move to pdm, change to docker secrets over env, change builds to use pdm and multistage

Author: AbstractUmbra

.dockerignore

@@ -1,15 +1,17 @@
 __pycache__/
 *.py[cod]
-_pyright/
+**/*.ipynb
+
 .git/
 .github/
 .venv/
 .vscode/
 .idea/
-logs/
+.ruff_cache/
 .gitignore
-.gitmodules
-**/*.ipynb
+.gitmodule
+
+logs/
 docker-compose.yml
 Dockerfile
 LICENSE

.github/workflows/coverage_and_lint.yml

@@ -24,51 +24,25 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: "Load cached poetry installation @ ${{ matrix.python-version }}"
-        id: cached-poetry
-        uses: actions/cache@v3
+      - name: Setup PDM @ ${{ matrix.python-version }}
+        uses: pdm-project/setup-pdm@v4
         with:
-          path: ~/.local
-          key: poetry-0
+          python-version: ${{ matrix.python-version }}
+          cache: true
 
-      - name: "Setup Poetry @ ${{ matrix.python-version }}"
-        if: steps.cached-poetry.outputs.cache-hit != 'true'
-        uses: snok/install-poetry@v1
-        with:
-          version: latest
-          virtualenvs-create: true
-          virtualenvs-in-project: true
-          virtualenvs-path: .venv
-
-      - name: "Setup Python @ ${{ matrix.python-version }}"
-        id: setup-python
-        uses: actions/setup-python@v4
-        with:
-          python-version: "${{ matrix.python-version }}"
-          cache: "poetry"
-
-      - name: "Load cached venv @ ${{ matrix.python-version }}"
-        id: cached-pip-wheels
-        uses: actions/cache@v3
-        with:
-          path: .venv/
-          key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
-
-      - name: "Install Python deps @ ${{ matrix.python-version }}"
-        if: ${{ steps.cached-pip-wheels.outputs.cache-hit != 'true' }}
-        id: install-deps
+      - name: Install deps @ ${{ matrix.python-version }}
         run: |
-          poetry install --no-interaction
+          pdm install --check --no-editable
 
       - name: Activate venv @ ${{ matrix.python-version }}
         run: |
-          echo "$(poetry env info --path)/bin" >> $GITHUB_PATH
+          echo "$(pdm info --where)/.venv/bin" >> $GITHUB_PATH
 
       - name: "Run Pyright @ ${{ matrix.python-version }}"
-        uses: jakebailey/pyright-action@v1
+        uses: jakebailey/pyright-action@v2
         with:
           warnings: false
-          no-comments: ${{ matrix.python-version != '3.x' }}
+          annotate: ${{ matrix.python-version != '3.x' }}
 
       - name: Lint
-        uses: astral-sh/ruff-action@v3
+        uses: astral-sh/ruff-action@v2

.gitignore

@@ -113,6 +113,9 @@ venv.bak/
 # Visual Studio Code settings
 .vscode/
 
+# Intellij settings
+.idea/
+
 # Spyder project settings
 .spyderproject
 .spyproject
@@ -133,6 +136,5 @@ dmypy.json
 
 # config
 config.toml
-
-.vscode/
-.idea/
+postgres_password.txt
+.pdm-python

.template.env

@@ -1,54 +1,30 @@
-FROM python:3.12-slim
+ARG PYTHON_BASE=3.11-slim
+
+FROM python:${PYTHON_BASE} AS builder
+
+# disable update check since we're "static" in an image
+ENV PDM_CHECK_UPDATE=false
+# install PDM
+RUN pip install -U pdm
+
+WORKDIR /project
+COPY . /project/
+RUN apt-get update -y \
+    && apt-get install --no-install-recommends --no-install-suggests -y git \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN pdm install --check --prod --no-editable
+
+FROM python:${PYTHON_BASE}
 
 LABEL org.opencontainers.image.source=https://github.com/PythonistaGuild/Pythonista-Bot
 LABEL org.opencontainers.image.description="Pythonista Guild's Discord Bot"
 LABEL org.opencontainers.image.licenses=MIT
 
-ENV PYTHONUNBUFFERED=1 \
-    # prevents python creating .pyc files
-    PYTHONDONTWRITEBYTECODE=1 \
-    \
-    # pip
-    PIP_NO_CACHE_DIR=off \
-    PIP_DISABLE_PIP_VERSION_CHECK=on \
-    PIP_DEFAULT_TIMEOUT=100 \
-    \
-    # poetry
-    # https://python-poetry.org/docs/configuration/#using-environment-variables
-    # make poetry install to this location
-    POETRY_HOME="/opt/poetry" \
-    # make poetry create the virtual environment in the project's root
-    # it gets named `.venv`
-    POETRY_VIRTUALENVS_IN_PROJECT=true \
-    # do not ask any interactive question
-    POETRY_NO_INTERACTION=1 \
-    \
-    # paths
-    # this is where our requirements + virtual environment will live
-    PYSETUP_PATH="/opt/pysetup" \
-    VENV_PATH="/opt/pysetup/.venv"
-
-ENV PATH="$POETRY_HOME/bin:$VENV_PATH/bin:$PATH"
-
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y \
-    git \
-    # deps for installing poetry
-    curl \
-    # deps for building python deps
-    build-essential \
-    libcurl4-gnutls-dev \
-    gnutls-dev \
-    libmagic-dev
-
-RUN curl -sSL https://install.python-poetry.org | python -
-
-# copy project requirement files here to ensure they will be cached.
 WORKDIR /app
-COPY poetry.lock pyproject.toml ./
-
-# install runtime deps - uses $POETRY_VIRTUALENVS_IN_PROJECT internally
-RUN poetry install --only=main
 
+COPY --from=builder /project/.venv/ /app/.venv
+ENV PATH="/app/.venv/bin:$PATH"
 COPY . /app/
-ENTRYPOINT ["poetry", "run", "python", "-O", "launcher.py" ]
+
+ENTRYPOINT [ "python", "-O", "bot.py" ]

Dockerfile

@@ -28,7 +28,7 @@ python -O launcher.py
 We also provide both `Dockerfile` and `docker-compose.yml` files for running the bot in Docker.
 The default compose file assumes you want snekbox too, however you can comment out or remove that entire key if this is not the case.
 
-Make a copy of `.template.env` and name it to `.env`, edit the values as you see fit (the defaults will work too, and be okay so long as you don't expose this database to the internet).
+Make a copy of `postgres_password.example.txt` and name it to `postgres_password.txt`, edit the text within the file as you see fit.
 Then a simple `docker compose up` will bring your bot up!
 
 NOTE: If you want to enable the snekbox service for sandboxed open eval, do:
@@ -43,7 +43,7 @@ which will enable all services and snekbox.
 
 This also means that it will use internal docker networking to resolve the database and snekbox names. By default these will be `database` and `snekbox`, but these will be the **service names** in `docker-compose.yml` if you change them. Please keep this in mind when editing your config file.
 
-We also provide a file for ignoring git blame references. You can enable this with:-
+We also provide a file for ignoring git blame references (for mass edits like formatting tools and so on). You can enable this with:-
 ```sh
 git config blame.ignoreRevsFile .git-blame-ignore-revs
 ```

README.md

@@ -11,18 +11,18 @@ services:
   database:
     image: postgres
     container_name: pythonista-bot-db
-    env_file:
-      - .env
     environment:
-      - POSTGRES_USER=${POSTGRES_USER}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - POSTGRES_DB=${POSTGRES_DB}
+      - POSTGRES_USER=pythonistabot
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres-password
+      - POSTGRES_DB=pythonistabot
     healthcheck:
       interval: 1s
       retries: 10
       test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
       timeout: 5s
     restart: always
+    secrets:
+      - postgres-password
     volumes:
       - pgdata:/var/lib/postgresql/data
       - ./database/schema.sql:/docker-entrypoint-initdb.d/schema.sql:ro
@@ -38,5 +38,9 @@ services:
       - "snekbox"
     restart: always
 
+secrets:
+  postgres-password:
+    file: ./postgres-password.txt
+
 volumes:
   pgdata: