Merge pull request #2798 from ohcnetwork/develop

Merge Develop To Staging

.github/workflows/deploy.yml

@@ -28,6 +28,7 @@ env:
 
 jobs:
   test:
+    name: Test
     uses: ./.github/workflows/reusable-test.yml
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -36,30 +37,30 @@ jobs:
 
   build:
     needs: test
-    name: Build & Push to container registries
-    runs-on: ubuntu-24.04-arm
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@v4
 
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
       - name: Generate docker tags
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: |
             ghcr.io/${{ github.repository }}
-          tags: |
-            type=raw,value=production-latest,enable=${{ startsWith(github.event.ref, 'refs/tags/v') }}
-            type=raw,value=production-latest-${{ github.run_number }}-{{date 'YYYYMMDD'}}-{{sha}},enable=${{ startsWith(github.event.ref, 'refs/tags/v') }}
-            type=raw,value=staging-latest,enable=${{ github.ref == 'refs/heads/staging' }}
-            type=raw,value=staging-latest-${{ github.run_number }}-{{date 'YYYYMMDD'}}-{{sha}},enable=${{ github.ref == 'refs/heads/staging' }}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/develop' }}
-            type=raw,value=latest-${{ github.run_number }},enable=${{ github.ref == 'refs/heads/develop' }}
-            type=semver,pattern={{version}}
-          flavor: |
-            latest=false
-
-      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v3
 
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -74,30 +75,97 @@ jobs:
       - name: Cache Docker layers
         uses: actions/cache@v4
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-build-${{ hashFiles('Pipfile.lock', 'docker/prod.Dockerfile') }}
+          path: ${{ runner.temp }}/.buildx-cache
+          key: ${{ runner.os }}-${{ runner.arch }}-buildx-prod-${{ hashFiles('Pipfile.lock', 'docker/prod.Dockerfile') }}
           restore-keys: |
-            ${{ runner.os }}-buildx-build-
+            ${{ runner.os }}-${{ runner.arch }}-buildx-prod-
 
       - name: Create new cache
         run: |
-          mkdir -p /tmp/.buildx-cache
-          mkdir -p /tmp/.buildx-cache-new
+          mkdir -p ${{ runner.temp }}/.buildx-cache
+          mkdir -p ${{ runner.temp }}/.buildx-cache-new
 
-      - name: Build and push image
+      - name: Build and push by digest
+        id: build
         uses: docker/build-push-action@v6
         with:
           context: .
           file: docker/prod.Dockerfile
-          push: true
-          provenance: false
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=ghcr.io/${{ github.repository }},push-by-digest=true,name-canonical=true,push=true
           build-args: |
             APP_VERSION=${{ github.sha }}
             ADDITIONAL_PLUGS=${{ env.ADDITIONAL_PLUGS }}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+          cache-from: type=local,src=${{ runner.temp }}/.buildx-cache
+          cache-to: type=local,dest=${{ runner.temp }}/.buildx-cache-new,mode=max
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Move cache
+        run: |
+          rm -rf ${{ runner.temp }}/.buildx-cache
+          mv ${{ runner.temp }}/.buildx-cache-new ${{ runner.temp }}/.buildx-cache
+
+
+  merge-manifests:
+    needs: build
+    name: Merge & Push Manifests
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Generate docker tags
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=raw,value=production-latest,enable=${{ startsWith(github.event.ref, 'refs/tags/v') }}
+            type=raw,value=production-latest-${{ github.run_number }}-{{date 'YYYYMMDD'}}-{{sha}},enable=${{ startsWith(github.event.ref, 'refs/tags/v') }}
+            type=raw,value=staging-latest,enable=${{ github.ref == 'refs/heads/staging' }}
+            type=raw,value=staging-latest-${{ github.run_number }}-{{date 'YYYYMMDD'}}-{{sha}},enable=${{ github.ref == 'refs/heads/staging' }}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/develop' }}
+            type=raw,value=latest-${{ github.run_number }},enable=${{ github.ref == 'refs/heads/develop' }}
+            type=semver,pattern={{version}}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)
 
       - name: Create Sentry release
         uses: getsentry/action-release@v1
@@ -107,16 +175,9 @@ jobs:
           SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
         with:
           version: ${{ github.sha }}
-      - name: Update cache
-        if: always() # Run even if previous steps fail
-        run: |
-          if [ -d "/tmp/.buildx-cache-new" ]; then
-            rm -rf /tmp/.buildx-cache
-            mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-          fi
 
   notify-release:
-    needs: build
+    needs: merge-manifests
     if: startsWith(github.event.ref, 'refs/tags/v')
     name: Notify release
     runs-on: ubuntu-24.04-arm
@@ -126,7 +187,7 @@ jobs:
           echo "Release ${{ github.sha }} is ready to be deployed to production"
 
   deploy-staging-egov:
-    needs: build
+    needs: merge-manifests
     if: github.ref == 'refs/heads/develop'
     name: Deploy to ECS API Egov
     runs-on: ubuntu-24.04-arm

.github/workflows/linter.yml

@@ -19,6 +19,9 @@ jobs:
         with:
           python-version: "3.13"
 
-      - uses: pre-commit/[email protected]
-        with:
-          extra_args: --color=always --from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}
+      - run: |
+          python -m pip install pre-commit
+
+      - run: |
+          pre-commit run --show-diff-on-failure --color=always \
+          --from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}

.github/workflows/reusable-test.yml

@@ -13,6 +13,7 @@ on:
 
 jobs:
   test:
+    name: Test
     runs-on: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@v4
@@ -24,26 +25,37 @@ jobs:
         id: cache-restore
         uses: actions/cache/restore@v4
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ hashFiles('Pipfile.lock', 'docker/dev.Dockerfile') }}
+          path: |
+            ${{ runner.temp }}/.buildx-cache
+            ${{ runner.temp }}/.buildx-mounted-cache
+          key: ${{ runner.os }}-${{ runner.arch }}-buildx-dev-${{ hashFiles('Pipfile.lock', 'docker/dev.Dockerfile') }}
           restore-keys: |
-            ${{ runner.os }}-buildx-
+            ${{ runner.os }}-${{ runner.arch }}-buildx-dev-
+
+      - name: inject cache into docker
+        uses: reproducible-containers/[email protected]
+        with:
+          cache-map: |
+            {
+              "${{ runner.temp }}/.buildx-mounted-cache": "/root/.cache/pip"
+            }
+          skip-extraction: ${{ steps.cache-restore.outputs.cache-hit }}
 
       - name: Create new cache
         run: |
-          mkdir -p /tmp/.buildx-cache
-          mkdir -p /tmp/.buildx-cache-new
+          mkdir -p ${{ runner.temp }}/.buildx-cache
+          mkdir -p ${{ runner.temp }}/.buildx-cache-new
+          mkdir -p ${{ runner.temp }}/.buildx-mounted-cache
 
-      - name: Bake docker images
-        uses: docker/bake-action@v5
-        with:
-          load: true
-          set: |
-            *.cache-from=type=local,src=/tmp/.buildx-cache
-            *.cache-to=type=local,dest=/tmp/.buildx-cache-new
-          files: docker-compose.yaml,docker-compose.local.yaml
-        env:
-          DOCKER_BUILD_SUMMARY: false
+      - name: Build images
+        run: |
+          docker buildx build \
+            --file docker/dev.Dockerfile \
+            --tag care_local \
+            --cache-from=type=local,src=${{ runner.temp }}/.buildx-cache \
+            --cache-to=type=local,dest=${{ runner.temp }}/.buildx-cache-new,mode=max \
+            --platform linux/arm64 \
+            .
 
       - name: Start services
         run: |
@@ -56,7 +68,7 @@ jobs:
             -f docker-compose.local.yaml \
             logs
 
-      - name: Check migrations
+      - name: Check missing migrations
         run: make checkmigration
 
       - name: Validate integrity of fixtures
@@ -74,24 +86,30 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-      - name: Move new cache
+      - name: Move cache
         run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          rm -rf ${{ runner.temp }}/.buildx-cache
+          mv ${{ runner.temp }}/.buildx-cache-new ${{ runner.temp }}/.buildx-cache
 
       - name: Save Docker layers cache
-        if: ${{ inputs.event_name == 'push' || github.event_name == 'push' }}
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' && steps.cache-restore.outputs.cache-hit != 'true' }}
         uses: actions/cache/save@v4
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ hashFiles('Pipfile.lock', 'docker/dev.Dockerfile') }}
+          path: |
+            ${{ runner.temp }}/.buildx-cache
+            ${{ runner.temp }}/.buildx-mounted-cache
+          key: ${{ runner.os }}-${{ runner.arch }}-buildx-dev-${{ hashFiles('Pipfile.lock', 'docker/dev.Dockerfile') }}
+
+      # Upload dummy db as artifact so it can be used to speed up frontend tests
+      - name: Dump db
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' }}
+        run: make dump-db
 
       - name: Upload db artifact
-        if: ${{ inputs.event_name == 'push' || github.event_name == 'push' }}
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' }}
         uses: actions/upload-artifact@v4
         with:
           name: care-db-dump
           path: care_db.dump
           retention-days: 30
           compression-level: 0 # file is already compressed
-          overwrite: true # keep only the last artifact

.github/workflows/test-merge-queue.yml

@@ -5,8 +5,7 @@ on:
 
 jobs:
   test:
+    name: Test
     uses: ./.github/workflows/reusable-test.yml
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-    with:
-      event_name: ${{ github.event_name }}

.github/workflows/test-pull-request.yml

@@ -9,8 +9,7 @@ concurrency:
 
 jobs:
   test:
+    name: Test
     uses: ./.github/workflows/reusable-test.yml
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-    with:
-      event_name: ${{ github.event_name }}

Pipfile

@@ -6,7 +6,7 @@ name = "pypi"
 [packages]
 argon2-cffi = "==23.1.0"
 authlib = "==1.4.0"
-boto3 = "==1.35.98"
+boto3 = "==1.36.7"
 celery = "==5.4.0"
 django = "==5.1.4"
 django-environ = "==0.12.0"
@@ -32,7 +32,7 @@ newrelic = "==10.4.0"
 pillow = "==11.1.0"
 psycopg = { extras = ["c"], version = "==3.2.3" }
 pydantic = "==2.9.2"
-pyjwt = "==2.9.0"
+pyjwt = "==2.10.1"
 python-slugify = "==8.0.4"
 pywebpush = "==2.0.1"
 redis = { extras = ["hiredis"], version = "==5.2.1" }
@@ -42,7 +42,7 @@ simplejson = "==3.19.3"
 sentry-sdk = "==2.18.0"
 whitenoise = "==6.8.2"
 django-anymail = {extras = ["amazon-ses"], version = "*"}
-pydantic-extra-types = "2.10.1"
+pydantic-extra-types = "2.10.2"
 phonenumberslite = "==8.13.52"
 
 [dev-packages]
@@ -56,7 +56,7 @@ djangorestframework-stubs = "==3.15.2"
 factory-boy = "==3.3.1"
 freezegun = "==1.5.1"
 ipython = "==8.31.0"
-mypy = "==1.13.0"
+mypy = "==1.14.1"
 pre-commit = "==4.0.1"
 requests-mock = "==1.12.1"
 tblib = "==3.0.0"