Open source split clean

.github/workflows/ci-main.yml

@@ -0,0 +1,12 @@
+name: CI (Main)
+
+on:
+  push:
+
+jobs:
+  call-ci:
+    uses: ./.github/workflows/ci.yml
+    with:
+      saas: true
+    secrets:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}

.github/workflows/ci-pr.yml

@@ -0,0 +1,10 @@
+name: CI (PR)
+
+on:
+  pull_request:
+
+jobs:
+  call-ci:
+    uses: ./.github/workflows/ci.yml
+    with:
+      saas: false

.github/workflows/ci.yml

@@ -0,0 +1,106 @@
+name: Common CI
+
+on:
+  workflow_call:
+    inputs:
+      saas:
+        type: boolean
+        required: true
+    secrets:
+      GH_TOKEN:
+        required: false
+
+jobs:
+  security:
+    name: Security
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Gem audit
+        run: bin/bundler-audit check --update
+
+      - name: Importmap audit
+        run: bin/importmap audit
+
+      - name: Brakeman audit
+        run: bin/brakeman --quiet --no-pager --exit-on-warn --exit-on-error
+
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Lint code for consistent style
+        run: bin/rubocop
+
+
+  test:
+    name: Tests (${{ matrix.mode }})
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        include:
+          - mode: SQLite
+            db_adapter: sqlite
+          - mode: MySQL
+            db_adapter: mysql
+          - mode: SaaS
+            db_adapter: mysql
+            saas: ${{ inputs.saas }}
+
+    services:
+      mysql:
+        image: mysql:8.0
+        env:
+          MYSQL_ALLOW_EMPTY_PASSWORD: yes
+          MYSQL_DATABASE: fizzy_test
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd="mysqladmin ping"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=3
+
+    env:
+      RAILS_ENV: test
+      DATABASE_ADAPTER: ${{ matrix.db_adapter }}
+      ${{ inputs.saas && 'SAAS' || 'SAAS_DISABLED' }}: ${{ inputs.saas && '1' || '' }}
+      BUNDLE_GEMFILE: ${{ inputs.saas && 'Gemfile.saas' || 'Gemfile' }}
+      MYSQL_HOST: 127.0.0.1
+      MYSQL_PORT: 3306
+      MYSQL_USER: root
+      FIZZY_DB_HOST: 127.0.0.1
+      FIZZY_DB_PORT: 3306
+      BUNDLE_GITHUB__COM: ${{ inputs.saas && format('x-access-token:{0}', secrets.GH_TOKEN) || '' }}
+
+    steps:
+      - name: Install system packages
+        run: sudo apt-get update && sudo apt-get install --no-install-recommends -y libsqlite3-0 libvips curl ffmpeg
+
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Run tests
+        run: bin/rails db:setup test
+
+      - name: Run system tests
+        run: bin/rails test:system

Dockerfile

@@ -1,77 +1,76 @@
+# syntax=docker/dockerfile:1
+# check=error=true
+
+# This Dockerfile is designed for production, not development. Use with Kamal or build'n'run by hand:
+# docker build -t fizzy .
+# docker run -d -p 80:80 -e RAILS_MASTER_KEY=<value from config/master.key> --name fizzy fizzy
+
+# For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html
+
 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version
 ARG RUBY_VERSION=3.4.7
-FROM registry.docker.com/library/ruby:$RUBY_VERSION-slim AS base
+FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base
 
 # Rails app lives here
 WORKDIR /rails
 
-# Set production environment
+# Install base packages
+RUN apt-get update -qq && \
+    apt-get install --no-install-recommends -y curl libjemalloc2 libvips sqlite3 && \
+    ln -s /usr/lib/$(uname -m)-linux-gnu/libjemalloc.so.2 /usr/local/lib/libjemalloc.so && \
+    rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+# Set production environment variables and enable jemalloc for reduced memory usage and latency.
 ENV RAILS_ENV="production" \
     BUNDLE_DEPLOYMENT="1" \
     BUNDLE_PATH="/usr/local/bundle" \
-    BUNDLE_WITHOUT="development"
-
+    BUNDLE_WITHOUT="development" \
+    LD_PRELOAD="/usr/local/lib/libjemalloc.so"
 
 # Throw-away build stage to reduce size of final image
 FROM base AS build
 
 # Install packages needed to build gems
 RUN apt-get update -qq && \
-    apt-get install -y --no-install-recommends -y build-essential pkg-config git libvips libyaml-dev libssl-dev && \
+    apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config && \
     rm -rf /var/lib/apt/lists /var/cache/apt/archives
 
 # Install application gems
-COPY Gemfile Gemfile.lock .ruby-version ./
-COPY lib/bootstrap.rb ./lib/bootstrap.rb
-COPY gems ./gems/
-RUN --mount=type=secret,id=GITHUB_TOKEN --mount=type=cache,id=fizzy-permabundle-${RUBY_VERSION},sharing=locked,target=/permabundle \
-    gem install bundler && \
-    BUNDLE_PATH=/permabundle BUNDLE_GITHUB__COM="$(cat /run/secrets/GITHUB_TOKEN):x-oauth-basic" bundle install && \
-    cp -a /permabundle/. "$BUNDLE_PATH"/ && \
-    bundle clean --force && \
-    rm -rf "$BUNDLE_PATH"/ruby/*/bundler/gems/*/.git && \
-    find "$BUNDLE_PATH" -type f \( -name '*.gem' -o -iname '*.a' -o -iname '*.o' -o -iname '*.h' -o -iname '*.c' -o -iname '*.hpp' -o -iname '*.cpp' \) -delete && \
-    bundle exec bootsnap precompile --gemfile
+COPY Gemfile Gemfile.lock vendor ./
+
+RUN bundle install && \
+    rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
+    # -j 1 disable parallel compilation to avoid a QEMU bug: https://github.com/rails/bootsnap/issues/495
+    bundle exec bootsnap precompile -j 1 --gemfile
 
 # Copy application code
 COPY . .
 
-# Precompile bootsnap code for faster boot times
-RUN bundle exec bootsnap precompile app/ lib/
+# Precompile bootsnap code for faster boot times.
+# -j 1 disable parallel compilation to avoid a QEMU bug: https://github.com/rails/bootsnap/issues/495
+RUN bundle exec bootsnap precompile -j 1 app/ lib/
 
 # Precompiling assets for production without requiring secret RAILS_MASTER_KEY
 RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
 
+
+
+
 # Final stage for app image
 FROM base
 
-# Install packages needed for deployment
-RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y curl libsqlite3-0 libvips build-essential ffmpeg groff libreoffice-writer libreoffice-impress libreoffice-calc mupdf-tools sqlite3 libjemalloc-dev && \
-    rm -rf /var/lib/apt/lists /var/cache/apt/archives
+# Run and own only the runtime files as a non-root user for security
+RUN groupadd --system --gid 1000 rails && \
+    useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash
+USER 1000:1000
 
 # Copy built artifacts: gems, application
-COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build /rails /rails
-
-# Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
-    chown -R rails:rails db log storage tmp
-USER rails:rails
+COPY --chown=rails:rails --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --chown=rails:rails --from=build /rails /rails
 
 # Entrypoint prepares the database.
 ENTRYPOINT ["/rails/bin/docker-entrypoint"]
 
-# Ruby GC tuning values pulled from Autotuner recommendations
-ENV RUBY_GC_HEAP_0_INIT_SLOTS=692636 \
-    RUBY_GC_HEAP_1_INIT_SLOTS=175943 \
-    RUBY_GC_HEAP_2_INIT_SLOTS=148807 \
-    RUBY_GC_HEAP_3_INIT_SLOTS=9169 \
-    RUBY_GC_HEAP_4_INIT_SLOTS=3054 \
-    RUBY_GC_MALLOC_LIMIT=33554432 \
-    RUBY_GC_MALLOC_LIMIT_MAX=67108864 \
-    LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
-
-# Start the server by default, this can be overwritten at runtime
-EXPOSE 80 443 9394
+# Start server via Thruster by default, this can be overwritten at runtime
+EXPOSE 80
 CMD ["./bin/thrust", "./bin/rails", "server"]

Dockerfile.dev

@@ -18,7 +18,7 @@ RUN apt-get update -qq && \
 
 # Install application gems
 COPY Gemfile Gemfile.lock .ruby-version ./
-COPY lib/bootstrap.rb ./lib/bootstrap.rb
+COPY lib/fizzy.rb ./lib/fizzy.rb
 COPY gems ./gems/
 RUN --mount=type=secret,id=GITHUB_TOKEN --mount=type=cache,id=fizzy-devbundle-${RUBY_VERSION},sharing=locked,target=/devbundle \
     gem install bundler foreman && \