Merge pull request #43 from MITLibraries/in-1500-new-workflows

* Updates For New Shared Workflows
* Updates to address some CI errors

Author: cabutlermit

.github/workflows/ci.yml

@@ -1,5 +1,9 @@
 name: CI
-on: push
+on:
+  pull_request:
+    paths-ignore:
+      - '.github/**'
+
 jobs:
   test:
     uses: mitlibraries/.github/.github/workflows/python-shared-test.yml@main

.github/workflows/dev-build.yml

@@ -1,7 +1,10 @@
-### This is the Terraform-generated dev-build.yml workflow for the browsertrix-harvester-dev app repository ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document     ###
-### If the container requires any additional pre-build commands, uncomment and edit      ###
-### the PREBUILD line at the end of the document.                                        ###
+### This is the Terraform-generated dev-build.yml workflow for the         ###
+### browsertrix-harvester-dev app repository.                              ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of    ###
+### the document. If the container requires any additional pre-build       ###
+### commands, uncomment and edit the PREBUILD line at the end of the       ###
+### document.                                                              ###
+
 name: Dev Container Build and Deploy
 on:
   workflow_dispatch:
@@ -11,14 +14,47 @@ on:
     paths-ignore:
       - '.github/**'
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
+  prep:
+    name: Prep for Build
+    runs-on: ubuntu-latest
+    outputs: 
+      cpuarch: ${{ steps.setarch.outputs.cpuarch }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set CPU Architecture
+        id: setarch
+        run: |
+          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
+          if [[ -f .aws-architecture ]]; then
+            ARCH=$(cat .aws-architecture)
+            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          else
+            ARCH="linux/amd64"
+            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          fi
+          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
+            echo "$ARCH is INVALID architecture!"
+            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
+
   deploy:
-    name: Dev Container Deploy
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
+    needs: prep
+    name: Dev Deploy
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"
       GHA_ROLE: "browsertrix-harvester-gha-dev"
       ECR: "browsertrix-harvester-dev"
+      CPU_ARCH: ${{ needs.prep.outputs.cpuarch }}
       # FUNCTION: ""
-      # PREBUILD:
+      # PREBUILD: 

.github/workflows/prod-promote.yml

@@ -1,21 +1,57 @@
-### This is the Terraform-generated prod-promote.yml workflow for the browsertrix-harvester-prod repository. ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document.         ###
+### This is the Terraform-generated prod-promote.yml workflow for the      ###
+### browsertrix-harvester-prod repository.                                                ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of    ###
+### the document.                                                          ###
+
 name: Prod Container Promote
 on:
   workflow_dispatch:
   release:
     types: [published]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
+  prep:
+    name: Prep for Promote
+    runs-on: ubuntu-latest
+    outputs: 
+      cpuarch: ${{ steps.setarch.outputs.cpuarch }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set CPU Architecture
+        id: setarch
+        run: |
+          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
+          if [[ -f .aws-architecture ]]; then
+            ARCH=$(cat .aws-architecture)
+            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          else
+            ARCH="linux/amd64"
+            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          fi
+          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
+            echo "$ARCH is INVALID architecture!"
+            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
+
   deploy:
-    name: Prod Container Promote
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main
+    needs: prep
+    name: Deploy
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"
       GHA_ROLE_STAGE: browsertrix-harvester-gha-stage
       GHA_ROLE_PROD: browsertrix-harvester-gha-prod
       ECR_STAGE: "browsertrix-harvester-stage"
       ECR_PROD: "browsertrix-harvester-prod"
+      CPU_ARCH: ${{ needs.prep.outputs.cpuarch }}
       # FUNCTION: ""
 

.github/workflows/stage-build.yml

@@ -1,7 +1,10 @@
-### This is the Terraform-generated dev-build.yml workflow for the browsertrix-harvester-stage app repository ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document     ###
-### If the container requires any additional pre-build commands, uncomment and edit      ###
-### the PREBUILD line at the end of the document.                                        ###
+### This is the Terraform-generated stage-build.yml workflow for the       ###
+### browsertrix-harvester-stage app repository.                            ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of    ###
+### the document. If the container requires any additional pre-build       ###
+### commands, uncomment and edit the PREBUILD line at the end of the       ###
+### document.                                                              ###
+
 name: Stage Container Build and Deploy
 on:
   workflow_dispatch:
@@ -11,14 +14,47 @@ on:
     paths-ignore:
       - '.github/**'
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
+  prep:
+    name: Prep for Build
+    runs-on: ubuntu-latest
+    outputs: 
+      cpuarch: ${{ steps.setarch.outputs.cpuarch }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set CPU Architecture
+        id: setarch
+        run: |
+          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
+          if [[ -f .aws-architecture ]]; then
+            ARCH=$(cat .aws-architecture)
+            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          else
+            ARCH="linux/amd64"
+            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          fi
+          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
+            echo "$ARCH is INVALID architecture!"
+            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
+
   deploy:
-    name: Stage Container Deploy
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main
+    needs: prep
+    name: Stage Deploy
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"
       GHA_ROLE: "browsertrix-harvester-gha-stage"
       ECR: "browsertrix-harvester-stage"
+      CPU_ARCH: ${{ needs.prep.outputs.cpuarch }}
       # FUNCTION: ""
       # PREBUILD: 

.gitignore

@@ -155,4 +155,5 @@ cython_debug/
 .DS_Store
 output/
 .vscode/
-.idea/
+.idea/
+.arch_tag

.pre-commit-config.yaml

@@ -24,6 +24,6 @@ repos:
         types: ["python"]
       - id: pip-audit
         name: pip-audit
-        entry: pipenv run pip-audit
+        entry: pipenv run pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph
         language: system
         pass_filenames: false

Makefile

@@ -1,9 +1,10 @@
-### This is the Terraform-generated header for browsertrix-harvester-dev. If  ###
-###   this is a Lambda repo, uncomment the FUNCTION line below  ###
-###   and review the other commented lines in the document.     ###
-ECR_NAME_DEV:=browsertrix-harvester-dev
-ECR_URL_DEV:=222053980223.dkr.ecr.us-east-1.amazonaws.com/browsertrix-harvester-dev
-### End of Terraform-generated header                            ###
+### This is the Terraform-generated header for browsertrix-harvester-dev. If ###
+###   this is a Lambda repo, uncomment the FUNCTION line below               ###
+###   and review the other commented lines in the document.                  ###
+ECR_NAME_DEV := browsertrix-harvester-dev
+ECR_URL_DEV := 222053980223.dkr.ecr.us-east-1.amazonaws.com/browsertrix-harvester-dev
+CPU_ARCH ?= $(shell cat .aws-architecture 2>/dev/null || echo "linux/amd64")
+### End of Terraform-generated header                                        ###
 SHELL=/bin/bash
 DATETIME:=$(shell date -u +%Y%m%dT%H%M%SZ)
 
@@ -41,7 +42,7 @@ ruff:
 	pipenv run ruff check .
 
 safety: # Check for security vulnerabilities and verify Pipfile.lock is up-to-date
-	pipenv run pip-audit
+	pipenv run pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph
 	pipenv verify
 
 # apply changes to resolve any linting errors
@@ -85,30 +86,46 @@ test-parse-url-content:
 	--wacz-input-file="tests/fixtures/example.wacz" \
 	--url="https://example.com/hello-world"
 
+
 ### Terraform-generated Developer Deploy Commands for Dev environment ###
-dist-dev: ## Build docker container (intended for developer-based manual build)
-	docker build --platform linux/amd64 \
-	    -t $(ECR_URL_DEV):latest \
-		-t $(ECR_URL_DEV):`git describe --always` \
-		-t $(ECR_NAME_DEV):latest .
+check-arch:
+	@ARCH_FILE=".aws-architecture"; \
+	if [[ "$(CPU_ARCH)" != "linux/amd64" && "$(CPU_ARCH)" != "linux/arm64" ]]; then \
+        echo "Invalid CPU_ARCH: $(CPU_ARCH)"; exit 1; \
+    fi; \
+	if [[ -f $$ARCH_FILE ]]; then \
+		echo "latest-$(shell echo $(CPU_ARCH) | cut -d'/' -f2)" > .arch_tag; \
+	else \
+		echo "latest" > .arch_tag; \
+	fi
+
+dist-dev: check-arch ## Build docker container (intended for developer-based manual build)
+	@ARCH_TAG=$$(cat .arch_tag); \
+	docker buildx inspect $(ECR_NAME_DEV) >/dev/null 2>&1 || docker buildx create --name $(ECR_NAME_DEV) --use; \
+	docker buildx use $(ECR_NAME_DEV); \
+	docker buildx build --platform $(CPU_ARCH) \
+		--load \
+	    --tag $(ECR_URL_DEV):$$ARCH_TAG \
+	    --tag $(ECR_URL_DEV):make-$$ARCH_TAG \
+		--tag $(ECR_URL_DEV):make-$(shell git describe --always) \
+		--tag $(ECR_NAME_DEV):$$ARCH_TAG \
+		.
 
 publish-dev: dist-dev ## Build, tag and push (intended for developer-based manual publish)
-	docker login -u AWS -p $$(aws ecr get-login-password --region us-east-1) $(ECR_URL_DEV)
-	docker push $(ECR_URL_DEV):latest
-	docker push $(ECR_URL_DEV):`git describe --always`
-
-### Terraform-generated manual shortcuts for deploying to Stage. This requires  ###
-###   that ECR_NAME_STAGE, ECR_URL_STAGE, and FUNCTION_STAGE environment        ###
-###   variables are set locally by the developer and that the developer has     ###
-###   authenticated to the correct AWS Account. The values for the environment  ###
-###   variables can be found in the stage_build.yml caller workflow.            ###
-dist-stage: ## Only use in an emergency
-	docker build --platform linux/amd64 \
-	    -t $(ECR_URL_STAGE):latest \
-		-t $(ECR_URL_STAGE):`git describe --always` \
-		-t $(ECR_NAME_STAGE):latest .
-
-publish-stage: ## Only use in an emergency
-	docker login -u AWS -p $$(aws ecr get-login-password --region us-east-1) $(ECR_URL_STAGE)
-	docker push $(ECR_URL_STAGE):latest
-	docker push $(ECR_URL_STAGE):`git describe --always`
+	@ARCH_TAG=$$(cat .arch_tag); \
+	aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $(ECR_URL_DEV); \
+	docker push $(ECR_URL_DEV):$$ARCH_TAG; \
+	docker push $(ECR_URL_DEV):make-$$ARCH_TAG; \
+	docker push $(ECR_URL_DEV):make-$(shell git describe --always); \
+    echo "Cleaning up dangling Docker images..."; \
+    docker image prune -f --filter "dangling=true"
+
+docker-clean: ## Clean up Docker detritus
+	@ARCH_TAG=$$(cat .arch_tag); \
+	echo "Cleaning up Docker leftovers (containers, images, builders)"; \
+	docker rmi -f $(ECR_URL_DEV):$$ARCH_TAG; \
+	docker rmi -f $(ECR_URL_DEV):make-$$ARCH_TAG; \
+	docker rmi -f $(ECR_URL_DEV):make-$(shell git describe --always) || true; \
+    docker rmi -f $(ECR_NAME_DEV):$$ARCH_TAG || true; \
+	docker buildx rm $(ECR_NAME_DEV) || true
+	@rm -rf .arch_tag

Pipfile

@@ -33,4 +33,4 @@ python_version = "3.12"
 
 [scripts]
 harvester = "python -c \"from harvester.cli import main; main()\""
-harvester-dockerized = "docker run -it -v $HOME/.aws:/root/.aws -v $PWD/output/crawls:/crawls browsertrix-harvester-dev:latest"
+harvester-dockerized = "docker run -it -v $PWD/output/crawls:/crawls browsertrix-harvester-dev:latest"