Merge pull request #298 from alphagov/apprunner-image

Main Branch for Apprunner image

.dockerignore

@@ -0,0 +1,29 @@
+#ensure these are copied
+!tmp/
+!lib/assets/
+!lib/tasks/
+!log/
+!vendor/
+
+#keep these directories but nothing in them
+lib/*
+log/*
+tmp/*
+vendor/*
+
+
+#ignore these files/directories
+.DS_Store
+.git
+.github
+.gitignore
+.rbenv-gemsets
+.ruby-version
+yarn.lock
+node_modules
+README.md
+.dockerignore
+.env.example
+manifest.yml
+test
+Dockerfile

.github/workflows/ghcr.yml

@@ -0,0 +1,74 @@
+#
+name: Create and publish a Docker image
+#todo this needs changing to be more of a manual trigger (or tied to development branch)
+on:
+  push:
+    branches:
+      - 'main'
+
+  pull_request:
+    branches:
+      - 'main'
+
+# Defines two custom environment variables for the workflow. These are used
+# for the Container registry domain, and a name for the Docker image that
+# this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest
+# available version of Ubuntu. 
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in
+    # this job.
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Uses the `docker/login-action` action to log in to the Container
+      # registry registry using the account and password that will publish
+      # the packages. Once published, the packages are scoped to the account
+      # defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # This step uses [docker/metadata-action]
+      # (https://github.com/docker/metadata-action#about) to extract tags and
+      # labels that will be applied to the specified image. The `id` "meta"
+      # allows the output of this step to be referenced in a subsequent step.
+      # The `images` value provides the base name for the tags and labels.
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # This step uses the `docker/build-push-action` action to build the
+      # image, based on your repository's `Dockerfile`. If the build
+      # succeeds, it pushes the image to GitHub Packages. It uses the
+      # `context` parameter to define the build's context as the set of files
+      # located in the specified path. For more information, see "[Usage]
+      # (https://github.com/docker/build-push-action#usage)" in the README of
+      # the `docker/build-push-action` repository. It uses the `tags` and
+      # `labels` parameters to tag and label the image with the output from
+      # the "meta" step.
+      - name: Build and push Docker image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+          #TODO: makesure the right tags are being applied

.github/workflows/rubyandnode.yaml

@@ -7,15 +7,18 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # V2.4.0
+    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+
     - name: Set up Ruby
-      uses: ruby/setup-ruby@e6689b4deb1cb2062ea45315001f687c0b52111b # V1.144.1
+      uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7
       with:
         ruby-version: '3.2'
+
     - name: Set up Node
-      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # V3.6.0
+      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
       with:
-        node-version: '12'
+        node-version: '20'
+
     - name: Build and test
       run: |
         bundle install --without development

.gitignore

@@ -25,3 +25,7 @@
 node_modules/
 
 yarn-error.log
+
+# emacs 
+.#*
+*.*#

.ruby-version

@@ -1 +1 @@
-3.2.0
+3.2.3

Dockerfile

@@ -0,0 +1,31 @@
+# get official nodejs/npm binaries
+FROM node:20.11-slim as nodebuilder
+WORKDIR /opt/app
+COPY package-lock.json ./
+COPY package.json ./
+RUN npm i
+
+# bundle install the gems for production
+FROM ruby:3.2.3 as rubybuilder
+RUN apt update -y \
+    && apt -y install nano \
+    && cp /usr/bin/nano /usr/local/bin/
+WORKDIR /opt/app
+COPY Gemfile Gemfile.lock ./
+RUN bundle config set --local without 'development test' \
+    && bundle install
+
+# copy required files from base images, precompile assets & cleanup
+FROM ruby:3.2.3-slim
+WORKDIR /opt/app
+COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle
+COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin
+COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules
+RUN export PATH=$PATH:usr/local/nodebin \
+    && useradd -ms /bin/bash app
+USER app
+COPY --chown=app . ./
+RUN RAILS_ENV=production bundle exec rake assets:precompile
+
+EXPOSE 3000
+CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"]

Gemfile

@@ -1,17 +1,17 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby '~> 3.2.0'
+ruby '~> 3.2.3'
 
 gem 'dotenv-rails', groups: [:development]
 
-gem 'lograge', '~> 0.12.0'
+gem 'lograge', '~> 0.14.0'
 gem 'logstash-event', '~> 1.2.02'
 gem 'notifications-ruby-client', '~> 5.4.0'
 gem 'octokit', '~> 6.1.0'
 gem 'omniauth-google-oauth2', '~> 1.1.1'
 gem 'omniauth-rails_csrf_protection', '~> 1.0.1'
-gem 'rails', '~> 7.0.4.3'
+gem 'rails', '~> 7.0.8'
 gem 'sassc-rails'
 gem 'webmock', '~> 3.18.1'
 gem 'webrick', '~> 1.8.1'