From 96d8c2d8da38d021c1de59c9001ccd913ac7635a Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 11:53:13 -0400
Subject: [PATCH 1/8] Target a single AWS Lambda Python runtime
Instead of building for multiple Lambda runtimes it makes sense to just build targeting a single runtime. When deployed the infrastructure will just need to use the same runtime as supported by the Lambda configuration. Thus we drop support for all but the latest runtime that is specified in the configuration.
---
 Dockerfile | 16 ++------
 {src/py3.9 => build}/Pipfile | 0
 {src/py3.9 => build}/Pipfile.lock | 0
 src/py3.7/Pipfile | 11 ------
 src/py3.7/Pipfile.lock | 64 -------------------------------
 src/py3.8/Pipfile | 11 ------
 src/py3.8/Pipfile.lock | 61 -----------------------------
 7 files changed, 4 insertions(+), 159 deletions(-)
 rename {src/py3.9 => build}/Pipfile (100%)
 rename {src/py3.9 => build}/Pipfile.lock (100%)
 delete mode 100644 src/py3.7/Pipfile
 delete mode 100644 src/py3.7/Pipfile.lock
 delete mode 100644 src/py3.8/Pipfile
 delete mode 100644 src/py3.8/Pipfile.lock
diff --git a/Dockerfile b/Dockerfile
index 950fec6..20051c2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,4 @@
-ARG PY_VERSION=3.9
-
-FROM amazon/aws-lambda-python:$PY_VERSION AS install-stage
-
-# Declare it a second time so it's brought into this scope.
-ARG PY_VERSION=3.9
+FROM amazon/aws-lambda-python:3.9 AS install-stage
 # Install the Python packages necessary to install the Lambda dependencies.
 RUN python3 -m pip install --no-cache-dir \
@@ -17,7 +12,7 @@ RUN python3 -m pip install --no-cache-dir \
 WORKDIR /tmp
 # Copy in the dependency files.
-COPY src/py$PY_VERSION/ .
+COPY build/Pipfile build/Pipfile.lock ./
 # Install the Lambda dependencies.
 #
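Review bot: The `FROM amazon/aws-lambda-python:3.9 AS install-stage` line added in the first Dockerfile hunk identifies the base image only by a mutable tag, so the image that supplies the interpreter and pip for the dependency install can change between two builds of the same commit with no change in the repository. Now that the runtime is a literal instead of a build argument, the line can also carry a digest: `FROM amazon/aws-lambda-python:3.9@sha256:<digest-of-the-reviewed-image> AS install-stage`. The `build-stage` `FROM` in the later `@@ -25,7 +20,7 @@` hunk has the same form and should use the same digest, so both stages stay on one reviewed image.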
@@ -25,7 +20,7 @@ COPY src/py$PY_VERSION/ .
 # underlying pip calls.
 RUN pipenv sync --system --extra-pip-args="--no-cache-dir --target ${LAMBDA_TASK_ROOT}"
-FROM amazon/aws-lambda-python:$PY_VERSION AS build-stage
+FROM amazon/aws-lambda-python:3.9 AS build-stage
 ###
 # For a list of pre-defined annotation keys and value types see:
@@ -40,11 +35,8 @@ FROM amazon/aws-lambda-python:$PY_VERSION AS build-stage
 LABEL org.opencontainers.image.authors="github@cisa.dhs.gov"
 LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
-# Declare it a third time so it's brought into this scope.
-ARG PY_VERSION=3.9
-
 # This must be present in the image to generate a deployment artifact.
-ENV BUILD_PY_VERSION=$PY_VERSION
+ENV BUILD_PY_VERSION=3.9
 COPY --from=install-stage ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
diff --git a/src/py3.9/Pipfile b/build/Pipfile
similarity index 100%
rename from src/py3.9/Pipfile
rename to build/Pipfile
diff --git a/src/py3.9/Pipfile.lock b/build/Pipfile.lock
similarity index 100%
rename from src/py3.9/Pipfile.lock
rename to build/Pipfile.lock
diff --git a/src/py3.7/Pipfile b/src/py3.7/Pipfile
deleted file mode 100644
index e49bd0f..0000000
--- a/src/py3.7/Pipfile
+++ /dev/null
@@ -1,11 +0,0 @@
-[[source]]
-url = "https://pypi.org/simple"
-verify_ssl = true
-name = "pypi"
-
-[requires]
-python_version = "3.7"
-
-[packages]
-cowsay = "*"
-example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0.1.0.tar.gz"}
diff --git a/src/py3.7/Pipfile.lock b/src/py3.7/Pipfile.lock
deleted file mode 100644
index e14bffd..0000000
--- a/src/py3.7/Pipfile.lock
+++ /dev/null
@@ -1,64 +0,0 @@ -{ - "_meta": { - "hash": { - "sha256": "fb8e36b2dfbe5f058679f36466257570fc6c43f47b6d060d907073b831843d83" - }, - "pipfile-spec": 6, - "requires": { - "python_version": "3.7" - }, - "sources": [ - { - "name": "pypi", - "url": "https://pypi.org/simple", - "verify_ssl": true - } - ] - }, - "default": { - "contextlib2": { - "hashes": [ - "sha256:3fbdb64466afd23abaf6c977627b75b6139a5a3e8ce38405c5b413aed7a0471f", - "sha256:ab1e2bfe1d01d968e1b7e8d9023bc51ef3509bba217bb730cee3827e1ee82869" - ], - "markers": "python_version >= '3.6'", - "version": "==21.6.0" - }, - "cowsay": { - "hashes": [ - "sha256:c00e02444f5bc7332826686bd44d963caabbaba9a804a63153822edce62bbbf3" - ], - "index": "pypi", - "version": "==5.0" - }, - "docopt": { - "hashes": [ - "sha256:49b3a825280bd66b3aa83585ef59c4a8c82f2c8a522dbe754a8bc8d08c85c491" - ], - "version": "==0.6.2" - }, - "example": { - "file": "https://github.com/cisagov/skeleton-python-library/archive/v0.1.0.tar.gz", - "hashes": [ - "sha256:d4ae2105b555cb386daf39e06b05594596e881e67faffc46c69d9e7ce56c8c4c" - ], - "version": "==0.1.0" - }, - "schema": { - "hashes": [ - "sha256:f06717112c61895cabc4707752b88716e8420a8819d71404501e114f91043197", - "sha256:f3ffdeeada09ec34bf40d7d79996d9f7175db93b7a5065de0faa7f41083c1e6c" - ], - "version": "==0.7.5" - }, - "setuptools": { - "hashes": [ - "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", - "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" - ], - "markers": "python_version >= '3.7'", - "version": "==65.6.3" - } - }, - "develop": {} -} diff --git a/src/py3.8/Pipfile b/src/py3.8/Pipfile deleted file mode 100644 index b568dea..0000000 --- a/src/py3.8/Pipfile +++ /dev/null @@ -1,11 +0,0 @@ -[[source]] -url = "https://pypi.org/simple" -verify_ssl = true -name = "pypi" - -[requires] -python_version = "3.8" - -[packages] -cowsay = "*" -example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0.1.0.tar.gz"} 
diff --git a/src/py3.8/Pipfile.lock b/src/py3.8/Pipfile.lock deleted file mode 100644 index 1d146e2..0000000 --- a/src/py3.8/Pipfile.lock +++ /dev/null @@ -1,61 +0,0 @@ -{ - "_meta": { - "hash": { - "sha256": "e7d647bd6df129d143384648900fa34961e527257ff08634f04b9badb5fd87f4" - }, - "pipfile-spec": 6, - "requires": { - "python_version": "3.8" - }, - "sources": [ - { - "name": "pypi", - "url": "https://pypi.org/simple", - "verify_ssl": true - } - ] - }, - "default": { - "contextlib2": { - "hashes": [ - "sha256:3fbdb64466afd23abaf6c977627b75b6139a5a3e8ce38405c5b413aed7a0471f", - "sha256:ab1e2bfe1d01d968e1b7e8d9023bc51ef3509bba217bb730cee3827e1ee82869" - ], - "markers": "python_version >= '3.6'", - "version": "==21.6.0" - }, - "cowsay": { - "hashes": [ - "sha256:274b1e6fc1b966d53976333eb90ac94cb07a450a700b455af9fbdf882244b30a" - ], - "index": "pypi", - "markers": "python_version >= '3.8'", - "version": "==6.1" - }, - "docopt": { - "hashes": [ - "sha256:49b3a825280bd66b3aa83585ef59c4a8c82f2c8a522dbe754a8bc8d08c85c491" - ], - "version": "==0.6.2" - }, - "example": { - "file": "https://github.com/cisagov/skeleton-python-library/archive/v0.1.0.tar.gz" - }, - "schema": { - "hashes": [ - "sha256:f06717112c61895cabc4707752b88716e8420a8819d71404501e114f91043197", - "sha256:f3ffdeeada09ec34bf40d7d79996d9f7175db93b7a5065de0faa7f41083c1e6c" - ], - "version": "==0.7.5" - }, - "setuptools": { - "hashes": [ - "sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87", - "sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a" - ], - "markers": "python_version >= '3.8'", - "version": "==68.2.2" - } - }, - "develop": {} -} From 2d815537f2175d87dd111edc5a7c10d25cabd58b Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 11:57:04 -0400
Subject: [PATCH 2/8] Relocate the `build_artifact.sh` script
Store it in the build/ subdirectory along with the `pipenv` files.
---
 {src => build}/build_artifact.sh | 0
 docker-compose.yml | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename {src => build}/build_artifact.sh (100%)
diff --git a/src/build_artifact.sh b/build/build_artifact.sh
similarity index 100%
rename from src/build_artifact.sh
rename to build/build_artifact.sh
diff --git a/docker-compose.yml b/docker-compose.yml
index d40b564..15970b4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
 # from the invoking environment but falls back to a default value.
 - BUILD_FILE_NAME=${BUILD_FILE_NAME:-lambda_build.zip}
 volumes:
- - ./src/build_artifact.sh:/opt/build_artifact.sh
+ - ./build/build_artifact.sh:/opt/build_artifact.sh
 - .:/var/task/output
 run_lambda_locally:
 build: .
From c85bd79bdafd6700a21fd9a75d4e8e4214d94a20 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 11:59:12 -0400
Subject: [PATCH 3/8] Update the GitHub Actions configuration
Now that we only build for a single runtime version we can simplify the `build` job's functionality.
---
 .github/workflows/build.yml | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1dbf140..60dc4ec 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -265,13 +265,6 @@ jobs:
 - diagnostics
 - lint
 - test
- strategy:
- matrix:
- # Python runtime versions supported by AWS
- python-version:
- - "3.7"
- - "3.8"
- - "3.9"
 steps:
 - name: Apply standard cisagov job preamble
 uses: cisagov/action-job-preamble@v1
@@ -305,16 +298,13 @@ jobs:
 echo "GH_SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV
 - name: Build the base Lambda Docker image
 run: |
- docker compose build \
- --build-arg PY_VERSION=${{ matrix.python-version }} \
- build_deployment_package
+ docker compose build build_deployment_package
 - name: Generate the Lambda deployment package
 run: docker compose up build_deployment_package
 - name: Upload the generated Lambda deployment package as an artifact
 uses: actions/upload-artifact@v4
 with:
- name: ${{ github.event.repository.name }}-py${{
- matrix.python-version }}-${{ env.GH_SHORT_SHA }}
+ name: ${{ github.event.repository.name }}-${{ env.GH_SHORT_SHA }}
 path: ${{ env.DEFAULT_ARTIFACT_NAME }}
 - name: Setup tmate debug session
 uses: mxschmitt/action-tmate@v3
From 723a78e4d19b06cb6880eb177443de199a0097ae Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 12:40:13 -0400
Subject: [PATCH 4/8] Remove unused ENV instruction
The need for this environment variable was removed in #3 but removing the creation of it was missed.
---
 Dockerfile | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 20051c2..a898019 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,9 +35,6 @@ FROM amazon/aws-lambda-python:3.9 AS build-stage
 LABEL org.opencontainers.image.authors="github@cisa.dhs.gov"
 LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
-# This must be present in the image to generate a deployment artifact.
-ENV BUILD_PY_VERSION=3.9
-
 COPY --from=install-stage ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 WORKDIR ${LAMBDA_TASK_ROOT}
From 36f232cecc4a767c380c7bec1a24e41d5fd6ad65 Mon Sep 17 00:00:00 2001
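Review bot: The `uses:` lines kept in the `@@ -305,16 +298,13 @@` workflow hunk, `actions/upload-artifact@v4` and `mxschmitt/action-tmate@v3`, reference actions by mutable tag, so the job that builds and uploads the deployment package runs whatever those tags point to at run time. Pinning each to a full commit SHA with the tag kept as a trailing comment, for example `uses: mxschmitt/action-tmate@<full-commit-sha> # v3`, makes the job's inputs fixed and reviewable. This matters most for the tmate step, a third-party action whose name indicates it opens a debug session on the runner. Any `if:` condition guarding that step lies outside the hunk, so whether it is already gated cannot be confirmed from here.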
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 13:02:12 -0400
Subject: [PATCH 5/8] Update the README
Now that there is only a single dependency configuration we need to update the README's directions for updating Python dependencies.
---
 README.md | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index b2d3a2a..abdd61e 100644
--- a/README.md
+++ b/README.md
@@ -59,18 +59,15 @@ docker compose down
 ## How to update Python dependencies ##
-The Python dependencies are maintained using a
-[Pipenv](https://github.com/pypa/pipenv) configuration for each
-supported Python version. Changes to requirements should be made to
-the respective `src/py/Pipfile`. More information
-about the `Pipfile` format can be found in the [`pipenv`
-documentation](https://pipenv.pypa.io/en/latest/pipfile.html#example-pipfile).
-The accompanying `Pipfile.lock` files contain the specific dependency
-versions that will be installed. These files can be updated like so
-(using the Python 3.9 configuration as an example):
+The Lambda's Python dependencies are maintained using a [Pipenv](https://github.com/pypa/pipenv)
+configuration. Changes to requirements should be made to the `Pipfile` located at
+`build/Pipfile`. More information about the `Pipfile` format can be found in the
+[`pipenv` documentation](https://pipenv.pypa.io/en/latest/pipfile.html#example-pipfile).
+The accompanying `Pipfile.lock` file contains the specific dependency versions
+that will be installed. This file is updated automatically like so:
 ```console
-cd src/py3.9
+cd build
 pipenv lock
 ```
From 75a164aa6aff7af7931b9defc1f7689273584ae1 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 13:04:54 -0400
Subject: [PATCH 6/8] Add comments to keep Python versions synchronized
Add a comment to `build/Pipfile` and another to the Dockerfile that each mention keeping the Python versions specified in sync.
---
 Dockerfile | 2 ++
 build/Pipfile | 1 +
 2 files changed, 3 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index a898019..505b296 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,4 @@
+# The runtime tag must match the version of Python specified in the Pipfile.
 FROM amazon/aws-lambda-python:3.9 AS install-stage
 # Install the Python packages necessary to install the Lambda dependencies.
@@ -20,6 +21,7 @@ COPY build/Pipfile build/Pipfile.lock ./
 # underlying pip calls.
 RUN pipenv sync --system --extra-pip-args="--no-cache-dir --target ${LAMBDA_TASK_ROOT}"
+# The runtime tag must match the version of Python specified in the Pipfile.
 FROM amazon/aws-lambda-python:3.9 AS build-stage
 ###
diff --git a/build/Pipfile b/build/Pipfile
index 0e08b63..fecbf4a 100644
--- a/build/Pipfile
+++ b/build/Pipfile
@@ -4,6 +4,7 @@ verify_ssl = true
 name = "pypi"
 [requires]
+# This must match the version of the Python runtime specified in the Dockerfile.
 python_version = "3.9"
 [packages]
From 2c0ce9f87abec661e074290f2df1c2345a44f5ab Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 13:28:20 -0400
Subject: [PATCH 7/8] Update the Lambda's Python dependencies
Update the Python dependencies installed for the Lambda by running `pipenv lock` in the `build/` directory.
---
 build/Pipfile.lock | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/build/Pipfile.lock b/build/Pipfile.lock
index 7a12085..2373e18 100644
--- a/build/Pipfile.lock
+++ b/build/Pipfile.lock
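Review bot: The comments added above the two `FROM` lines in the PATCH 6/8 Dockerfile hunks, and the matching one in `build/Pipfile`, state an invariant that nothing in the visible build enforces. If the image tag and `python_version` drift apart, a reader of this diff cannot tell whether the build would stop. `pipenv install` has a `--deploy` flag documented to abort when the lock file is out of date or the Python version is wrong, so the `RUN pipenv sync --system …` step in the second hunk's context could become `RUN pipenv install --system --deploy --extra-pip-args="--no-cache-dir --target ${LAMBDA_TASK_ROOT}"`. Whether `pipenv sync` already fails on a version mismatch, and how `--deploy` behaves together with `--system` in the pipenv version installed here, should be confirmed before relying on either.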
@@ -16,14 +16,6 @@ ] }, "default": { - "contextlib2": { - "hashes": [ - "sha256:3fbdb64466afd23abaf6c977627b75b6139a5a3e8ce38405c5b413aed7a0471f", - "sha256:ab1e2bfe1d01d968e1b7e8d9023bc51ef3509bba217bb730cee3827e1ee82869" - ], - "markers": "python_version >= '3.6'", - "version": "==21.6.0" - }, "cowsay": { "hashes": [ "sha256:274b1e6fc1b966d53976333eb90ac94cb07a450a700b455af9fbdf882244b30a" @@ -43,18 +35,18 @@ }, "schema": { "hashes": [ - "sha256:f06717112c61895cabc4707752b88716e8420a8819d71404501e114f91043197", - "sha256:f3ffdeeada09ec34bf40d7d79996d9f7175db93b7a5065de0faa7f41083c1e6c" + "sha256:5d976a5b50f36e74e2157b47097b60002bd4d42e65425fcc9c9befadb4255dde", + "sha256:7da553abd2958a19dc2547c388cde53398b39196175a9be59ea1caf5ab0a1807" ], - "version": "==0.7.5" + "version": "==0.7.7" }, "setuptools": { "hashes": [ - "sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87", - "sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a" + "sha256:062d34222ad13e0cc312a4c02d73f059e86a4acbfbdea8f8f76b28c99f306922", + "sha256:f36b47402ecde768dbfafc46e8e4207b4360c654f1f3bb84475f0a28628fb19c" ], - "markers": "python_version >= '3.8'", - "version": "==68.2.2" + "markers": "python_version >= '3.9'", + "version": "==80.9.0" } }, "develop": {} From 522e0ea14f6935c62681aee25c4cff064a376225 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 17 Jul 2025 14:05:34 -0400 Subject: [PATCH 8/8] Bump version from 0.0.2 to 0.0.3 --- src/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/version.txt b/src/version.txt index 4e379d2..bcab45a 100644 --- a/src/version.txt +++ b/src/version.txt @@ -1 +1 @@ -0.0.2 +0.0.3