
Commit dc637b2

Authored by: cafalchio, madhu-mohan-jaishankar, gcgoncalves, lucarlig, gandhipratik203
Release/v1.0.4 (#5311)
* fix(docker): restrict hermetic wheel closure to s390x/ppc64le only
  Signed-off-by: Madhu Mohan Jaishankar <madhu.mohan.jaishankar@ibm.com>

* Updated version to 1.0.4
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* npm audit fix
  Signed-off-by: Gabriel Costa <gabrielcg@proton.me>

* Updated python versions
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* Updated UBI container versions
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* chore: refresh release dependency locks
  Signed-off-by: lucarlig <luca.carlig@ibm.com>

* chore: bump cpex plugin packages
  Signed-off-by: lucarlig <luca.carlig@ibm.com>

* chore: refresh Go dependencies
  Signed-off-by: lucarlig <luca.carlig@ibm.com>

* code quality gates
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* docs: add cargo-vet prune release step
  Signed-off-by: lucarlig <luca.carlig@ibm.com>

* Addressed dependabot issues
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* fix(deps): remove duplicate python-multipart entry in uv.lock

  The python-multipart [[package]] block in uv.lock had its version, sdist, and wheel lines duplicated (introduced in the dependabot merge), producing invalid TOML (duplicate keys). uv could not parse the lockfile, which broke every uv-based command and test gate. Remove the three duplicate lines so the block is well-formed again.

  Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

* fix(sso): merge Keycloak realm/client roles from access_token, not just userinfo/id_token

  Keycloak's built-in "realm roles" and "client roles" client-scope mappers default access.token.claim=true but id.token.claim=userinfo.token.claim=false. Since SSO role mapping reads claims from the userinfo response (with an id_token fallback for split-host 401s), realm_access/resource_access were silently missing on any stock Keycloak setup, even when the operator assigned the correct role and configured SSO_KEYCLOAK_ROLE_MAPPINGS correctly. New admins (and any role-mapped user) would fall through to the default role instead.

  _get_user_info()/_enrich_user_data_from_claims() now also decode the already-in-hand access_token and merge realm_access/resource_access/groups when missing from userinfo and id_token, covering both the normal 200 path and the existing 401 split-host fallback.

  Also fix a related inconsistency in _map_groups_to_roles(): role_mappings lookups were case-sensitive while _should_user_be_admin() already matched case-insensitively, which could grant is_admin=True with no matching RBAC role row when IdP role casing differed from the configured mapping key.

  Updated the local Keycloak dev seed (infra/keycloak/realm-export.json) to explicitly enable id_token/userinfo claim inclusion on the realm/client role mappers, and documented the default-mapper gotcha in the Keycloak SSO tutorial.

  Closes #5327

  Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>

* chore: update detect-secrets baseline for keycloak SSO claims fix

  Line numbers shifted in mcpgateway/services/sso_service.py and tests/unit/mcpgateway/services/test_sso_service.py after the role-claims merge fix; regenerated via make detect-secrets-scan.

  Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>

* chore: fix stale line number in detect-secrets baseline

  Previous baseline update had an off-by-one line number for the existing admin.html allowlisted entry; regenerated to match current file state.

  Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>

* chore: regenerate detect-secrets baseline (stable)

  Baseline had residual stale line-number drift from earlier regenerations run against transient working-tree states. Re-scanned against the clean checkout; two consecutive scans now agree with no diff.

  Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>

* chore: regenerate detect-secrets baseline via pinned pre-commit hook

  Earlier regeneration used the Makefile's pinned detect-secrets release via 'make detect-secrets-scan', which computes slightly different line offsets than the IBM fork pinned in .pre-commit-config.yaml that CI actually runs. Regenerate using 'pre-commit run detect-secrets' so the baseline matches what CI checks against.

  Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>

* chore: fix stale realm-export.json line number in detect-secrets baseline

  Previous commit captured the baseline before the post-stabilization scan result; the realm-export.json entry shifts from line 172 to 200 because this PR adds 28 lines of protocolMappers above it.

  Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>

* Updated cryptography and msgpack
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* fix(ci): pin buildx version to avoid Docker Hub rate-limit on setup-buildx-action
  Signed-off-by: Madhu Mohan Jaishankar <madhu.mohan.jaishankar@ibm.com>

* chore(docker): update UBI image versions
  Signed-off-by: Madhu Mohan Jaishankar <madhu.mohan.jaishankar@ibm.com>

* docs: update roadmap for release 1.0.4 due date and changelog reference
  Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* fix(secrets): update generated_at timestamp and adjust line numbers for detected secrets
  Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* docs: update 1.0.4 release description in roadmap to reflect accurate focus areas
  Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* fix secrets
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* fixed secrets
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

* Updated langsmith python package
  Signed-off-by: cafalchio <mcafalchio@gmail.com>

---------

Signed-off-by: Madhu Mohan Jaishankar <madhu.mohan.jaishankar@ibm.com>
Signed-off-by: cafalchio <mcafalchio@gmail.com>
Signed-off-by: Gabriel Costa <gabrielcg@proton.me>
Signed-off-by: lucarlig <luca.carlig@ibm.com>
Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>
Signed-off-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>
Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>
Co-authored-by: Madhu Mohan Jaishankar <madhu.mohan.jaishankar@ibm.com>
Co-authored-by: Gabriel Costa <gabrielcg@proton.me>
Co-authored-by: lucarlig <luca.carlig@ibm.com>
Co-authored-by: Pratik Gandhi <gandhipratik203@gmail.com>
Co-authored-by: Suresh Kumar Moharajan <suresh.kumar.m@ibm.com>
Co-authored-by: Lang-Akshay <akshay.shinde26@ibm.com>
1 parent 30a7057 commit dc637b2

32 files changed

Lines changed: 1706 additions & 2814 deletions


.bumpversion.cfg

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
[bumpversion]
2-
current_version = 1.0.3
2+
current_version = 1.0.4
33
commit = False
44
tag = False
55
sign-tags = True

.github/workflows/docker-multiplatform.yml

Lines changed: 36 additions & 34 deletions
@@ -59,11 +59,12 @@ env:
5959

6060
jobs:
6161
# ---------------------------------------------------------------
62-
# Build the full dependency-closure wheel image for every arch, so
63-
# Containerfile.lite's `ARG WHEELS_REF` default (${TARGETARCH}-latest)
64-
# resolves on all four without a flag. Content-addressed by
65-
# sha256(uv.lock) and pull-or-build idempotent, so unchanged deps are a
66-
# cache hit. Rides the same non-PR events as the platform builds below
62+
# Build the full dependency-closure wheel image for s390x and ppc64le only.
63+
# amd64/arm64 have full PyPI manylinux coverage and do not need a wheel
64+
# closure — Containerfile.lite always resolves via PyPI for those arches.
65+
# s390x/ppc64le wheels are content-addressed by sha256(uv.lock) and the
66+
# build is idempotent (skipped when the lock-hash tag already exists).
67+
# Rides the same non-PR events as the platform builds below
6768
# (push/merge_group/workflow_dispatch).
6869
# ---------------------------------------------------------------
6970
wheels:
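Review bot: the new comment line "Containerfile.lite always resolves via PyPI for those arches" overstates what the Containerfile does. According to the comment being removed just above it, Containerfile.lite's bare `ARG WHEELS_REF` default is `${TARGETARCH}-latest`; it is the workflow's `Compute wheel image ref` step further down that forces `UBI_MINIMAL` for amd64/arm64. A local `docker build` of Containerfile.lite on amd64/arm64 without `--build-arg WHEELS_REF` will therefore still reference the GHCR `amd64-latest`/`arm64-latest` wheel tags, which this change stops refreshing, so those builds would silently consume a stale closure. Either change the Containerfile default for non-s390x/ppc64le arches to the UBI image, or reword the comment to say that the workflow, not the Containerfile, is what guarantees the PyPI path.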
@@ -73,12 +74,6 @@ jobs:
7374
fail-fast: false
7475
matrix:
7576
include:
76-
- platform: linux/amd64
77-
runner: ubuntu-24.04
78-
suffix: amd64
79-
- platform: linux/arm64
80-
runner: ubuntu-24.04-arm
81-
suffix: arm64
8277
- platform: linux/s390x
8378
runner: ubuntu-24.04-s390x
8479
suffix: s390x
@@ -107,6 +102,8 @@ jobs:
107102
108103
- name: Set up Docker Buildx
109104
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
105+
with:
106+
version: latest
110107

111108
- name: Log in to GHCR
112109
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
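Review bot: `version: latest` on the `with:` block is a floating value, not a pin, which contradicts the stated intent of pinning buildx and undoes the reproducibility that the SHA-pinned `uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3` line directly above is there to provide. Every run will resolve whatever buildx release is current, so two runs of the same commit can build with different toolchains and a bad or compromised buildx release reaches CI automatically with no review step. Suggest an explicit release, e.g. `version: vX.Y.Z` with the version you have actually tested substituted in, and a dependabot entry or release-checklist item to bump it deliberately.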
@@ -220,6 +217,8 @@ jobs:
220217
- name: Set up Docker Buildx
221218
if: github.event_name != 'pull_request' || matrix.build_on_pr
222219
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
220+
with:
221+
version: latest
223222

224223
# Login is needed both for pushing the final image (push/workflow_dispatch)
225224
# and for probing the wheel-image registry below.
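Review bot: `version: latest` here floats rather than pins, the same issue as the other `Set up Docker Buildx` steps in this file; use one explicit buildx release value in all three steps so every job in the workflow builds with the identical toolchain and the change actually pins what the commit says it pins.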
@@ -231,33 +230,34 @@ jobs:
231230
username: ${{ github.actor }}
232231
password: ${{ secrets.GITHUB_TOKEN }}
233232

234-
# Resolve WHEELS_REF explicitly for every arch so the pipeline never
235-
# relies on Containerfile.lite's bare `ARG WHEELS_REF` default (which
236-
# points at a GHCR tag for local-build convenience). Prefer the
237-
# lock-matched tag (exact reproducible closure); if it isn't published
238-
# yet (cold lock-hash, `wheels` job still running), fall back to the
239-
# per-arch `latest` wheel image. If neither exists (first-ever run,
240-
# before `wheels` has published anything for this arch), fall back to
241-
# the literal UBI_MINIMAL default so the build doesn't depend on a
242-
# GHCR tag that doesn't exist yet - Containerfile.lite's install step
243-
# then falls through to a live PyPI install, compiling anything
244-
# missing itself.
233+
# Resolve WHEELS_REF for the build:
234+
# - amd64/arm64: always use UBI_MINIMAL (full PyPI manylinux coverage,
235+
# no wheel closure needed; avoids stale GHCR images)
236+
# - s390x/ppc64le: prefer the lock-hash-tagged wheel image built by the
237+
# `wheels` job above; fall back to `latest` if the lock-hash tag isn't
238+
# published yet; fall back to UBI_MINIMAL if neither exists (first-ever
239+
# run before any wheel image has been published for this arch).
245240
- name: Compute wheel image ref
246241
if: github.event_name != 'pull_request' || matrix.build_on_pr
247242
run: |
248-
WHEELS_IMAGE_LC=$(echo "${{ env.IMAGE_NAME }}-wheels" | tr '[:upper:]' '[:lower:]')
249-
LOCK_HASH=$(sha256sum uv.lock | cut -c1-16)
250-
LOCK_TAG="${{ env.REGISTRY }}/${WHEELS_IMAGE_LC}:${{ matrix.suffix }}-${LOCK_HASH}"
251-
LATEST_TAG="${{ env.REGISTRY }}/${WHEELS_IMAGE_LC}:${{ matrix.suffix }}-latest"
252-
if docker manifest inspect "${LOCK_TAG}" >/dev/null 2>&1; then
253-
echo "Using lock-matched wheel image: ${LOCK_TAG}"
254-
echo "WHEELS_REF=${LOCK_TAG}" >> "${GITHUB_ENV}"
255-
elif docker manifest inspect "${LATEST_TAG}" >/dev/null 2>&1; then
256-
echo "Lock-matched wheel image not published yet; falling back to ${LATEST_TAG}"
257-
echo "WHEELS_REF=${LATEST_TAG}" >> "${GITHUB_ENV}"
243+
UBI_MINIMAL_DEFAULT=$(grep -m1 '^ARG UBI_MINIMAL=' Containerfile.lite | cut -d= -f2-)
244+
if [[ "${{ matrix.suffix }}" == "s390x" || "${{ matrix.suffix }}" == "ppc64le" ]]; then
245+
WHEELS_IMAGE_LC=$(echo "${{ env.IMAGE_NAME }}-wheels" | tr '[:upper:]' '[:lower:]')
246+
LOCK_HASH=$(sha256sum uv.lock | cut -c1-16)
247+
LOCK_TAG="${{ env.REGISTRY }}/${WHEELS_IMAGE_LC}:${{ matrix.suffix }}-${LOCK_HASH}"
248+
LATEST_TAG="${{ env.REGISTRY }}/${WHEELS_IMAGE_LC}:${{ matrix.suffix }}-latest"
249+
if docker manifest inspect "${LOCK_TAG}" >/dev/null 2>&1; then
250+
echo "Using lock-matched wheel image: ${LOCK_TAG}"
251+
echo "WHEELS_REF=${LOCK_TAG}" >> "${GITHUB_ENV}"
252+
elif docker manifest inspect "${LATEST_TAG}" >/dev/null 2>&1; then
253+
echo "Lock-matched wheel image not published yet; falling back to ${LATEST_TAG}"
254+
echo "WHEELS_REF=${LATEST_TAG}" >> "${GITHUB_ENV}"
255+
else
256+
echo "No wheel image available yet for ${{ matrix.suffix }}; falling back to ${UBI_MINIMAL_DEFAULT}"
257+
echo "WHEELS_REF=${UBI_MINIMAL_DEFAULT}" >> "${GITHUB_ENV}"
258+
fi
258259
else
259-
UBI_MINIMAL_DEFAULT=$(grep -m1 '^ARG UBI_MINIMAL=' Containerfile.lite | cut -d= -f2-)
260-
echo "No wheel image available yet for ${{ matrix.suffix }}; falling back to ${UBI_MINIMAL_DEFAULT}, Containerfile.lite will install from PyPI"
260+
echo "${{ matrix.suffix }}: using UBI_MINIMAL as WHEELS_REF (PyPI install, no wheel closure needed)"
261261
echo "WHEELS_REF=${UBI_MINIMAL_DEFAULT}" >> "${GITHUB_ENV}"
262262
fi
263263
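Review bot: in the new s390x/ppc64le branch, a `docker manifest inspect` failure for any reason (registry outage, auth problem, rate limit) is indistinguishable from "tag not published", because both `if`/`elif` tests only look at the exit status. The step then silently degrades from the lock-matched closure to `latest` and finally to `UBI_MINIMAL` with a live PyPI install, and the published image no longer reflects `uv.lock` while the run still shows green. Consider capturing the inspect output and falling back only on a not-found response, failing the job on other errors, or at least emitting a `::warning::` annotation so a degraded build is visible in the run summary. Two smaller points: `${{ matrix.suffix }}` is expanded straight into the shell script on the `if [[ ... ]]` line; it is workflow-defined here so not attacker-controlled, but passing it via `env:` (for example `SUFFIX: ${{ matrix.suffix }}`) follows the usual workflow-hardening pattern and avoids quoting surprises. And `cut -c1-16` truncates the lock hash to 64 bits, which is fine for a cache tag but deserves a comment so nobody later treats the tag as a full content hash.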
@@ -333,6 +333,8 @@ jobs:
333333
334334
- name: Set up Docker Buildx
335335
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
336+
with:
337+
version: latest
336338

337339
- name: Log in to GHCR
338340
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
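Review bot: as with the two earlier `Set up Docker Buildx` steps, `version: latest` is a floating value; pin the same explicit buildx release in all three places so the workflow is reproducible and the buildx toolchain only changes through a reviewed bump.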
