Bump github/codeql-action from 3 to 4 (#823)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: dependabot[bot]

.github/workflows/ci-tests.yaml

@@ -17,11 +17,11 @@ jobs:
       security-events: write
     steps:
       - uses: actions/checkout@v5
-      - uses: github/codeql-action/init@v3
+      - uses: github/codeql-action/init@v4
         with:
           config-file: .github/codeql/config.yml
           languages: python
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/analyze@v4
   cwl-conformance:
     name: "CWL conformance tests"
     strategy:
@@ -161,7 +161,7 @@ jobs:
           python -m pip install .
       - name: "Build documentation and check for consistency"
         env:
-          CHECKSUM: "421b1b0076e452ed821b7f129d52f5878cb8fa14170685a5c15575582201c8b2"
+          CHECKSUM: "867c9e683f36597fd9ddb8eaee60b5391cf9669c5d264d11cfb39c62955c7910"
         run: |
           cd docs
           HASH="$(make checksum | tail -n1)"

helm/chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: streamflow
-description: A Helm chart for StreamFlow
+description: A Helm chart for the StreamFlow workflow management system
 type: application
 version: 0.2.0
-appVersion: latest
+appVersion: 0.2.0.dev11

helm/chart/templates/_helpers.tpl

@@ -1,6 +1,6 @@
 {{/* vim: set filetype=mustache: */}}
 {{/*
-Expand the name of the chart.
+Expand the name of the chart
 */}}
 {{- define "streamflow.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
@@ -9,7 +9,7 @@ Expand the name of the chart.
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
+If release name contains chart name it will be used as a full name
 */}}
 {{- define "streamflow.fullname" -}}
 {{- if .Values.fullnameOverride -}}
@@ -25,12 +25,49 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 
 {{/*
-Create chart name and version as used by the chart label.
+Create chart name and version as used by the chart label
 */}}
 {{- define "streamflow.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Return the proper StreamFlow image name
+*/}}
+{{- define "streamflow.image" -}}
+{{- $registryName := default .Values.image.registry -}}
+{{- $repositoryName := .Values.image.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := default .Chart.AppVersion .Values.image.tag | toString -}}
+
+{{- if not .Values.image.tag }}
+  {{- if .Chart }}
+    {{- $termination = .Chart.AppVersion | toString -}}
+  {{- end -}}
+{{- end -}}
+{{- if .Values.image.digest }}
+    {{- $separator = "@" -}}
+    {{- $termination = .Values.image.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+    {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+    {{- printf "%s%s%s"  $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+*/}}
+{{- define "streamflow.imagePullSecrets" -}}
+{{- if (not (empty .Values.image.pullSecrets)) -}}
+imagePullSecrets:
+  {{- range .Values.image.pullSecrets | uniq }}
+  - name: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Common labels
 */}}

helm/chart/templates/configmap.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "streamflow.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "streamflow.labels" . | nindent 4 }}
+data:
+  streamflow.yml: |-
+    version: v1.0
+    workflows:
+      {{ .Values.streamflow.workflow.name | default uuidv4 }}:
+        type: {{ .Values.streamflow.workflow.type }}
+        {{- if .Values.streamflow.workflow.bindings }}
+        {{- with .Values.streamflow.workflow.bindings }}
+        bindings:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
+        config:
+          {{- if eq .Values.streamflow.workflow.type "cwl" }}
+          file: {{ required "CWL processfile is mandatory" .Values.streamflow.workflow.cwl.processfile }}
+          {{- if .Values.streamflow.workflow.cwl.jobfile }}
+          settings: {{ .Values.streamflow.workflow.cwl.jobfile }}
+          {{- end }}
+          docker:
+            - step: /
+              deployment:
+                type: kubernetes
+                config:
+                  inCluster: true
+                  networkPolicy: {{ .Values.streamflow.workflow.cwl.restrictNetworkAccess }}
+          {{- end }}
+    {{- if .Values.streamflow.config }}
+    {{- toYaml .Values.streamflow.config | nindent 4 }}
+    {{- end }}

helm/chart/templates/job.yaml

@@ -13,32 +13,67 @@ spec:
       labels:
         {{- include "streamflow.selectorLabels" . | nindent 8 }}
     spec:
-    {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-    {{- end }}
       serviceAccountName: {{ include "streamflow.serviceAccountName" . }}
+      {{- include "streamflow.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.podSecurityContext.enabled }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ include "streamflow.fullname" . }}
+          {{- if .Values.containerSecurityContext.enabled }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
+            {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          image: {{ include "streamflow.image" . }}
+          {{- if .Values.command }}
+          command: {{ .Values.command }}
+          {{- end }}
+          {{- if .Values.args }}
           args: {{ .Values.args }}
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.resources }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: streamflow-config
+              mountPath: /streamflow/results/streamflow.yml
+              subPath: streamflow.yml
+            - name: streamflow-metadata
+              mountPath: /.streamflow
+            - name: streamflow-outdir
+              mountPath: /tmp/streamflow
+            - name: streamflow-workdir
+              mountPath: /streamflow/results
+      {{ if .Values.restartPolicy }}
       restartPolicy: {{ .Values.restartPolicy }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
+      {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
+      volumes:
+        - name: streamflow-metadata
+          {{- if .Values.persistence.metadata }}
+          {{ toYaml .Values.persistence.metadata | nindent 10}}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        - name: streamflow-outdir
+          {{- if .Values.persistence.outdir }}
+          {{ toYaml .Values.persistence.outdir | nindent 10}}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        - name: streamflow-workdir
+          {{- if .Values.persistence.workdir }}
+          {{ toYaml .Values.persistence.workdir | nindent 10}}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}

helm/chart/templates/role.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "streamflow.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "streamflow.labels" . | nindent 4 }}
+rules:
+- verbs:
+    - get
+    - watch
+    - list
+    - create
+    - delete
+  apiGroups:
+    - ''
+  resources:
+    - pods
+    - pods/exec
+{{- if eq .Values.streamflow.workflow.type "cwl" }}
+{{- if .Values.streamflow.workflow.restrictNetworkAccess }}
+- verbs:
+    - get
+    - list
+    - create
+    - delete
+  apiGroups:
+    - networking.k8s.io
+  resources:
+    - networkpolicies
+{{- end }}
+{{- end }}
+{{- end }}

helm/chart/templates/rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "streamflow.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "streamflow.labels" . | nindent 4 }}
+roleRef:
+  kind: Role
+  name: {{ include "streamflow.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "streamflow.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

helm/chart/templates/serviceaccount.yaml

@@ -9,4 +9,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end -}}