docker ops cleanup

.dclintrc

@@ -0,0 +1,8 @@
+{
+  "rules": {
+	  "require-project-name-field": 0,
+	  "no-build-and-image": 0
+  },
+  "quiet": false,
+  "debug": true
+}

.github/workflows/codeql-analysis.yml

@@ -14,9 +14,11 @@ name: "CodeQL"
 on:
   push:
     branches: [ master, production ]
+    paths: [ TWLight ]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master ]
+    paths: [ TWLight ]
   schedule:
     - cron: '31 13 * * 3'
 
@@ -39,7 +41,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -64,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4

.github/workflows/dclint.yml

@@ -0,0 +1,15 @@
+name: DCLint
+
+on:
+  push:
+    branches: [ master, production ]
+  pull_request:
+      branches: [ master ]
+      types: [ synchronize ]
+
+jobs:
+  dclint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker-compose-linter/dclint-github-action/docker-action@v1.6.0

bin/debian_swarm_deploy.sh

@@ -41,7 +41,7 @@ git clone https://github.com/WikipediaLibrary/TWLight.git /srv/TWLight
 cd /srv/TWLight || exit
 # Get on correct branch
 echo "Enter git branch:"
-read TWLIGHT_GIT_BRANCH
+read -r TWLIGHT_GIT_BRANCH
 git checkout "${TWLIGHT_GIT_BRANCH}" && git pull
 
 # Get input from human

bin/twlight_docker_deploy.sh

@@ -12,17 +12,23 @@ env=${1}
 tag=${2}
 
 # Move into the repository.
-cd /srv/TWLight
+cd /srv/TWLight || (echo "Error"; exit 1)
 # Check for newer image
-pull=$(docker pull quay.io/wikipedialibrary/twlight:${tag})
+pull=$(docker pull "quay.io/wikipedialibrary/twlight:${tag}")
 
 # Pull swarm config updates and update the stack if there is a new image.
-if echo ${pull} | grep "Status: Downloaded newer image for quay.io/wikipedialibrary/twlight:${tag}" >/dev/null
+if echo "${pull}" | grep "Status: Downloaded newer image for quay.io/wikipedialibrary/twlight:${tag}" >/dev/null
 then
+    # Accept divergent commit history from staging remote
+    if [ "$env" == "staging" ]
+    then
+        git fetch
+        git reset --hard origin
+    fi
     git pull
-    docker stack deploy -c docker-compose.yml -c docker-compose.${env}.yml ${env}
+    docker stack deploy --detach=false -c docker-compose.yml -c "docker-compose.${env}.yml" "${env}"
 # Report if the local image is already up to date.
-elif echo ${pull} | grep "Status: Image is up to date for quay.io/wikipedialibrary/twlight:${tag}" >/dev/null
+elif echo "${pull}" | grep "Status: Image is up to date for quay.io/wikipedialibrary/twlight:${tag}" >/dev/null
 then
    echo "Up to date"
 # Fail in any other circumstance.

docker-compose.cicd.yml

@@ -1,7 +1,4 @@
 ---
-
-version: '3.4'
-
 services:
   twlight:
     image: quay.io/wikipedialibrary/twlight:local

docker-compose.debug_toolbar.yml

@@ -1,7 +1,4 @@
 ---
-
-version: '3.4'
-
 services:
   twlight:
     build:

docker-compose.override.yml

@@ -1,8 +1,24 @@
 ---
-
-version: '3.4'
-
-# Local environment should mount plaintext files as secrets
+services:
+  twlight:
+    image: quay.io/wikipedialibrary/twlight:local
+    # Local environment should mount things from the code directory
+    volumes:
+      - type: bind
+        source: .
+        target: /app
+    env_file:
+      - path: ./conf/local.twlight.env
+        required: true
+      - path: .env
+        required: false
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+  web:
+    volumes:
+      - type: bind
+        source: ./conf/local.nginx.conf
+        target: /etc/nginx/conf.d/default.conf
 secrets:
   DJANGO_DB_NAME:
     file: ./secrets/DJANGO_DB_NAME
@@ -26,24 +42,3 @@ secrets:
     file: ./secrets/MW_API_EMAIL_USER
   MW_API_EMAIL_PASSWORD:
     file: ./secrets/MW_API_EMAIL_PASSWORD
-
-services:
-  twlight:
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
-    image: quay.io/wikipedialibrary/twlight:local
-    env_file:
-      - path: ./conf/local.twlight.env
-        required: true
-      - path: .env
-        required: false
-    # Local environment should mount things from the code directory
-    volumes:
-      - type: bind
-        source: .
-        target: /app
-  web:
-    volumes:
-      - type: bind
-        source: ./conf/local.nginx.conf
-        target: /etc/nginx/conf.d/default.conf

docker-compose.production.yml

@@ -1,48 +1,16 @@
 ---
-
-version: '3.4'
-
-secrets:
-  DJANGO_DB_NAME:
-    external: true
-  DJANGO_DB_USER:
-    external: true
-  DJANGO_DB_PASSWORD:
-    external: true
-  DKIM_PRIVATE_KEY:
-    external: true
-  MYSQL_ROOT_PASSWORD:
-    external: true
-  SECRET_KEY:
-    external: true
-  TWLIGHT_OAUTH_CONSUMER_KEY:
-    external: true
-  TWLIGHT_OAUTH_CONSUMER_SECRET:
-    external: true
-  TWLIGHT_EZPROXY_SECRET:
-    external: true
-  MW_API_EMAIL_USER:
-    external: true
-  MW_API_EMAIL_PASSWORD:
-    external: true
-
 services:
   migrate:
     image: quay.io/wikipedialibrary/twlight:branch_production
-    command: >
-      bash -c "/app/bin/twlight_backup.sh && /app/bin/virtualenv_migrate.sh"
-    restart: on-failure
-    env_file:
-      - ./conf/production.twlight.env
+    depends_on:
+      - 'db'
     volumes:
       - type: bind
         source: /data/project/prod
         target: /app/backup
       - type: bind
         source: ./media
         target: /app/media
-    depends_on:
-      - 'db'
     secrets:
       - DJANGO_DB_NAME
       - DJANGO_DB_USER
@@ -52,20 +20,48 @@ services:
       - TWLIGHT_OAUTH_CONSUMER_KEY
       - TWLIGHT_OAUTH_CONSUMER_SECRET
       - TWLIGHT_EZPROXY_SECRET
-  twlight:
-    image: quay.io/wikipedialibrary/twlight:branch_production
     env_file:
       - ./conf/production.twlight.env
+    command: >
+      bash -c "/app/bin/twlight_backup.sh && /app/bin/virtualenv_migrate.sh"
+    restart: on-failure
+  twlight:
+    image: quay.io/wikipedialibrary/twlight:branch_production
+    depends_on:
+      - 'migrate'
     volumes:
       - type: bind
         source: /data/project/prod
         target: /app/backup
-    depends_on:
-      - 'migrate'
+    env_file:
+      - ./conf/production.twlight.env
   web:
     volumes:
       - type: volume
         target: /var/lib/nginx/cache
       - type: bind
         source: ./conf/production.nginx.conf
         target: /etc/nginx/conf.d/default.conf
+secrets:
+  DJANGO_DB_NAME:
+    external: true
+  DJANGO_DB_USER:
+    external: true
+  DJANGO_DB_PASSWORD:
+    external: true
+  DKIM_PRIVATE_KEY:
+    external: true
+  MYSQL_ROOT_PASSWORD:
+    external: true
+  SECRET_KEY:
+    external: true
+  TWLIGHT_OAUTH_CONSUMER_KEY:
+    external: true
+  TWLIGHT_OAUTH_CONSUMER_SECRET:
+    external: true
+  TWLIGHT_EZPROXY_SECRET:
+    external: true
+  MW_API_EMAIL_USER:
+    external: true
+  MW_API_EMAIL_PASSWORD:
+    external: true

docker-compose.staging.yml

@@ -1,48 +1,16 @@
 ---
-
-version: '3.4'
-
-secrets:
-  DJANGO_DB_NAME:
-    external: true
-  DJANGO_DB_USER:
-    external: true
-  DJANGO_DB_PASSWORD:
-    external: true
-  DKIM_PRIVATE_KEY:
-    external: true
-  MYSQL_ROOT_PASSWORD:
-    external: true
-  SECRET_KEY:
-    external: true
-  TWLIGHT_OAUTH_CONSUMER_KEY:
-    external: true
-  TWLIGHT_OAUTH_CONSUMER_SECRET:
-    external: true
-  TWLIGHT_EZPROXY_SECRET:
-    external: true
-  MW_API_EMAIL_USER:
-    external: true
-  MW_API_EMAIL_PASSWORD:
-    external: true
-
 services:
   migrate:
     image: quay.io/wikipedialibrary/twlight:branch_staging
-    command: >
-      bash -c "/app/bin/twlight_backup.sh && /app/bin/virtualenv_migrate.sh"
-    restart: on-failure
-    env_file:
-      - ./conf/staging.twlight.env
+    depends_on:
+      - 'db'
     volumes:
       - type: bind
         source: /data/project/staging
         target: /app/backup
       - type: bind
         source: ./media
         target: /app/media
-    depends_on:
-      - 'db'
     secrets:
       - DJANGO_DB_NAME
       - DJANGO_DB_USER
@@ -52,20 +20,48 @@ services:
       - TWLIGHT_OAUTH_CONSUMER_KEY
       - TWLIGHT_OAUTH_CONSUMER_SECRET
       - TWLIGHT_EZPROXY_SECRET
-  twlight:
-    image: quay.io/wikipedialibrary/twlight:branch_staging
     env_file:
       - ./conf/staging.twlight.env
+    command: >
+      bash -c "/app/bin/twlight_backup.sh && /app/bin/virtualenv_migrate.sh"
+    restart: on-failure
+  twlight:
+    image: quay.io/wikipedialibrary/twlight:branch_staging
+    depends_on:
+      - 'migrate'
     volumes:
       - type: bind
         source: /data/project/staging
         target: /app/backup
-    depends_on:
-      - 'migrate'
+    env_file:
+      - ./conf/staging.twlight.env
   web:
     volumes:
       - type: volume
         target: /var/lib/nginx/cache
       - type: bind
         source: ./conf/staging.nginx.conf
         target: /etc/nginx/conf.d/default.conf
+secrets:
+  DJANGO_DB_NAME:
+    external: true
+  DJANGO_DB_USER:
+    external: true
+  DJANGO_DB_PASSWORD:
+    external: true
+  DKIM_PRIVATE_KEY:
+    external: true
+  MYSQL_ROOT_PASSWORD:
+    external: true
+  SECRET_KEY:
+    external: true
+  TWLIGHT_OAUTH_CONSUMER_KEY:
+    external: true
+  TWLIGHT_OAUTH_CONSUMER_SECRET:
+    external: true
+  TWLIGHT_EZPROXY_SECRET:
+    external: true
+  MW_API_EMAIL_USER:
+    external: true
+  MW_API_EMAIL_PASSWORD:
+    external: true