Merge branch 'main' into dependabot/github_actions/actions/checkout-5

Author: dvvanessastoiber

.github/CODEOWNERS

@@ -1 +1 @@
-* @dvviktordelev
+* @dvviktordelev @puehringer

.github/actions/build-node-python/action.yml

@@ -85,6 +85,11 @@ inputs:
   run_python_build:
     default: true
     required: false
+  # Rust
+  enable_rust:
+    description: "enables the rust part of the action"
+    default: false
+    required: true
 
 runs:
   using: "composite"
@@ -125,6 +130,29 @@ runs:
         sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y
         sudo apt-get install postgresql-16-pgvector -y
       shell: bash
+    # Rust
+    - name: Install Rust
+      if: inputs.enable_rust == 'true'
+      run: |
+        if ! command -v rustup &> /dev/null ; then
+          curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused -fsSL "https://sh.rustup.rs" | sh -s -- --default-toolchain stable -y
+
+          # Resolve the correct CARGO_HOME path depending on OS
+          if [[ "$RUNNER_OS" == "Windows" ]]; then
+            echo "${CARGO_HOME:-$USERPROFILE/.cargo}/bin" | sed 's|/|\\|g' >> $GITHUB_PATH
+          else
+            echo "${CARGO_HOME:-$HOME/.cargo}/bin" >> $GITHUB_PATH
+          fi
+          # Load cargo environment so cargo and rustc are available in this shell
+          . "$HOME/.cargo/env"
+        fi
+
+        # Ensure stable rust toolchain is installed
+        rustup install stable
+
+        rustc --version
+        cargo --version
+      shell: bash
     # General
     - name: Git config
       if: inputs.github_ro_token != ''

.github/workflows/build-docker-artifacts-config.schema.json

@@ -39,6 +39,13 @@
                       "type": "boolean",
                       "default": true,
                       "description": "Scan the image for high severity vulnerabilities"
+                    },
+                    "build_args": {
+                      "type": "object",
+                      "description": "Build arguments to pass to Docker",
+                      "additionalProperties": {
+                        "type": "string"
+                      }
                     }
                   },
                   "required": ["directory", "ecr_repository"]

.github/workflows/build-docker-artifacts.yml

@@ -114,6 +114,10 @@ jobs:
                 image_tag_branch_name: imageTagBranchName,
                 ecr_respositories: flavor.components.map(component => component.ecr_repository),
                 components: flavor.components.map(component => {
+                  // Format build arguments as build-args string
+                  const formattedBuildArgs = component.build_args ?
+                    Object.entries(component.build_args).map(([key, value]) => `${key}=${value}`).join('\n') : '';
+
                   return {
                     ...component,
                     // Add metadata to the component object (will be used as matrix input),
@@ -123,6 +127,7 @@ jobs:
                     build_time: buildTime,
                     image_tag: imageTag,
                     image_tag_branch_name: imageTagBranchName,
+                    formatted_build_args: formattedBuildArgs,
                   };
                 }),
               };
@@ -223,6 +228,7 @@ jobs:
             DATAVISYN_PYTHON_BASE_IMAGE=${{ env.DATAVISYN_PYTHON_BASE_IMAGE }}
             NODE_BASE_IMAGE=${{ env.NODE_BASE_IMAGE }}
             DATAVISYN_NGINX_BASE_IMAGE=${{ env.DATAVISYN_NGINX_BASE_IMAGE }}
+            ${{ matrix.component.formatted_build_args }}
           secrets:
             # Mount the token as secret mount: https://docs.docker.com/build/ci/github-actions/secrets/#secret-mounts
             "github_token=${{ secrets.CHECKOUT_TOKEN || github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token }}"
@@ -256,7 +262,7 @@ jobs:
             echo "severity=HIGH,CRITICAL" >> "$GITHUB_OUTPUT"
           fi
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.32.0
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           image-ref: ${{ vars.DV_AWS_ECR_REGISTRY }}/${{ matrix.component.ecr_repository }}:${{ matrix.component.image_tag }}
           # Disable scanning the current directory (defaults to .)

.github/workflows/build-node-python.yml

@@ -79,12 +79,26 @@ on:
         required: false
         type: boolean
         default: false
+      rust_enable:
+        description: 'Enable Rust install'
+        required: false
+        type: boolean
+        default: false
+      cancel_in_progress:
+        type: boolean
+        default: true
       timeout:
         description: "Timeout for each job in minutes."
         type: number
         required: false
         default: 60
-      
+      python_version:
+        type: string
+        required: false
+      node_version:
+        type: string
+        required: false
+
     secrets:
       DATAVISYN_BOT_REPO_TOKEN:
         required: false
@@ -101,10 +115,10 @@ on:
 
 env:
   NPM_REGISTRY: "https://registry.npmjs.org/"
-  NODE_VERSION: "20.9"
+  NODE_VERSION: ${{ vars.NODE_VERSION || '20.9' }}
   PYPI_REGISTRY: "https://upload.pypi.org/legacy/"
   PYPI_USERNAME: "datavisyn"
-  PYTHON_VERSION: "3.10"
+  PYTHON_VERSION: ${{ vars.PYTHON_VERSION || '3.10' }}
   WORKFLOW_BRANCH: "main"
   POSTGRES_HOSTNAME: postgres_${{ github.job }}_${{ inputs.deduplication_id }}_${{ github.run_id }}_${{ github.run_attempt }}
 
@@ -121,7 +135,7 @@ jobs:
     if: ${{ (!inputs.cypress_enable || (!inputs.cypress_run_because_flag && inputs.cypress_run_because_branch != 'true')) && (!inputs.playwright_enable || (!inputs.playwright_run_because_flag && inputs.playwright_run_because_branch != 'true')) }}
     concurrency:
       group: "node-${{ github.workflow }}-${{ github.ref || github.head_ref }}-${{ inputs.branch }}"
-      cancel-in-progress: true
+      cancel-in-progress: ${{ inputs.cancel_in_progress }}
     permissions:
       id-token: write
       contents: write
@@ -144,10 +158,12 @@ jobs:
         with:
           enable_node: true
           enable_python: false
+          # We probably won't need Rust on Node builds...
+          # enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
-          node_version: ${{ secrets.NODE_VERSION || env.NODE_VERSION }}
+          node_version: ${{ inputs.node_version || secrets.NODE_VERSION || env.NODE_VERSION }}
           npm_registry: ${{ env.NPM_REGISTRY }}
-          python_version: ${{ secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
+          python_version: ${{ inputs.python_version || secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}
           run_node_bundle: ${{ inputs.node_run_webpack }}
           enable_node_cache: ${{ inputs.runs_on != 'self-hosted' }}
@@ -161,7 +177,7 @@ jobs:
     if: ${{ (!inputs.cypress_enable || (!inputs.cypress_run_because_flag && inputs.cypress_run_because_branch != 'true')) && (!inputs.playwright_enable || (!inputs.playwright_run_because_flag && inputs.playwright_run_because_branch != 'true')) }}
     concurrency:
       group: "python-${{ github.workflow }}-${{ github.ref || github.head_ref }}-${{ inputs.branch }}"
-      cancel-in-progress: true
+      cancel-in-progress: ${{ inputs.cancel_in_progress }}
     permissions:
       id-token: write
       contents: write
@@ -183,10 +199,11 @@ jobs:
         with:
           enable_node: false
           enable_python: true
+          enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
-          node_version: ${{ secrets.NODE_VERSION || env.NODE_VERSION }}
+          node_version: ${{ inputs.node_version || secrets.NODE_VERSION || env.NODE_VERSION }}
           npm_registry: ${{ env.NPM_REGISTRY }}
-          python_version: ${{ secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
+          python_version: ${{ inputs.python_version || secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}
           run_node_bundle: ${{ inputs.node_run_webpack }}
           enable_node_cache: ${{ inputs.runs_on != 'self-hosted' }}
@@ -199,7 +216,7 @@ jobs:
     if: ${{ inputs.cypress_enable && (inputs.cypress_run_because_flag || inputs.cypress_run_because_branch == 'true') }}
     concurrency:
       group: "node-python-cypress-${{ github.workflow }}-${{ github.ref || github.head_ref }}-${{ inputs.branch }}"
-      cancel-in-progress: true
+      cancel-in-progress: ${{ inputs.cancel_in_progress }}
     permissions:
       id-token: write
       contents: write
@@ -273,10 +290,11 @@ jobs:
       - name: Build node and python
         uses: ./tmp/github-workflows/.github/actions/build-node-python
         with:
+          enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
-          node_version: ${{ secrets.NODE_VERSION || env.NODE_VERSION }}
+          node_version: ${{ inputs.node_version || secrets.NODE_VERSION || env.NODE_VERSION }}
           npm_registry: ${{ env.NPM_REGISTRY }}
-          python_version: ${{ secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
+          python_version: ${{ inputs.python_version || secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}
           run_node_bundle: false # Disable the build here and call afterwards, as otherwise the yarn run env:decrypt will fail due to a missing yarn install
           enable_node_cache: ${{ inputs.cypress_runs_on != 'self-hosted' && inputs.runs_on != 'self-hosted' }}
@@ -339,7 +357,7 @@ jobs:
     if: ${{ inputs.playwright_enable && (inputs.playwright_run_because_flag || inputs.playwright_run_because_branch == 'true') }}
     concurrency:
       group: "node-python-playwright-${{ github.workflow }}-${{ github.ref || github.head_ref }}-${{ inputs.branch }}"
-      cancel-in-progress: true
+      cancel-in-progress: ${{ inputs.cancel_in_progress }}
     permissions:
       id-token: write
       contents: write
@@ -415,10 +433,11 @@ jobs:
       - name: Build node and python
         uses: ./tmp/github-workflows/.github/actions/build-node-python
         with:
+          enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
-          node_version: ${{ secrets.NODE_VERSION || env.NODE_VERSION }}
+          node_version: ${{ inputs.node_version || secrets.NODE_VERSION || env.NODE_VERSION }}
           npm_registry: ${{ env.NPM_REGISTRY }}
-          python_version: ${{ secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
+          python_version: ${{ inputs.python_version || secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}
           run_node_bundle: false # Disable the build here and call afterwards, as otherwise the yarn run env:decrypt will fail due to a missing yarn install
           run_playwright_browser_install: true
@@ -441,12 +460,13 @@ jobs:
         env:
           VISYN_CORE__SENTRY__FRONTEND_DSN: ${{ vars.PLAYWRIGHT__VISYN_CORE__SENTRY__FRONTEND_DSN }}
           VISYN_CORE__SENTRY__BACKEND_DSN: ${{ vars.PLAYWRIGHT__VISYN_CORE__SENTRY__BACKEND_DSN }}
-      - name: Upload bundle
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: "bundles-${{ inputs.branch || github.sha }}"
-          path: bundles/
+      # Disable upload of bundles as there is no real value...
+      # - name: Upload bundle
+      #   uses: actions/upload-artifact@v4
+      #   if: always()
+      #   with:
+      #     name: "bundles-${{ inputs.branch || github.sha }}"
+      #     path: bundles/
       - name: Upload playwright report
         uses: actions/upload-artifact@v4
         if: always()

.github/workflows/build-node.yml

@@ -21,6 +21,10 @@ on:
         type: string
         required: false
         default: "ubuntu-22.04"
+      node_version:
+        type: string
+        required: false
+
     secrets:
       DATAVISYN_BOT_REPO_TOKEN:
         required: false
@@ -31,7 +35,7 @@ on:
 
 env:
   NPM_REGISTRY: "https://registry.npmjs.org/"
-  NODE_VERSION: "20.9"
+  NODE_VERSION: ${{ vars.NODE_VERSION || '20.9' }}
   WORKFLOW_BRANCH: "main"
 
 permissions:
@@ -69,7 +73,7 @@ jobs:
         with:
           enable_node: true
           enable_python: false
-          node_version: ${{ secrets.NODE_VERSION || env.NODE_VERSION }}
+          node_version: ${{ inputs.node_version || secrets.NODE_VERSION || env.NODE_VERSION }}
           npm_registry: ${{ env.NPM_REGISTRY }}
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}
           run_node_bundle: ${{ inputs.node_run_webpack }}

.github/workflows/build-product.yml

@@ -30,8 +30,8 @@ concurrency:
 
 env:
   TIME_ZONE: "Europe/Vienna"
-  NODE_VERSION: "20.9"
-  PYTHON_VERSION: "3.10"
+  NODE_VERSION: ${{ vars.NODE_VERSION || '20.9' }}
+  PYTHON_VERSION: ${{ vars.PYTHON_VERSION || '3.10' }}
   WORKFLOW_BRANCH: "main"
   PYTHON_BASE_IMAGE: "python:3.10.18-slim-bullseye"
   DATAVISYN_PYTHON_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/python:main"

.github/workflows/build-python.yml

@@ -11,6 +11,10 @@ on:
         type: string
         required: false
         default: "ubuntu-22.04"
+      python_version:
+        type: string
+        required: false
+
     secrets:
       DATAVISYN_BOT_REPO_TOKEN:
         required: false
@@ -20,7 +24,7 @@ on:
 env:
   PYPI_REGISTRY: "https://upload.pypi.org/legacy/"
   PYPI_USERNAME: "test"
-  PYTHON_VERSION: "3.10"
+  PYTHON_VERSION: ${{ vars.PYTHON_VERSION || '3.10' }}
   WORKFLOW_BRANCH: "main"
 
 permissions:
@@ -58,5 +62,5 @@ jobs:
           enable_node: false
           enable_python: true
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}
-          python_version: ${{ secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
+          python_version: ${{ inputs.python_version || secrets.PYTHON_VERSION || env.PYTHON_VERSION }}
           enable_python_cache: ${{ inputs.runs_on != 'self-hosted' }}

.github/workflows/build-single-product-part.yml

@@ -52,8 +52,8 @@ on:
           default: "ubuntu-22.04"
 env:
   TIME_ZONE: "Europe/Vienna"
-  NODE_VERSION: "20.9"
-  PYTHON_VERSION: "3.10"
+  NODE_VERSION: ${{ vars.NODE_VERSION || '20.9' }}
+  PYTHON_VERSION: ${{ vars.PYTHON_VERSION || '3.10' }}
   WORKFLOW_BRANCH: "main"
   PYTHON_BASE_IMAGE: "python:3.10.18-slim-bullseye"
   DATAVISYN_PYTHON_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/python:main"

.github/workflows/build-workspace-product-part.yml

@@ -18,36 +18,37 @@ on:
       GITLAB_HOST:
         required: false
     inputs:
-        component:
-          description: "component that should be built"
-          required: true
-          type: string
-        image_tag1:
-          description: "image tag 1 to push the image"
-          required: true
-          type: string
-        image_tag2:
-          description: "image tag 2 for labeling"
-          required: true
-          type: string
-        build_time:
-          description: "actually build time (in RFC 3339)"
-          required: true
-          type: string
-        stage:
-          description: "stage for the image (develop or production) depending on the branch name"
-          required: true
-          type: string
-        timeout:
-          description: "Timeout for each job in minutes."
-          type: number
-          required: false
-          default: 60
+      component:
+        description: "component that should be built"
+        required: true
+        type: string
+      image_tag1:
+        description: "image tag 1 to push the image"
+        required: true
+        type: string
+      image_tag2:
+        description: "image tag 2 for labeling"
+        required: true
+        type: string
+      build_time:
+        description: "actually build time (in RFC 3339)"
+        required: true
+        type: string
+      stage:
+        description: "stage for the image (develop or production) depending on the branch name"
+        required: true
+        type: string
+      timeout:
+        description: "Timeout for each job in minutes."
+        type: number
+        required: false
+        default: 60
+
 env:
   VISYN_SCRIPTS_VERSION: "v7" # visyn_scripts@v7 is the last version with workspace support
   TIME_ZONE: "Europe/Vienna"
-  NODE_VERSION: "20.9"
-  PYTHON_VERSION: "3.10"
+  NODE_VERSION: ${{ vars.NODE_VERSION || '20.9' }}
+  PYTHON_VERSION: ${{ vars.PYTHON_VERSION || '3.10' }}
   WORKFLOW_BRANCH: "main"
   PYTHON_BASE_IMAGE: "python:3.10.18-slim-bullseye"
   DATAVISYN_PYTHON_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/python:main"