Merge pull request #35 from cisagov/improvement/build_for_single_python_version

Target a single Python runtime

Author: mcdonnnj

.github/workflows/build.yml

@@ -265,13 +265,6 @@ jobs:
       - diagnostics
       - lint
       - test
-    strategy:
-      matrix:
-        # Python runtime versions supported by AWS
-        python-version:
-          - "3.7"
-          - "3.8"
-          - "3.9"
     steps:
       - name: Apply standard cisagov job preamble
         uses: cisagov/action-job-preamble@v1
@@ -305,16 +298,13 @@ jobs:
           echo "GH_SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV
       - name: Build the base Lambda Docker image
         run: |
-          docker compose build \
-            --build-arg PY_VERSION=${{ matrix.python-version }} \
-            build_deployment_package
+          docker compose build build_deployment_package
       - name: Generate the Lambda deployment package
         run: docker compose up build_deployment_package
       - name: Upload the generated Lambda deployment package as an artifact
         uses: actions/upload-artifact@v4
         with:
-          name: ${{ github.event.repository.name }}-py${{
-            matrix.python-version }}-${{ env.GH_SHORT_SHA }}
+          name: ${{ github.event.repository.name }}-${{ env.GH_SHORT_SHA }}
           path: ${{ env.DEFAULT_ARTIFACT_NAME }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3

Dockerfile

@@ -1,9 +1,5 @@
-ARG PY_VERSION=3.9
-
-FROM amazon/aws-lambda-python:$PY_VERSION AS install-stage
-
-# Declare it a second time so it's brought into this scope.
-ARG PY_VERSION=3.9
+# The runtime tag must match the version of Python specified in the Pipfile.
+FROM amazon/aws-lambda-python:3.9 AS install-stage
 
 # Install the Python packages necessary to install the Lambda dependencies.
 RUN python3 -m pip install --no-cache-dir \
@@ -17,15 +13,16 @@ RUN python3 -m pip install --no-cache-dir \
 WORKDIR /tmp
 
 # Copy in the dependency files.
-COPY src/py$PY_VERSION/ .
+COPY build/Pipfile build/Pipfile.lock ./
 
 # Install the Lambda dependencies.
 #
 # The --extra-pip-args option is used to pass necessary arguments to the
 # underlying pip calls.
 RUN pipenv sync --system --extra-pip-args="--no-cache-dir --target ${LAMBDA_TASK_ROOT}"
 
-FROM amazon/aws-lambda-python:$PY_VERSION AS build-stage
+# The runtime tag must match the version of Python specified in the Pipfile.
+FROM amazon/aws-lambda-python:3.9 AS build-stage
 
 ###
 # For a list of pre-defined annotation keys and value types see:
@@ -40,12 +37,6 @@ FROM amazon/aws-lambda-python:$PY_VERSION AS build-stage
 LABEL org.opencontainers.image.authors="[email protected]"
 LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
 
-# Declare it a third time so it's brought into this scope.
-ARG PY_VERSION=3.9
-
-# This must be present in the image to generate a deployment artifact.
-ENV BUILD_PY_VERSION=$PY_VERSION
-
 COPY --from=install-stage ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 
 WORKDIR ${LAMBDA_TASK_ROOT}

README.md

@@ -59,18 +59,15 @@ docker compose down
 
 ## How to update Python dependencies ##
 
-The Python dependencies are maintained using a
-[Pipenv](https://github.com/pypa/pipenv) configuration for each
-supported Python version. Changes to requirements should be made to
-the respective `src/py<Python version>/Pipfile`. More information
-about the `Pipfile` format can be found in the [`pipenv`
-documentation](https://pipenv.pypa.io/en/latest/pipfile.html#example-pipfile).
-The accompanying `Pipfile.lock` files contain the specific dependency
-versions that will be installed. These files can be updated like so
-(using the Python 3.9 configuration as an example):
+The Lambda's Python dependencies are maintained using a [Pipenv](https://github.com/pypa/pipenv)
+configuration. Changes to requirements should be made to the `Pipfile` located at
+`build/Pipfile`. More information about the `Pipfile` format can be found in the
+[`pipenv` documentation](https://pipenv.pypa.io/en/latest/pipfile.html#example-pipfile).
+The accompanying `Pipfile.lock` file contains the specific dependency versions
+that will be installed. This file is updated automatically like so:
 
 ```console
-cd src/py3.9
+cd build
 pipenv lock
 ```
 

src/py3.9/Pipfile build/Pipfilesrc/py3.9/Pipfile renamed to build/Pipfile

@@ -4,6 +4,7 @@ verify_ssl = true
 name = "pypi"
 
 [requires]
+# This must match the version of the Python runtime specified in the Dockerfile.
 python_version = "3.9"
 
 [packages]

src/py3.9/Pipfile.lock build/Pipfile.locksrc/py3.9/Pipfile.lock renamed to build/Pipfile.lock

@@ -11,7 +11,7 @@ services:
       # from the invoking environment but falls back to a default value.
       - BUILD_FILE_NAME=${BUILD_FILE_NAME:-lambda_build.zip}
     volumes:
-      - ./src/build_artifact.sh:/opt/build_artifact.sh
+      - ./build/build_artifact.sh:/opt/build_artifact.sh
       - .:/var/task/output
   run_lambda_locally:
     build: .