53 commits
912fbad
Update Renovate configuration file
MH0386 Nov 4, 2025
a5e9e58
Merge pull request #377 from AlphaSphereDotAI/Renovate
MH0386 Nov 4, 2025
6f2d3bf
Configure Renovate with best practices and alerts
MH0386 Nov 4, 2025
fad7d5b
Merge pull request #378 from AlphaSphereDotAI/Renovate
MH0386 Nov 4, 2025
148a23c
Update Mergify configuration to remove branch deletion
MH0386 Nov 4, 2025
e1cd9d3
Merge pull request #379 from AlphaSphereDotAI/Mergify
MH0386 Nov 4, 2025
0e6f0f1
Delete .br directory
MH0386 Nov 4, 2025
814d625
Merge branch 'main' into ci
MH0386 Nov 4, 2025
f4d4b62
Switch all workflows to use ubuntu-slim for improved performance and …
MH0386 Nov 4, 2025
b99876b
Remove unnecessary free disk space step.
MH0386 Nov 4, 2025
817b4de
Add Docker setup step to multiple jobs in workflow
MH0386 Nov 4, 2025
c4c31e3
Refactor Docker setup steps to use QEMU and Buildx actions for improv…
MH0386 Nov 4, 2025
bdb9445
Add Docker-in-Docker service configuration for jobs
MH0386 Nov 4, 2025
41d7e13
Add Docker daemon configuration for debugging and features
MH0386 Nov 4, 2025
120fa85
Merge branch 'ci' of https://github.com/AlphaSphereDotAI/visualizr in…
MH0386 Nov 4, 2025
c0de707
Merge branch 'main' into ci
mergify[bot] Nov 4, 2025
2148953
Remove Docker-in-Docker service configuration from jobs for cleaner s…
MH0386 Nov 4, 2025
1b0d482
Merge branch 'ci' of https://github.com/AlphaSphereDotAI/visualizr in…
MH0386 Nov 4, 2025
a12dca2
Add iptables package to Docker workflows
MH0386 Nov 4, 2025
6dbc1f3
Fix formatting for iptables package in Docker workflows
MH0386 Nov 4, 2025
ef441ef
Refactor APT package installation steps in Docker workflows for clarity
MH0386 Nov 4, 2025
80d0366
Add version specification for iptables package in Docker workflows
MH0386 Nov 4, 2025
3cb06aa
Replace cache action with direct APT package installation for iptable…
MH0386 Nov 4, 2025
8f7fe8e
Replace iptables installation with docker.io
MH0386 Nov 4, 2025
7992710
Update .docker.yaml
MH0386 Nov 4, 2025
85efc13
Add QEMU and Docker Buildx setup steps
MH0386 Nov 4, 2025
2db62f2
Update Docker installation steps in workflow
MH0386 Nov 4, 2025
7ceea6f
Merge branch 'main' into ci
mergify[bot] Nov 4, 2025
70f2784
Merge branch 'main' into ci
mergify[bot] Nov 5, 2025
3214fee
Merge branch 'main' into ci
mergify[bot] Nov 5, 2025
07d1e02
Merge branch 'main' into ci
mergify[bot] Nov 5, 2025
04700f6
Merge branch 'main' into ci
mergify[bot] Nov 5, 2025
0b73358
Merge branch 'main' into ci
mergify[bot] Nov 5, 2025
fd1aa6d
Merge branch 'main' into ci
mergify[bot] Nov 5, 2025
8afdf15
Merge branch 'main' into ci
mergify[bot] Nov 6, 2025
c84ccfa
Merge branch 'main' into ci
mergify[bot] Nov 6, 2025
5f9213b
Merge branch 'main' into ci
mergify[bot] Nov 6, 2025
a9955ca
Merge branch 'main' into ci
mergify[bot] Nov 6, 2025
ad72b0f
Merge branch 'main' into ci
mergify[bot] Nov 6, 2025
7c4492c
Merge branch 'main' into ci
mergify[bot] Nov 6, 2025
3ed987f
Merge branch 'main' into ci
mergify[bot] Nov 7, 2025
e04c478
Merge branch 'main' into ci
mergify[bot] Nov 8, 2025
170be57
Merge branch 'main' into ci
mergify[bot] Nov 11, 2025
dfa5bfc
Merge branch 'main' into ci
mergify[bot] Nov 12, 2025
5170284
Merge branch 'main' into ci
mergify[bot] Nov 13, 2025
84c4fe6
Merge branch 'main' into ci
mergify[bot] Nov 14, 2025
b7f3262
Merge branch 'main' into ci
mergify[bot] Nov 15, 2025
13da411
Merge branch 'main' into ci
mergify[bot] Nov 18, 2025
96ac93a
Merge branch 'main' into ci
mergify[bot] Nov 19, 2025
af28826
Merge branch 'main' into ci
mergify[bot] Nov 20, 2025
f8c5b15
Merge branch 'main' into ci
mergify[bot] Nov 21, 2025
93f041a
Merge branch 'main' into ci
mergify[bot] Nov 22, 2025
724b64d
Merge branch 'main' into ci
mergify[bot] Nov 24, 2025
7 changes: 1 addition & 6 deletions .github/mergify.yml
Expand Up @@ -14,11 +14,6 @@ pull_request_rules:
- files = .trunk/trunk.yaml
actions:
merge:
- name: Delete branch after close
conditions:
- closed
actions:
delete_head_branch:
- name: Comment when a pull request is merged
conditions:
- merged
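Review bot: the `Delete branch after close` rule is removed without a replacement, so merged head branches will now linger unless the repository's "Automatically delete head branches" setting is enabled; state in the PR description which mechanism now handles cleanup, otherwise stale branches accumulate.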
Expand Down Expand Up @@ -83,6 +78,6 @@ queue_rules:
- check-success = GitGuardian Security Checks
- check-success = SonarCloud
- check-success = Trunk Check
- check-success = CodeRabbit
- check-success = Test Image / API Test
- check-success = CodeQL
# - check-success = CodeRabbit
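Review bot: `check-success = CodeRabbit` is turned into a comment rather than deleted, which leaves dead configuration in the queue rule; remove the line or add a short comment saying why it is disabled. Adding `check-success = CodeQL` and `check-success = Test Image / API Test` as queue conditions is the right direction, but both strings must match the reported check-run names exactly (for workflow jobs, the job's `name:`), otherwise the queue waits on a check that never reports and merges stall.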
2 changes: 2 additions & 0 deletions .github/renovate.json
Expand Up @@ -10,6 +10,8 @@
"dependencies"
]
},
"osvVulnerabilityAlerts": true,
"dependencyDashboardOSVVulnerabilitySummary": "all",
Comment on lines +13 to +14
high

Enabling OSV vulnerability alerts is a great security enhancement. However, with pyproject.toml currently in ignorePaths (line 16), Renovate will not scan or update the Python dependencies defined in that file. This means you won't get vulnerability alerts for them, which largely defeats the purpose of these new settings. To make these alerts effective, you should consider removing pyproject.toml from the ignorePaths list.

"ignorePaths": [
"pyproject.toml"
]
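Review bot: agreed with the comment above on `ignorePaths`: with `pyproject.toml` ignored, the Python dependencies are outside the scope of `osvVulnerabilityAlerts`, so the new alerts cover only the remaining package files. Separately, `"dependencyDashboardOSVVulnerabilitySummary": "all"` lists resolved as well as unresolved advisories on the dashboard; `"unresolved"` keeps the dashboard limited to items that still need action.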
46 changes: 38 additions & 8 deletions .github/workflows/.docker.yaml
Expand Up @@ -22,19 +22,28 @@ permissions:
jobs:
check_dockerfile:
name: Validate Dockerfile
runs-on: ubuntu-latest
runs-on: ubuntu-slim
if: ${{ inputs.is_test }}
environment:
name: code_quality
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Install APT packages
run: |
sudo apt-get update
sudo apt-get install -y docker.io
sudo systemctl start docker
- name: Log in to ${{ inputs.registry }} Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ${{ inputs.registry }}
username: mh0386
password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER }}
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
- name: Validate build configuration
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
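Review bot: `sudo apt-get install -y docker.io` installs whatever engine version the Ubuntu archive currently ships, so the Docker version this job validates with is unpinned and will change between runs; the commit history shows a version spec being added and then dropped for iptables, and the same question applies to `docker.io`. At minimum run `docker version` after the install so the job log records what was used. Also, this job starts the engine with `sudo systemctl start docker`, while the later jobs in this file use `docker/setup-docker-action`; one provisioning method across the file keeps the jobs comparable and easier to pin.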
Expand All @@ -55,23 +64,32 @@ jobs:
name: Build and push Docker image to ${{ inputs.registry }}
needs: check_dockerfile
if: ${{ always() && !cancelled() }}
runs-on: ubuntu-latest
runs-on: ubuntu-slim
outputs:
image_tag: ${{ steps.tag.outputs.TAG }}
environment:
name: docker_image
url: ${{inputs.registry}}/${{github.repository}}
steps:
- name: Free Disk Space
if: github.event_name != 'pull_request'
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Get Python version from pyproject.toml
id: get_python_version
uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
with:
cmd: yq -roy '.project.requires-python' pyproject.toml
- name: Install APT packages
run: sudo apt-get update && sudo apt-get install -y docker.io
- name: Set up Docker
uses: docker/setup-docker-action@v4.5.0
with:
daemon-config: |
{
"debug": true,
"features": {
"containerd-snapshotter": true
}
}
Comment on lines +84 to +92

⚠️ Potential issue | 🔴 Critical

Pin docker/setup-docker-action to commit SHA to mitigate supply-chain risk.

Lines 84 and 161 use the mutable tag @v4.5.0. Per GitHub Actions security best practices, these must be pinned to the full commit SHA. Previous reviews indicate this should have been fixed, but the unpinned references remain.

Apply this diff to both locations:

       - name: Set up Docker
-        uses: docker/setup-docker-action@v4.5.0
+        uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
         with:
           daemon-config: |
             {
               "debug": true,
               "features": {
                 "containerd-snapshotter": true
               }
             }

Use commit SHA efe9e3891a4f7307e689f2100b33a155b900a608 for both lines 84 and 161.

Also applies to: 161-169

🤖 Prompt for AI Agents
In .github/workflows/.docker.yaml around lines 84-92 and 161-169, the workflow
uses the mutable tag docker/setup-docker-action@v4.5.0 which is a supply-chain
risk; replace both occurrences with the pinned commit SHA
docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 so the
action is fixed to that exact commit.

- name: Log in to ${{ inputs.registry }} Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
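Review bot: `"debug": true` in `daemon-config` turns on daemon-level debug logging for every build; it is a troubleshooting switch, not something to keep in the permanent configuration of the job that authenticates to the registry, so drop it or gate it behind a workflow input. The `Install APT packages` step installs `docker.io` and the very next step runs `docker/setup-docker-action`, which provisions its own engine; say which of the two the build actually relies on and remove the other. Removing the `Free Disk Space` step is fine only if the slim runner has room for the image build, so watch the first runs.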
Expand Down Expand Up @@ -126,7 +144,7 @@ jobs:
name: Docker Scout (${{ matrix.commands }})
needs: build_image
if: ${{ always() && !cancelled() }}
runs-on: ubuntu-latest
runs-on: ubuntu-slim
environment:
name: docker_image
strategy:
Expand All @@ -137,6 +155,18 @@ jobs:
- cves
- recommendations
steps:
- name: Install APT packages
run: sudo apt-get update && sudo apt-get install -y docker.io
- name: Set up Docker
uses: docker/setup-docker-action@v4.5.0
with:
daemon-config: |
{
"debug": true,
"features": {
"containerd-snapshotter": true
}
}
Comment on lines +161 to +169
⚠️ Potential issue | 🔴 Critical

Pin docker/setup-docker-action to commit SHA (docker_scout job).

Line 158 has the same unpinned action issue. This must also be updated to use the full commit SHA instead of the version tag @v4.5.0.

Apply this diff:

-      - name: Set up Docker
-        uses: docker/setup-docker-action@v4.5.0
+      - name: Set up Docker
+        uses: docker/setup-docker-action@<FULL_COMMIT_SHA> # v4.5.0
         with:
           daemon-config: |
             {
               "debug": true,
               "features": {
                 "containerd-snapshotter": true
               }
             }

Use the same commit SHA as you pin in the build_image job (line 81).

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
.github/workflows/.docker.yaml around lines 158 to 166: the
docker/setup-docker-action is referenced with a floating tag (@v4.5.0); replace
that tag with the exact commit SHA used for docker/setup-docker-action in the
build_image job at line 81 so the docker_scout job is pinned to the same commit
SHA; update the uses line to reference the full SHA (same string as line 81) and
leave the rest of the step (with: daemon-config) unchanged.

- name: Log in to ${{ inputs.registry }} Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
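Review bot: the `Install APT packages` step and the nine-line `daemon-config` block are copied verbatim from `build_image` into `docker_scout`; the comment above already shows the pin drifting between the two copies. Move the Docker setup into a composite action (or a reusable step) referenced from both jobs so the commit SHA and the daemon settings live in one place.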
Expand All @@ -155,7 +185,7 @@ jobs:
api_test:
name: API Test
needs: build_image
runs-on: ubuntu-latest
runs-on: ubuntu-slim
if: ${{ always() && !cancelled() && inputs.is_test }}
environment:
name: api_test
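Review bot: this hunk only changes `runs-on` to `ubuntu-slim`, whereas `check_dockerfile`, `build_image` and `docker_scout` in the same file each gained an `Install APT packages` or Docker setup step alongside the same change; if `API Test` runs the image produced by `build_image`, it needs the same Docker setup here, otherwise it will fail on a runner image without an engine, which the added install steps elsewhere suggest is the case.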
Expand Down Expand Up @@ -194,7 +224,7 @@ jobs:
- api_test
- docker_scout
if: ${{ always() && !cancelled() && inputs.registry == 'ghcr.io' }}
runs-on: ubuntu-latest
runs-on: ubuntu-slim
environment:
name: docker_image
steps:
4 changes: 2 additions & 2 deletions .github/workflows/.lint.yaml
Expand Up @@ -8,7 +8,7 @@ permissions:
jobs:
format:
name: Format
runs-on: ubuntu-latest
runs-on: ubuntu-slim
permissions:
contents: write
environment:
Expand Down Expand Up @@ -37,7 +37,7 @@ jobs:
commit_options: '--no-verify'
check:
name: Check
runs-on: ubuntu-latest
runs-on: ubuntu-slim
environment:
name: code_quality
needs: format
4 changes: 2 additions & 2 deletions .github/workflows/build.yaml
Expand Up @@ -20,7 +20,7 @@ jobs:
UV_LINK_MODE: "copy"
permissions:
contents: write
runs-on: ubuntu-latest
runs-on: ubuntu-slim
steps:
- name: Checkout Code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
Expand Down Expand Up @@ -64,7 +64,7 @@ jobs:
github_release:
name: Create GitHub Release
needs: setup_and_build
runs-on: ubuntu-latest
runs-on: ubuntu-slim
environment:
name: github
url: ${{github.event.repository.html_url}}/releases/tag/${{github.ref_name}}
4 changes: 2 additions & 2 deletions .github/workflows/ci_tools.yaml
Expand Up @@ -15,7 +15,7 @@ concurrency:
jobs:
trunk_upgrade:
name: Upgrade Trunk
runs-on: ubuntu-latest
runs-on: ubuntu-slim
if: github.event_name == 'schedule'
permissions:
contents: write
Expand All @@ -28,7 +28,7 @@ jobs:
uses: trunk-io/trunk-action/upgrade@75699af9e26881e564e9d832ef7dc3af25ec031b # v1
cache_trunk:
name: Cache Trunk
runs-on: ubuntu-latest
runs-on: ubuntu-slim
if: github.event_name == 'push'
permissions:
actions: write
2 changes: 1 addition & 1 deletion .github/workflows/release.yaml
Expand Up @@ -10,7 +10,7 @@ concurrency:
jobs:
pypi:
name: Upload Python Package
runs-on: ubuntu-latest
runs-on: ubuntu-slim
permissions:
contents: read
id-token: write
2 changes: 1 addition & 1 deletion .github/workflows/test.yaml
Expand Up @@ -12,7 +12,7 @@ permissions: read-all
jobs:
compatibility:
name: Check Dependency Compatibility
runs-on: ubuntu-latest
runs-on: ubuntu-slim
environment:
name: code_quality
permissions: