8 changes: 7 additions & 1 deletion .github/workflows/manual-build.yml
@@ -1,11 +1,17 @@
---
name: Manual Build & Push
on:
workflow_dispatch:
workflow_dispatch:
inputs:
platforms:
description: 'The platforms for which the Docker image should be built. If not specified, defaults to linux/amd64.'
required: false
default: 'linux/amd64'
jobs:
build-push:
uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
with:
name: '${{ github.event.repository.name }}-develop'
tags: br-${{ github.ref_name }}
platforms: ${{ github.event.inputs.platforms }}
secrets: inherit
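Review bot: `tags: br-${{ github.ref_name }}` yields an invalid image tag for any branch whose name contains `/` (for example `feature/x`), because Docker tags allow only `[A-Za-z0-9_][A-Za-z0-9_.-]*`; sanitize the ref name before passing it (or confirm reusable_build-push.yml does) rather than letting the push fail at runtime. Also, `uses: kbase/.github/.github/workflows/reusable_build-push.yml@main` combined with `secrets: inherit` hands every repository secret to whatever is on that branch of the shared repo at run time; pinning the reusable workflow to a tag or commit SHA keeps a change there from silently altering what this workflow does with those secrets.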
48 changes: 48 additions & 0 deletions .github/workflows/pr_build.yml
@@ -0,0 +1,48 @@
---
name: Pull Request Build, Tag, & Push
on:
pull_request:
branches:
- develop
- main
- master
types:
- opened
- reopened
- synchronize
- closed
jobs:
build-develop-open:
if: github.base_ref == 'develop' && github.event.pull_request.merged == false
uses: kbase/.github/.github/workflows/reusable_build.yml@main
with:
platforms: "linux/amd64"
secrets: inherit
build-develop-merge:
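Review bot: `if: github.base_ref == 'develop' && github.event.pull_request.merged == false` is also true for a `closed` event when the PR was closed without merging, since the trigger lists `closed` under `types`; an abandoned PR therefore gets a fresh build (and, further down, a Trivy scan). Adding `github.event.action != 'closed'` to the open-PR conditions, or only letting the two merge jobs react to `closed`, avoids the wasted runs and makes the intent explicit.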
Comment on lines +16 to +21

Code scanning / CodeQL, check warning: Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 3 months ago):

To remediate the problem, the workflow file .github/workflows/pr_build.yml should define a permissions block at either the global (workflow) scope or for each individual job. The least privilege setting, unless jobs require specific write access, is typically contents: read. Since this workflow appears to interact with PRs (labels such as "Tag", "Push", and the use of PR events), it is safest to grant contents: read globally. If specific jobs require write permissions for actions like tagging or merging, their associated jobs can be modified later, but the recommended minimum is:

permissions:
  contents: read

This should be added at the workflow root (just after the name: or on: key), so that all jobs default to these permissions unless specifically overridden. No changes to imports or other definitions are needed.


Suggested changeset 1: .github/workflows/pr_build.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -1,5 +1,7 @@
 ---
 name: Pull Request Build, Tag, & Push
+permissions:
+  contents: read
 on:
   pull_request:
     branches:
EOF
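Review bot: a root-level `permissions: contents: read` is the right default, but this workflow only calls reusable workflows, and a called workflow cannot raise the GITHUB_TOKEN permissions above what the caller grants. If reusable_build-push.yml logs in to a registry with GITHUB_TOKEN, the build-develop-merge, build-main-open and build-main-merge jobs will need a job-level `permissions: { contents: read, packages: write }`, and trivy-scans will need `security-events: write` if it uploads SARIF. Check the called workflows before applying the autofix so the push jobs do not start failing at login.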
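Added example (not code from this PR or from the kbase/.github repository): a stdlib-only Python check that applies the rule behind the CodeQL warning, flagging every job that is covered neither by a root-level `permissions:` block nor by its own, and treating `write-all` as no restriction. The sample workflow is pr_build.yml from this diff, condensed; the fixed and job-scoped variants are constructed to mirror the autofix. It assumes consistent two-space indentation, as stated in the docstring; a real tool would parse the YAML instead of scanning indentation.

```python
"""Flag GitHub Actions jobs that run with an unrestricted GITHUB_TOKEN.

Added example; not part of this pull request or of the kbase/.github
workflows. A job runs with the repository's default token permissions unless
the workflow sets a root-level `permissions:` key or the job sets its own.
Assumption: the workflow uses consistent two-space indentation (as the diff
does); a production tool would parse the YAML rather than scan indentation.
"""
import re

# "  key: rest" -> (indent, key, rest); YAML list items ("  - x") do not match.
_KEY = re.compile(r"^( *)([A-Za-z0-9_.-]+):(.*)$")


def unconstrained_jobs(workflow_text: str) -> list[str]:
    """Return job ids that have no explicit, non-write-all permissions.

    A job is covered by its own `permissions:` block or, failing that, by a
    root-level one. `write-all` at either level is explicit but unrestricted,
    so it does not count as coverage.
    """
    root_ok = False          # root-level permissions present and not write-all
    in_jobs = False          # currently inside the top-level jobs: mapping
    current = None           # job id whose body we are scanning
    jobs: dict[str, bool | None] = {}   # job -> None (no block) / True / False (write-all)
    for line in workflow_text.splitlines():
        m = _KEY.match(line)
        if not m:
            continue
        indent, key, rest = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:                                  # top-level key
            in_jobs = key == "jobs"
            current = None
            if key == "permissions":
                root_ok = rest != "write-all"
        elif in_jobs and indent == 2:                    # a job id under jobs:
            current = key
            jobs[current] = None
        elif in_jobs and indent == 4 and current and key == "permissions":
            jobs[current] = rest != "write-all"          # job-level override
    return [name for name, own in jobs.items()
            if own is False or (own is None and not root_ok)]


# Constructed sample: pr_build.yml from the diff, condensed to three jobs.
PR_BUILD = """\
---
name: Pull Request Build, Tag, & Push
on:
  pull_request:
    branches:
      - develop
      - main
    types: [opened, reopened, synchronize, closed]
jobs:
  build-develop-open:
    if: github.base_ref == 'develop' && github.event.pull_request.merged == false
    uses: kbase/.github/.github/workflows/reusable_build.yml@main
    with:
      platforms: "linux/amd64"
    secrets: inherit
  build-develop-merge:
    if: github.base_ref == 'develop' && github.event.pull_request.merged == true
    uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
    with:
      name: '${{ github.event.repository.name }}-develop'
      tags: pr-${{ github.event.number }},latest
    secrets: inherit
  trivy-scans:
    if: github.event.pull_request.merged == false
    uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
    secrets: inherit
"""

# Constructed variants: the autofix, a job-level override, and write-all.
PR_BUILD_FIXED = PR_BUILD.replace("\non:\n", "\npermissions:\n  contents: read\non:\n", 1)
PR_BUILD_WRITE_ALL = PR_BUILD.replace("\non:\n", "\npermissions: write-all\non:\n", 1)
PR_BUILD_JOB_SCOPED = PR_BUILD.replace(
    "  build-develop-merge:\n",
    "  build-develop-merge:\n    permissions:\n      contents: read\n      packages: write\n", 1)

if __name__ == "__main__":
    for label, text in [("original", PR_BUILD), ("autofix", PR_BUILD_FIXED),
                        ("job-scoped", PR_BUILD_JOB_SCOPED), ("write-all", PR_BUILD_WRITE_ALL)]:
        print(f"{label}: unconstrained jobs = {unconstrained_jobs(text)}")
```

A root `contents: read` also caps what a called reusable workflow can do with GITHUB_TOKEN, because a called workflow cannot raise the token above what the caller granted; jobs that call reusable_build-push.yml would need a job-level block such as `permissions: { contents: read, packages: write }` if that workflow pushes to a registry with GITHUB_TOKEN, which is exactly the job-scoped variant the check accepts above.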
if: github.base_ref == 'develop' && github.event.pull_request.merged == true
uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
with:
name: '${{ github.event.repository.name }}-develop'
tags: pr-${{ github.event.number }},latest
platforms: "linux/amd64"
secrets: inherit
build-main-open:
Comment on lines +22 to +29

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

To fix the problem, we must add a permissions block to the workflow so that the permissions granted to the GITHUB_TOKEN are restricted according to the principle of least privilege. Ideally, this should be added at the top/root of the workflow, just below the name or before on, so it applies to all jobs unless overridden by specific jobs.

For most build/test workflows that do not require write-level tokens, the minimal default is usually:

permissions:
  contents: read

If the workflow (or any called workflow) needs to create or comment on pull requests, pull-requests: write can also be allowed. But as a minimal fix per the prompt, we will set:

permissions:
  contents: read

This can later be adjusted as needed if more is required, but starting with a minimal read-only approach is best.

Summary of Change:
Edit .github/workflows/pr_build.yml and insert

permissions:
  contents: read

immediately after the name field (after line 2, before line 3 in the snippet).


Suggested changeset 1: .github/workflows/pr_build.yml. The autofix patch is identical to the one in the comment on lines +16 to +21 (insert `permissions:` / `  contents: read` after the `name:` line).
if: (github.base_ref == 'main' || github.base_ref == 'master') && github.event.pull_request.merged == false
uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
with:
name: '${{ github.event.repository.name }}'
tags: pr-${{ github.event.number }}
platforms: "linux/amd64"
secrets: inherit
build-main-merge:
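Review bot: unlike build-develop-open, which uses the build-only reusable_build.yml, this job pushes a `pr-N` tag under the production image name `${{ github.event.repository.name }}` on every `opened`/`synchronize` event of a PR against main, so unreviewed code reaches the registry under the release image name. For PRs from forks the `pull_request` run receives no repository secrets, so `secrets: inherit` supplies no registry credentials and the push step fails; for branches in this repository the inherited secrets are available and the push goes through. If PR images are wanted, either use reusable_build.yml here as on the develop path, or push them under a distinct image name rather than the one the release workflow tags `latest`.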
Comment on lines +30 to +37

Code scanning / CodeQL, check warning: Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 3 months ago):

To fix the problem, you should add a permissions block at the root level of the workflow. The minimal and recommended way is to set all permissions to read by default. This means adding the following at the top (after the name: declaration and before on:):

permissions:
  contents: read

If you later find that a particular job requires additional permissions (such as pull-requests: write), you can override it at the relevant job level. However, based on the provided code, there is no explicit sign that more than contents: read is required, so this is a safe least-privilege fix.

How to implement:

  • Edit .github/workflows/pr_build.yml.
  • Add the following block after the name: label and before the on: block.
  • No other changes (such as job-level overrides or added imports) are required, since YAML workflows are declarative.
Suggested changeset 1: .github/workflows/pr_build.yml. The autofix patch is identical to the one in the comment on lines +16 to +21 (insert `permissions:` / `  contents: read` after the `name:` line).
if: (github.base_ref == 'main' || github.base_ref == 'master') && github.event.pull_request.merged == true
uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
with:
name: '${{ github.event.repository.name }}'
tags: pr-${{ github.event.number }},latest-rc
platforms: "linux/amd64"
secrets: inherit
trivy-scans:
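Review bot: the merge-triggered jobs key off `pull_request` `closed` with `merged == true`, which is still a `pull_request` run; when the merged PR came from a fork, repository secrets are not passed to that run, so the `latest-rc` push fails precisely for the merge that is supposed to produce the image. Triggering the merge builds from `push:` on main/master (and develop for the `-develop` image) gives a run that always has the secrets and does not depend on how the change landed.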
Comment on lines +38 to +45

Code scanning / CodeQL, check warning: Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 3 months ago):

To fix this issue, add a permissions block at the top of the workflow (global/root-level, immediately after the name: field and before the on: field). This will explicitly limit the permissions of the GITHUB_TOKEN for all jobs in the workflow, unless a job manually overrides them. The best practice is to grant only the minimal privileges required. For build/test-only workflows, contents: read is often sufficient. For push/tag/PR-related workflows, you may need write permissions on specific scopes, but if most jobs only need read-only access, start with contents: read as a baseline. Since the workflow does builds, pushes, and tags, you might need contents: write and possibly packages: write. However, for minimal starting point and best-practice alignment, start with contents: read, and escalate only when required.

Change to be made:

  • Insert a block:
    permissions:
      contents: read
    (or extend with permissions actually needed such as packages: write, pull-requests: write, etc. if required by actual reusable workflow steps).

Make this change in .github/workflows/pr_build.yml, between name: and on:.

You do not need to modify any code outside this snippet.


Suggested changeset 1: .github/workflows/pr_build.yml. The autofix patch is identical to the one in the comment on lines +16 to +21 (insert `permissions:` / `  contents: read` after the `name:` line).
if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
secrets: inherit
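Review bot: with `merged == false` in its condition the scan covers PR iterations but never the merge builds that are tagged `latest` and `latest-rc` above, and it is not wired into the build jobs with `needs:`, so a failing scan does not block a push. If the scan is meant to gate what gets published, the push jobs should declare `needs: trivy-scans` (and the scan should also run on the merge path, or against the pushed image).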
26 changes: 26 additions & 0 deletions .github/workflows/release-main.yml
@@ -0,0 +1,26 @@
---
name: Release - Build & Push Image
on:
release:
branches:
- main
- master
types: [ published ]
jobs:
check-source-branch:
uses: kbase/.github/.github/workflows/reusable_validate-branch.yml@main
with:
build_branch: '${{ github.event.release.target_commitish }}'
validate-release-tag:
needs: check-source-branch
uses: kbase/.github/.github/workflows/reusable_validate-release-tag.yml@main
with:
release_tag: '${{ github.event.release.tag_name }}'
build-push:
needs: validate-release-tag
uses: kbase/.github/.github/workflows/reusable_build-push.yml@main
with:
name: '${{ github.event.repository.name }}'
tags: '${{ github.event.release.tag_name }},latest'
platforms: "linux/amd64"
secrets: inherit
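Review bot: the `branches:` filter under `release:` is not a filter the `release` event supports (it only accepts `types:`), so GitHub ignores it and the workflow runs for a release published from any branch; the check-source-branch job on `github.event.release.target_commitish` is what actually enforces main/master, so the misleading filter should be dropped. Separately, `tags: '${{ github.event.release.tag_name }},latest'` moves `latest` for a pre-release as well; add `github.event.release.prerelease == false` to the build-push condition if `latest` is meant to track full releases only.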
41 changes: 16 additions & 25 deletions Dockerfile
@@ -1,23 +1,18 @@
FROM htcondor/execute:lts-el8
ENV container docker
FROM htcondor/base:25.0.1-el9

# Ge$t commonly used utilities
RUN yum -y update && yum upgrade -y
RUN yum install -y drpm
RUN yum -y install -y epel-release wget which git gcc libcgroup libcgroup-tools stress-ng tmpwatch
# Get commonly used utilities
RUN yum -y update && yum update -y systemd && yum -y install -y epel-release wget which git gcc stress-ng tmpwatch bzip2

# Install docker binaries
RUN yum install -y yum-utils device-mapper-persistent-data lvm2 && yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo && yum install -y docker-ce


#Install Python3 and Libraries (source /root/miniconda/bin/activate)
RUN yum install -y bzip2 \
&& wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh -O ~/miniconda.sh \
RUN wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh -O ~/miniconda.sh \
&& bash ~/miniconda.sh -b -p /miniconda \
&& export PATH="/miniconda/bin:$PATH"

# Add kbase user and set up directories
RUN useradd -c "KBase user" -rd /kb/deployment/ -u 998 -s /bin/bash kbase && \
RUN useradd -c "KBase user" -rd /kb/deployment/ -u 1000 -s /bin/bash kbase && \
mkdir -p /kb/deployment/bin && \
mkdir -p /kb/deployment/jettybase/logs/ && \
touch /kb/deployment/jettybase/logs/request.log && \
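Review bot: the rewritten miniconda line still fetches `Miniconda3-latest-Linux-x86_64.sh` with no version pin and no checksum, so the image is not reproducible and a replaced installer would run as root at build time; use a versioned installer and verify its published SHA-256 before executing it. It also hard-codes x86_64 while manual-build.yml now accepts a `platforms` input, so a non-amd64 build would install the wrong binary. Minor: `export PATH="/miniconda/bin:$PATH"` inside the RUN affects only that shell (the later `ENV PATH` is what persists), `yum -y install -y` repeats the flag, and `yum update -y systemd` is redundant after `yum -y update`.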
@@ -26,30 +21,26 @@ RUN useradd -c "KBase user" -rd /kb/deployment/ -u 998 -s /bin/bash kbase && \
#INSTALL DOCKERIZE
RUN wget -N https://github.com/kbase/dockerize/raw/master/dockerize-linux-amd64-v0.6.1.tar.gz && tar xvzf dockerize-linux-amd64-v0.6.1.tar.gz && cp dockerize /kb/deployment/bin && rm dockerize*

# Also add the user to the groups that map to "docker" on Linux and "daemon" on Mac
RUN usermod -a -G 0 kbase && usermod -a -G 999 kbase



#ADD DIRS
RUN mkdir -p /var/run/condor && mkdir -p /var/log/condor && mkdir -p /var/lock/condor && mkdir -p /var/lib/condor/execute

# Maybe you want: rm -rf /var/cache/yum, to also free up space taken by orphaned data from disabled or removed repos
RUN rm -rf /var/cache/yum

ENV PATH=/miniconda/bin:$PATH


RUN pip install uv requests websockets==10.0 slackclient psutil sanic==21.12.2 docker==7.1.0


COPY --chown=kbase deployment/ /kb/deployment/

# Install dependencies for JobRunner
ENV PATH /miniconda/bin:$PATH
RUN wget https://raw.githubusercontent.com/kbase/JobRunner/master/requirements.txt && pip install -r requirements.txt && rm requirements.txt
RUN /kb/deployment/bin/install_python_dependencies.sh

# The BUILD_DATE value seem to bust the docker cache when the timestamp changes, move to
# the end
LABEL org.label-schema.build-date=$BUILD_DATE \
org.label-schema.vcs-url="https://github.com/kbase/condor-worker.git" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.schema-version="1.0.0" \
us.kbase.vcs-branch=$BRANCH \
maintainer="Steve Chan sychan@lbl.gov"

ENV KB_DEPLOYMENT_CONFIG=/kb/deployment/conf/deployment.cfg


ENTRYPOINT [ "/kb/deployment/bin/dockerize" ]
CMD [ "-template", "/kb/deployment/conf/.templates/deployment.cfg.templ:/kb/deployment/conf/deployment.cfg", \
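Review bot: dropping `usermod -a -G 0 kbase && usermod -a -G 999 kbase` is the right least-privilege change (GID 0 is root's group and 999 was the one the old comment maps to docker), but docker-ce is still installed in the image, so confirm nothing under deployment/ still expects the kbase user to reach a docker socket. In the new pip line `uv`, `requests`, `slackclient` and `psutil` are unpinned while `websockets`, `sanic` and `docker` are pinned, and `install_python_dependencies.sh` (not in this diff) installs a second set; a single pinned requirements file with hashes would make both install paths reviewable. `RUN rm -rf /var/cache/yum` in its own layer does not shrink the image, since the cache is already committed in the earlier yum layers; append it to the yum RUN instead.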