Merged
23 commits
3b6ce15
Update docker/login-action action to v4
Apr 24, 2026
7124e0c
Update docker/setup-buildx-action action to v4
Apr 24, 2026
cf98c44
feat: multi-stage build without uv runtime dependency
rtuszik Apr 27, 2026
1e6825f
increase test coverage
rtuszik May 10, 2026
79fcf19
single region jsonl implementation
rtuszik Apr 2, 2026
0cbf919
jsonl e2e test
rtuszik Apr 2, 2026
ae0729d
feat: add multi-region JSONL support with country codes
rtuszik Apr 27, 2026
94999f5
fix: prevent serving empty index after a failed JSONL import
rtuszik Jun 9, 2026
d959484
ci: use uv native caching, pin to .python-version file
rtuszik Jun 9, 2026
53d2f68
chore(deps): update dependency pytest to v9.0.3 [security]
koalabot-rt[bot] Jun 12, 2026
827ffaf
refactor: split filesystem/updater into index and update modules
rtuszik Jun 10, 2026
a5da3c8
fix: index marker scope
rtuszik Jun 13, 2026
04a1106
refactor(import): rename import marker functions for clarity
rtuszik Jun 13, 2026
a83c2e5
refactor: standardize ruff config and make args keyword-only
rtuszik Jun 13, 2026
7a8a9d6
Update Photon version to 1.2.0
rtuszik Jun 13, 2026
b062d85
fix: correct continent country-code slices and harden update recovery
rtuszik Jun 13, 2026
56032fc
feat: checksum retry, move before extraction, add notification
rtuszik Jun 17, 2026
fd75833
docs(README): update index info, add import mode and env vars
rtuszik Jun 18, 2026
50fbd41
chore: uv lock update
rtuszik Jun 18, 2026
af6f7fb
Update .github/workflows/full-test-jsonl.yml
rtuszik Jun 18, 2026
85e611e
ci: update lint workflow and fix README badges and typos
rtuszik Jun 18, 2026
70264b8
ci(github-actions): add read permissions and use env vars in summary
rtuszik Jun 18, 2026
e8581cc
refactor(update): ensure temp directory cleared on failure
rtuszik Jun 19, 2026
10 changes: 7 additions & 3 deletions .github/workflows/build-and-push.yml
Expand Up @@ -18,6 +18,10 @@ on:
branches:
- dev

permissions:
contents: read
packages: write

jobs:
build-and-push:
runs-on: ubuntu-latest
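Review bot: the new `permissions` block is workflow-scoped, so `packages: write` is granted to every job in this file, not only to `build-and-push`. That is acceptable while the pushing job is the only one here, but if any job that does not push (a test or lint job) lives in or is later added to this workflow, move `packages: write` under that job and leave the workflow default at `contents: read`. The explicit `contents: read` itself is the right baseline and matches what the test and lint workflows in this PR set.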
Expand All @@ -29,16 +33,16 @@ jobs:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

- name: Login to DockerHub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Login to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
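Review bot: the v3 to v4 bumps keep full-SHA pins with a `# v4` trailer, which is the right shape, but the trailer is only a hint: confirm each of `4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd` and `4907a6ddec9925e35a0a9e82d7399ccc52663121` resolves to the tagged v4 release of `docker/setup-buildx-action` and `docker/login-action` respectively, because nothing else in the pipeline checks that a pinned SHA and its comment agree. Separately, `password: ${{ secrets.DOCKER_PASSWORD }}` should hold a Docker Hub access token scoped to push on this repository rather than the account password; the GHCR login below it can keep using the job token, which is what the `packages: write` grant above is for.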
110 changes: 110 additions & 0 deletions .github/workflows/full-test-jsonl.yml
@@ -0,0 +1,110 @@
name: Container Test

on:
pull_request:
branches:
- main
- dev
paths:
- "Dockerfile"
- "src/**"
- "docker-compose*.yml"
- ".last_release"
- "pyproject.toml"
- "uv.lock"

permissions:
contents: read

jobs:
test-container-jsonl:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

- name: Read Photon version from .last_release
id: photon_version
run: |
PHOTON_VERSION=$(cat .last_release | tr -d '[:space:]')
if [[ -z "$PHOTON_VERSION" || ! "$PHOTON_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Error: .last_release is missing, empty, or contains an invalid version: '$PHOTON_VERSION'"
exit 1
fi
echo "PHOTON_VERSION=$PHOTON_VERSION" >> "$GITHUB_ENV"
echo "Photon Version: $PHOTON_VERSION"

- name: Build test image
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: .
file: ./Dockerfile
build-args: |
PHOTON_VERSION=${{ env.PHOTON_VERSION }}
push: false
load: true
tags: photon-test:pr-${{ github.event.pull_request.number }}
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Start container
run: |
docker run -d \
--name photon-test-pr-${{ github.event.pull_request.number }} \
-e REGION=andorra \
-e IMPORT_MODE=jsonl \
-e UPDATE_STRATEGY=DISABLED \
photon-test:pr-${{ github.event.pull_request.number }}

- name: Wait for container to be healthy
run: |
echo "Waiting for container to become healthy (timeout: 6 minutes)..."
CONTAINER_NAME=photon-test-pr-${{ github.event.pull_request.number }}

docker logs -f $CONTAINER_NAME &
LOGS_PID=$!

ELAPSED=0
TIMEOUT=360

while [ "$ELAPSED" -lt "$TIMEOUT" ]; do
HEALTH_STATUS=$(docker inspect --format='{{.State.Health.Status}}' $CONTAINER_NAME 2>/dev/null || echo "unknown")

if [ "$HEALTH_STATUS" = "healthy" ]; then
echo "Container is healthy after ${ELAPSED} seconds"
kill $LOGS_PID 2>/dev/null || true
exit 0
fi

echo "Health status: $HEALTH_STATUS (elapsed: ${ELAPSED}s)"
sleep 10
ELAPSED=$((ELAPSED + 10))
done

kill $LOGS_PID 2>/dev/null || true
echo "Container failed to become healthy within $TIMEOUT seconds"
docker logs $CONTAINER_NAME
exit 1

- name: Cleanup
if: always()
run: |
docker stop photon-test-pr-${{ github.event.pull_request.number }} || true
docker rm photon-test-pr-${{ github.event.pull_request.number }} || true
docker rmi photon-test:pr-${{ github.event.pull_request.number }} || true

- name: Output summary
if: always()
run: |
echo "## Container Test Summary" >> $GITHUB_STEP_SUMMARY
echo "- **PR Number:** ${{ github.event.pull_request.number }}" >> $GITHUB_STEP_SUMMARY
echo "- **Photon Version:** ${PHOTON_VERSION}" >> $GITHUB_STEP_SUMMARY
echo "- **Status:** ${JOB_STATUS}" >> $GITHUB_STEP_SUMMARY
env:
JOB_STATUS: ${{ job.status }}
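Review bot: the loop in `Wait for container to be healthy` never checks whether the container is still running, so if the import crashes (the case `fix: prevent serving empty index after a failed JSONL import` is about) the job keeps polling until the full 360 s `TIMEOUT` expires before it fails; add a check on `docker inspect --format='{{.State.Status}}'` inside the loop and `exit 1` immediately with `docker logs` when it reports `exited`, which also gives a much faster signal on PRs. Two smaller points in the same file: `$CONTAINER_NAME` and `$GITHUB_STEP_SUMMARY` are unquoted while `"$GITHUB_ENV"` is quoted (harmless here since neither value contains whitespace, but keep one style), and the summary step still interpolates `${{ github.event.pull_request.number }}` directly into the shell while `JOB_STATUS` goes through `env:`; the PR number is an integer so it is not an injection vector, but routing it through `env:` as well keeps the pattern uniform with the commit title. The trigger and permission shape is right for a `pull_request` workflow: `contents: read` only, `push: false`, no registry login and no secrets, and the `.last_release` regex check fails the job before any build runs on a malformed version.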
5 changes: 4 additions & 1 deletion .github/workflows/full-test.yml
Expand Up @@ -14,6 +14,9 @@ on:
- "pyproject.toml"
- "uv.lock"

permissions:
contents: read

jobs:
test-container:
runs-on: ubuntu-latest
Expand All @@ -24,7 +27,7 @@ jobs:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

- name: Read Photon version from .last_release
id: photon_version
98 changes: 23 additions & 75 deletions .github/workflows/lint.yml
Expand Up @@ -7,112 +7,60 @@ on:
- "tests/**"
- "pyproject.toml"
- "uv.lock"
- ".python-version"
workflow_dispatch:

jobs:
setup:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: "Set up Python"
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version-file: "pyproject.toml"
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8
with:
enable-cache: true
version: 0.11.*
- name: Install dependencies
run: uv sync --locked
- name: Cache dependencies
uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
.venv
~/.cache/uv
key: ${{ runner.os }}-uv-${{ hashFiles('uv.lock') }}
permissions:
contents: read

jobs:
lint:
runs-on: ubuntu-latest
needs: setup
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: "Set up Python"
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version-file: "pyproject.toml"
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8
python-version-file: ".python-version"

- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8
with:
enable-cache: true
version: 0.11.*
- name: Restore dependencies
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
.venv
~/.cache/uv
key: ${{ runner.os }}-uv-${{ hashFiles('uv.lock') }}
fail-on-cache-miss: true
- name: Run linting
run: |
uv run ruff check --fix
uv run ruff format
- run: uv sync --locked
- run: |
uv run ruff check
uv run ruff format --check

typecheck:
runs-on: ubuntu-latest
needs: setup
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: "Set up Python"
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version-file: "pyproject.toml"
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8
python-version-file: ".python-version"
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8
with:
enable-cache: true
version: 0.11.*
- name: Restore dependencies
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
.venv
~/.cache/uv
key: ${{ runner.os }}-uv-${{ hashFiles('uv.lock') }}
fail-on-cache-miss: true
- name: Run type checking
run: uv run ty check
- run: uv sync --locked
- run: uv run ty check

vulture:
runs-on: ubuntu-latest
needs: setup
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: "Set up Python"
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version-file: "pyproject.toml"
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8
python-version-file: ".python-version"
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8
with:
enable-cache: true
version: 0.11.*
- name: Restore dependencies
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
.venv
~/.cache/uv
key: ${{ runner.os }}-uv-${{ hashFiles('uv.lock') }}
fail-on-cache-miss: true
- name: Run vulture
run: uv run vulture --min-confidence 100 --exclude ".venv" .
- run: uv sync --locked
- run: uv run vulture --min-confidence 100 --exclude ".venv" .
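Review bot: replacing `uv run ruff check --fix` / `uv run ruff format` with `ruff check` / `ruff format --check` is the correct fix for CI; the old commands rewrote files on the runner and exited 0, so a formatting or lint regression could never fail the job. Dropping the `setup` job together with `actions/cache/save` and `actions/cache/restore ... fail-on-cache-miss: true` also removes a brittle cross-job dependency (a cache eviction between jobs failed lint outright), and each job's own `uv sync --locked` now depends only on `setup-uv`'s `enable-cache`, which degrades to a slower install rather than a failure. One thing to verify: `python-version-file: ".python-version"` is now read by `actions/setup-python` while uv is pinned to `version: 0.11.*`; make sure `.python-version` agrees with `requires-python` in `pyproject.toml`, since `uv sync --locked` will refuse an interpreter that falls outside the project's requirement.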
2 changes: 1 addition & 1 deletion .last_release
@@ -1 +1 @@
1.1.0
1.2.0
54 changes: 37 additions & 17 deletions Dockerfile
@@ -1,20 +1,40 @@
FROM eclipse-temurin:21.0.9_10-jre-noble
FROM ubuntu:noble AS builder

ARG DEBIAN_FRONTEND=noninteractive

RUN apt-get update \
&& apt-get -y install --no-install-recommends \
python3.12 \
&& rm -rf /var/lib/apt/lists/*

# install astral uv
COPY --from=ghcr.io/astral-sh/uv:0.10 /uv /usr/local/bin/

WORKDIR /build

COPY pyproject.toml uv.lock ./

ENV UV_PYTHON=/usr/bin/python3.12 \
UV_PYTHON_PREFERENCE=only-system \
UV_LINK_MODE=copy \
UV_PROJECT_ENVIRONMENT=/photon/.venv

RUN uv sync --locked --no-dev --no-install-project


FROM eclipse-temurin:21.0.9_10-jre-noble

ARG DEBIAN_FRONTEND=noninteractive
ARG PHOTON_VERSION
ARG PUID=9011
ARG PGID=9011

RUN apt-get update \
&& apt-get -y install --no-install-recommends \
lbzip2 \
gosu \
python3.12 \
curl \
&& rm -rf /var/lib/apt/lists/*
&& apt-get -y install --no-install-recommends \
lbzip2 \
gosu \
python3.12 \
curl \
&& rm -rf /var/lib/apt/lists/*

RUN groupadd -g ${PGID} -o photon && \
useradd -l -u ${PUID} -g photon -o -s /bin/false -m -d /photon photon
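Review bot: the builder stage pulls uv with `COPY --from=ghcr.io/astral-sh/uv:0.10` and bases itself on `ubuntu:noble`, both floating tags, while every action in this PR's workflows is pinned to a full SHA; pin both to a digest (`ghcr.io/astral-sh/uv:0.10@sha256:...`, `ubuntu:noble@sha256:...`) so the image build gets the same supply-chain guarantee as CI. Related: CI runs `setup-uv` at `version: 0.11.*` but the image resolves the same `uv.lock` with uv 0.10; use the same minor in both so the lockfile CI validates is the one the image installs from. The stage is otherwise sound: `UV_PYTHON=/usr/bin/python3.12` with `UV_PYTHON_PREFERENCE=only-system` forces the venv onto the interpreter path the runtime stage also installs, `UV_LINK_MODE=copy` avoids hardlinks that would not survive the later `COPY --from=builder`, and `--no-dev --no-install-project` keeps the venv to locked runtime dependencies. Note the implicit contract this creates: the copied venv's `bin/python` symlink only resolves because both stages install the same `python3.12` package from noble; if either base image changes, the venv breaks at container start rather than at build time.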
Expand All @@ -27,24 +47,24 @@ ADD https://github.com/komoot/photon/releases/download/${PHOTON_VERSION}/photon-

COPY src/ ./src/
COPY entrypoint.sh .
COPY pyproject.toml .
COPY uv.lock .
RUN gosu photon uv sync --locked
COPY --from=builder /photon/.venv /photon/.venv

ENV PATH="/photon/.venv/bin:${PATH}" \
VIRTUAL_ENV=/photon/.venv

RUN chmod 644 /photon/photon.jar && \
chown -R photon:photon /photon

LABEL org.opencontainers.image.title="photon-docker" \
org.opencontainers.image.description="Unofficial docker image for the Photon Geocoder" \
org.opencontainers.image.url="https://github.com/rtuszik/photon-docker" \
org.opencontainers.image.source="https://github.com/rtuszik/photon-docker" \
org.opencontainers.image.documentation="https://github.com/rtuszik/photon-docker#readme"
org.opencontainers.image.description="Unofficial docker image for the Photon Geocoder" \
org.opencontainers.image.url="https://github.com/rtuszik/photon-docker" \
org.opencontainers.image.source="https://github.com/rtuszik/photon-docker" \
org.opencontainers.image.documentation="https://github.com/rtuszik/photon-docker#readme"

EXPOSE 2322

HEALTHCHECK --interval=30s --timeout=10s --start-period=240s --retries=3 \
CMD curl -f http://localhost:2322/status || exit 1
CMD curl -f http://localhost:2322/status || exit 1

ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
CMD ["uv", "run", "-m", "src.process_manager"]
CMD ["/photon/.venv/bin/python", "-m", "src.process_manager"]
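Review bot: the `ADD https://github.com/komoot/photon/releases/download/${PHOTON_VERSION}/photon-...` in this hunk's context has no `--checksum=` flag, so the jar is trusted on TLS to GitHub alone; since this PR bumps `.last_release` to 1.2.0, record the release's SHA-256 next to the version and pass it as `ADD --checksum=sha256:<hash>` (or verify with `sha256sum -c` in a `RUN`), otherwise a replaced release asset builds straight into the published image. On the existing comment suggesting `USER photon`: `gosu` is installed in this stage and the removed `RUN gosu photon uv sync --locked` shows the image already relies on it, which usually means `entrypoint.sh` starts as root (for example to fix ownership of mounted data under `/photon`) and then drops to `photon`; check `entrypoint.sh` before adding a `USER` line, because it would make any such root-only step fail at start. The `COPY --from=builder /photon/.venv /photon/.venv` followed by `chown -R photon:photon /photon` is correct, and changing `CMD` to `/photon/.venv/bin/python -m src.process_manager` is what actually removes uv from the runtime image as the commit title promises.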
Comment on lines 69 to +70

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Run the final container as the non-root user.

The runtime image still executes as root because the final stage never switches user. Add USER photon before startup to reduce container breakout impact.

Suggested patch
 RUN chmod 644 /photon/photon.jar && \
     chown -R photon:photon /photon
+
+USER photon
 
 LABEL org.opencontainers.image.title="photon-docker" \

Source: Linters/SAST tools
