Merge pull request #3669 from nulib/deploy/staging

Deploy v9.1.0 to production

.github/dependabot.yml

@@ -7,9 +7,8 @@ updates:
       time: "11:00"
     labels:
       - "dependencies"
-      - "automerge"
     open-pull-requests-limit: 10
-    target-branch: dependencies
+    target-branch: deploy/staging
     ignore:
       - dependency-name: "react-hook-form"
       - dependency-name: "node-sass"
@@ -28,26 +27,23 @@ updates:
       time: "11:00"
     labels:
       - "dependencies"
-      - "automerge"
     open-pull-requests-limit: 10
-    target-branch: dependencies
+    target-branch: deploy/staging
   - package-ecosystem: npm
     directory: "/lambdas/*"
     schedule:
       interval: daily
       time: "11:00"
     labels:
       - "dependencies"
-      - "automerge"
     open-pull-requests-limit: 10
-    target-branch: dependencies
+    target-branch: deploy/staging
   - package-ecosystem: mix
     directory: "/app"
     schedule:
       interval: daily
       time: "11:00"
     labels:
       - "dependencies"
-      - "automerge"
     open-pull-requests-limit: 10
-    target-branch: dependencies
+    target-branch: deploy/staging

.github/scripts/configure_aws.sh

@@ -1,6 +1,9 @@
 #!/bin/bash
 
-environment=$(echo $DEPLOY_ENV | tr a-z A-Z)
+environment=STAGING
+if [[ $DEPLOY_ENV == "production" ]]; then
+  environment=PRODUCTION
+fi
 access_key_id_var=${environment}_AWS_ACCESS_KEY_ID
 access_key_id=$(jq -r ".${access_key_id_var}" <<< $SECRETS)
 secret_key_var=${environment}_AWS_SECRET_ACCESS_KEY

.github/workflows/combine-prs.yml

@@ -0,0 +1,156 @@
+name: 'Combine PRs'
+
+# Controls when the action will run - in this case triggered manually
+on:
+  workflow_dispatch:
+    inputs:
+      branchPrefix:
+        description: 'Branch prefix to find combinable PRs based on'
+        required: true
+        default: 'dependabot'
+      mustBeGreen:
+        description: 'Only combine PRs that are green (status is success). Set to false if repo does not run checks'
+        type: boolean
+        required: true
+        default: true
+      combineBranchName:
+        description: 'Name of the branch to combine PRs into'
+        required: true
+        default: 'combined-dependencies'
+      combinePullRequestTitle:
+        description: 'Title of the combined Pull Request'
+        required: true
+        default: 'Dependency Rollup'
+      ignoreLabel:
+        description: 'Exclude PRs with this label'
+        required: true
+        default: 'nocombine'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "combine-prs"
+  combine-prs:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - uses: actions/github-script@v6
+        id: create-combined-pr
+        name: Create Combined PR
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const pulls = await github.paginate('GET /repos/:owner/:repo/pulls', {
+              owner: context.repo.owner,
+              repo: context.repo.repo
+            });
+            let branchesAndPRStrings = [];
+            let baseBranch = null;
+            let baseBranchSHA = null;
+            for (const pull of pulls) {
+              const branch = pull['head']['ref'];
+              console.log('Pull for branch: ' + branch);
+              if (branch.startsWith('${{ github.event.inputs.branchPrefix }}')) {
+                console.log('Branch matched prefix: ' + branch);
+                let statusOK = true;
+                if(${{ github.event.inputs.mustBeGreen }}) {
+                  console.log('Checking green status: ' + branch);
+                  const stateQuery = `query($owner: String!, $repo: String!, $pull_number: Int!) {
+                    repository(owner: $owner, name: $repo) {
+                      pullRequest(number:$pull_number) {
+                        commits(last: 1) {
+                          nodes {
+                            commit {
+                              statusCheckRollup {
+                                state
+                              }
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }`
+                  const vars = {
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    pull_number: pull['number']
+                  };
+                  const result = await github.graphql(stateQuery, vars);
+                  const [{ commit }] = result.repository.pullRequest.commits.nodes;
+                  const state = commit.statusCheckRollup.state
+                  console.log('Validating status: ' + state);
+                  if(state != 'SUCCESS') {
+                    console.log('Discarding ' + branch + ' with status ' + state);
+                    statusOK = false;
+                  }
+                }
+                console.log('Checking labels: ' + branch);
+                const labels = pull['labels'];
+                for(const label of labels) {
+                  const labelName = label['name'];
+                  console.log('Checking label: ' + labelName);
+                  if(labelName == '${{ github.event.inputs.ignoreLabel }}') {
+                    console.log('Discarding ' + branch + ' with label ' + labelName);
+                    statusOK = false;
+                  }
+                }
+                if (statusOK) {
+                  console.log('Adding branch to array: ' + branch);
+                  const prString = '#' + pull['number'] + ' ' + pull['title'];
+                  branchesAndPRStrings.push({ branch, prString });
+                  baseBranch = pull['base']['ref'];
+                  baseBranchSHA = pull['base']['sha'];
+                }
+              }
+            }
+            if (branchesAndPRStrings.length == 0) {
+              core.setFailed('No PRs/branches matched criteria');
+              return;
+            }
+            try {
+              await github.rest.git.createRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: 'refs/heads/' + '${{ github.event.inputs.combineBranchName }}',
+                sha: baseBranchSHA
+              });
+            } catch (error) {
+              console.log(error);
+              core.setFailed('Failed to create combined branch - maybe a branch by that name already exists?');
+              return;
+            }
+            
+            let combinedPRs = [];
+            let mergeFailedPRs = [];
+            for(const { branch, prString } of branchesAndPRStrings) {
+              try {
+                await github.rest.repos.merge({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  base: '${{ github.event.inputs.combineBranchName }}',
+                  head: branch,
+                });
+                console.log('Merged branch ' + branch);
+                combinedPRs.push(prString);
+              } catch (error) {
+                console.log('Failed to merge branch ' + branch);
+                mergeFailedPRs.push(prString);
+              }
+            }
+            
+            console.log('Creating combined PR');
+            const combinedPRsString = combinedPRs.join('\n');
+            let body = '✅ This PR was created by the Combine PRs action by combining the following PRs:\n' + combinedPRsString;
+            if(mergeFailedPRs.length > 0) {
+              const mergeFailedPRsString = mergeFailedPRs.join('\n');
+              body += '\n\n⚠️ The following PRs were left out due to merge conflicts:\n' + mergeFailedPRsString
+            }
+            await github.rest.pulls.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: '${{ github.event.inputs.combinePullRequestTitle }}',
+              head: '${{ github.event.inputs.combineBranchName }}',
+              base: baseBranch,
+              body: body
+            });

.github/workflows/deploy.yml

@@ -47,12 +47,19 @@ jobs:
       - name: Login to Amazon ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v1
+      - uses: docker/build-push-action@v2
+        with:
+          context: ./livebook
+          push: true
+          tags: ${{ steps.login-ecr.outputs.registry }}/meadow:livebook-${{ env.DEPLOY_ENV }}
       - uses: docker/build-push-action@v2
         with:
           context: ./app
           push: true
           tags: ${{ steps.login-ecr.outputs.registry }}/meadow:${{ env.DEPLOY_ENV }}
           build-args: |
+            BUILD_IMAGE=hexpm/elixir:1.15.7-erlang-26.0.2-debian-bullseye-20231009
+            RUNTIME_IMAGE=node:18-bullseye-slim
             HONEYBADGER_API_KEY=${{ secrets.HONEYBADGER_API_KEY }}
             HONEYBADGER_API_KEY_FRONTEND=${{ secrets.HONEYBADGER_API_KEY_FRONTEND }}
             HONEYBADGER_ENVIRONMENT=${{ env.DEPLOY_ENV }}

.github/workflows/test.yml

@@ -162,7 +162,7 @@ jobs:
       - uses: actions/checkout@v2
       - name: Provision Localstack using Cloud Pod
         run: |
-          pip install localstack localstack-plugin-persistence
+          pip install localstack==2.1.0
           curl -O https://nul-public.s3.amazonaws.com/meadow/test/localstack.pod
           localstack pod load file://$PWD/localstack.pod
       - uses: actions/setup-node@v3

.gitignore

@@ -70,4 +70,4 @@ yarn.lock
 .DS_Store
 **/*/.DS_Store
 
-lambdas/stream-authorizer/environment.json
+lambdas/stream-authorizer/config

README.md

@@ -1,8 +1,8 @@
 # Meadow
 
-[![Build](https://github.com/nulib/meadow/actions/workflows/build.yml/badge.svg)](https://github.com/nulib/meadow/actions/workflows/build.yml)
+[![Build](https://github.com/nulib/meadow/actions/workflows/test.yml/badge.svg)](https://github.com/nulib/meadow/actions/workflows/test.yml)
 [![Coverage Status](https://coveralls.io/repos/github/nulib/meadow/badge.svg)](https://coveralls.io/github/nulib/meadow)
-[![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=nulib/meadow)](https://dependabot.com)
+<!-- [![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=nulib/meadow)](https://dependabot.com) -->
 
 ## Prerequisites
 

app/Dockerfile

@@ -1,5 +1,8 @@
+ARG BUILD_IMAGE
+ARG RUNTIME_IMAGE
+
 # Install elixir & npm dependencies
-FROM hexpm/elixir:1.15.4-erlang-26.0.2-alpine-3.18.2 AS build
+FROM ${BUILD_IMAGE} AS build
 LABEL edu.northwestern.library.app=meadow \
   edu.northwestern.library.cache=true \
   edu.northwestern.library.stage=deps
@@ -9,17 +12,19 @@ ARG HONEYBADGER_ENVIRONMENT=
 ARG HONEYBADGER_REVISION=
 ARG MEADOW_VERSION=
 ENV MIX_ENV=prod
-RUN  apk add --update --repository https://dl-3.alpinelinux.org/alpine/edge/testing/ curl git libstdc++ \
-  && mix local.hex --force \
+RUN  mix local.hex --force \
   && mix local.rebar --force
-ENV NODE_VERSION 18.18.0
+ENV NODE_VERSION 18
 ENV NPM_VERSION 10.1.0
 ENV ARCH x64
-RUN curl -fsSLO --compressed "https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz"; \
-  tar -xJf "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
-  && ln -s /usr/local/bin/node /usr/local/bin/nodejs && \
-  npm install -g npm@$NPM_VERSION; \
-  rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz";
+RUN apt update -qq \
+ && apt install -y ca-certificates curl git gnupg \
+ && mkdir -p /etc/apt/keyrings \
+ && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+ && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_VERSION}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
+ && apt update -qq \
+ && apt install -y nodejs \
+ && npm install -g npm@$NPM_VERSION
 COPY . /app
 WORKDIR /app
 RUN mix deps.get --only prod \
@@ -39,12 +44,12 @@ WORKDIR /app
 RUN mix release --overwrite
 
 # Create runtime image
-FROM node:18-alpine
+FROM ${RUNTIME_IMAGE}
 LABEL edu.northwestern.library.app=meadow \
   edu.northwestern.library.stage=runtime
-RUN apk update && apk --no-cache --update add curl jq libcrypto3 ncurses-libs openssl-dev
+RUN apt update -qq && apt install -y curl jq libssl-dev libncurses5-dev
 ENV LANG=en_US.UTF-8
-EXPOSE 4000 4369 24601
+EXPOSE 4000 4369
 COPY --from=build /app/_build/prod/rel/meadow /app
 WORKDIR /app
 ENTRYPOINT ["./bin/meadow"]

app/assets/js/components/Auth/DisplayAuthorized.jsx

@@ -10,7 +10,7 @@ function AuthDisplayAuthorized({ level, children }) {
 }
 
 AuthDisplayAuthorized.propTypes = {
-  level: PropTypes.oneOf(["USER", "EDITOR", "MANAGER", "ADMINISTRATOR"]),
+  level: PropTypes.oneOf(["USER", "EDITOR", "MANAGER", "ADMINISTRATOR", "SUPERUSER"]),
   children: PropTypes.node,
 };