Merge remote-tracking branch 'upstream/main'

Author: dchourasia

.github/workflows/build-notebooks-TEMPLATE.yaml

@@ -90,17 +90,28 @@ jobs:
         env:
           GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}
 
+      # https://console.redhat.com/insights/connector/activation-keys
+      # This runs slower than storing the entitlement certificates with git-crypt,
+      #  but on the other hand, it's then not necessary to regularly update them in the repo.
       - name: Add subscriptions from GitHub secret
         if: ${{ inputs.subscription }}
         run: |
-          sudo mkdir -p /etc/pki/
-          sudo cp -R ${PWD}/ci/secrets/pki/* /etc/pki/
           # https://access.redhat.com/solutions/5870841
           # https://github.com/containers/common/issues/1735
-          printf "${PWD}/ci/secrets/run/secrets/rhsm:/etc/rhsm\n${PWD}/ci/secrets/run/secrets/etc-pki-entitlement:/etc/pki/entitlement\n${PWD}/ci/secrets/pki/consumer:/etc/pki/consumer\n" | sudo tee /usr/share/containers/mounts.conf
+          mkdir entitlement
+          mkdir consumer
+          docker run \
+            -v ${PWD}/entitlement:/etc/pki/entitlement:Z \
+            -v ${PWD}/consumer:/etc/pki/consumer:Z \
+            --rm -t registry.access.redhat.com/ubi9/ubi \
+              /usr/sbin/subscription-manager register --org=${SUBSCRIPTION_ORG} --activationkey=${SUBSCRIPTION_ACTIVATION_KEY}
+          printf "${PWD}/entitlement:/etc/pki/entitlement\n${PWD}/consumer:/etc/pki/consumer\n" | sudo tee /usr/share/containers/mounts.conf
 
           mkdir -p $HOME/.config/containers/
           sudo cp ${PWD}/ci/secrets/pull-secret.json $HOME/.config/containers/auth.json
+        env:
+          SUBSCRIPTION_ORG: ${{ secrets.SUBSCRIPTION_ORG }}
+          SUBSCRIPTION_ACTIVATION_KEY: ${{ secrets.SUBSCRIPTION_ACTIVATION_KEY }}
 
       # for bin/buildinputs in scripts/sandbox.py
       - uses: actions/setup-go@v5

.github/workflows/code-quality.yaml

@@ -66,6 +66,7 @@ jobs:
         run: rm -rf ./ci/secrets
 
       - name: Validate YAML files (best code practices check included)
+        if: ${{ !cancelled() }}
         id: validate-yaml-files
         run: |
           type yamllint || sudo apt-get -y install yamllint
@@ -75,31 +76,19 @@ jobs:
 
       # In some YAML files we use JSON strings, let's check these
       - name: Validate JSON strings in YAML files (just syntax)
+        if: ${{ !cancelled() }}
         id: validate-json-strings-in-yaml-files
         run: |
           type json_verify || sudo apt-get -y install yajl-tools
           bash ./ci/check-json.sh
 
       - name: Validate JSON files (just syntax)
+        if: ${{ !cancelled() }}
         id: validate-json-files
-        run: |
-          set -Eeuxo pipefail
-
-          type json_verify || sudo apt-get -y install yajl-tools
-          shopt -s globstar
-          ret_code=0
-          echo "-- Checking a regular '*.json' files"
-          for f in **/*.json; do echo "Checking: '${f}"; echo -n "  > "; [[ "$(basename "$f")" == "tsconfig.json" ]] && echo "Skipping ${f}" && continue; cat $f | json_verify || ret_code=1; done
-          echo "-- Checking a 'Pipfile.lock' files"
-          for f in **/Pipfile.lock; do echo "Checking: '${f}"; echo -n "  > "; cat $f | json_verify || ret_code=1; done
-          echo "-- Checking a '*.ipynb' Jupyter notebook files"
-          for f in **/*.ipynb; do echo "Checking: '${f}"; echo -n "  > "; cat $f | json_verify || ret_code=1; done
-          if test "${ret_code}" -ne 0; then
-              echo "There were errors in some of the checked files. Please run `json_verify` on such files and fix issues there."
-          fi
-          exit "${ret_code}"
+        run: ./ci/validate_json.py
 
       - name: Validate Dockerfiles
+        if: ${{ !cancelled() }}
         id: validate-dockerfiles
         run: |
           type hadolint || sudo apt-get -y install wget \
@@ -111,6 +100,6 @@ jobs:
 
       # This simply checks that the manifests and respective kustomization.yaml finishes without an error.
       - name: Check kustomize manifest
+        if: ${{ !cancelled() }}
         id: kustomize-manifests
-        run: |
-          ./ci/kustomize.sh
+        run: ./ci/kustomize.sh

.github/workflows/security.yaml

@@ -16,9 +16,21 @@ jobs:
       security-events: write
     steps:
 
+      # https://github.com/astral-sh/setup-uv
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: "latest"
+          activate-environment: false
+          ignore-empty-workdir: true
+          enable-cache: false
+
       - name: Checkout code
         uses: actions/checkout@v5
 
+      # Trivy does not support pylock.toml https://github.com/aquasecurity/trivy/discussions/9408
+      - run: find . -name pyproject.toml -execdir uv lock \;
+
       - name: Trivy scan
         uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4  # 0.32.0
         with:

.tekton/odh-base-image-cuda-py311-c9s-pull-request.yaml

@@ -0,0 +1,51 @@
+# yamllint disable-file
+# This pipeline is autogenerated by scripts/generate_pull_request_pipelineruns.py
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/cancel-in-progress: 'true'
+    pipelinesascode.tekton.dev/max-keep-runs: '3'
+    pipelinesascode.tekton.dev/on-comment: ^/kfbuild\s+(all|odh\-base\-image\-cuda\-py311\-c9s|base\-images/cuda/12\.6/c9s\-python\-3\.11)
+    pipelinesascode.tekton.dev/on-cel-expression: |
+      event == "pull_request" && target_branch == "main"  && ( "base-images/cuda/12.6/c9s-python-3.11/**".pathChanged() || ".tekton/odh-base-image-cuda-py311-c9s-pull-request.yaml".pathChanged() )
+      && body.repository.full_name == "opendatahub-io/notebooks"
+  labels:
+    appstudio.openshift.io/application: opendatahub-release
+    appstudio.openshift.io/component: odh-base-image-cuda-py311-c9s
+    pipelines.appstudio.openshift.io/type: build
+  name: odh-base-image-cuda-py311-c9s-on-pull-request
+  namespace: open-data-hub-tenant
+spec:
+  timeouts:
+    pipeline: 3h
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/opendatahub/odh-base-image-cuda-py311-c9s:on-pr-{{revision}}
+  - name: image-expires-after
+    value: 5d
+  - name: build-platforms
+    value:
+    - linux/x86_64
+  - name: dockerfile
+    value: base-images/cuda/12.6/c9s-python-3.11/Dockerfile.cuda
+  - name: path-context
+    value: .
+  pipelineRef:
+    name: multiarch-pull-request-pipeline
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-odh-base-image-cuda-py311-c9s
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}

.tekton/odh-base-image-cuda-py311-c9s-push.yaml

@@ -0,0 +1,42 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/cancel-in-progress: "false"
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"  && ( "base-images/cuda/12.6/c9s-python-3.11/**".pathChanged() || ".tekton/odh-base-image-cuda-py311-c9s-push.yaml".pathChanged() )
+  creationTimestamp:
+  labels:
+    appstudio.openshift.io/application: opendatahub-release
+    appstudio.openshift.io/component: odh-base-image-cuda-py311-c9s
+    pipelines.appstudio.openshift.io/type: build
+  name: odh-base-image-cuda-py311-c9s-on-push
+  namespace: open-data-hub-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/opendatahub/odh-base-image-cuda-py311-c9s:{{revision}}
+  - name: dockerfile
+    value: base-images/cuda/12.6/c9s-python-3.11/Dockerfile.cuda
+  - name: path-context
+    value: .
+  - name: additional-tags
+    value:
+    - '{{target_branch}}-{{revision}}'
+    - v12.6
+  pipelineRef:
+    name: singlearch-push-pipeline
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-odh-base-image-cuda-py311-c9s
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}

.tekton/odh-base-image-cuda-py312-c9s-pull-request.yaml

@@ -0,0 +1,51 @@
+# yamllint disable-file
+# This pipeline is autogenerated by scripts/generate_pull_request_pipelineruns.py
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/cancel-in-progress: 'true'
+    pipelinesascode.tekton.dev/max-keep-runs: '3'
+    pipelinesascode.tekton.dev/on-comment: ^/kfbuild\s+(all|odh\-base\-image\-cuda\-py312\-c9s|base\-images/cuda/12\.6/c9s\-python\-3\.12)
+    pipelinesascode.tekton.dev/on-cel-expression: |
+      event == "pull_request" && target_branch == "main"  && ( "base-images/cuda/12.6/c9s-python-3.12/**".pathChanged() || ".tekton/odh-base-image-cuda-py312-c9s-pull-request.yaml".pathChanged() )
+      && body.repository.full_name == "opendatahub-io/notebooks"
+  labels:
+    appstudio.openshift.io/application: opendatahub-release
+    appstudio.openshift.io/component: odh-base-image-cuda-py312-c9s
+    pipelines.appstudio.openshift.io/type: build
+  name: odh-base-image-cuda-py312-c9s-on-pull-request
+  namespace: open-data-hub-tenant
+spec:
+  timeouts:
+    pipeline: 3h
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/opendatahub/odh-base-image-cuda-py312-c9s:on-pr-{{revision}}
+  - name: image-expires-after
+    value: 5d
+  - name: build-platforms
+    value:
+    - linux/x86_64
+  - name: dockerfile
+    value: base-images/cuda/12.6/c9s-python-3.12/Dockerfile.cuda
+  - name: path-context
+    value: .
+  pipelineRef:
+    name: multiarch-pull-request-pipeline
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-odh-base-image-cuda-py312-c9s
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}

.tekton/odh-base-image-cuda-py312-c9s-push.yaml

@@ -0,0 +1,42 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/cancel-in-progress: "false"
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"  && ( "base-images/cuda/12.6/c9s-python-3.12/**".pathChanged() || ".tekton/odh-base-image-cuda-py312-c9s-push.yaml".pathChanged() )
+  creationTimestamp:
+  labels:
+    appstudio.openshift.io/application: opendatahub-release
+    appstudio.openshift.io/component: odh-base-image-cuda-py312-c9s
+    pipelines.appstudio.openshift.io/type: build
+  name: odh-base-image-cuda-py312-c9s-on-push
+  namespace: open-data-hub-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/opendatahub/odh-base-image-cuda-py312-c9s:{{revision}}
+  - name: dockerfile
+    value: base-images/cuda/12.6/c9s-python-3.12/Dockerfile.cuda
+  - name: path-context
+    value: .
+  - name: additional-tags
+    value:
+    - '{{target_branch}}-{{revision}}'
+    - v12.6
+  pipelineRef:
+    name: singlearch-push-pipeline
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-odh-base-image-cuda-py312-c9s
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}

.tekton/odh-base-image-cuda-py312-ubi9-pull-request.yaml

@@ -0,0 +1,51 @@
+# yamllint disable-file
+# This pipeline is autogenerated by scripts/generate_pull_request_pipelineruns.py
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/cancel-in-progress: 'true'
+    pipelinesascode.tekton.dev/max-keep-runs: '3'
+    pipelinesascode.tekton.dev/on-comment: ^/kfbuild\s+(all|odh\-base\-image\-cuda\-py312\-ubi9|base\-images/cuda/12\.6/ubi9\-python\-3\.12)
+    pipelinesascode.tekton.dev/on-cel-expression: |
+      event == "pull_request" && target_branch == "main"  && ( "base-images/cuda/12.6/ubi9-python-3.12/**".pathChanged() || ".tekton/odh-base-image-cuda-py312-ubi9-pull-request.yaml".pathChanged() )
+      && body.repository.full_name == "opendatahub-io/notebooks"
+  labels:
+    appstudio.openshift.io/application: opendatahub-release
+    appstudio.openshift.io/component: odh-base-image-cuda-py312-ubi9
+    pipelines.appstudio.openshift.io/type: build
+  name: odh-base-image-cuda-py312-ubi9-on-pull-request
+  namespace: open-data-hub-tenant
+spec:
+  timeouts:
+    pipeline: 3h
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/opendatahub/odh-base-image-cuda-py312-ubi9:on-pr-{{revision}}
+  - name: image-expires-after
+    value: 5d
+  - name: build-platforms
+    value:
+    - linux/x86_64
+  - name: dockerfile
+    value: base-images/cuda/12.6/ubi9-python-3.12/Dockerfile.cuda
+  - name: path-context
+    value: .
+  pipelineRef:
+    name: multiarch-pull-request-pipeline
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-odh-base-image-cuda-py312-ubi9
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}

.tekton/odh-base-image-cuda-py312-ubi9-push.yaml

@@ -0,0 +1,42 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/opendatahub-io/notebooks?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/cancel-in-progress: "false"
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"  && ( "base-images/cuda/12.6/ubi9-python-3.12/**".pathChanged() || ".tekton/odh-base-image-cuda-py312-ubi9-push.yaml".pathChanged() )
+  creationTimestamp:
+  labels:
+    appstudio.openshift.io/application: opendatahub-release
+    appstudio.openshift.io/component: odh-base-image-cuda-py312-ubi9
+    pipelines.appstudio.openshift.io/type: build
+  name: odh-base-image-cuda-py312-ubi9-on-push
+  namespace: open-data-hub-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/opendatahub/odh-base-image-cuda-py312-ubi9:{{revision}}
+  - name: dockerfile
+    value: base-images/cuda/12.6/ubi9-python-3.12/Dockerfile.cuda
+  - name: path-context
+    value: .
+  - name: additional-tags
+    value:
+    - '{{target_branch}}-{{revision}}'
+    - v12.6
+  pipelineRef:
+    name: singlearch-push-pipeline
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-odh-base-image-cuda-py312-ubi9
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}