From 9014fff24e8f07f1994790e9f7634d44b213be70 Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 25 Jan 2026 14:33:57 -0800 Subject: [PATCH 1/5] Change all references of master to main --- .github/SETUP.md | 8 ++++---- .github/workflows/ci.yml | 38 +++++++++++++++++++------------------- CONTRIBUTING.md | 12 ++++++------ MAINTAINERS.md | 2 +- OPS.md | 8 ++++---- src/gunicorn_config.py | 6 +++--- 6 files changed, 37 insertions(+), 37 deletions(-) diff --git a/.github/SETUP.md b/.github/SETUP.md index 24b25262..c8830530 100644 --- a/.github/SETUP.md +++ b/.github/SETUP.md @@ -39,18 +39,18 @@ After adding the secret, the workflow will automatically: - Authenticate to AWS using OIDC (no credentials stored) - Build Docker images for ARM64 platform - Push to ECR with appropriate tags: - - `:staging` for non-master branches - - `:prod` for master branch (after CI passes) + - `:staging` for non-main branches + - `:prod` for main branch (after CI passes) ## Testing To test the setup: -1. **Test staging build**: Push to any branch except `master` +1. **Test staging build**: Push to any branch except `main` - Should trigger Docker build and push to `:staging` tag - Check ECR repository to verify image was pushed -2. **Test production build**: Merge to `master` branch +2. **Test production build**: Merge to `main` branch - Should run lint, test, security checks first - If all pass, should build and push to `:prod` tag - Check ECR repository to verify image was pushed diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9c13f970..3473f97c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,9 +2,9 @@ name: CI on: push: - branches: [master] + branches: [main] pull_request: - branches: [master] + branches: [main] env: POETRY_VERSION: "2.3.0" 
@@ -14,8 +14,8 @@ jobs: lint: name: Lint runs-on: ubuntu-latest - # Only run on master branch pushes and PRs to master - if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master' + # Only run on main branch pushes and PRs to main + if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main' steps: - name: Checkout code uses: actions/checkout@v4 @@ -62,8 +62,8 @@ jobs: test: name: Test runs-on: ubuntu-latest - # Only run on master branch pushes and PRs to master - if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master' + # Only run on main branch pushes and PRs to main + if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main' steps: - name: Checkout code uses: actions/checkout@v4 @@ -125,8 +125,8 @@ jobs: security: name: Security Scan runs-on: ubuntu-latest - # Only run on master branch pushes and PRs to master - if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master' + # Only run on main branch pushes and PRs to main + if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main' steps: - name: Checkout code uses: actions/checkout@v4 @@ -173,9 +173,9 @@ jobs: docker-build-push: name: Build and Push Docker Image runs-on: ubuntu-latest - # Run on push to master (build+push) and on PRs (build only) + # Run on push to main (build+push) and on PRs (build only) if: github.event_name == 'push' || github.event_name == 'pull_request' - # For master/PR, wait for CI checks to pass + # For main/PR, wait for CI checks to pass needs: [ci-success] permissions: id-token: write # Required for OIDC authentication @@ -232,7 +232,7 @@ jobs: - name: Determine Docker tag id: docker-tag run: | - if [ "${{ github.ref }}" == "refs/heads/master" ]; then + if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "image=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end:prod" >> $GITHUB_OUTPUT echo "environment=Production" >> $GITHUB_OUTPUT else 
@@ -286,12 +286,12 @@ jobs: # Always run to satisfy docker-build-push dependency if: always() steps: - - name: Check all jobs passed (master/PR only) - if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master' + - name: Check all jobs passed (main/PR only) + if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main' run: | - # Check if jobs were skipped (non-master) or failed + # Check if jobs were skipped (non-main) or failed if [[ "${{ needs.lint.result }}" == "skipped" ]]; then - echo "Lint job was skipped - this should not happen on master/PR" + echo "Lint job was skipped - this should not happen on main/PR" exit 1 fi if [[ "${{ needs.lint.result }}" != "success" ]]; then @@ -299,7 +299,7 @@ jobs: exit 1 fi if [[ "${{ needs.test.result }}" == "skipped" ]]; then - echo "Test job was skipped - this should not happen on master/PR" + echo "Test job was skipped - this should not happen on main/PR" exit 1 fi if [[ "${{ needs.test.result }}" != "success" ]]; then @@ -308,7 +308,7 @@ jobs: fi # Security is informational, doesn't fail CI echo "All required jobs passed!" - - name: Pass through for non-master branches - if: github.event_name != 'pull_request' && github.ref != 'refs/heads/master' + - name: Pass through for non-main branches + if: github.event_name != 'pull_request' && github.ref != 'refs/heads/main' run: | - echo "Skipping CI checks for non-master branch (staging build will proceed)" + echo "Skipping CI checks for non-main branch (staging build will proceed)" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3b2da3d2..b86de683 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -172,7 +172,7 @@ High level overview of upcoming Operation Code goals. This is the source of upc ## Working On Your Issue -* Please first **read** Operation Code's [guidelines for working an issue](https://github.com/OperationCode/operationcode/blob/master/CONTRIBUTING.md#guidelines-for-working-an-issue) +* Please first **read** Operation Code's [guidelines for working an issue](https://github.com/OperationCode/operationcode/blob/main/CONTRIBUTING.md#guidelines-for-working-an-issue) * From the forked and cloned repository on your environment, you can now create a [feature branch](http://nvie.com/posts/a-successful-git-branching-model/). It is a good idea to name your branch after the issue it is attached to. @@ -188,10 +188,10 @@ git branch * Once you have finished your work, head over to **Operation Code**'s main GitHub page, and make a pull request. More information about pull requests can be found in the next section. -* To return to your main `master` branch, type the following in the terminal: +* To return to your main `main` branch, type the following in the terminal: ```bash -git checkout master +git checkout main ``` @@ -202,10 +202,10 @@ git checkout master Click to Expand Some issues take awhile to code a solution for. It is very normal to take a large amount of time to turn in well-written work that resolves an issue! In the meantime, there could be many other people contributing to the -code base. Since we use Git, you'll want to keep you project up-to-date with the `master` branch so there are no +code base. Since we use Git, you'll want to keep you project up-to-date with the `main` branch so there are no [merge conflicts](https://help.github.com/articles/about-merge-conflicts/) to resolve when you make your pull request.
    -
  1. Keep your fork in sync with Operation Code's master branch.
  2. +
  3. Keep your fork in sync with Operation Code's main branch.
@@ -291,7 +291,7 @@ Download and install Git for Windows from https://git-scm.com/download/win Download the latest version of python at https://www.python.org/downloads/, (3.7.3 at time of writing) -Follow the steps found in the [Quick Start Guide](https://github.com/OperationCode/back-end/blob/master/README.md#quick-start) +Follow the steps found in the [Quick Start Guide](https://github.com/OperationCode/back-end/blob/main/README.md#quick-start) Occasionally you will deal with path issues this is fixed within windows by adding the appropriate key value pair to the path. diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 71c49be1..dd613633 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -2,7 +2,7 @@ This file lists how the Operation Code Back End project is maintained. When making changes to the system, this file tells you who needs to review your contribution - you need a simple majority of maintainers for the relevant subsystems to provide a 👍 on your pull request. Additionally, you need to not receive a veto from a lieutenant or the project lead. -Check out [how Operation Code Open Source projects are maintained](https://github.com/OperationCode/START_HERE/blob/master/open_source_maintenance_policy.md) for details on the process, how to become a maintainer, lieutenant, or the project lead. +Check out [how Operation Code Open Source projects are maintained](https://github.com/OperationCode/START_HERE/blob/main/open_source_maintenance_policy.md) for details on the process, how to become a maintainer, lieutenant, or the project lead. # Project Lead diff --git a/OPS.md b/OPS.md index 68e03890..0ccdf73e 100644 --- a/OPS.md +++ b/OPS.md 
@@ -8,8 +8,8 @@ The backend is deployed to AWS ECS (Elastic Container Service) with separate sta Docker images are automatically built and pushed to AWS ECR via GitHub Actions: -- **PR branches** (any branch except `master`): Automatically builds and pushes to `:staging` tag -- **Master branch**: Automatically builds and pushes to `:prod` tag after CI checks pass +- **PR branches** (any branch except `main`): Automatically builds and pushes to `:staging` tag +- **main branch**: Automatically builds and pushes to `:prod` tag after CI checks pass The automated builds use AWS OIDC for secure authentication (no long-lived credentials). @@ -208,8 +208,8 @@ After setup, the GitHub Actions workflow will automatically: - Push images to ECR with appropriate tags (`:staging` or `:prod`) You can verify by: -1. Pushing a commit to a non-master branch (should push `:staging`) -2. Merging to master (should push `:prod` after tests pass) +1. Pushing a commit to a non-main branch (should push `:staging`) +2. Merging to main (should push `:prod` after tests pass) 3. Checking ECR repository for new images ## Security Best Practices diff --git a/src/gunicorn_config.py b/src/gunicorn_config.py index 52378c86..73b8cdef 100644 --- a/src/gunicorn_config.py +++ b/src/gunicorn_config.py @@ -48,7 +48,7 @@ # # A positive integer generally set to around 1000. # -# timeout - If a worker does not notify the master process in this +# timeout - If a worker does not notify the main process in this # number of seconds it is killed and a new worker is spawned # to replace it. # @@ -73,7 +73,7 @@ # preload_app - Load application code before forking worker processes. # This conserves memory and speeds up server boot times by loading -# the Django application once in the master process, then forking +# the Django application once in the main process, then forking # worker processes with shared code in memory. # # Greatly improves startup performance by eliminating redundant 
@@ -186,7 +186,7 @@ # A callable that accepts the same arguments as after_fork # # pre_exec - Called just prior to forking off a secondary -# master process during things like config reloading. +# main process during things like config reloading. # # A callable that takes a server instance as the sole argument. # From f13fa0d70ed2b9aa71f8fd7115d464ea7fa5d0cd Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 25 Jan 2026 14:54:08 -0800 Subject: [PATCH 2/5] optimize docker build process --- .dockerignore | 81 ++++++++++++++++++++++++++-------------- .github/workflows/ci.yml | 14 +++++-- Dockerfile | 29 ++++++++------ 3 files changed, 79 insertions(+), 45 deletions(-) diff --git a/.dockerignore b/.dockerignore index 1afb66fa..f1e53452 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,33 +1,56 @@ -*.env -git/ +# Git +.git +.github +.gitignore -build -dist +# Python +.venv +venv +__pycache__ +*.pyc +*.pyo +*.pyd +.Python +*.so +*.egg *.egg-info -*.egg/ +dist +build +.pytest_cache +.coverage +htmlcov +.tox +.mypy_cache +.ruff_cache + +# Environment files +.env +.env.* +!.env.example + +# IDE +.vscode +.idea *.swp +*.swo +*~ -.tox -.coverage -html/* -**/__pycache__ -**/*.pyc - -# Development files - should not be in production -.dev/ -src/.dev/ -src/.dev -**/.dev/ -**/.dev -*.sqlite3 -*.db -db.sqlite3 -src/db.sqlite3 -**/db.sqlite3 - -# Test artifacts -.pytest_cache/ -src/.pytest_cache/ -**/.pytest_cache/ -.coverage -htmlcov/ \ No newline at end of file +# Logs +*.log + +# Documentation +*.md +!README.md +docs/ + +# Testing +tests/ +*.test + +# macOS +.DS_Store + +# Temporary files +tmp/ +temp/ +*.tmp diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3473f97c..8f3d1452 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
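Review bot: The three comment edits in src/gunicorn_config.py (the `timeout`, `preload_app` and `pre_exec` descriptions) now call gunicorn's arbiter the "main process", but "master process" is gunicorn's own term in its settings documentation, and `timeout` is defined relative to it; the branch rename does not apply to these comments, and they now diverge from the upstream docs an operator would cross-reference. I would revert those three lines, or reword the first to `# timeout - If a worker does not notify the arbiter (gunicorn's master process) in this` so the intent is explicit.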
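Review bot: The rewritten .dockerignore drops the `*.sqlite3`, `*.db`, `db.sqlite3` and `.dev/` exclusions the old file carried, so a developer's local SQLite database or `.dev/` scratch directory now enters the build context; whether it reaches an image depends on the Dockerfile's COPY lines, which are not in this hunk, but excluding it at the context boundary is the cheaper guarantee. I would add them back under their own heading, e.g. `# Local databases and dev scratch`, `*.sqlite3`, `*.db`, `.dev/`. Note also that `tests/` is now excluded, which is fine for the runtime target but would break any development target that runs the test suite inside the container — worth confirming against the Dockerfile.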
@@ -172,7 +172,7 @@ jobs: docker-build-push: name: Build and Push Docker Image - runs-on: ubuntu-latest + runs-on: ubuntu-24.04-arm64 # Run on push to main (build+push) and on PRs (build only) if: github.event_name == 'push' || github.event_name == 'pull_request' # For main/PR, wait for CI checks to pass @@ -260,7 +260,7 @@ jobs: uses: aws-actions/amazon-ecr-login@v2 - name: Build and push Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . target: runtime @@ -269,8 +269,14 @@ jobs: tags: | ${{ steps.docker-tag.outputs.image }} provenance: false - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: | + type=gha,scope=arm64-${{ github.head_ref || github.ref_name }} + type=gha,scope=arm64-main + type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:${{ github.head_ref || github.ref_name }} + type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:main + cache-to: | + type=gha,mode=max,scope=arm64-${{ github.head_ref || github.ref_name }} + type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:${{ github.head_ref || github.ref_name }},mode=max - name: Output image URI if: steps.can-push.outputs.push == 'true' diff --git a/Dockerfile b/Dockerfile index dded4d67..f64bb57e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,11 +6,13 @@ FROM python:3.12-slim AS builder # Install build dependencies required for compiling Python packages -RUN apt-get update && apt-get install -y --no-install-recommends \ +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + rm -f /etc/apt/apt.conf.d/docker-clean && \ + apt-get update && apt-get install -y --no-install-recommends \ build-essential \ libpq-dev \ - curl \ - && rm -rf /var/lib/apt/lists/* + curl # Install Poetry ENV POETRY_VERSION=2.3.0 \ 
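Review bot: The bump to `docker/build-push-action@v6` in the second hunk changes runtime behaviour, not just the API: v6 generates a build summary and, as far as I recall, uploads the build record as a workflow artifact by default, which retains build logs and inputs for the artifact retention period. I cannot see all of the step's inputs in this hunk, so whether anything sensitive would land in that record is worth checking; if the retention is not wanted, add `DOCKER_BUILD_RECORD_UPLOAD: false` under the step's `env:` (and `DOCKER_BUILD_SUMMARY: false` to drop the summary). The third hunk's branch-derived registry cache refs are replaced later in this series, so I have not reviewed them here.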
@@ -20,7 +22,8 @@ ENV POETRY_VERSION=2.3.0 \ POETRY_VIRTUALENVS_CREATE=1 \ POETRY_CACHE_DIR=/tmp/poetry_cache -RUN curl -sSL https://install.python-poetry.org | python3 - && \ +RUN --mount=type=cache,target=/root/.cache \ + curl -sSL https://install.python-poetry.org | python3 - && \ ln -s /opt/poetry/bin/poetry /usr/local/bin/poetry WORKDIR /app @@ -52,13 +55,14 @@ LABEL org.opencontainers.image.description="Operation Code Backend - Development LABEL org.opencontainers.image.licenses="MIT" # Install runtime dependencies -RUN apt-get update && apt-get install -y --no-install-recommends \ +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + rm -f /etc/apt/apt.conf.d/docker-clean && \ + apt-get update && apt-get install -y --no-install-recommends \ libpq5 \ curl \ wget \ - && apt-get upgrade -y \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get clean + && apt-get upgrade -y # Create non-root user for security RUN groupadd -r appuser && \ @@ -100,13 +104,14 @@ LABEL org.opencontainers.image.description="Operation Code Backend - Django API" LABEL org.opencontainers.image.licenses="MIT" # Install only runtime dependencies (no build tools) -RUN apt-get update && apt-get install -y --no-install-recommends \ +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + rm -f /etc/apt/apt.conf.d/docker-clean && \ + apt-get update && apt-get install -y --no-install-recommends \ libpq5 \ curl \ wget \ - && apt-get upgrade -y \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get clean + && apt-get upgrade -y # Create non-root user for security RUN groupadd -r appuser && \ From 9cbb00a36aad68d1d4bf453848ed6c82c127d5ec Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 25 Jan 2026 14:57:13 -0800 Subject: [PATCH 3/5] fix runner type --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
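Review bot: The installer line in the second hunk (`curl -sSL https://install.python-poetry.org | python3 -`) still executes an unpinned remote script; POETRY_VERSION pins what gets installed, but nothing verifies the script itself, so that supply-chain exposure survives the rewrite. Downloading to a file and checking a digest before running it closes it: `curl -sSL -o /tmp/install-poetry.py https://install.python-poetry.org && \`, `echo "<EXPECTED_SHA256>  /tmp/install-poetry.py" | sha256sum -c - && \`, `python3 /tmp/install-poetry.py && \` (digest recorded when the script is reviewed). Separately, the `--mount=type=cache` directories added in all four Dockerfile hunks are, as far as I know, not part of the layer cache that `type=gha` exports, so on ephemeral CI runners they start empty on every run and the speed-up applies to local builds only — a comment above the first RUN saying so would stop anyone expecting CI gains from them. The `rm -f /etc/apt/apt.conf.d/docker-clean` in the third and fourth hunks also runs in the runtime stages, so that file is absent from the shipped image; harmless today, but a one-line comment noting it is deliberate would save a future reader the question.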
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8f3d1452..858c2f1a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -172,7 +172,7 @@ jobs:
 docker-build-push:
 name: Build and Push Docker Image
- runs-on: ubuntu-24.04-arm64
+ runs-on: ubuntu-24.04-arm
 # Run on push to main (build+push) and on PRs (build only)
 if: github.event_name == 'push' || github.event_name == 'pull_request'
 # For main/PR, wait for CI checks to pass
From 943ab96478f09655429e7a3b8b2724b95406e0a0 Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 25 Jan 2026 15:02:20 -0800 Subject: [PATCH 4/5] simplify cache key --- .github/workflows/ci.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 858c2f1a..22a16cd2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -270,13 +270,11 @@ jobs:
 ${{ steps.docker-tag.outputs.image }}
 provenance: false
 cache-from: |
- type=gha,scope=arm64-${{ github.head_ref || github.ref_name }}
- type=gha,scope=arm64-main
- type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:${{ github.head_ref || github.ref_name }}
- type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:main
+ type=gha,scope=arm64
+ type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:latest
 cache-to: |
- type=gha,mode=max,scope=arm64-${{ github.head_ref || github.ref_name }}
- type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:${{ github.head_ref || github.ref_name }},mode=max
+ type=gha,mode=max,scope=arm64
+ type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:latest,mode=max
 - name: Output image URI
 if: steps.can-push.outputs.push == 'true'
From 0b407f7d096f870c55cd1396d7862d964154808c Mon Sep 17 00:00:00 2001
From: Irving Popovetsky Date: Sun, 25 Jan 2026 15:07:12 -0800 Subject: [PATCH 5/5] don't cache to ECR --- .github/workflows/ci.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 22a16cd2..e8efec6b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -269,12 +269,8 @@ jobs:
 tags: |
 ${{ steps.docker-tag.outputs.image }}
 provenance: false
- cache-from: |
- type=gha,scope=arm64
- type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:latest
- cache-to: |
- type=gha,mode=max,scope=arm64
- type=registry,ref=633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end-cache:latest,mode=max
+ cache-from: type=gha,scope=arm64
+ cache-to: type=gha,mode=max,scope=arm64
 - name: Output image URI
 if: steps.can-push.outputs.push == 'true'