Migrate to Debian bookworm

* Install poetry from Debian packages * Build deployment content in a Debian container instead of Python. This shouldn't make much of a difference except that we'll also get security updates of Python itself from Debian instead of needing to bump the image (which we haven't really been doing). * Bump the nginx alpine image to latest. Refs <freedomofpress/securedrop-docs#567>.
freedomofpress · Jun 10, 2024 · eeb61c0 · eeb61c0
1 parent 68c09c5
commit eeb61c0
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 58 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,4 +5,5 @@ on: [merge_group, push, pull_request]
 
 jobs:
  reusable:
- uses: freedomofpress/securedrop-docs/.github/workflows/ci.yml@main
+ # TODO: switch back to main once securedrop-docs is on bookworm
+ uses: freedomofpress/securedrop-docs/.github/workflows/ci.yml@bookworm
diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml
@@ -7,4 +7,5 @@ on:
 
 jobs:
  reusable:
- uses: freedomofpress/securedrop-docs/.github/workflows/linkcheck.yml@main
+ # TODO: switch back to main once securedrop-docs is on bookworm
+ uses: freedomofpress/securedrop-docs/.github/workflows/linkcheck.yml@bookworm
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
@@ -1,15 +1,14 @@
-# sha256 as of 2023-10-16
-FROM python:3.9-slim-bullseye@sha256:b3415be51b8d2c8f35a6eb3db85e9ccdedf12beaa3b18ed4c2f769889717d02a as sphinx
+# sha256 as of 2024-06-10
+FROM debian:bookworm@sha256:911821c26cc366231183098f489068afff2d55cf56911cb5b7bd32796538dfe1 AS sphinx
 
 ARG GIT_BRANCH=main
-RUN apt-get -q update && apt-get -qy upgrade && apt-get -qy install git make latexmk texlive-latex-extra
+RUN apt-get -q update && apt-get -qy upgrade && apt-get -qy install git make latexmk texlive-latex-extra python3-poetry
 COPY ./ .
-RUN pip install poetry==1.7.1
 RUN poetry install
 RUN deploy/build $GIT_BRANCH
 
-# sha256 as of 2023-10-16
-FROM nginx:mainline-alpine-slim@sha256:1b0cb433e90260a96528c987ee78b797e842d510473935304a0931536d10f50d
+# sha256 as of 2024-06-10
+FROM nginx:mainline-alpine-slim@sha256:244d37691a469d45349d9f29e8b7462d9f510b70c0c93acc5d23ee227070c962
 
 COPY deploy/nginx.conf /etc/nginx
 RUN mkdir -p /opt/nginx/run /opt/nginx/webroot/en/latest && chown -R nginx:nginx /opt/nginx

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -6,7 +6,7 @@ authors = ["SecureDrop team <securedrop@freedom.press>"]
 readme = "README.md"
 
 [tool.poetry.dependencies]
-python = "^3.9"
+python = "^3.11"
 sphinx = "^7.3.7"
 sphinx-autobuild = "^2024.2.4"
 sphinx-rtd-theme = "^2.0.0"