🚚 transfer release/v1.7.2.2 into main. #1004
🧪 modify test_model_managment_db.py
…lable 🐛 fix bug: MCP status indicator stays green when mcp server is unavailable
🐛 Fix bug: memory unavailable in speed deployment
… expired 🐛 Fix bug: login modal not automatically pop up when login session is expired
✨ Model access supports modification access - bugs fix
🐛 Fix bug: login modal unexpectedly shows up in speed mode
…file paths ✨ Replace the terminal service base image and support mounting local file paths
…he cookie is cleaned 🐛 Fix bug: Fatal error "local variable 'new_memories_with_actions' referenced before assignment" in specific version mem0ai==0.1.115
…like agent name or agent variable name.
…like agent name or agent variable name.
…y in order to prepare for the northbound development 🧪 Modify corresponding test files
…m out the conversation #124
…d result in max_tokens being 0, making the model unavailable.#995
…d result in max_tokens being 0, making the model unavailable.#995
…d result in max_tokens being 0, making the model unavailable.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Set up Docker Buildx | ||
| run: | | ||
| if ! docker buildx inspect nexent_builder > /dev/null 2>&1; then | ||
| docker buildx create --name nexent_builder --use | ||
| else | ||
| docker buildx use nexent_builder | ||
| fi | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build terminal image (amd64) and load locally | ||
| run: | | ||
| docker buildx build --platform linux/amd64 -t nexent/nexent-ubuntu-terminal:beta-amd64 --load -f make/terminal/Dockerfile . | ||
| - name: Login to DockerHub | ||
| run: echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u nexent --password-stdin | ||
| - name: Push terminal image (amd64) to DockerHub | ||
| run: docker push nexent/nexent-ubuntu-terminal:beta-amd64 | ||
|
|
||
| build-and-push-terminal-arm64: |
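Review bot: In the "Login to DockerHub" step, ${{ secrets.DOCKERHUB_TOKEN }} is substituted into the script text before the shell runs and is left unquoted, so a token containing whitespace or shell metacharacters is reinterpreted by the shell instead of being passed through verbatim. Map the secret to a step-level environment variable (env: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}) and pipe it with printf '%s' "$DOCKERHUB_TOKEN" | docker login -u nexent --password-stdin. The same pattern appears in the other login steps of these workflows.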
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the issue, you should explicitly set the permissions key either at the top/root of the workflow or for each job (if jobs require differing permissions). In this case, the safest and simplest fix is to set the root-level permissions: block, since all jobs simply check out code (requiring only contents: read) and do not interact with issues or pull requests. This change should be made at the top of the workflow file, after the name: and before the first key (concurrency:). No additional imports, methods, or code changes are necessary, just a YAML block specifying minimal permissions.
| @@ -1,5 +1,8 @@ | ||
| name: Docker Build and Push All Images (Beta Version) | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-push-beta-${{ github.ref }} | ||
| cancel-in-progress: true |
| runs-on: ubuntu-latest | ||
| needs: | ||
| - build-and-push-terminal-amd64 | ||
| - build-and-push-terminal-arm64 | ||
| steps: | ||
| - name: Login to DockerHub | ||
| run: echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u nexent --password-stdin | ||
| - name: Create and push manifest for terminal (DockerHub) | ||
| run: | | ||
| docker manifest create nexent/nexent-ubuntu-terminal:beta \ | ||
| nexent/nexent-ubuntu-terminal:beta-amd64 \ | ||
| nexent/nexent-ubuntu-terminal:beta-arm64 | ||
| docker manifest push nexent/nexent-ubuntu-terminal:beta |
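Review bot: The steps shown for this manifest job are only a registry login and docker manifest create/push, with no checkout, so the job uses nothing from the repository and does not need the contents: read that a root-level block would give it. Add permissions: {} on this job so its GITHUB_TOKEN carries no scopes, and keep contents: read for the jobs that run actions/checkout.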
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the problem, add a permissions block to the workflow to explicitly restrict the GITHUB_TOKEN to the minimum required privileges. Since all jobs appear only to build Docker images and push them to DockerHub (using secrets for authentication), and do not interact with issues, PRs, or write to repo contents, the best practice is to set the overall workflow permissions to read-only or, most restrictively, to {} (which disables all default permissions for the workflow). This block should be placed near the top of the workflow file—immediately after name: and before concurrency:. No other changes are needed in the workflow as no job appears to require escalation from the minimum. This change confines the GITHUB_TOKEN to the minimum privileges, hardening CI security.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Docker Build and Push All Images (Beta Version) | ||
|
|
||
| concurrency: |
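Review bot: This suggestion puts permissions: above name:, while its own description says to place it after name: and before concurrency:, and the earlier suggestion for the same workflow (Docker Build and Push All Images (Beta Version)) inserts the identical block after name:. Apply only one of the two, because accepting both leaves the file with two top-level permissions keys, which is a duplicate mapping key in YAML. Keeping the block after name: matches the description and the usual key order.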
| runs-on: ${{ fromJson(inputs.runner_label_json) }} | ||
| steps: | ||
| - name: Set up Docker Buildx | ||
| run: | | ||
| if ! docker buildx inspect nexent_builder > /dev/null 2>&1; then | ||
| docker buildx create --name nexent_builder --use | ||
| else | ||
| docker buildx use nexent_builder | ||
| fi | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build terminal image (amd64) and load locally | ||
| run: | | ||
| docker buildx build --platform linux/amd64 --load -t ccr.ccs.tencentyun.com/nexent-hub/nexent-ubuntu-terminal:amd64 -f make/terminal/Dockerfile . | ||
| - name: Login to Tencent Cloud | ||
| run: echo ${{ secrets.TCR_PASSWORD }} | docker login ccr.ccs.tencentyun.com --username=${{ secrets.TCR_USERNAME }} --password-stdin | ||
| - name: Push terminal image (amd64) to Tencent Cloud | ||
| run: docker push ccr.ccs.tencentyun.com/nexent-hub/nexent-ubuntu-terminal:amd64 | ||
|
|
||
| build-and-push-terminal-arm64: |
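Review bot: runs-on is taken from the runner_label_json input, so this job may be routed to a self-hosted runner that outlives the job, and docker login in the "Login to Tencent Cloud" step leaves the registry credential in the runner's Docker configuration after the push. Add a final step with if: always() that runs docker logout ccr.ccs.tencentyun.com so the credential is removed even when the build or push fails.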
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix this problem, explicitly set a permissions: key at the workflow root, just below the name: or on: sections. This ensures that all jobs in the workflow only receive the minimal required repository privileges. For this workflow, the only repository interaction needed is checking out code, which requires contents: read. Other steps interact solely with Docker registry using secrets, not the repository. Thus, add permissions:\n contents: read below the name: (or on: if present).
Specifically:
- Edit .github/workflows/docker-build-push-mainland.yml.
- Add the following lines after the name: (line 1) or after the on: block for clarity:
    permissions:
      contents: read
- This grants read-only access and ensures the GITHUB_TOKEN in all jobs cannot be used for write access or privileged operations in the repository.
No other areas of the YAML file or code need modification.
| @@ -1,5 +1,8 @@ | ||
| name: Docker Build and Push All Images to tencentyun | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
| runs-on: ubuntu-latest | ||
| needs: | ||
| - build-and-push-terminal-amd64 | ||
| - build-and-push-terminal-arm64 | ||
| steps: | ||
| - name: Login to Tencent Cloud | ||
| run: echo ${{ secrets.TCR_PASSWORD }} | docker login ccr.ccs.tencentyun.com --username=${{ secrets.TCR_USERNAME }} --password-stdin | ||
| - name: Create and push manifest for terminal (Tencent Cloud) | ||
| run: | | ||
| docker manifest create ccr.ccs.tencentyun.com/nexent-hub/nexent-ubuntu-terminal:latest \ | ||
| ccr.ccs.tencentyun.com/nexent-hub/nexent-ubuntu-terminal:amd64 \ | ||
| ccr.ccs.tencentyun.com/nexent-hub/nexent-ubuntu-terminal:arm64 | ||
| docker manifest push ccr.ccs.tencentyun.com/nexent-hub/nexent-ubuntu-terminal:latest |
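Review bot: docker manifest create builds :latest from the mutable tags :amd64 and :arm64, so the manifest points at whatever those tags hold when this job runs, which is not necessarily what the two needs: jobs of this run pushed if another run pushes in between. Have the build jobs expose the pushed image digests as job outputs and reference the images by digest here; a concurrency group like the one in the beta workflow would also narrow the window.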
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
The best way to fix this problem is to explicitly add a permissions block at the root of the workflow (.github/workflows/docker-build-push-mainland.yml), so that all jobs will inherit the least privilege needed unless overridden locally. For workflows whose jobs do not interact with the repo (e.g., only using docker and external secrets), the recommended minimal permissions are typically contents: read, which allows jobs to clone the repo if needed but does not enable write operations. If a particular job really does need to write (for example, to create a release or interact with issues/pull requests), selectively grant those permissions only to that job. In this case, as all jobs appear to only be pushing docker images and do not interact with the repo or issues, the global workflow permission of contents: read is correct. Edit the top of .github/workflows/docker-build-push-mainland.yml to add:
    permissions:
      contents: read
directly below the workflow name (and before on:).
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Docker Build and Push All Images to tencentyun | ||
|
|
||
| on: |
| runs-on: ${{ fromJson(inputs.runner_label_json) }} | ||
| steps: | ||
| - name: Set up Docker Buildx | ||
| run: | | ||
| if ! docker buildx inspect nexent_builder > /dev/null 2>&1; then | ||
| docker buildx create --name nexent_builder --use | ||
| else | ||
| docker buildx use nexent_builder | ||
| fi | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build terminal image (amd64) and load locally | ||
| run: | | ||
| docker buildx build --platform linux/amd64 -t nexent/nexent-ubuntu-terminal:amd64 --load -f make/terminal/Dockerfile . | ||
| - name: Login to DockerHub | ||
| run: echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u nexent --password-stdin | ||
| - name: Push terminal image (amd64) to DockerHub | ||
| run: docker push nexent/nexent-ubuntu-terminal:amd64 | ||
|
|
||
| build-and-push-terminal-arm64: |
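Review bot: The "Checkout code" step uses actions/checkout@v4 with no with: block, so the action's default of persisting the GITHUB_TOKEN in the checked-out repository's git configuration applies, and the next step passes the repository root (the trailing .) to docker buildx build as the build context. Set persist-credentials: false on the checkout, since no later step shown here runs git against the remote, and confirm that .git is excluded from the build context.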
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the problem and adhere to least privilege best practices, add a permissions key set to contents: read at the top (root) of the workflow file, right after the name (or on block) but before jobs. This ensures all jobs in this workflow only have read access to repository contents by default. If a specific job needs additional write privileges (for instance, for PR status updates), these can be added at the job level. This change does not affect the functionality of this workflow (which only checks out code and pushes to DockerHub using external credentials).
Implementation Steps:
- Edit .github/workflows/docker-build-push-overseas.yml
- Insert the block:
    permissions:
      contents: read
  right after the name (or immediately before or after the on block, per YAML semantics).
| @@ -1,5 +1,8 @@ | ||
| name: Docker Build and Push All Images to DockerHub | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
| runs-on: ubuntu-latest | ||
| needs: | ||
| - build-and-push-terminal-amd64 | ||
| - build-and-push-terminal-arm64 | ||
| steps: | ||
| - name: Login to DockerHub | ||
| run: echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u nexent --password-stdin | ||
| - name: Create and push manifest for terminal (DockerHub) | ||
| run: | | ||
| docker manifest create nexent/nexent-ubuntu-terminal:latest \ | ||
| nexent/nexent-ubuntu-terminal:amd64 \ | ||
| nexent/nexent-ubuntu-terminal:arm64 | ||
| docker manifest push nexent/nexent-ubuntu-terminal:latest |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To address this problem, you should add an explicit permissions block to limit the permissions granted to the GITHUB_TOKEN for this workflow. Since the workflow only checks out repository code (which needs contents: read) and otherwise interacts with DockerHub via a secret, you can safely limit permissions to the minimum. The recommended approach is to specify the permissions block at the workflow root, so it applies to all jobs unless overridden, or you can set it individually for jobs if granular control is desired. The best practice is to use:
    permissions:
      contents: read
unless some step or future edit truly requires additional scopes. You should place this block immediately after the name: key, before the on: key, at the top of .github/workflows/docker-build-push-overseas.yml.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Docker Build and Push All Images to DockerHub | ||
|
|
||
| on: |
| build-terminal: | ||
| runs-on: ${{ fromJson(inputs.runner_label_json) }} | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Build terminal image |
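Review bot: uses: actions/checkout@v4 in the "Checkout code" step references a tag that its publisher can move, so the code this step runs can change without any change to this file. Pin the action to a full commit SHA and keep the version in a trailing comment, here and in the other workflows in this PR that use the same reference.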
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 5 months ago
To fix this problem, add a permissions key at the root of the workflow file .github/workflows/docker-build.yml, immediately following the workflow's name and before the on block. Assign contents: read as the minimal permission needed. This ensures GITHUB_TOKEN is restricted to only being able to read repository contents, thus reducing risk if a workflow step or dependency is compromised, while not affecting workflow functionality since none of the jobs require write access.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Docker Build All Images | ||
|
|
||
| on: |
No description provided.