Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
version: 2.1

jobs:
quality-gate:
docker:
- image: cimg/python:3.10
steps:
- checkout
- run:
name: Install uv
command: |
export UV_UNMANAGED_INSTALL=1
export UV_NO_MODIFY_PATH=1
curl -LsSf -o /tmp/uv-install.sh https://astral.sh/uv/0.11.3/install.sh
sh /tmp/uv-install.sh
echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$BASH_ENV"
- run:
name: Install project dependencies
command: |
source "$BASH_ENV"
uv sync --locked --extra dev
- run:
name: Run warnings-as-errors tests
command: |
source "$BASH_ENV"
PYTHONWARNINGS=error uv run pytest
- run:
name: Run coverage quality gate
command: |
source "$BASH_ENV"
uv run pytest --cov=src/newsdom_api --cov-branch --cov-report=term-missing --cov-fail-under=100

workflows:
quality-gate:
jobs:
- quality-gate
10 changes: 10 additions & 0 deletions .clusterfuzzlite/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
ARG UV_IMAGE=ghcr.io/astral-sh/uv@sha256:90bbb3c16635e9627f49eec6539f956d70746c409209041800a0280b93152823

FROM ${UV_IMAGE} AS uv-bin

FROM gcr.io/oss-fuzz-base/base-builder-python@sha256:60e8ef87f2c0367254ff979a4dea61dad2684b001e3e666e2cc6fe992064dbbf

WORKDIR /src/newsdom-api
COPY --from=uv-bin /uv /uvx /usr/local/bin/
COPY . .
COPY .clusterfuzzlite/build.sh /src/build.sh
21 changes: 21 additions & 0 deletions .clusterfuzzlite/build.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#!/bin/bash
set -euo pipefail

cd "$SRC/newsdom-api"

uv sync --frozen --extra fuzz
export PATH="$SRC/newsdom-api/.venv/bin:$PATH"

for fuzzer in $(find fuzzers -name '*_fuzzer.py'); do
fuzzer_basename=$(basename -s .py "$fuzzer")
fuzzer_package="${fuzzer_basename}.pkg"

pyinstaller --distpath "$OUT" --onefile --name "$fuzzer_package" "$fuzzer"

cat >"$OUT/$fuzzer_basename" <<EOF
#!/bin/sh
this_dir=\$(dirname "\$0")
exec "\$this_dir/$fuzzer_package" "\$@"
EOF
chmod +x "$OUT/$fuzzer_basename"
done
1 change: 1 addition & 0 deletions .clusterfuzzlite/project.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
language: python
8 changes: 8 additions & 0 deletions .coderabbit.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
language: ko

reviews:
profile: chill
request_changes_workflow: true
auto_review:
enabled: true
auto_incremental_review: true
10 changes: 10 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
.git
.github
.venv
__pycache__
.pytest_cache
.coverage
*.pyc
site
dist
build
85 changes: 85 additions & 0 deletions .github/actions/upload-pages-artifact/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
name: "Upload GitHub Pages artifact"
description: "Prepare and upload the static site artifact for GitHub Pages deployment"

inputs:
name:
description: "Artifact name"
required: false
default: "github-pages"
path:
description: "Path of the directory containing the static assets."
required: true
default: "_site/"
retention-days:
description: "Duration after which artifact will expire in days."
required: false
default: "1"

outputs:
artifact_id:
description: "The ID of the artifact that was uploaded."
value: ${{ steps.upload-artifact.outputs.artifact-id }}

runs:
using: composite
steps:
- name: Archive artifact
shell: sh
if: runner.os == 'Linux'
run: |
echo ::group::Archive artifact
tar \
--dereference --hard-dereference \
--directory "$INPUT_PATH" \
-cvf "$RUNNER_TEMP/artifact.tar" \
--exclude=.git \
--exclude=.github \
--exclude=".[^/]*" \
.
echo ::endgroup::
env:
INPUT_PATH: ${{ inputs.path }}

- name: Archive artifact
shell: sh
if: runner.os == 'macOS'
run: |
echo ::group::Archive artifact
gtar \
--dereference --hard-dereference \
--directory "$INPUT_PATH" \
-cvf "$RUNNER_TEMP/artifact.tar" \
--exclude=.git \
--exclude=.github \
--exclude=".[^/]*" \
.
echo ::endgroup::
env:
INPUT_PATH: ${{ inputs.path }}

- name: Archive artifact
shell: bash
if: runner.os == 'Windows'
run: |
echo ::group::Archive artifact
tar \
--dereference --hard-dereference \
--directory "$INPUT_PATH" \
-cvf "$RUNNER_TEMP\artifact.tar" \
--exclude=.git \
--exclude=.github \
--exclude=".[^/]*" \
--force-local \
"."
echo ::endgroup::
env:
INPUT_PATH: ${{ inputs.path }}

- name: Upload artifact
id: upload-artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
with:
name: ${{ inputs.name }}
path: ${{ runner.temp }}/artifact.tar
retention-days: ${{ inputs.retention-days }}
if-no-files-found: error
21 changes: 21 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
target-branch: develop
schedule:
interval: weekly
groups:
github-actions:
patterns:
- "*"

- package-ecosystem: "pip"
directory: "/"
target-branch: develop
schedule:
interval: weekly
groups:
python:
patterns:
- "*"
33 changes: 33 additions & 0 deletions .github/workflows/clusterfuzzlite.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: clusterfuzzlite

on:
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
fuzz:
runs-on: ubuntu-latest
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

- name: Build fuzzers
uses: google/clusterfuzzlite/actions/build_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
with:
language: python
sanitizer: address
github-token: ${{ github.token }}

- name: Run fuzzers
uses: google/clusterfuzzlite/actions/run_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
with:
language: python
sanitizer: address
mode: code-change
fuzz-seconds: 300
github-token: ${{ github.token }}
15 changes: 9 additions & 6 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,30 +4,33 @@ on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
- cron: '43 5 * * 1'

permissions:
actions: read
contents: read
security-events: write

jobs:
analyze:
name: codeql (python)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13
with:
languages: python

- name: Autobuild
uses: github/codeql-action/autobuild@v3
uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13

- name: Analyze
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13
102 changes: 102 additions & 0 deletions .github/workflows/container-image.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
name: container-image

on:
pull_request:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
publish_nvidia:
description: Publish the linux/amd64 NVIDIA parsing image
required: false
default: 'false'

permissions:
contents: read

jobs:
image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
REGISTRY: ghcr.io
IMAGE_NAME: seongho-bae/newsdom-api
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f

- name: Log in to GHCR
if: github.event_name != 'pull_request'
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ github.token }}

- name: Extract image metadata
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=tag
type=raw,value=latest,enable={{is_default_branch}}

- name: Build and optionally push image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
with:
context: .
file: ./Dockerfile
push: ${{ github.event_name != 'pull_request' }}
platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

image-nvidia:
if: github.event_name == 'workflow_dispatch' && github.event.inputs.publish_nvidia == 'true'
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
REGISTRY: ghcr.io
IMAGE_NAME: seongho-bae/newsdom-api-nvidia
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f

- name: Log in to GHCR
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ github.token }}

- name: Extract NVIDIA image metadata
id: meta-nvidia
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=nvidia

- name: Build and push NVIDIA image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
with:
context: .
file: ./Dockerfile.nvidia
push: true
platforms: linux/amd64
tags: ${{ steps.meta-nvidia.outputs.tags }}
labels: ${{ steps.meta-nvidia.outputs.labels }}
7 changes: 4 additions & 3 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ name: dependency-review

on:
pull_request:
branches: [main, develop]

permissions:
contents: read
Expand All @@ -12,9 +11,11 @@ jobs:
dependency-review:
name: dependency-review
runs-on: ubuntu-latest
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

- name: Dependency review
uses: actions/dependency-review-action@v4
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48
Loading
Loading