upgrade Pythong 3.12

Author: hgiasac

.github/workflows/ndc-python-lambda-connector.yaml

@@ -6,7 +6,7 @@ on:
       - test-ci/**
   push:
     branches:
-      - 'main'
+      - "main"
       - test-ci/**
     tags:
       - v**
@@ -21,9 +21,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
-          python-version: '3.9'
+          python-version: "3.12"
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -45,10 +45,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # This is important for git describe to work correctly
-      - uses: actions/setup-python@v4
+          fetch-depth: 0 # This is important for git describe to work correctly
+      - uses: actions/setup-python@v5
         with:
-          python-version: '3.9'
+          python-version: "3.12"
       - name: Build connector
         run: |
           cd connector-definition
@@ -60,7 +60,7 @@ jobs:
           echo "sha256=$SHA256" >> $GITHUB_OUTPUT
       - name: Get commit hash
         id: get_commit_hash
-        run: |           
+        run: |
           COMMIT_HASH=$(git rev-parse HEAD)
           echo "commit_hash=$COMMIT_HASH" >> $GITHUB_OUTPUT
       - name: Debug information
@@ -82,30 +82,83 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
       - uses: actions/checkout@v4
+
+      - name: Set up containerd
+        uses: crazy-max/ghaction-setup-containerd@v3
+
+      - name: Fix containerd socket permissions
+        run: |
+          sudo chgrp docker /run/containerd/containerd.sock
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-            registry: ${{ env.DOCKER_REGISTRY }}
-            username: ${{ github.actor }}
-            password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ${{ env.DOCKER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Extract metadata (tags, labels) for Docker
         id: docker-metadata
         uses: docker/metadata-action@v5
         with:
-            images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+          images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          labels: ${{ steps.docker-metadata.outputs.labels }}
+          # Export the image to a tar so it can be imported into containerd so gokakashi can scan it
+          outputs: type=oci,dest=/tmp/image.tar
+
+      - name: Import docker image into containerd store
+        run: |
+          ctr images import --base-name ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }} --digests --all-platforms /tmp/image.tar
+
+      - name: Get first docker tag for gokakashi
+        id: first-docker-tag
+        run: |
+          FIRST_TAG=$(echo "${{ steps.docker-metadata.outputs.tags }}" | head -n 1)
+          echo "First docker tag: $FIRST_TAG"
+          echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT
+
+      - name: Scan docker image with gokakashi
+        uses: shinobistack/gokakashi-action@v0.1.1
+        with:
+          image: ${{ steps.first-docker-tag.outputs.tag }}
+          labels: agentKey=${{ github.run_id }}
+          policy: ci-platform
+          server: https://gokakashi-server.hasura-app.io
+          token: ${{ secrets.GOKAKASHI_API_TOKEN }}
+          cf_client_id: ${{ secrets.CF_ACCESS_CLIENT_ID }}
+          cf_client_secret: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
+          interval: 10
+          retries: 8
+
+      - name: Upload Trivy report as artifact
+        uses: actions/upload-artifact@v4
         with:
-            context: .
-            push: true
-            platforms: linux/amd64,linux/arm64
-            tags: ${{ steps.docker-metadata.outputs.tags }}
-            labels: ${{ steps.docker-metadata.outputs.labels }}
-  
+          name: trivy-report
+          path: /tmp/trivy-report-*.json
+
+      - name: Push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          labels: ${{ steps.docker-metadata.outputs.labels }}
+
   release-connector:
     name: Release connector
     runs-on: ubuntu-latest
@@ -126,91 +179,91 @@ jobs:
         run: |
           echo "tagged_version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
         shell: bash
-      - uses: mindsers/changelog-reader-action@v2
-        id: changelog-reader
-        with:
-          version: ${{ steps.get-version.outputs.tagged_version }}
-          path: ./CHANGELOG.md
-      - uses: softprops/action-gh-release@v1
-        with:
-          draft: false
-          tag_name: v${{ steps.get-version.outputs.tagged_version }}
-          body: ${{ steps.changelog-reader.outputs.changes }}
-          files: |
-            ./connector-definition/dist/connector-definition.tgz
-          fail_on_unmatched_files: true
-
-      - name: Update ndc-hub
-        env:
-            REGISTRY_NAME: hasura
-            CONNECTOR_NAME: ndc-python-lambda
-            COMMIT_HASH: ${{ needs.build-connector.outputs.commit_hash }}
-            SHA256: ${{ needs.build-connector.outputs.sha256 }}
-            GH_TOKEN: ${{ secrets.PAT_TOKEN }}
-        run: |
-              # Clone ndc-hub repository
-              git clone https://github.com/hasura/ndc-hub.git
-              cd ndc-hub
-
-              # Create a new branch
-              NEW_BRANCH="update-${{ env.CONNECTOR_NAME }}-connector-v${{ steps.get-version.outputs.tagged_version }}"
-              git checkout -b $NEW_BRANCH
-
-              cd registry/${{ env.REGISTRY_NAME }}/python
-
-              # Create releases directory if it doesn't exist
-              mkdir -p releases/v${{ steps.get-version.outputs.tagged_version }}
-
-              # Create connector-packaging.json
-              cat << EOF > releases/v${{ steps.get-version.outputs.tagged_version }}/connector-packaging.json
-              {
-                "version": "v${{ steps.get-version.outputs.tagged_version }}",
-                "uri": "https://github.com/${{ github.repository }}/releases/download/v${{ steps.get-version.outputs.tagged_version }}/connector-definition.tgz",
-                "checksum": {
-                  "type": "sha256",
-                  "value": "$SHA256"
-                },
-                "source": {
-                  "hash": "$COMMIT_HASH"
-                }
-              }
-              EOF
-
-              # Update metadata.json to remove 'packages' field if it exists and update 'latest_version'
-              jq --arg version_tag "v${{ steps.get-version.outputs.tagged_version }}" \
-                --arg commit_hash "$COMMIT_HASH" \
-                'if has("packages") then del(.packages) else . end | 
-                  .overview.latest_version = $version_tag |
-                  if has("source_code") then
-                    .source_code.version += [{
-                      "tag": $version_tag,
-                      "hash": $commit_hash,
-                      "is_verified": false
-                    }]
-                  else
-                    . + {"source_code": {"version": [{
-                      "tag": $version_tag,
-                      "hash": $commit_hash,
-                      "is_verified": false
-                    }]}}
-                  end' \
-                metadata.json > tmp.json && mv tmp.json metadata.json
-
-              cp ../../../../README.md ./README.md
-
-              # Commit changes
-              git config user.name "GitHub Action"
-              git config user.email "action@github.com"
-              git add metadata.json README.md releases
-              git commit -m "Update ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}"
-
-              # Push changes
-              git push https://${{ secrets.PAT_TOKEN }}@github.com/hasura/ndc-hub.git HEAD:$NEW_BRANCH
-
-              # Create PR using GitHub CLI
-              cd ../..
-              gh pr create --repo hasura/ndc-hub \
-                --base main \
-                --head $NEW_BRANCH \
-                --title "Update ${{ env.CONNECTOR_NAME }} connector to v${{ steps.get-version.outputs.tagged_version }}" \
-                --body "This PR updates the ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}."
+      # - uses: mindsers/changelog-reader-action@v2
+      #   id: changelog-reader
+      #   with:
+      #     version: ${{ steps.get-version.outputs.tagged_version }}
+      #     path: ./CHANGELOG.md
+      # - uses: softprops/action-gh-release@v1
+      #   with:
+      #     draft: false
+      #     tag_name: v${{ steps.get-version.outputs.tagged_version }}
+      #     body: ${{ steps.changelog-reader.outputs.changes }}
+      #     files: |
+      #       ./connector-definition/dist/connector-definition.tgz
+      #     fail_on_unmatched_files: true
+
+      # - name: Update ndc-hub
+      #   env:
+      #     REGISTRY_NAME: hasura
+      #     CONNECTOR_NAME: ndc-python-lambda
+      #     COMMIT_HASH: ${{ needs.build-connector.outputs.commit_hash }}
+      #     SHA256: ${{ needs.build-connector.outputs.sha256 }}
+      #     GH_TOKEN: ${{ secrets.PAT_TOKEN }}
+      #   run: |
+      #     # Clone ndc-hub repository
+      #     git clone https://github.com/hasura/ndc-hub.git
+      #     cd ndc-hub
+
+      #     # Create a new branch
+      #     NEW_BRANCH="update-${{ env.CONNECTOR_NAME }}-connector-v${{ steps.get-version.outputs.tagged_version }}"
+      #     git checkout -b $NEW_BRANCH
+
+      #     cd registry/${{ env.REGISTRY_NAME }}/python
+
+      #     # Create releases directory if it doesn't exist
+      #     mkdir -p releases/v${{ steps.get-version.outputs.tagged_version }}
+
+      #     # Create connector-packaging.json
+      #     cat << EOF > releases/v${{ steps.get-version.outputs.tagged_version }}/connector-packaging.json
+      #     {
+      #       "version": "v${{ steps.get-version.outputs.tagged_version }}",
+      #       "uri": "https://github.com/${{ github.repository }}/releases/download/v${{ steps.get-version.outputs.tagged_version }}/connector-definition.tgz",
+      #       "checksum": {
+      #         "type": "sha256",
+      #         "value": "$SHA256"
+      #       },
+      #       "source": {
+      #         "hash": "$COMMIT_HASH"
+      #       }
+      #     }
+      #     EOF
+
+      #     # Update metadata.json to remove 'packages' field if it exists and update 'latest_version'
+      #     jq --arg version_tag "v${{ steps.get-version.outputs.tagged_version }}" \
+      #       --arg commit_hash "$COMMIT_HASH" \
+      #       'if has("packages") then del(.packages) else . end |
+      #         .overview.latest_version = $version_tag |
+      #         if has("source_code") then
+      #           .source_code.version += [{
+      #             "tag": $version_tag,
+      #             "hash": $commit_hash,
+      #             "is_verified": false
+      #           }]
+      #         else
+      #           . + {"source_code": {"version": [{
+      #             "tag": $version_tag,
+      #             "hash": $commit_hash,
+      #             "is_verified": false
+      #           }]}}
+      #         end' \
+      #       metadata.json > tmp.json && mv tmp.json metadata.json
+
+      #     cp ../../../../README.md ./README.md
+
+      #     # Commit changes
+      #     git config user.name "GitHub Action"
+      #     git config user.email "action@github.com"
+      #     git add metadata.json README.md releases
+      #     git commit -m "Update ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}"
+
+      #     # Push changes
+      #     git push https://${{ secrets.PAT_TOKEN }}@github.com/hasura/ndc-hub.git HEAD:$NEW_BRANCH
+
+      #     # Create PR using GitHub CLI
+      #     cd ../..
+      #     gh pr create --repo hasura/ndc-hub \
+      #       --base main \
+      #       --head $NEW_BRANCH \
+      #       --title "Update ${{ env.CONNECTOR_NAME }} connector to v${{ steps.get-version.outputs.tagged_version }}" \
+      #       --body "This PR updates the ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}."

CHANGELOG.md

@@ -4,6 +4,10 @@ This changelog documents the changes between release versions.
 ## [Unreleased]
 Changes to be included in the next upcoming release
 
+## [0.2.0] - 2025-04-02
+* Upgrade Python 3.12 
+* Use `python:3.12-slim` image tag with non-root user.
+
 ## [0.1.6] - 2025-01-22
 * Fix workflows
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.10
+FROM python:3.12-slim
 
 # Install curl for healthcheck
 RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*

connector-definition/Dockerfile

@@ -3,8 +3,17 @@ FROM ghcr.io/hasura/ndc-python-lambda:v{{VERSION}}
 COPY requirements.txt /functions/
 
 WORKDIR /functions
+
 RUN python3 -m venv venv && \
     . venv/bin/activate && \
     pip install -r requirements.txt
 
-COPY ./ /functions
+COPY ./ /functions
+
+# create the group and user
+RUN adduser -u 1000 python
+
+RUN chown -R python:python /functions
+
+# stating USER before WORKDIR means the directory is created with the non-root proper ownership
+USER python