hasura · hgiasac · Apr 3, 2025 · Apr 2, 2025 · Apr 2, 2025 · Apr 2, 2025
diff --git a/.github/workflows/ndc-python-lambda-connector.yaml b/.github/workflows/ndc-python-lambda-connector.yaml
@@ -6,7 +6,7 @@ on:
       - test-ci/**
   push:
     branches:
-      - 'main'
+      - "main"
       - test-ci/**
     tags:
       - v**
@@ -21,9 +21,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
-          python-version: '3.9'
+          python-version: "3.12"
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -45,10 +45,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # This is important for git describe to work correctly
-      - uses: actions/setup-python@v4
+          fetch-depth: 0 # This is important for git describe to work correctly
+      - uses: actions/setup-python@v5
         with:
-          python-version: '3.9'
+          python-version: "3.12"
       - name: Build connector
         run: |
           cd connector-definition
@@ -60,7 +60,7 @@ jobs:
           echo "sha256=$SHA256" >> $GITHUB_OUTPUT
       - name: Get commit hash
         id: get_commit_hash
-        run: |           
+        run: |
           COMMIT_HASH=$(git rev-parse HEAD)
           echo "commit_hash=$COMMIT_HASH" >> $GITHUB_OUTPUT
       - name: Debug information
@@ -82,30 +82,83 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
       - uses: actions/checkout@v4
+
+      - name: Set up containerd
+        uses: crazy-max/ghaction-setup-containerd@v3
+
+      - name: Fix containerd socket permissions
+        run: |
+          sudo chgrp docker /run/containerd/containerd.sock
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-            registry: ${{ env.DOCKER_REGISTRY }}
-            username: ${{ github.actor }}
-            password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ${{ env.DOCKER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Extract metadata (tags, labels) for Docker
         id: docker-metadata
         uses: docker/metadata-action@v5
         with:
-            images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+          images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          labels: ${{ steps.docker-metadata.outputs.labels }}
+          # Export the image to a tar so it can be imported into containerd so gokakashi can scan it
+          outputs: type=oci,dest=/tmp/image.tar
+
+      - name: Import docker image into containerd store
+        run: |
+          ctr images import --base-name ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }} --digests --all-platforms /tmp/image.tar
+
+      - name: Get first docker tag for gokakashi
+        id: first-docker-tag
+        run: |
+          FIRST_TAG=$(echo "${{ steps.docker-metadata.outputs.tags }}" | head -n 1)
+          echo "First docker tag: $FIRST_TAG"
+          echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT
+
+      - name: Scan docker image with gokakashi
+        uses: shinobistack/[email protected]
+        with:
+          image: ${{ steps.first-docker-tag.outputs.tag }}
+          labels: agentKey=${{ github.run_id }}
+          policy: ci-platform
+          server: https://gokakashi-server.hasura-app.io
+          token: ${{ secrets.GOKAKASHI_API_TOKEN }}
+          cf_client_id: ${{ secrets.CF_ACCESS_CLIENT_ID }}
+          cf_client_secret: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
+          interval: 10
+          retries: 8
+
+      - name: Upload Trivy report as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: /tmp/trivy-report-*.json
+
+      - name: Push Docker image
+        uses: docker/build-push-action@v6
         with:
-            context: .
-            push: true
-            platforms: linux/amd64,linux/arm64
-            tags: ${{ steps.docker-metadata.outputs.tags }}
-            labels: ${{ steps.docker-metadata.outputs.labels }}
-  
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.docker-metadata.outputs.tags }}
+          labels: ${{ steps.docker-metadata.outputs.labels }}
+
   release-connector:
     name: Release connector
     runs-on: ubuntu-latest
@@ -126,11 +179,13 @@ jobs:
         run: |
           echo "tagged_version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
         shell: bash
+
       - uses: mindsers/changelog-reader-action@v2
         id: changelog-reader
         with:
           version: ${{ steps.get-version.outputs.tagged_version }}
           path: ./CHANGELOG.md
+
       - uses: softprops/action-gh-release@v1
         with:
           draft: false
@@ -142,75 +197,76 @@ jobs:
 
       - name: Update ndc-hub
         env:
-            REGISTRY_NAME: hasura
-            CONNECTOR_NAME: ndc-python-lambda
-            COMMIT_HASH: ${{ needs.build-connector.outputs.commit_hash }}
-            SHA256: ${{ needs.build-connector.outputs.sha256 }}
-            GH_TOKEN: ${{ secrets.PAT_TOKEN }}
+          REGISTRY_NAME: hasura
+          CONNECTOR_NAME: ndc-python-lambda
+          COMMIT_HASH: ${{ needs.build-connector.outputs.commit_hash }}
+          SHA256: ${{ needs.build-connector.outputs.sha256 }}
+          GH_TOKEN: ${{ secrets.PAT_TOKEN }}
         run: |
-              # Clone ndc-hub repository
-              git clone https://github.com/hasura/ndc-hub.git
-              cd ndc-hub
-
-              # Create a new branch
-              NEW_BRANCH="update-${{ env.CONNECTOR_NAME }}-connector-v${{ steps.get-version.outputs.tagged_version }}"
-              git checkout -b $NEW_BRANCH
-
-              cd registry/${{ env.REGISTRY_NAME }}/python
-
-              # Create releases directory if it doesn't exist
-              mkdir -p releases/v${{ steps.get-version.outputs.tagged_version }}
-
-              # Create connector-packaging.json
-              cat << EOF > releases/v${{ steps.get-version.outputs.tagged_version }}/connector-packaging.json
-              {
-                "version": "v${{ steps.get-version.outputs.tagged_version }}",
-                "uri": "https://github.com/${{ github.repository }}/releases/download/v${{ steps.get-version.outputs.tagged_version }}/connector-definition.tgz",
-                "checksum": {
-                  "type": "sha256",
-                  "value": "$SHA256"
-                },
-                "source": {
-                  "hash": "$COMMIT_HASH"
-                }
-              }
-              EOF
-
-              # Update metadata.json to remove 'packages' field if it exists and update 'latest_version'
-              jq --arg version_tag "v${{ steps.get-version.outputs.tagged_version }}" \
-                --arg commit_hash "$COMMIT_HASH" \
-                'if has("packages") then del(.packages) else . end | 
-                  .overview.latest_version = $version_tag |
-                  if has("source_code") then
-                    .source_code.version += [{
-                      "tag": $version_tag,
-                      "hash": $commit_hash,
-                      "is_verified": false
-                    }]
-                  else
-                    . + {"source_code": {"version": [{
-                      "tag": $version_tag,
-                      "hash": $commit_hash,
-                      "is_verified": false
-                    }]}}
-                  end' \
-                metadata.json > tmp.json && mv tmp.json metadata.json
-
-              cp ../../../../README.md ./README.md
-
-              # Commit changes
-              git config user.name "GitHub Action"
-              git config user.email "[email protected]"
-              git add metadata.json README.md releases
-              git commit -m "Update ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}"
-
-              # Push changes
-              git push https://${{ secrets.PAT_TOKEN }}@github.com/hasura/ndc-hub.git HEAD:$NEW_BRANCH
-
-              # Create PR using GitHub CLI
-              cd ../..
-              gh pr create --repo hasura/ndc-hub \
-                --base main \
-                --head $NEW_BRANCH \
-                --title "Update ${{ env.CONNECTOR_NAME }} connector to v${{ steps.get-version.outputs.tagged_version }}" \
-                --body "This PR updates the ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}."
+          # Clone ndc-hub repository
+          git clone https://github.com/hasura/ndc-hub.git
+          cd ndc-hub
+
+          # Create a new branch
+          NEW_BRANCH="update-${{ env.CONNECTOR_NAME }}-connector-v${{ steps.get-version.outputs.tagged_version }}"
+          git checkout -b $NEW_BRANCH
+
+          cd registry/${{ env.REGISTRY_NAME }}/python
+
+          # Create releases directory if it doesn't exist
+          mkdir -p releases/v${{ steps.get-version.outputs.tagged_version }}
+
+          # Create connector-packaging.json
+          cat << EOF > releases/v${{ steps.get-version.outputs.tagged_version }}/connector-packaging.json
+          {
+            "version": "v${{ steps.get-version.outputs.tagged_version }}",
+            "uri": "https://github.com/${{ github.repository }}/releases/download/v${{ steps.get-version.outputs.tagged_version }}/connector-definition.tgz",
+            "checksum": {
+              "type": "sha256",
+              "value": "$SHA256"
+            },
+            "source": {
+              "hash": "$COMMIT_HASH"
+            },
+            "test": {
+              "test_config_path": "../../tests/test-config.json"
+            }
+          }
+          EOF
+
+          # Update metadata.json to remove 'packages' field if it exists and update 'latest_version'
+          jq --arg version_tag "v${{ steps.get-version.outputs.tagged_version }}" \
+            --arg commit_hash "$COMMIT_HASH" \
+            'if has("packages") then del(.packages) else . end | 
+              .overview.latest_version = $version_tag |
+              if has("source_code") then
+                .source_code.version += [{
+                  "tag": $version_tag,
+                  "hash": $commit_hash,
+                  "is_verified": false
+                }]
+              else
+                . + {"source_code": {"version": [{
+                  "tag": $version_tag,
+                  "hash": $commit_hash,
+                  "is_verified": false
+                }]}}
+              end' \
+            metadata.json > tmp.json && mv tmp.json metadata.json
+
+          # Commit changes
+          git config user.name "GitHub Action"
+          git config user.email "[email protected]"
+          git add metadata.json README.md releases
+          git commit -m "Update ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}"
+
+          # Push changes
+          git push https://${{ secrets.PAT_TOKEN }}@github.com/hasura/ndc-hub.git HEAD:$NEW_BRANCH
+
+          # Create PR using GitHub CLI
+          cd ../..
+          gh pr create --repo hasura/ndc-hub \
+            --base main \
+            --head $NEW_BRANCH \
+            --title "Update ${{ env.CONNECTOR_NAME }} connector to v${{ steps.get-version.outputs.tagged_version }}" \
+            --body "This PR updates the ${{ env.CONNECTOR_NAME }} connector metadata to version ${{ steps.get-version.outputs.tagged_version }}."
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ This changelog documents the changes between release versions.
 ## [Unreleased]
 Changes to be included in the next upcoming release
 
+## [0.2.0] - 2025-04-02
+* Upgrade Python 3.12 
+* Use `python:3.12-slim` image tag with non-root user.
+
 ## [0.1.6] - 2025-01-22
 * Fix workflows
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,9 @@
-FROM python:3.10
+FROM python:3.12-slim
 
 # Install curl for healthcheck
-RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && \
+    apt-get install -y curl git && \
+    rm -rf /var/lib/apt/lists/*
 
 COPY /docker /scripts
 COPY /functions /functions

diff --git a/README.md b/README.md
@@ -1,4 +1,5 @@
 # Hasura Python Lambda Connector
+
 <a href="https://www.python.org/"><img src="https://github.com/hasura/ndc-python-lambda/blob/main/docs/logo.svg" align="right" width="200"></a>
 
 [![Docs](https://img.shields.io/badge/docs-v3.x-brightgreen.svg?style=flat)](https://hasura.io/connectors/python)
@@ -21,6 +22,7 @@ This connector is built using the [Python Data Connector SDK](https://github.com
 1. The [DDN CLI](https://hasura.io/docs/3.0/cli/installation) and [Docker](https://docs.docker.com/engine/install/) installed
 2. A [supergraph](https://hasura.io/docs/3.0/getting-started/init-supergraph)
 3. A [subgraph](https://hasura.io/docs/3.0/getting-started/init-subgraph)
+4. Python 3.12
 
 The steps below explain how to Initialize and configure a connector for local development. You can learn how to deploy a connector — after it's been configured — [here](https://hasura.io/docs/3.0/getting-started/deployment/deploy-a-connector).
 
@@ -56,7 +58,7 @@ ddn connector introspect python
 
 ### Step 4: Add your resources
 
-You can add the models, commands, and relationships to your API by tracking them which generates the HML files. 
+You can add the models, commands, and relationships to your API by tracking them which generates the HML files.
 
 ```bash
 ddn connector-link add-resources python
@@ -79,15 +81,21 @@ include:
 
 To run your connector outside of Docker first go into the connector directory:
 
-`cd app/connector/python`
+```bash
+cd app/connector/python
+```
 
 Install the requirements:
 
-`pip3 install -r requirements.txt`
+```bash
+pip3 install -r requirements.txt`
+```
 
 Then run the connector locally:
 
-```ddn connector setenv --connector connector.yaml -- python3 functions.py serve```
+```bash
+ddn connector setenv --connector connector.yaml -- python3 functions.py serve
+```
 
 ## Documentation
 
@@ -99,4 +107,4 @@ Check out our [contributing guide](https://github.com/hasura/ndc-python-lambda/b
 
 ## License
 
-The Turso connector is available under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
+The Turso connector is available under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).