msk-access · rhshah · Sep 4, 2025 · May 13, 2025 · Sep 4, 2025 · Sep 4, 2025
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -0,0 +1,57 @@
+name: Publish Python Package
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to publish (e.g., 1.0.0)'
+        required: false
+
+env:
+  PYTHON_VERSION: '3.9'
+
+jobs:
+  deploy:
+    name: Build and Publish
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'
+          cache-dependency-path: 'pyproject.toml'
+
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+
+      - name: Build package
+        run: |
+          python -m build --sdist --wheel --outdir dist/
+
+      - name: Verify package
+        run: |
+          twine check dist/*
+
+      - name: Publish to PyPI
+        if: github.event_name == 'release' && github.event.action == 'published'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true
+          verbose: true
+
+      - name: Show package info
+        run: |
+          echo "Package built for version: ${{ github.event.release.tag_name }}"
+          ls -la dist/
diff --git a/.github/workflows/publish_docker.yaml b/.github/workflows/publish_docker.yaml
@@ -1,64 +1,160 @@
-name: Publish Docker image to ghcr.io
+name: Publish Docker Image
+
 on:
-    push:
-        tags:
-            - "*"
+  push:
+    branches: [ main, master ]
+    tags: [ '*', '!*-*' ]  # Match v1.2.3 but not v1.2.3-rc1
+  pull_request:
+    branches: [ main, master ]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to build (e.g., v1.2.3)'
+        required: false
+
+# Set job-level environment variables
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  DOCKERFILE_PATH: ./Dockerfile
+  BUILDX_CACHE_DIR: /tmp/.buildx-cache
+  BUILDX_CACHE_KEY: ${{ github.ref }}-${{ github.sha }}
+
 jobs:
-    push_to_registries:
-        name: Build and publish Docker image
-        runs-on: ubuntu-latest
-        steps:
-            - name: Check out the repo
-              uses: actions/checkout@v3
-            - name: Set up QEMU
-              uses: docker/setup-qemu-action@v2
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-            - name: Prepare
-              # In this preparation step, a few configurations are made
-              # according to tags that will be used to export the image
-              # for Docker Hub, as well as the name of the image itself
-              id: prep
-              run: |
-                  DOCKER_IMAGE=ghcr.io/msk-access/genotype_variants
-                  VERSION=noop
-                  if [ "${{ github.event_name }}" = "schedule" ]; then
-                    VERSION=nightly
-                  elif [[ $GITHUB_REF == refs/tags/* ]]; then
-                    VERSION=${GITHUB_REF#refs/tags/}
-                  elif [[ $GITHUB_REF == refs/heads/* ]]; then
-                    VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
-                  fi
-                  TAGS="${DOCKER_IMAGE}:${VERSION}"
-                  if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-                    MINOR=${VERSION%.*}
-                    MAJOR=${MINOR%.*}
-                    TAGS="$TAGS,${DOCKER_IMAGE}:latest"
-                  elif [[ $VERSION =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-                    VERSION=$(echo ${VERSION#v})
-                    TAGS="${DOCKER_IMAGE}:${VERSION}"
-                  elif [ "${{ github.event_name }}" = "push" ]; then
-                    TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
-                  fi
-                  echo ::set-output name=version::${VERSION}
-                  echo ::set-output name=tags::${TAGS}
-            - name: Login to GitHub Container Registry
-              #if: github.event_name != 'pull_request'
-              uses: docker/login-action@v2
-              with:
-                  registry: ghcr.io
-                  username: ${{ github.repository_owner }}
-                  password: ${{ secrets.RS_PAT }}
-            - name: Push to GitHub Packages
-              uses: docker/build-push-action@v3
-              with:
-                  context: .
-                  file: ./Dockerfile
-                  push: true
-                  tags: ${{ steps.prep.outputs.tags }}
-                  build-args: |
-                      GENOTYPE_VARIANTS_VERSION=${{ steps.prep.outputs.version }}
-                  labels: |
-                      org.opencontainers.image.title=${{ github.event.repository.name }}
-                      org.opencontainers.image.description=${{ github.event.repository.description }}
-                      org.opencontainers.image.version=${{ steps.prep.outputs.version }}
+  build-and-push:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write  # For Trivy SARIF upload
+
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: [linux/amd64, linux/arm64]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Needed for version detection
+          submodules: recursive
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64,amd64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          install: true
+          driver-opts: |
+            image=moby/buildkit:latest
+            network=host
+          buildkitd-config-inline: |
+            [worker.oci]
+              max-parallelism = 4
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule,pattern=nightly
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,format=long,prefix=sha-
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          flavor: |
+            latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ github.ref_name }}
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.BUILDX_CACHE_DIR }}
+          key: buildx-${{ runner.os }}-${{ matrix.platform }}-${{ env.BUILDX_CACHE_KEY }}
+          restore-keys: |
+            buildx-${{ runner.os }}-${{ matrix.platform }}-
+            buildx-${{ runner.os }}-
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ${{ env.DOCKERFILE_PATH }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: ${{ matrix.platform }}
+          cache-from: type=local,src=${{ env.BUILDX_CACHE_DIR }}
+          cache-to: type=local,dest=${{ env.BUILDX_CACHE_DIR }}-new,mode=max
+          build-args: |
+            BUILDKIT_INLINE_CACHE=1
+            GENOTYPE_VARIANTS_VERSION=${{ github.ref_name }}
+            BUILD_VERSION=${{ github.ref_name }}
+            BUILD_DATE=${{ steps.date.outputs.date }}
+            VCS_REF=${{ github.sha }}
+          provenance: ${{ github.event_name != 'pull_request' }}
+          sbom: true
+          secrets: |
+            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Trivy vulnerability scanner
+        if: github.event_name != 'pull_request'
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.meta.outputs.version }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          exit-code: '1'
+          timeout: '5m'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: always() && (github.event_name != 'pull_request')
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'container-scan'
+
+      - name: Update Buildx cache
+        if: github.event_name != 'pull_request'
+        run: |
+          rm -rf ${{ env.BUILDX_CACHE_DIR }}
+          mv ${{ env.BUILDX_CACHE_DIR }}-new ${{ env.BUILDX_CACHE_DIR }}
+          echo "Updated build cache"
+
+      - name: Show image details
+        if: always()
+        run: |
+          echo "Built image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}"
+          echo "Tags: ${{ steps.meta.outputs.tags }}"
+          echo "Labels: ${{ steps.meta.outputs.labels }}"
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
@@ -1,43 +1,68 @@
-name: validate
+name: Validate
+
 on:
   push:
+    branches: [ main ]
     paths-ignore:
-    - 'docs/**'
-    - '**.md'
-    - '**.rst'
-    tags-ignore:
-    - v*
+      - 'docs/**'
+      - '**.md'
+      - '**.rst'
+      - '**.gitignore'
+      - '.github/**'
   pull_request:
     paths-ignore:
-    - 'docs/**'
-    - '**.md'
-    - '**.rst'
+      - 'docs/**'
+      - '**.md'
+      - '**.rst'
+      - '**.gitignore'
+      - '.github/**'
+
+env:
+  PYTHON_VERSION: '3.9'
 
 jobs:
-  test_nucleo:
-    runs-on: ${{ matrix.platform }}
-    if: "!contains(github.event.head_commit.message, 'ci skip')"
+  test:
+    name: Test Python 3.9 on Ubuntu
+    runs-on: ubuntu-latest
+    if: github.event.head_commit == null || !contains(github.event.head_commit.message, 'ci skip')
+
     strategy:
-      max-parallel: 4
-      matrix:
-        platform: [ubuntu-latest]
-        python-version: [3.7, 3.8]
+      fail-fast: false
+
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v4
         with:
-          ref: ${{ github.head_ref }}
+          fetch-depth: 0
           submodules: recursive
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v4
         with:
-          python-version: ${{ matrix.python-version }}
-      - name: Install Python dependencies
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'
+          cache-dependency-path: 'pyproject.toml'
+
+      - name: Set up environment and install dependencies
+        run: |
+          # Create virtual environment
+          python -m venv .venv
+
+          # Activate and set up the environment
+          source .venv/bin/activate
+
+          # Ensure pip is up to date and install build tools
+          python -m pip install --upgrade pip setuptools wheel build
+
+          # Install package with dev dependencies from pyproject.toml
+          pip install -e ".[dev]"
+
+      - name: Build package
+        run: |
+          source .venv/bin/activate
+          python -m build --sdist --wheel --outdir dist/ .
+
+      - name: Run tests
         run: |
-          python -m pip install --upgrade pip
-          pip install tox tox-gh-actions
-      - name: Test with tox
-        id: run-tox
-        run: tox -vv
-        env:
-          PLATFORM: ${{ matrix.platform }}
+          source .venv/bin/activate
+          python -m pytest tests/ -v