microbiomedata
diff --git a/‎.docker/mongo_init/initialize_replica_set.sh
+44 b/‎.docker/mongo_init/initialize_replica_set.sh
+44
diff --git a/‎.github/workflows/python-app.yml
+37-5 b/‎.github/workflows/python-app.yml
+37-5
diff --git a/‎docker-compose.test.yml
+63-30 b/‎docker-compose.test.yml
+63-30
@@ -0,0 +1,44 @@
+#! /bin/sh
+
+###############################################################################
+# Overview
+# --------
+# This shell script uses `mongosh` to: (a) check whether the specified MongoDB
+# instance is a member of a replica set and, if is isn't, (b) creates a replica
+# set of which that MongoDB instance is the sole member.
+#
+# This shell script was designed to be run within a Docker container based upon
+# the `mongo:8.0.4` container image (i.e., https://hub.docker.com/_/mongo).
+#
+# Positional parameters
+# ---------------------
+# 1. MongoDB hostname (e.g., "mongo")
+# 2. MongoDB port     (e.g., "27017")
+# 3. MongoDB username (e.g., "admin")
+# 4. MongoDB password (e.g., "root")
+#
+# References
+# ----------
+# 1. https://www.mongodb.com/docs/manual/reference/method/rs.status/
+# 2. https://www.mongodb.com/docs/mongodb-shell/reference/options/
+# 3. https://www.warp.dev/terminus/docker-compose-health-check
+###############################################################################
+
+echo 'Setting up replica set.'
+
+echo '
+  try {
+    rs.status();
+  } catch (e) {
+    rs.initiate({ _id: "rs0", members: [{ _id: 0, host: "localhost" }] });
+  }
+' | mongosh \
+  --host "${1}" \
+  --port "${2}" \
+  --username "${3}" \
+  --password "${4}"
+
+echo 'Finished setting up replica set.'
+
+# Exit with a status code of 0.
+exit 0
@@ -1,6 +1,5 @@
-# This workflow will install Python dependencies, run tests and lint with a single version of Python
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
-
+# This GitHub Actions workflow spins up the "test" Docker Compose stack and runs automated tests within it.
+# Reference: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
 name: Python application
 
 # Note: The following events will trigger this workflow:
@@ -35,13 +34,46 @@ on:
   # Reference: https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow
   workflow_dispatch: { }
 
-
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4 # update version to maintain consistency across workflows
+    # Prepare the MongoDB keyfile to be mounted by the `mongo` container.
+    #
+    # Note: This is to prevent MongoDB from reporting the error:
+    #       > "permissions on /path/to/keyfile are too open"
+    #
+    # Note: This involves making the file be readable _only_ by the OS user that MongoDB runs as.
+    #
+    #       In containers using the `mongo` image, that user is named `mongodb` and has a
+    #       UID of `999`. That user belongs to a group named `mongodb`, whose GID is `999`.
+    #       You can verify this by looking at the Dockerfile layers on Docker Hub.
+    #       Reference: https://hub.docker.com/layers/library/mongo/8.0.5/images/sha256-90bf5066fed8a3cd59345d963922bc5cb557d4b4b2a0e38dfd9ee299c405741b
+    #
+    #       The GHA Runner will allow me to `chmod 600` the file, but not `chown 999:999` it.
+    #       Since the GHA Runner will not allow me to `chown` the file, I use a Docker container
+    #       to (effectively) accomplish that. Since—after I use the Docker container to change
+    #       the file's owner—the GHA Runner will not allow me to then `chmod` the file, I opt to
+    #       accomplish that within the Docker container as well.
+    #
+    #       The reason—within the Docker container—I do not `chmod` or `chown` the original file
+    #       directly, is that I am under the impression that ownership/permission changes made
+    #       within a container to mounted files that already exist on the host will not be seen
+    #       by the host. I have not found official documentation supporting this yet.
+    #       TODO: Include a reference about changing mounted file's permission within container.
+    #
+    - name: Restrict access to MongoDB keyfile
+      run: |
+        mkdir _tmp
+        docker run --rm \
+          -v ./mongoKeyFile:/mongoKeyFile \
+          -v ./_tmp:/out \
+          alpine \
+          sh -c 'cp /mongoKeyFile /out/mongoKeyFile && chmod 600 /out/mongoKeyFile && chown 999:999 /out/mongoKeyFile'
+        mv _tmp/mongoKeyFile ./mongoKeyFile
+        rmdir _tmp
     - name: Set up Python 3.10
       uses: actions/setup-python@v4
       with:
@@ -53,7 +85,7 @@ jobs:
 #        make lint
     - name: Build and run containers upon which test runner depends
       run: make up-test
-    - name: Build test runner container image
+    - name: Build container image for test runner
       run: make test-build
     - name: Run tests
       run: make test-run
@@ -1,21 +1,28 @@
 services:
-  # This service runs the postgres DB used by dagster for run storage, schedule storage,
-  # and event log storage.
-  # Tests use `postgres:11` image.
-  # https://github.com/dagster-io/dagster/blob/0.11.9/python_modules/libraries/dagster-postgres/dagster_postgres_tests/docker-compose.yml
+
+  # Postgres server used by Dagster.
+  #
+  # > This service runs the postgres DB used by dagster for run storage, schedule storage,
+  # > and event log storage.
+  # > Tests use `postgres:11` image.
+  # > https://github.com/dagster-io/dagster/blob/0.11.9/python_modules/libraries/dagster-postgres/dagster_postgres_tests/docker-compose.yml
+  #
   dagster-postgresql:
     image: postgres:11
     container_name: dagster-postgresql
-    volumes:
-      - nmdc_runtime_test_postgres_data:/var/lib/postgresql/data
     environment:
       POSTGRES_USER: "postgres_user"
       POSTGRES_PASSWORD: "postgres_password"
       POSTGRES_DB: "postgres_db"
+    volumes:
+      - nmdc_runtime_test_postgres_data:/var/lib/postgresql/data
 
-  # This service runs dagit.
-  # Since our instance uses the QueuedRunCoordinator, any runs submitted from dagit will be put on
-  # a queue and later dequeued and launched by dagster-daemon.
+  # Web server that hosts the Dagster web UI.
+  #
+  # > This service runs dagit.
+  # > Since our instance uses the QueuedRunCoordinator, any runs submitted from dagit will be put on
+  # > a queue and later dequeued and launched by dagster-daemon.
+  #
   dagster-dagit:
     build:
       context: .
@@ -27,8 +34,6 @@ services:
       - "3000"
     ports:
       - "3000:3000"
-    env_file:
-      - .env.test
     environment:
       DAGSTER_POSTGRES_USER: "postgres_user"
       DAGSTER_POSTGRES_PASSWORD: "postgres_password"
@@ -38,9 +43,13 @@ services:
     restart: on-failure
     volumes:
       - ./:/opt/dagster/lib
+    env_file: .env.test
 
-  # This service runs the dagster-daemon process, which is responsible for taking runs
-  # off of the queue and launching them, as well as creating runs from schedules or sensors.
+  # Dagster daemon.
+  #
+  # > This service runs the dagster-daemon process, which is responsible for taking runs
+  # > off of the queue and launching them, as well as creating runs from schedules or sensors.
+  #
   dagster-daemon:
     build:
       context: .
@@ -49,17 +58,20 @@ services:
     container_name: dagster-daemon
     entrypoint: ["tini", "--", "../lib/nmdc_runtime/site/entrypoint-daemon.sh"]
     restart: on-failure
-    env_file:
-      - .env.test
     environment:
       DAGSTER_POSTGRES_USER: "postgres_user"
       DAGSTER_POSTGRES_PASSWORD: "postgres_password"
       DAGSTER_POSTGRES_DB: "postgres_db"
     depends_on:
-      - dagster-postgresql
+      dagster-postgresql: { condition: service_started }
+      # Wait until the MongoDB replica set has been set up by the "init container"
+      # before starting this Dagster daemon container.
+      mongo-init: { condition: service_completed_successfully }
     volumes:
       - ./:/opt/dagster/lib
+    env_file: .env.test
 
+  # Uvicorn server hosting the FastAPI application.
   fastapi:
     build:
       context: .
@@ -68,27 +80,48 @@ services:
     container_name: fastapi
     ports:
       - "8000:8000"
-    env_file:
-      - .env.test
-    depends_on:
-      - mongo
     volumes:
       - .:/code
+    # Wait until the MongoDB replica set has been set up by the "init container"
+    # before starting this FastAPI container.
+    depends_on:
+      mongo-init: { condition: service_completed_successfully }
+    env_file: .env.test
+
+  # Short-lived MongoDB server used to initialize the one used by the FastAPI application.
+  mongo-init:
+    image: mongo:8.0.4
+    container_name: mongo-init
+    volumes:
+      - ./wait-for-it.sh:/wait-for-it.sh:ro
+      - .docker/mongo_init/initialize_replica_set.sh:/initialize_replica_set.sh:ro
+    depends_on:
+      mongo: { condition: service_started }
+    entrypoint: /bin/bash /wait-for-it.sh --host=mongo --port=27017 --timeout=20 -- /bin/sh /initialize_replica_set.sh mongo 27017 admin root
 
+  # MongoDB server used by the FastAPI application.
   mongo:
     image: mongo:8.0.4
     container_name: mongo
     ports:
       - "27018:27017"
-    volumes:
-      - nmdc_runtime_test_mongo_data:/data/db
-      - ~/nmdcdb-mongodump:/nmdc_dump:ro
-      - ./tests/mongorestore-nmdc-testdb.sh:/mongorestore-nmdc-testdb.sh:ro
     restart: unless-stopped
     environment:
       MONGO_INITDB_ROOT_USERNAME: admin
       MONGO_INITDB_ROOT_PASSWORD: root
+    # Configure MongoDB to run in replica set mode, so we can use MongoDB transactions.
+    #
+    # Note: Including a KeyFile is necessary when doing the combination of (a) running MongoDB in
+    #       replica set mode and (b) running MongoDB with authentication enabled.
+    #
+    command: ["--replSet", "rs0", "--bind_ip_all", "--keyFile", "/keyFile"]
+    volumes:
+      - nmdc_runtime_test_mongo_data:/data/db
+      - ./mongoKeyFile:/keyFile:ro
+      - ~/nmdcdb-mongodump:/nmdc_dump:ro
+      - ./tests/mongorestore-nmdc-testdb.sh:/mongorestore-nmdc-testdb.sh:ro
 
+  # Test runner.
   test:
     # Prevent Docker Compose from starting this service automatically.
     # Reference: https://stackoverflow.com/a/65957695
@@ -99,13 +132,13 @@ services:
       dockerfile: nmdc_runtime/Dockerfile
       target: test
     container_name: test
-    env_file:
-      - .env.test
+    env_file: .env.test
     depends_on:
-      - mongo
-      - fastapi
-      - dagster-daemon
-      - dagster-dagit
+      mongo-init: { condition: service_completed_successfully }
+      mongo: { condition: service_started }
+      fastapi: { condition: service_started }
+      dagster-daemon: { condition: service_started }
+      dagster-dagit: { condition: service_started }
     volumes:
       - .:/code