promote deploy-test to PROD

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.2.1
+current_version = 0.3.0
 commit = True
 tag = False
 

.github/workflows/deploy-to-aws.yaml

@@ -10,79 +10,16 @@ on:
   workflow_dispatch:
 
 jobs:
-  # call-test-workflow:
-  #   uses: GNS-Science/nshm-github-actions/.github/workflows/python-run-tests.yml@main
-  #   with:
-  #     operating-systems: "['ubuntu-latest']"
-  #     python-versions: "['3.11']"
-  #   secrets: inherit
-
-  deploy:
-    # needs: call-test-workflow
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [22]
-        python-version: [3.11]
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Install and configure Poetry
-        uses: GNS-Science/install-poetry@main
-        with:
-          virtualenvs-create: true
-          virtualenvs-in-project: true
-          installer-parallel: true
-
-      - name: Ensure latest requiremments.txt
-        run: |
-          poetry self add poetry-plugin-export
-          poetry export --without-hashes --format=requirements.txt > requirements.txt
-
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
-        with:
-          node-version: ${{ matrix.node-version }}
-          check-latest: true
-
-      - name: upgrade NPM
-        run: npm install --location=global npm@latest
-
-      - name: Verify NPM
-        run: npm doctor
-
-      - name: Install Dependencies
-        run: npm install
-
-      - name: List packages
-        run: npm ls	
-
-      - name: Serverless Doctor
-        run: npm run-script sls_doctor
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ap-southeast-2
-
-      - name: Login to ECR
-        uses: docker/login-action@v3
-        with:
-          registry: 461564345538.dkr.ecr.ap-southeast-2.amazonaws.com
-
-      - name: Serverless Deploy ....
-        env:
-          ENABLE_METRICS: 1
-        run: |
-          if [[ "${{github.base_ref}}" == "main" || "${{github.ref}}" == 'refs/heads/main' ]]; then
-              STAGE=prod REGION=ap-southeast-2 npm run-script deploy
-          else
-              STAGE=test REGION=ap-southeast-2 npm run-script deploy
-          fi
-
+  call-test-workflow:
+    uses: ./.github/workflows/dev.yml
+    secrets: inherit
+
+  call-deploy-workflow:
+    needs: call-test-workflow
+    uses: GNS-Science/nshm-github-actions/.github/workflows/deploy-to-aws.yml@main
+    with:
+      python-version: '3.12'
+      node-version: '22'
+      docker: true
+      node-pkg-manager: 'yarn2' 
+    secrets: inherit

.github/workflows/dev.yml

@@ -9,11 +9,14 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+  workflow_call:
+
 jobs:
   call-test-workflow:
     uses: GNS-Science/nshm-github-actions/.github/workflows/python-run-tests.yml@main
     with:
       operating-systems: "['ubuntu-latest']"
-      python-versions: "['3.10', '3.11']"
+      python-versions: "['3.12']"
       delete-poetry-lock: ${{ github.event_name == 'schedule' }} # the scheduled build tests against newer dependencies
+      optional-dependency-groups: dev
     secrets: inherit

.github/workflows/release.yml

@@ -0,0 +1,28 @@
+# Publish package on main branch if it's tagged with 'v*'
+
+name: Release & publish workflow
+
+# Controls when the action will run.
+on:
+  # Triggers the workflow on push events but only for the master branch
+  push:
+    tags: 'v*'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+
+  release-and-distribute:
+    uses:  GNS-Science/nshm-github-actions/.github/workflows/python-release.yml@main
+    with:
+      python-version:  '3.12'
+      pypi-publish: false
+    secrets: inherit
+
+#   deploy-docs:
+#     uses:  GNS-Science/nshm-github-actions/.github/workflows/python-deploy-docs.yml@main
+#     with:
+#       python-version:  '3.12'
+#       optional-dependency-groups: 'doc'
+#     secrets: inherit

.gitignore

@@ -36,6 +36,8 @@ wheels/
 *.egg-info/
 .installed.cfg
 *.egg
+requirements.txt
+audit.txt
 
 # PyInstaller
 #  Usually these files are written by a python script from a template

CHANGELOG.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## [0.3.0] - 2025-10-20
+
+### Changed
+ - migrate to serverless 4
+ - set serverless to python 3.12
+ - migrate pyproject.toml to PEP508
+ - ensureCI/CD workflows use minimum install footprints
+
+### Added
+ - tox audit step
+
+## Removed
+ - doc dependency group
+
+## [0.2.3] - 2025-09-23
+
+### Changed
+ - pinned import on graphql_server library to 3.0.0b7 until upstream release is fixed.
+ - upgraded to Python 3.12
+ - move to yarn2 for node package management
+ - update python packages with security warnings
+
+## [0.2.2] - 2025-07-23
+
+### Changed
+ - update to THS 1.2.1
+ - migrate to THS hazard queries
+
 ## [0.2.1] - 2025-07-17
 
 ### Added

Containerise-00.md

@@ -13,33 +13,35 @@ Login Succeeded
 
 ## Get a base image
 
-Using the AWS official python lambda image: `public.ecr.aws/lambda/python:3.11`
+Using the AWS official python lambda image: `public.ecr.aws/lambda/python:3.12`
 
 ```
-docker pull public.ecr.aws/lambda/python:3.11
+docker pull public.ecr.aws/lambda/python:3.12
 3.12: Pulling from lambda/python
 .....
-Status: Downloaded newer image for public.ecr.aws/lambda/python:3.11
-public.ecr.aws/lambda/python:3.11
+Status: Downloaded newer image for public.ecr.aws/lambda/python:3.12
+public.ecr.aws/lambda/python:3.12
 ```
 
 ### get the requirements
 poetry export --without-hashes --format=requirements.txt > requirements.txt
 
 ### test wsgi handlers
 
-`poetry run npx serverless wsgi serve`
+```
+ENABLE_METRICS=0 poetry run yarn sls wsgi serve
+```
 
 ## A Dockerfile
 
 see [Dockerfile](./Dockerfile)
 
 ### build it
+```
+BUILDX_NO_DEFAULT_ATTESTATIONS=1 yarn sls package
+```
 
-`BUILDX_NO_DEFAULT_ATTESTATIONS=1 npx serverless package`
-
-### and/or deploy it
-
-this will push the image
-
-`BUILDX_NO_DEFAULT_ATTESTATIONS=1 npx serverless deploy  --stage dev --region us-east-1`
+### and/or just deploy it
+```
+BUILDX_NO_DEFAULT_ATTESTATIONS=1 yarn sls deploy --stage dev --region ap-southeast-2
+```

DEVELOPMENT.md

@@ -1,21 +1,27 @@
 # DEVELOPMENT
 
-This application uses  serverless.com.
-
+This application uses serverless.com.
 
 ### Environment setup
 
  - clone the repo
- - check/install a recent node version >=17.8
- - check/install a recent npm version >=8.11
- - install serverless `npm install --save serverless` [more info]()
- - install `npm install --save serverless-python-requirements`  [more info](https://www.serverless.com/blog/serverless-python-packaging/)
- - install `npm install -save serverless-wsgi` [more info](https://www.serverless.com/plugins/serverless-wsgi)
- - `serverless plugin install -n serverless-python-requirements`
- - `serverless plugin install -n serverless-wsgi`
+ - check/install a recent node version >=22
+   `nvm use 22`
+
+- setup python env
+```
+pyenv local 3.12
+poetry env use 3.12
+```
 
+setup yarn 2 ...
+```
+corepack enable
+yarn set version berry
+yarn install
+```
 
-Now `sls info` should print something like ...
+Now `yarn sls info` should print something like ...
 
 ```
 chrisbc@tryharder-ubuntu:/GNSDATA/API/kororaa-graphql-api$ sls info
@@ -28,19 +34,18 @@ Bugs:        github.com/serverless/serverless/issue
 
 ```
 
-You'll problably see an error, if youtr AWS credentials are not thise required for SLS.
-
+You'll problably see an error, if your AWS credentials are not thise required for SLS.
 
 ### AWS credentials
 
 ## TESTING
 
-### Run API locally
-`$> ENABLE_METRICS=0 AWS_PROFILE=toshi_batch_devops sls wsgi serve --region ap-southeast-2 --stage PROD`
-
-
 ### API Feature tests
-`$>poetry run pytest`
+`poetry run pytest`
+
+### Run API locally
+`ENABLE_METRICS=0 poetry run yarn sls wsgi serve`
+poetry run yarn serverless wsgi serve
 
 
 

Dockerfile

@@ -1,21 +1,23 @@
 #Dockerfile
-FROM public.ecr.aws/lambda/python:3.11
+FROM public.ecr.aws/lambda/python:3.12
 
 ARG FUNCTION_ROOT_DIR="/var/task"
 
-# GIT
-RUN yum install git-core -y
-
 # Create function directory
 RUN mkdir -p ${FUNCTION_ROOT_DIR}/nshm_hazard_graphql_api
 
 # The lamba service functions
 COPY ./nshm_hazard_graphql_api/ ${FUNCTION_ROOT_DIR}/nshm_hazard_graphql_api
-COPY requirements.txt ${FUNCTION_DIR}
+COPY requirements.txt ${FUNCTION_ROOT_DIR}
 
 WORKDIR ${FUNCTION_ROOT_DIR}
-RUN pip install --upgrade pip
-RUN pip3 install -r requirements.txt
+
+RUN dnf install git-core -y &&\
+    pip install --upgrade pip &&\
+    pip3 install -r requirements.txt &&\
+    pip cache purge &&\
+    dnf remove git-core -y &&\
+    dnf clean all
 
 # lambda entry point
 CMD ["nshm_hazard_graphql_api.nshm_hazard_graphql_api.app"]

nshm_hazard_graphql_api/__init__.py

@@ -2,4 +2,4 @@
 
 __author__ = """GNS Science New Zealand"""
 __email__ = 'nshm@gns.cri.nz'
-__version__ = '0.2.1'
+__version__ = '0.3.0'

nshm_hazard_graphql_api/config.py

@@ -1,6 +1,7 @@
 """
 This module exports comfiguration for the current system
 """
+
 import os
 
 from dotenv import load_dotenv
@@ -21,6 +22,3 @@ def boolean_env(environ_name, default='FALSE'):
 LOGGING_CFG = os.getenv('LOGGING_CFG', 'nshm_hazard_graphql_api/logging_aws.yaml')
 ENABLE_METRICS = bool(os.getenv('ENABLE_METRICS', '').upper() in ["1", "Y", "YES", "TRUE"])
 CW_METRICS_RESOLUTION = os.getenv('CW_METRICS_RESOLUTION', 60)  # 1 for high resolution or 60
-
-DATASET_AGGR_ENABLED = bool(os.getenv('DATASET_AGGR_ENABLED', '').upper() in ["1", "Y", "YES", "TRUE"])
-DATASET_AGGR_URI = os.getenv('DATASET_AGGR_URI', '')