Conversation
…_process/, database/) #1037
…resh # Conflicts: # frontend/app/[locale]/setup/modelSetup/components/model/ModelAddDialog.tsx
…atically refresh according to the model type" #1049
…nland China are not configured.
…nland China are not configured.
…nland China are not configured.
…nland China are not configured.
…nland China are not configured.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Clone model | ||
| run: | | ||
| GIT_LFS_SKIP_SMUDGE=1 git clone https://huggingface.co/Nexent-AI/model-assets | ||
| cd ./model-assets | ||
| GIT_TRACE=1 GIT_CURL_VERBOSE=1 GIT_LFS_LOG=debug git lfs pull | ||
| rm -rf .git .gitattributes | ||
| - name: Build data process image (amd64) and load locally | ||
| run: | | ||
| docker build --platform linux/amd64 -t nexent/nexent-data-process:dev-amd64 -f make/data_process/Dockerfile . | ||
|
|
||
| build-data-process-arm64: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix this problem, we need to explicitly add a permissions: block specifying the least privilege required for the workflow jobs. Since both jobs only check out code and build Docker images, they do not require any special permissions—only the ability to read repository contents at most, so contents: read is enough. This block can be added at the workflow (top-level) right after the name: and before concurrency:, which will apply it to all jobs in the workflow. No other changes are required, and it will not affect any functionality of existing jobs.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Build Data-Process Images | ||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-data-process-dev-${{ github.ref }} |
| runs-on: ubuntu-24.04-arm | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Clone model | ||
| run: | | ||
| GIT_LFS_SKIP_SMUDGE=1 git clone https://huggingface.co/Nexent-AI/model-assets | ||
| cd ./model-assets | ||
| GIT_TRACE=1 GIT_CURL_VERBOSE=1 GIT_LFS_LOG=debug git lfs pull | ||
| rm -rf .git .gitattributes | ||
| - name: Build data process image (arm64) and load locally | ||
| run: | | ||
| docker build --platform linux/arm64 -t nexent/nexent-data-process:dev-arm64 -f make/data_process/Dockerfile . No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To address this issue, we should explicitly set the minimum required permissions for the workflow. This can be done by adding a permissions block at the top level of the workflow YAML, before the jobs: key. The least privilege required for the steps shown (checking out code, cloning models, building Docker images) is read-only access to the repository contents. Therefore, set:
permissions:
contents: readNo other permissions (write, etc.) are required here, so do not add them. Place the permissions: block after the name: and before concurrency: for clarity and conventional ordering.
| @@ -1,5 +1,8 @@ | ||
| name: Docker Build Data-Process Images | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-data-process-dev-${{ github.ref }} | ||
| cancel-in-progress: true |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build main image (amd64) and load locally | ||
| run: | | ||
| docker build --platform linux/amd64 -t nexent/nexent:dev-amd64 -f make/main/Dockerfile . | ||
|
|
||
| build-main-arm64: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix this issue, you should add a permissions block to restrict GITHUB_TOKEN permissions. The best way is to add it at the workflow root level (near the top, after name: and before concurrency: or on:), so it applies to all jobs by default. For this Docker build workflow, only minimal permissions are needed for checking out code and building images; contents: read is enough. No additional methods, imports, or definitions are required—simply add the permissions configuration.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Build Main Images | ||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-main-dev-${{ github.ref }} |
| runs-on: ubuntu-24.04-arm | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build main image (arm64) and load locally | ||
| run: | | ||
| docker build --platform linux/arm64 -t nexent/nexent:dev-arm64 -f make/main/Dockerfile . No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix this problem, you should add an explicit permissions block to the workflow to restrict the default GITHUB_TOKEN permissions granted to all jobs. Since the jobs in this workflow only check out code and build Docker images—and do not modify repository contents, create issues, or interact with pull requests—you should set contents: read as the minimum required permission. This change can be made at the workflow level (top of the file, after name), which will apply to all jobs unless overridden. No changes to the jobs or steps are necessary.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Build Main Images | ||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-main-dev-${{ github.ref }} |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build terminal image (amd64) and load locally | ||
| run: | | ||
| docker build --platform linux/amd64 -t nexent/nexent-ubuntu-terminal:dev-amd64 -f make/terminal/Dockerfile . | ||
|
|
||
| build-terminal-arm64: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To resolve the flagged issue, add a permissions block at the root level of the workflow YAML (ideally just below the workflow name and before concurrency). This block should restrict the GITHUB_TOKEN to only the necessary privilege. For this workflow, the minimal safe permission is to allow read-only access to repository contents (contents: read). No job in this workflow (based on the code provided) requires additional write permission.
Edit .github/workflows/auto-build-terminal-dev.yml by inserting the following block immediately after line 1:
permissions:
contents: readNo additional imports or dependencies are required.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Build Terminal Images | ||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-terminal-dev-${{ github.ref }} |
| runs-on: ubuntu-24.04-arm | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build terminal image (arm64) and load locally | ||
| run: | | ||
| docker build --platform linux/arm64 -t nexent/nexent-ubuntu-terminal:dev-arm64 -f make/terminal/Dockerfile . No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix the problem, you should add a permissions block at the workflow root level in the .github/workflows/auto-build-terminal-dev.yml file, immediately after the name: key and before any jobs or other blocks. Since all jobs shown only require code checkout and do local docker builds, the minimal permission required is contents: read. This ensures the GITHUB_TOKEN only has read access to repository contents for all jobs in this workflow, following the principle of least privilege. No other permissions appear necessary per the current workflow steps.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Build Terminal Images | ||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-terminal-dev-${{ github.ref }} |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build web image (amd64) and load locally | ||
| run: | | ||
| docker build --platform linux/amd64 -t nexent/nexent-web:dev-amd64 -f make/web/Dockerfile . | ||
|
|
||
| build-web-arm64: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix this issue, we must add a permissions block at the workflow root (above the jobs: key), as no individual jobs have special permissions needs. This block should specifically set contents: read as the minimal starting point, which allows code checkout but blocks write access. If future workflow changes require more permissions (e.g., writing to issues or PRs), these can be added in a fine-grained manner. The change consists of inserting the following block into .github/workflows/auto-build-web-dev.yml, right after the workflow name (recommended) but, in any case, before the jobs: block.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Build Web Images | ||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-web-dev-${{ github.ref }} |
| runs-on: ubuntu-24.04-arm | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Build web image (arm64) and load locally | ||
| run: | | ||
| docker build --platform linux/arm64 -t nexent/nexent-web:dev-arm64 -f make/web/Dockerfile . No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To address this issue, you should add a permissions block to the workflow, ideally at the root level so it applies to all jobs unless overridden. According to least privilege principles for the given workflow, set contents: read. This is a sufficient minimal baseline for typical operations like checking out code. This change should be made at the top level of the file, after the name: and before concurrency: or on:, to ensure the permissions setting is inherited by both jobs. No additional code, methods, or imports are needed since this is a configuration change within the YAML file.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Build Web Images | ||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: docker-build-web-dev-${{ github.ref }} |
| runs-on: ${{ github.event_name == 'workflow_dispatch' && fromJson(inputs.runner_label_json) || fromJson('["ubuntu-latest"]') }} | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Generate random pull count | ||
| id: random-count | ||
| run: | | ||
| # Generate a random number between 2-5 | ||
| RANDOM_COUNT=$(shuf -i 2-5 -n 1) | ||
| echo "pull-count=$RANDOM_COUNT" >> "$GITHUB_OUTPUT" | ||
| echo "Will pull each image $RANDOM_COUNT times" | ||
|
|
||
| - name: Clean existing images | ||
| run: | | ||
| echo "Cleaning existing images..." | ||
| docker rmi -f ${{ env.NEXENT_IMAGE }} 2>/dev/null || echo "Image ${{ env.NEXENT_IMAGE }} not found locally" | ||
| docker rmi -f ${{ env.NEXENT_WEB_IMAGE }} 2>/dev/null || echo "Image ${{ env.NEXENT_WEB_IMAGE }} not found locally" | ||
| docker rmi -f ${{ env.NEXENT_DATA_PROCESS_IMAGE }} 2>/dev/null || echo "Image ${{ env.NEXENT_DATA_PROCESS_IMAGE }} not found locally" | ||
| docker rmi -f ${{ env.OPENSSH_SERVER_IMAGE }} 2>/dev/null || echo "Image ${{ env.OPENSSH_SERVER_IMAGE }} not found locally" | ||
|
|
||
| # Clean up dangling images | ||
| docker image prune -f 2>/dev/null || echo "No dangling images to remove" | ||
|
|
||
| echo "Image cleanup completed" | ||
|
|
||
| - name: Test pull nexent/nexent:latest | ||
| run: | | ||
| echo "Testing nexent/nexent:latest image pull..." | ||
| PULL_COUNT=${{ steps.random-count.outputs.pull-count }} | ||
|
|
||
| for i in $(seq 1 $PULL_COUNT); do | ||
| echo "Pull attempt $i/$PULL_COUNT for nexent/nexent:latest" | ||
| if docker pull ${{ env.NEXENT_IMAGE }}; then | ||
| echo "✅ Successfully pulled nexent/nexent:latest (attempt $i)" | ||
| # Remove image after successful pull to prepare for next pull | ||
| docker rmi -f ${{ env.NEXENT_IMAGE }} 2>/dev/null || true | ||
| else | ||
| echo "❌ Failed to pull nexent/nexent:latest (attempt $i)" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Wait 5 seconds if not the last pull attempt | ||
| if [ $i -lt $PULL_COUNT ]; then | ||
| sleep 5 | ||
| fi | ||
| done | ||
|
|
||
| - name: Test pull nexent/nexent-web:latest | ||
| run: | | ||
| echo "Testing nexent/nexent-web:latest image pull..." | ||
| PULL_COUNT=${{ steps.random-count.outputs.pull-count }} | ||
|
|
||
| for i in $(seq 1 $PULL_COUNT); do | ||
| echo "Pull attempt $i/$PULL_COUNT for nexent/nexent-web:latest" | ||
| if docker pull ${{ env.NEXENT_WEB_IMAGE }}; then | ||
| echo "✅ Successfully pulled nexent/nexent-web:latest (attempt $i)" | ||
| # Remove image after successful pull to prepare for next pull | ||
| docker rmi -f ${{ env.NEXENT_WEB_IMAGE }} 2>/dev/null || true | ||
| else | ||
| echo "❌ Failed to pull nexent/nexent-web:latest (attempt $i)" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Wait 5 seconds if not the last pull attempt | ||
| if [ $i -lt $PULL_COUNT ]; then | ||
| sleep 5 | ||
| fi | ||
| done | ||
|
|
||
| - name: Test pull nexent/nexent-data-process:latest | ||
| run: | | ||
| echo "Testing nexent/nexent-data-process:latest image pull..." | ||
| PULL_COUNT=${{ steps.random-count.outputs.pull-count }} | ||
|
|
||
| for i in $(seq 1 $PULL_COUNT); do | ||
| echo "Pull attempt $i/$PULL_COUNT for nexent/nexent-data-process:latest" | ||
| if docker pull ${{ env.NEXENT_DATA_PROCESS_IMAGE }}; then | ||
| echo "✅ Successfully pulled nexent/nexent-data-process:latest (attempt $i)" | ||
| # Remove image after successful pull to prepare for next pull | ||
| docker rmi -f ${{ env.NEXENT_DATA_PROCESS_IMAGE }} 2>/dev/null || true | ||
| else | ||
| echo "❌ Failed to pull nexent/nexent-data-process:latest (attempt $i)" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Wait 5 seconds if not the last pull attempt | ||
| if [ $i -lt $PULL_COUNT ]; then | ||
| sleep 5 | ||
| fi | ||
| done | ||
|
|
||
| - name: Test pull nexent/nexent-ubuntu-terminal:latest | ||
| run: | | ||
| echo "Testing nexent/nexent-ubuntu-terminal:latest image pull..." | ||
| PULL_COUNT=${{ steps.random-count.outputs.pull-count }} | ||
|
|
||
| for i in $(seq 1 $PULL_COUNT); do | ||
| echo "Pull attempt $i/$PULL_COUNT for nexent/nexent-ubuntu-terminal:latest" | ||
| if docker pull ${{ env.OPENSSH_SERVER_IMAGE }}; then | ||
| echo "✅ Successfully pulled nexent/nexent-ubuntu-terminal:latest (attempt $i)" | ||
| # Remove image after successful pull to prepare for next pull | ||
| docker rmi -f ${{ env.OPENSSH_SERVER_IMAGE }} 2>/dev/null || true | ||
| else | ||
| echo "❌ Failed to pull nexent/nexent-ubuntu-terminal:latest (attempt $i)" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Wait 5 seconds if not the last pull attempt | ||
| if [ $i -lt $PULL_COUNT ]; then | ||
| sleep 5 | ||
| fi | ||
| done | ||
|
|
||
| - name: Final cleanup | ||
| if: always() | ||
| run: | | ||
| echo "Performing final cleanup..." | ||
| docker rmi -f ${{ env.NEXENT_IMAGE }} 2>/dev/null || echo "Image ${{ env.NEXENT_IMAGE }} already removed" | ||
| docker rmi -f ${{ env.NEXENT_WEB_IMAGE }} 2>/dev/null || echo "Image ${{ env.NEXENT_WEB_IMAGE }} already removed" | ||
| docker rmi -f ${{ env.NEXENT_DATA_PROCESS_IMAGE }} 2>/dev/null || echo "Image ${{ env.NEXENT_DATA_PROCESS_IMAGE }} already removed" | ||
| docker rmi -f ${{ env.OPENSSH_SERVER_IMAGE }} 2>/dev/null || echo "Image ${{ env.OPENSSH_SERVER_IMAGE }} already removed" | ||
|
|
||
| # Clean up dangling and unused images | ||
| docker image prune -f 2>/dev/null || echo "No images to prune" | ||
|
|
||
| echo "Final cleanup completed" | ||
|
|
||
| - name: Test Summary | ||
| if: always() | ||
| run: | | ||
| echo "🎯 Docker Image Pull Test Summary" | ||
| echo "=================================" | ||
| echo "Test run completed with ${{ steps.random-count.outputs.pull-count }} pull attempts per image" | ||
| echo "Images tested:" | ||
| echo " - nexent/nexent:latest" | ||
| echo " - nexent/nexent-web:latest" | ||
| echo " - nexent/nexent-data-process:latest" | ||
| echo " - nexent/nexent-ubuntu-terminal:latest" | ||
| echo "Next scheduled run: in 30 minutes" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix the problem, the workflow YAML needs an explicit permissions: block that sets the minimum required privileges for the workflow to run. In this case, since the workflow only checks out code and interacts with Docker, and does not require write-access to repository contents or other resources, the safest default is contents: read. This should be added near the top of the workflow file, immediately after the workflow name and before the on: block (or at the job level if specific jobs need different permissions, but in this case a workflow-level permission suffices and is cleanest).
How to fix:
- Add the following block to the workflow file, directly beneath
name: Docker Image Pull Test:permissions: contents: read
- This restricts the GITHUB_TOKEN used during the workflow to only be able to read repository contents.
No further changes, imports, or definitions are needed.
| @@ -1,4 +1,6 @@ | ||
| name: Docker Image Pull Test | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| schedule: |
| except Exception as e: | ||
| logger.warning(f"UNCONNECTED: {model_name}; Base URL: {model_base_url}; API Key: {model_api_key}; Error: {str(e)}") | ||
| logger.warning( | ||
| f"UNCONNECTED: {model_name}; Base URL: {model_base_url}; API Key: {model_api_key}; Error: {str(e)}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix the issue, we should avoid logging sensitive information such as API keys. The log message on line 295 (and line 269, which is similar and should also be addressed for completeness) currently includes the raw API key in its message. The best practice is to either remove the API key from the log entirely or, if necessary for debugging, log only a non-sensitive identifier (such as the last 4 characters, or its length—though even this should be avoided if possible).
Specifically, in backend/services/model_health_service.py:
- Edit the log message in the logger.warning call on line 295 (and line 269) to exclude the API key or replace it with a redacted version (e.g.,
***REDACTED***or***). - No new imports or method definitions are needed; just a change to the log message formatting.
| @@ -266,7 +266,7 @@ | ||
| ) | ||
| except Exception as e: | ||
| error_message = str(e) | ||
| logger.warning(f"UNCONNECTED: {model_name}; Base URL: {model_base_url}; API Key: {model_api_key}; Error: {error_message}") | ||
| logger.warning(f"UNCONNECTED: {model_name}; Base URL: {model_base_url}; API Key: ***REDACTED***; Error: {error_message}") | ||
| return ModelResponse( | ||
| code=500, | ||
| message="", | ||
| @@ -292,5 +292,5 @@ | ||
| return dimension | ||
| except Exception as e: | ||
| logger.warning( | ||
| f"UNCONNECTED: {model_name}; Base URL: {model_base_url}; API Key: {model_api_key}; Error: {str(e)}") | ||
| f"UNCONNECTED: {model_name}; Base URL: {model_base_url}; API Key: ***REDACTED***; Error: {str(e)}") | ||
| return 0 |
10 participants
No description provided.