Initial commit

.dockerignore

@@ -0,0 +1,17 @@
+.git
+.gitignore
+.gitattributes
+.cache
+*.md
+*.example
+LICENSE
+logo.*
+*.png
+*.gif
+*.jpg
+*.bmpr
+*.svg
+*.sample
+.env*
+Dockerfile
+docker-compose.yml

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

.github/workflows/main.yaml

@@ -0,0 +1,124 @@
+name: "Docker Release -- LATEST"
+
+on:
+  push:
+    branches:
+      - "master"
+      - "main"
+env:
+  TERM: 'xterm'
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+jobs:
+  vuln-report:
+    name: Vulnerability Report
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH,MODERATE'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  bump-tag:
+    name: Create new tag
+    needs: []
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.save-output.outputs.version }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Bump version and push tag
+        id: bump-tag
+        uses: anothrNick/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_BRANCHES: "master,main"
+          DEFAULT_BUMP: "patch"
+          INITIAL_VERSION: "1.1.1"
+      - name: Log new version
+        id: log-version
+        run: echo "New version -- ${{ steps.bump-tag.outputs.new_tag }}"
+      - name: Save version to Output
+        id: save-output
+        run: echo "version=${{ steps.bump-tag.outputs.new_tag }}" >> $GITHUB_OUTPUT
+
+  release:
+    name: Publish Docker Image
+    needs: [bump-tag]
+    runs-on: ubuntu-latest
+    outputs:
+      tags: ${{ steps.docker-tags.outputs.tags }}
+    steps:
+      - name: Remove unnecessary files
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+      - name: Checkout source code
+        id: checkout-code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Build Docker Tags
+        id: docker-tags
+        run: |
+          CUR_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+          if [[ $CUR_BRANCH = "main" || $CUR_BRANCH = "master" ]]; then
+              TAGS="${{ github.repository }}:${{ needs.bump-tag.outputs.version }},${{ github.repository }}:latest"
+          fi
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        id: setup-qemu
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ steps.vars.outputs.sha_short }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+
+      - name: Build & Push Base Image
+        id: docker-build
+        uses: docker/build-push-action@v5
+        with:
+          builder: ${{ steps.setup-buildx.outputs.name }}
+          context: ./
+          platforms: linux/amd64
+          file: ./Dockerfile
+          push: true
+          tags: ${{ steps.docker-tags.outputs.tags }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+
+      - name: Notify Slack
+        uses: act10ns/slack@v2
+        with:
+          status: ${{ job.status }}
+          steps: ${{ toJson(steps) }}
+        if: always()

.gitignore

@@ -0,0 +1,5 @@
+*.pyc
+data/*
+*.log
+.cache/*
+.nv/*

.streamlit/config.toml

@@ -0,0 +1,2 @@
+[browser]
+gatherUsageStats = false

Dockerfile

@@ -0,0 +1,38 @@
+FROM python:3.10-slim as base
+
+# Setup env
+ENV LANG C.UTF-8
+ENV LC_ALL C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONFAULTHANDLER 1
+
+
+FROM base AS python-deps
+
+# Install pipenv and compilation dependencies
+RUN pip install pipenv
+RUN apt-get update && apt-get install -y --no-install-recommends gcc
+
+# Install python dependencies in /.venv
+COPY Pipfile .
+COPY Pipfile.lock .
+RUN PIPENV_VENV_IN_PROJECT=1 pipenv install --deploy
+
+
+FROM base AS runtime
+
+# Copy virtual env from python-deps stage
+COPY --from=python-deps /.venv /.venv
+ENV PATH="/.venv/bin:$PATH"
+
+# Create and switch to a new user
+RUN useradd --create-home appuser
+WORKDIR /home/appuser
+USER appuser
+
+# Install application into container
+COPY . .
+
+# Run the application
+ENTRYPOINT ["python", "-m", "streamlit"]
+CMD ["run", "main.py"]