
| -rw-r--r-- | .github/workflows/test.yaml | 30 | ||||
| -rw-r--r-- | .pre-commit-config.yaml | 9 | ||||
| -rw-r--r-- | Dockerfile | 4 | ||||
| -rw-r--r-- | Makefile | 7 | ||||
| -rw-r--r-- | config/snekbox.cfg | 6 | ||||
| -rw-r--r-- | deployment.yaml | 10 | ||||
| -rw-r--r-- | pyproject.toml | 6 | ||||
| -rw-r--r-- | requirements/coverage.pip | 6 | ||||
| -rw-r--r-- | requirements/coveralls.in | 3 | ||||
| -rw-r--r-- | requirements/coveralls.pip | 28 | ||||
| -rw-r--r-- | requirements/lint.pip | 19 | ||||
| -rw-r--r-- | requirements/pip-tools.pip | 22 | ||||
| -rw-r--r-- | requirements/requirements.pip | 16 |
19 files changed, 107 insertions, 124 deletions
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index b15a4ba..d0a6921 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -6,14 +6,15 @@ The Contributing Guidelines for Python Discord projects can be found [on our web ## Initial Setup -A Python 3.10 interpreter and `make` are required. A virtual environment is also recommended. Once that is set up, install the project's dependencies with `make setup`. +A Python 3.11 interpreter and `make` are required. A virtual environment is also recommended. Once that is set up, install the project's dependencies with `make setup`. This also installs a git pre-commit hook so that the linter runs upon a commit. Manual invocation is still possible with `make lint`. ## Running snekbox -Use `docker-compose up` to start snekbox in development mode. The optional `--build` argument can be passed to force the image to be rebuilt. +Use `docker compose up` to start snekbox in development mode. The optional `--build` argument can be passed to force the image to be rebuilt. +You must use [compose v2][Compose v2], accessed via `docker compose` (no hyphen). The container has all development dependencies. The repository on the host is mounted within the container; changes made to local files will also affect the container. @@ -63,3 +64,4 @@ Other things to look out for are breaking changes to NsJail's config format, its [readme]: ../README.md [Dockerfile]: ../Dockerfile +[Compose v2]: https://docs.docker.com/compose/compose-v2/ diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1be5d2f..d98d32f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # The version script relies on history. Fetch 100 commits to be safe. fetch-depth: 100 @@ -30,17 +30,17 @@ jobs: run: | set -eu version=$(python scripts/version.py) - echo "::set-output name=version::$version" + echo "version=$version" >> $GITHUB_OUTPUT printf "%s\n" "${version}" - # The current version (v2) of Docker's build-push action uses buildx, + # Both version 2 and 3 of Docker's build-push action uses buildx, # which comes with BuildKit. It has cache features which can speed up # the builds. See https://github.com/docker/build-push-action - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: Log in to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -63,8 +63,8 @@ jobs: cache_from="type=gha,scope=buildkit-${GITHUB_REF}" cache_to="${cache_from},mode=max" fi - echo "::set-output name=cache_from::${cache_from:-}" - echo "::set-output name=cache_to::${cache_to:-}" + echo "cache_from=${cache_from:-}" >> $GITHUB_OUTPUT + echo "cache_to=${cache_to:-}" >> $GITHUB_OUTPUT # Build the "DEV" version of the image, which targets the `venv` stage # and includes development dependencies. @@ -74,7 +74,7 @@ jobs: # If configured by the cache_config step, also cache the layers in # GitHub Actions. - name: Build image for linting and testing - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: context: . file: ./Dockerfile @@ -92,7 +92,7 @@ jobs: # Make the image available as an artifact so other jobs will be able to # download it. - name: Upload image archive as an artifact - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: ${{ env.artifact }} path: ${{ env.artifact }}.tar diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 82903f8..d8ad66b 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -18,7 +18,7 @@ jobs: steps: - name: Download image artifact - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: ${{ inputs.artifact }} @@ -27,17 +27,17 @@ jobs: run: docker load -i ${{ inputs.artifact }}.tar - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: Log in to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # The version script relies on history. Fetch 100 commits to be safe. fetch-depth: 100 @@ -45,7 +45,7 @@ jobs: # Build the final production image and push it to GHCR. # Tag it with both the short commit SHA and 'latest'. - name: Build final image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: context: . file: ./Dockerfile @@ -60,22 +60,26 @@ jobs: ghcr.io/python-discord/snekbox:${{ inputs.version }} # Deploy to Kubernetes. + - name: Install kubectl + uses: azure/[email protected] + with: + version: "latest" + - name: Authenticate with Kubernetes - uses: azure/k8s-set-context@v1 + uses: azure/k8s-set-context@v3 with: method: kubeconfig kubeconfig: ${{ secrets.KUBECONFIG }} - name: Deploy to Kubernetes - uses: Azure/k8s-deploy@v1 + uses: azure/k8s-deploy@v4 with: manifests: deployment.yaml images: 'ghcr.io/python-discord/snekbox:${{ inputs.version }}' - kubectl-version: 'latest' # Push the base image to GHCR, with an inline cache manifest. - name: Push base image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: context: . file: ./Dockerfile @@ -89,7 +93,7 @@ jobs: # Push the venv image to GHCR, with an inline cache manifest. - name: Push venv image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: context: . file: ./Dockerfile diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index d53738b..79856ba 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -11,13 +11,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up Python id: python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: - python-version: "3.10" + python-version: "3.11" cache: pip cache-dependency-path: requirements/lint.pip @@ -25,12 +25,12 @@ jobs: run: pip install -U -r requirements/lint.pip - name: Pre-commit environment cache - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ${{ env.PRE_COMMIT_HOME }} key: "precommit-0-${{ runner.os }}-${{ env.PRE_COMMIT_HOME }}-\ - ${{ steps.python.outputs.python-version }}-\ - ${{ hashFiles('./.pre-commit-config.yaml') }}" + ${{ steps.python.outputs.python-version }}-\ + ${{ hashFiles('./.pre-commit-config.yaml') }}" # Skip the flake8 hook because the following command will run it. - name: Run pre-commit hooks diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index b581ba3..11bcabd 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -5,6 +5,7 @@ on: branches: - main pull_request: + workflow_dispatch: jobs: build: diff --git a/.github/workflows/sentry_release.yaml b/.github/workflows/sentry_release.yaml index 4135b4f..9b4109e 100644 --- a/.github/workflows/sentry_release.yaml +++ b/.github/workflows/sentry_release.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # The version script relies on history. Fetch 100 commits to be safe. fetch-depth: 100 @@ -20,7 +20,7 @@ jobs: run: | set -eu version=$(python scripts/version.py) - echo "::set-output name=version::$version" + echo "version=$version" >> $GITHUB_OUTPUT printf "%s\n" "${version}" - name: Create a Sentry.io release diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 51eb0f8..acbfd1f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -18,7 +18,7 @@ jobs: steps: - name: Download image artifact - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: ${{ inputs.artifact }} @@ -27,7 +27,7 @@ jobs: # Needed for the Docker Compose file. - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Memory limit tests would fail if this isn't disabled. - name: Disable swap memory @@ -39,7 +39,7 @@ jobs: id: run_tests run: | export IMAGE_SUFFIX='-venv:${{ inputs.version }}' - docker-compose run \ + docker compose run \ --rm -T -e COVERAGE_DATAFILE=.coverage.${{ matrix.os }} \ --entrypoint coverage \ snekbox \ @@ -47,7 +47,7 @@ jobs: # Upload it so the coverage from all matrix jobs can be combined later. - name: Upload coverage data - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: coverage path: .coverage.* @@ -60,20 +60,20 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: - python-version: "3.10" + python-version: "3.11" cache: pip - cache-dependency-path: requirements/coveralls.pip + cache-dependency-path: requirements/coverage.pip - name: Install dependencies - run: pip install -U -r requirements/coveralls.pip + run: pip install -U -r requirements/coverage.pip - name: Download coverage data - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: coverage @@ -83,9 +83,13 @@ jobs: - name: Display coverage report run: coverage report -m + - name: Generate lcov report + run: coverage lcov + # Comment on the PR with the coverage results and register a GitHub check # which links to the coveralls.io job. - name: Publish coverage report to coveralls.io - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: coveralls --service=github + uses: coverallsapp/[email protected] + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + path-to-lcov: ./coverage.lcov diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 620c5be..26dad6a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.2.0 + rev: v4.3.0 hooks: - id: check-merge-conflict - id: check-toml @@ -17,18 +17,17 @@ repos: hooks: - id: isort - repo: https://github.com/psf/black - rev: 22.3.0 + rev: 22.10.0 hooks: - id: black - language_version: "3.10" - repo: https://github.com/PyCQA/flake8 - rev: &flake8_version 4.0.1 + rev: &flake8_version 5.0.4 hooks: - &flake8_hook id: flake8 additional_dependencies: - flake8-annotations~=2.7 - - flake8-bugbear==22.4.25 + - flake8-bugbear==22.10.27 - flake8-docstrings~=1.4 - flake8-string-format~=0.3.0 - flake8-todo~=0.7 @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM python:3.10-slim-buster as builder +FROM python:3.11-slim-buster as builder WORKDIR /nsjail @@ -20,7 +20,7 @@ RUN git clone -b master --single-branch https://github.com/google/nsjail.git . \ RUN make # ------------------------------------------------------------------------------ -FROM python:3.10-slim-buster as base +FROM python:3.11-slim-buster as base # Everything will be a user install to allow snekbox's dependencies to be kept # separate from the packages exposed during eval. @@ -16,7 +16,6 @@ upgrade: install-piptools $(PIP_COMPILE_CMD) -o requirements/requirements.pip \ --extra gunicorn --extra sentry pyproject.toml $(PIP_COMPILE_CMD) -o requirements/coverage.pip requirements/coverage.in - $(PIP_COMPILE_CMD) -o requirements/coveralls.pip requirements/coveralls.in $(PIP_COMPILE_CMD) -o requirements/lint.pip requirements/lint.in $(PIP_COMPILE_CMD) -o requirements/pip-tools.pip requirements/pip-tools.in @@ -27,8 +26,8 @@ lint: setup # Fix ownership of the coverage file even if tests fail & preserve exit code .PHONY: test test: - docker-compose build -q --force-rm - docker-compose run --entrypoint /bin/bash --rm snekbox -c \ + docker compose build -q --force-rm + docker compose run --entrypoint /bin/bash --rm snekbox -c \ 'coverage run -m unittest; e=$?; chown --reference=. .coverage; exit $e' .PHONY: report @@ -41,4 +40,4 @@ build: .PHONY: devsh devsh: - docker-compose run --entrypoint /bin/bash --rm snekbox + docker compose run --entrypoint /bin/bash --rm snekbox diff --git a/config/snekbox.cfg b/config/snekbox.cfg index 33970dd..aaa5d89 100644 --- a/config/snekbox.cfg +++ b/config/snekbox.cfg @@ -14,7 +14,7 @@ envar: "OPENBLAS_NUM_THREADS=5" envar: "MKL_NUM_THREADS=5" envar: "VECLIB_MAXIMUM_THREADS=5" envar: "NUMEXPR_NUM_THREADS=5" -envar: "PYTHONPATH=/snekbox/user_base/lib/python3.10/site-packages" +envar: "PYTHONPATH=/snekbox/user_base/lib/python3.11/site-packages" envar: "PYTHONIOENCODING=utf-8:strict" keep_caps: false @@ -98,8 +98,8 @@ mount { } mount { - src: "/usr/local/bin/python3.10" - dst: "/usr/local/bin/python3.10" + src: "/usr/local/bin/python3.11" + dst: "/usr/local/bin/python3.11" is_bind: true rw: false } diff --git a/deployment.yaml b/deployment.yaml index ffba386..496b9e5 100644 --- a/deployment.yaml +++ b/deployment.yaml @@ -40,17 +40,17 @@ spec: forbiddenfruit~=0.1 fuzzywuzzy~=0.18 lark~=1.1 - more-itertools~=8.14 + more-itertools~=9.0 networkx~=2.8 numpy~=1.23 - pandas~=1.4 + pandas~=1.5 pendulum~=2.1 python-dateutil~=2.8 pyyaml~=6.0 - sympy~=1.10 + sympy~=1.11 toml~=0.10 - typing-extensions~=4.3 - tzdata~=2022.2 + typing-extensions~=4.4 + tzdata~=2022.6 yarl~=1.8 volumes: - name: snekbox-user-base-volume diff --git a/pyproject.toml b/pyproject.toml index e0a3d26..a1d1ea1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -16,14 +16,14 @@ classifiers = [ "License :: OSI Approved :: MIT License", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 3 :: Only", - "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", "Topic :: Internet :: WWW/HTTP :: WSGI :: Application", "Topic :: Security", "Topic :: Software Development :: Interpreters", ] dynamic = ["version"] -requires-python = ">=3.10" +requires-python = ">=3.11" dependencies = [ # Sentry's Falcon integration relies on api_helpers (falconry/falcon#1902). "falcon>=3.0.1", @@ -64,7 +64,7 @@ relative_files = true [tool.black] line-length = 100 -target-version = ["py310"] +target-version = ["py311"] force-exclude = "snekbox/config_pb2.py" [tool.isort] diff --git a/requirements/coverage.pip b/requirements/coverage.pip index fcc14da..e28a87e 100644 --- a/requirements/coverage.pip +++ b/requirements/coverage.pip @@ -1,10 +1,8 @@ # -# This file is autogenerated by pip-compile with python 3.10 +# This file is autogenerated by pip-compile with python 3.11 # To update, run: # # pip-compile --output-file=requirements/coverage.pip requirements/coverage.in # -coverage[toml]==6.4 +coverage[toml]==6.5.0 # via -r requirements/coverage.in -tomli==2.0.1 - # via coverage diff --git a/requirements/coveralls.in b/requirements/coveralls.in deleted file mode 100644 index 28d4959..0000000 --- a/requirements/coveralls.in +++ /dev/null @@ -1,3 +0,0 @@ --c coverage.pip - -coveralls>=3.3.1 diff --git a/requirements/coveralls.pip b/requirements/coveralls.pip deleted file mode 100644 index cd16e7c..0000000 --- a/requirements/coveralls.pip +++ /dev/null @@ -1,28 +0,0 @@ -# -# This file is autogenerated by pip-compile with python 3.10 -# To update, run: -# -# pip-compile --output-file=requirements/coveralls.pip requirements/coveralls.in -# -certifi==2022.5.18.1 - # via requests -charset-normalizer==2.0.12 - # via requests -coverage[toml]==6.4 - # via - # -c requirements/coverage.pip - # coveralls -coveralls==3.3.1 - # via -r requirements/coveralls.in -docopt==0.6.2 - # via coveralls -idna==3.3 - # via requests -requests==2.27.1 - # via coveralls -tomli==2.0.1 - # via - # -c requirements/coverage.pip - # coverage -urllib3==1.26.9 - # via requests diff --git a/requirements/lint.pip b/requirements/lint.pip index a399b6f..e477369 100644 --- a/requirements/lint.pip +++ b/requirements/lint.pip @@ -1,28 +1,29 @@ # -# This file is autogenerated by pip-compile with python 3.10 +# This file is autogenerated by pip-compile with python 3.11 # To update, run: # # pip-compile --output-file=requirements/lint.pip requirements/lint.in # cfgv==3.3.1 # via pre-commit -distlib==0.3.4 +distlib==0.3.6 # via virtualenv -filelock==3.7.0 +filelock==3.8.0 # via virtualenv -identify==2.5.1 +identify==2.5.8 # via pre-commit -nodeenv==1.6.0 +nodeenv==1.7.0 # via pre-commit platformdirs==2.5.2 # via virtualenv -pre-commit==2.19.0 +pre-commit==2.20.0 # via -r requirements/lint.in pyyaml==6.0 # via pre-commit -six==1.16.0 - # via virtualenv toml==0.10.2 # via pre-commit -virtualenv==20.14.1 +virtualenv==20.16.6 # via pre-commit + +# The following packages are considered to be unsafe in a requirements file: +# setuptools diff --git a/requirements/pip-tools.pip b/requirements/pip-tools.pip index 46d53d0..55bc0df 100644 --- a/requirements/pip-tools.pip +++ b/requirements/pip-tools.pip @@ -1,19 +1,25 @@ # -# This file is autogenerated by pip-compile with python 3.10 +# This file is autogenerated by pip-compile with python 3.11 # To update, run: # # pip-compile --output-file=requirements/pip-tools.pip requirements/pip-tools.in # -click==8.1.3 +build==0.9.0 # via pip-tools -pep517==0.12.0 +click==8.1.3 # via pip-tools -pip-tools==6.6.2 - # via -r requirements/pip-tools.in -tomli==2.0.1 +colorama==0.4.6 # via - # -c requirements/coverage.pip - # pep517 + # build + # click +packaging==21.3 + # via build +pep517==0.13.0 + # via build +pip-tools==6.9.0 + # via -r requirements/pip-tools.in +pyparsing==3.0.9 + # via packaging wheel==0.37.1 # via pip-tools diff --git a/requirements/requirements.pip b/requirements/requirements.pip index 034f104..afa7746 100644 --- a/requirements/requirements.pip +++ b/requirements/requirements.pip @@ -1,12 +1,12 @@ # -# This file is autogenerated by pip-compile with python 3.10 +# This file is autogenerated by pip-compile with python 3.11 # To update, run: # # pip-compile --extra=gunicorn --extra=sentry --output-file=requirements/requirements.pip pyproject.toml # -attrs==21.4.0 +attrs==22.1.0 # via jsonschema -certifi==2022.5.18.1 +certifi==2022.9.24 # via sentry-sdk falcon==3.1.0 # via @@ -14,15 +14,15 @@ falcon==3.1.0 # snekbox (pyproject.toml) gunicorn==20.1.0 # via snekbox (pyproject.toml) -jsonschema==4.5.1 +jsonschema==4.16.0 # via snekbox (pyproject.toml) -protobuf==4.21.1 +protobuf==4.21.9 # via snekbox (pyproject.toml) -pyrsistent==0.18.1 +pyrsistent==0.19.1 # via jsonschema -sentry-sdk[falcon]==1.5.12 +sentry-sdk[falcon]==1.10.1 # via snekbox (pyproject.toml) -urllib3==1.26.9 +urllib3==1.26.12 # via sentry-sdk # The following packages are considered to be unsafe in a requirements file: |