rbio deploy: add deploy:branch, deploy:repo, deploy:verify-images

Author: davidsmejia

bin/lib/deploy.py

@@ -1,12 +1,23 @@
 """deploy:* — deploy-time templating + ops invoked from infrastructure/."""
 
 import argparse
+import json
 import os
 import re
+import subprocess
+import urllib.error
+import urllib.request
 from pathlib import Path
 
+from lib._docker import ALL_IMAGES
 from lib._runtime import REPO_ROOT, Globals, stderr
 
+# Branch -> Dockerhub repo. Replaces scripts/common.sh::get_deploy_repo.
+DEPLOY_REPOS = {
+    "master": "ccdl",
+    "dev": "ccdlstaging",
+}
+
 # Per-template RAM fan-out for the workers project. A template not listed here
 # uses DEFAULT_WORKER_RAMS; one in NO_RAM_WORKER_TEMPLATES is rendered once
 # without a RAM postfix.
@@ -197,6 +208,147 @@ def _render(text, env):
     return TEMPLATE_VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)
 
 
+def cmd_deploy_branch(argv):
+    p = argparse.ArgumentParser(
+        prog="rbio deploy:branch",
+        description=(
+            "Print the deploy branch (master/dev/unknown) a version tag was cut from. "
+            "Mirrors scripts/common.sh::get_deploy_branch."
+        ),
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    p.add_argument("version", help="version tag (e.g. v1.2.3 or v1.2.3-dev)")
+    args = p.parse_args(argv)
+
+    on_master = _tag_reachable_from(args.version, "origin/master")
+    on_dev = _tag_reachable_from(args.version, "origin/dev")
+    # All staging versions end -dev or -dev-hotfix; production never does.
+    has_dev_suffix = bool(re.search(r"-dev(-hotfix)?$", args.version))
+
+    if on_master and not has_dev_suffix:
+        print("master")
+    elif on_dev:
+        print("dev")
+    else:
+        print("unknown")
+    return 0
+
+
+def _tag_reachable_from(version, remote_branch):
+    """True if `version` appears anywhere in `git log <remote_branch> --decorate=full`.
+
+    Mirrors common.sh's `git log origin/X --decorate=full | grep "$version"` heuristic.
+    """
+    result = subprocess.run(
+        ["git", "log", remote_branch, "--decorate=full"],
+        capture_output=True,
+        text=True,
+        cwd=str(REPO_ROOT),
+    )
+    return result.returncode == 0 and version in result.stdout
+
+
+def cmd_deploy_repo(argv):
+    p = argparse.ArgumentParser(
+        prog="rbio deploy:repo",
+        description=(
+            "Print the Dockerhub repo namespace for a deploy branch (master -> ccdl, "
+            "dev -> ccdlstaging). Mirrors scripts/common.sh::get_deploy_repo."
+        ),
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    p.add_argument("branch", choices=sorted(DEPLOY_REPOS))
+    args = p.parse_args(argv)
+    print(DEPLOY_REPOS[args.branch])
+    return 0
+
+
+def cmd_deploy_verify_images(argv):
+    p = argparse.ArgumentParser(
+        prog="rbio deploy:verify-images",
+        description=(
+            "Verify every image in ALL_IMAGES has been pushed to Dockerhub at the "
+            "given tag. Used post-deploy to catch silent push failures."
+        ),
+        epilog=(
+            "env vars:\n"
+            "  DOCKER_USERNAME  Dockerhub login (required)\n"
+            "  DOCKER_PASSWORD  Dockerhub password / access token (required)\n"
+        ),
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    p.add_argument(
+        "-r", "--repo", required=True, help="Dockerhub repo namespace (e.g. ccdlstaging)"
+    )
+    p.add_argument("-t", "--tag", required=True, help="image tag to verify (e.g. v1.2.3)")
+    args = p.parse_args(argv)
+
+    user = os.environ.get("DOCKER_USERNAME")
+    password = os.environ.get("DOCKER_PASSWORD")
+    if not user or not password:
+        stderr("rbio deploy:verify-images: DOCKER_USERNAME and DOCKER_PASSWORD must be set")
+        return 1
+
+    token = _dockerhub_token(user, password)
+    if not token:
+        stderr("rbio deploy:verify-images: failed to authenticate with Dockerhub")
+        return 1
+
+    missing = []
+    for image in ALL_IMAGES:
+        repo_path = f"{args.repo}/dr_{image}"
+        if not _dockerhub_tag_exists(token, repo_path, args.tag):
+            missing.append(f"{repo_path}:{args.tag}")
+
+    if missing:
+        stderr(f"rbio deploy:verify-images: {len(missing)} image(s) not found on Dockerhub:")
+        for m in missing:
+            stderr(f"  {m}")
+        stderr("This is generally caused by a temporary push error; rerun the workflow.")
+        return 1
+    return 0
+
+
+def _dockerhub_token(username, password):
+    """Authenticate to Dockerhub v2 API and return a JWT, or None on failure."""
+    req = urllib.request.Request(
+        "https://hub.docker.com/v2/users/login/",
+        data=json.dumps({"username": username, "password": password}).encode(),
+        headers={"Content-Type": "application/json"},
+        method="POST",
+    )
+    try:
+        with urllib.request.urlopen(req) as resp:
+            return json.loads(resp.read()).get("token")
+    except (urllib.error.URLError, json.JSONDecodeError):
+        return None
+
+
+def _dockerhub_tag_exists(token, repo, tag):
+    """True if `repo:tag` is listed in Dockerhub's tag index for `repo`."""
+    req = urllib.request.Request(
+        f"https://hub.docker.com/v2/repositories/{repo}/tags/?page_size=10000",
+        headers={"Authorization": f"JWT {token}"},
+    )
+    try:
+        with urllib.request.urlopen(req) as resp:
+            data = json.loads(resp.read())
+            return any(t.get("name") == tag for t in data.get("results", []))
+    except (urllib.error.URLError, json.JSONDecodeError):
+        return False
+
+
 COMMANDS = [
     ("deploy:format-batch", cmd_deploy_format_batch, "render Batch job specs/env from templates"),
+    (
+        "deploy:branch",
+        cmd_deploy_branch,
+        "print the deploy branch (master/dev/unknown) for a version tag",
+    ),
+    ("deploy:repo", cmd_deploy_repo, "print the Dockerhub repo namespace for a deploy branch"),
+    (
+        "deploy:verify-images",
+        cmd_deploy_verify_images,
+        "verify all ALL_IMAGES were pushed at a given tag",
+    ),
 ]