mapproxy · simonseyock · Apr 10, 2025 · Apr 10, 2025
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
@@ -32,6 +32,6 @@
 ## Your Environment
 <!--- Include as many relevant details about the environment you experienced the bug in -->
 * Version used:
-* Environment name and version (e.g. Python 2.7.5 with mod_wsgi 4.5.9):
+* Environment name and version (e.g. Python 3.9 with mod_wsgi 4.5.9):
 * Server type and version:
 * Operating System and version:
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,3 +4,11 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/dockerbuild.yml b/.github/workflows/dockerbuild.yml
@@ -1,68 +1,143 @@
 name: Docker Build and Publish
 
+permissions:
+  packages: write
+
 on:
-  workflow_dispatch:
   push:
     tags:
       - "*.*.*"
 jobs:
-  build-and-publish:
+  get-version:
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
+          flavor: |
+            latest=false
           images: |
-            ghcr.io/mapproxy/mapproxy/mapproxy
+            ghcr.io/${{ github.repository }}/mapproxy
           tags: |
             type=semver,pattern={{version}}
 
+  build-and-publish-ubuntu:
+    needs: get-version
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to ghcr.io
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push base image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
-          context: docker/
-          file: ./docker/Dockerfile
+          file: ./Dockerfile
           push: true
-          build-args: |
-            MAPPROXY_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
           target: base
-          tags: |
-            ${{ steps.meta.outputs.tags }}
+          tags: ${{ needs.get-version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
 
       - name: Build and push development image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
-          context: docker/
-          file: ./docker/Dockerfile
+          file: ./Dockerfile
           push: true
-          build-args: |
-            MAPPROXY_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
           target: development
-          tags: |
-            ${{ steps.meta.outputs.tags }}-dev
+          tags: ${{ needs.get-version.outputs.version }}-dev
+          platforms: linux/amd64,linux/arm64
 
       - name: Build and push nginx image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
-          context: docker/
-          file: ./docker/Dockerfile
+          file: ./Dockerfile
           push: true
-          build-args: |
-            MAPPROXY_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
           target: nginx
-          tags: |
-            ${{ steps.meta.outputs.tags }}-nginx
+          tags: ${{ needs.get-version.outputs.version }}-nginx
+          platforms: linux/amd64,linux/arm64
+
+  build-and-publish-alpine:
+    needs: get-version
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push base alpine image
+        uses: docker/build-push-action@v6
+        with:
+          file: ./Dockerfile-alpine
+          push: true
+          target: base
+          tags: ${{ needs.get-version.outputs.version }}-alpine
+          platforms: linux/amd64,linux/arm64
+
+      - name: Build and push alpine development image
+        uses: docker/build-push-action@v6
+        with:
+          file: ./Dockerfile-alpine
+          push: true
+          target: development
+          tags: ${{ needs.get-version.outputs.version }}-alpine-dev
+          platforms: linux/amd64,linux/arm64
+
+      - name: Build and push alpine based nginx image
+        uses: docker/build-push-action@v6
+        with:
+          file: ./Dockerfile-alpine
+          push: true
+          target: nginx
+          tags: ${{ needs.get-version.outputs.version }}-alpine-nginx
+          platforms: linux/amd64,linux/arm64
+
+  run-trivy:
+    needs:
+      - get-version
+      - build-and-publish-ubuntu
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run trivy
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          format: 'sarif'
+          ignore-unfixed: true
+          image-ref: ${{ needs.get-version.outputs.version }}
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          vuln-type: 'os,library'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml
@@ -1,31 +1,52 @@
 name: Build and deploy documentation on github pages
 
 on:
-  workflow_dispatch:
   push:
     tags:
-      - '*'
+      - "*.*.*"
 
-jobs:  
+permissions:
+  contents: write
+
+jobs:
   build:
     runs-on: ubuntu-20.04
 
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Install dependencies ⏬
-      run: pip install sphinx sphinx-bootstrap-theme
+      run: pip install sphinx sphinx-book-theme sphinx-copybutton
+
+    - name: Run documentation build
+      run: sphinx-build doc/ docs -D html_context.current_version=${{ github.ref_name }}
+
+    - name: Deploy docs to folder `latest` to GitHub Pages
+      uses: JamesIves/github-pages-deploy-action@v4.7.2
+      with:
+        folder: docs
+        target-folder: docs/latest
 
-    - name: Run documentation build and publish 🏗️
+    - name: Deploy docs to a folder named after the new tag to GitHub Pages
+      uses: JamesIves/github-pages-deploy-action@v4.7.2
+      with:
+        folder: docs
+        target-folder: docs/${{ github.ref_name }}
+
+    - name: Update versions config
+      # read existing versions from gh-pages branch, add new version, sort, dedupe and write results to config/versions.json
       run: |
-        git config --global user.name 'ghpages'
-        git config --global user.email 'ghpages@users.noreply.github.com'
-        git fetch --all
-        git checkout gh-pages
-        git pull origin gh-pages
-        git rebase origin/master
-        sphinx-build doc/ docs
-        git add docs
-        git commit -m "Automated documentation"
-        git push -f origin gh-pages
+        mkdir config
+        git show gh-pages:docs/config/versions.json \
+        | jq -r '(. + ["${{ github.ref_name }}"])[]' \
+        | sort -V \
+        | uniq \
+        | jq -R -s -c 'split("\n")[:-1]' \
+        > config/versions.json
+
+    - name: Deploy config folder to GitHub Pages
+      uses: JamesIves/github-pages-deploy-action@v4.7.2
+      with:
+        folder: config
+        target-folder: docs/config
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,26 @@
+name: Running mapproxy lint
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  test:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+
+      - name: Use python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: flake8 Lint
+        uses: py-actions/flake8@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,49 @@
+name: Release
+on:
+  push:
+    tags:
+      - "*.*.*"
+
+jobs:
+  build-publish-release:
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/project/MapProxy
+    permissions:
+      id-token: write  # this permission is needed for trusted publishing on pypi
+      contents: write # this is needed to create the github release
+
+    steps:
+      - name: Install packages
+        run: |
+          sudo apt update
+          sudo apt -y install --no-install-recommends python3-pil python3-yaml python3-pyproj libgeos-dev python3-lxml libgdal-dev python3-shapely libxml2-dev libxslt-dev
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup python
+        uses: actions/setup-python@v5
+
+      - name: Make wheel
+        run: |
+          python setup.py egg_info -b "" -D sdist bdist_wheel
+
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+      - name: Grep changes
+        run: |
+          awk '
+          /^[0-9]+\.[0-9]+\.[0-9]+ [0-9]{4}-[0-9]{2}-[0-9]{2}$/ { if (header_found) exit; header_found=1; skip=2}
+          skip { skip--; next }
+          /^.*$/ { print }
+          ' CHANGES.txt > RELEASE_NOTES.txt
+
+      - name: Create a GitHub release page
+        uses: ncipollo/release-action@v1
+        with:
+          generateReleaseNotes: true
+          bodyFile: RELEASE_NOTES.txt
+          artifacts: "dist/*.whl"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -33,7 +33,7 @@ jobs:
 
     strategy:
       matrix:
-        python-version: [3.7, 3.8, 3.9, "3.10", "3.11"]
+        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
 
     env:
       MAPPROXY_TEST_COUCHDB: 'http://localhost:5984'
@@ -52,15 +52,15 @@ jobs:
         sudo apt install proj-bin libgeos-dev libgdal-dev libxslt1-dev libxml2-dev build-essential python-dev libjpeg-dev zlib1g-dev libfreetype6-dev protobuf-compiler libprotoc-dev -y
 
     - name: Checkout sources
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Use python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
 
     - name: Cache python deps 💾
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: ~/.cache/pip
         key: ${{ runner.OS }}-python-${{ hashFiles('**/requirements-tests.txt') }}
@@ -70,8 +70,8 @@ jobs:
 
     - name: Install dependencies ⏬
       run: |
+        pip install .
         pip install -r requirements-tests.txt
-        if [[ ${{ matrix.python-version }} = 2.7 || ${{ matrix.python-version }} = 3.8 ]]; then pip install -U "Pillow!=8.3.0,!=8.3.1"; fi
         pip freeze
 
     - name: Run tests 🏗️