MAINT : Moved Docker images repo to docker folder in main branch

.github/ISSUE_TEMPLATE/release-checklist.md

@@ -58,6 +58,7 @@ Release captain responsible - <@gh_username>
 ## Cut the official release
 
 _If there were changes to the following packages, handle their releases before cutting a new release for Nebari_
+
 - [ ] [Cut PyPI release for `nebari-workflow-controller`](https://github.com/nebari-dev/nebari-workflow-controller)
 - [ ] [Cut PyPI release for `argo-jupyter-scheduler`](https://github.com/nebari-dev/argo-jupyter-scheduler)
 

.github/actions/init-local/action.yml

@@ -5,7 +5,7 @@ inputs:
   directory:
     description: "Path to directory to initialize in"
     required: false
-    default: './local-deployment'
+    default: "./local-deployment"
 
 outputs:
   directory:

.github/actions/publish-from-template/action.yml

@@ -15,8 +15,7 @@ runs:
       if: github.event_name != 'schedule'
       shell: bash
       env: ${{ env }}
-      run:
-        python ${{ github.action_path }}/render_template.py ${{inputs.filename }}
+      run: python ${{ github.action_path }}/render_template.py ${{inputs.filename }}
 
     - uses: JasonEtco/create-an-issue@v2
       # Only render template and create an issue in case the workflow is a scheduled one

.github/workflows/build_push_docker.yaml

@@ -0,0 +1,123 @@
+# Build and push images to:
+# GitHub Container Registry (ghcr.io)
+# Red Hat Container Registry (quay.io)
+name: "Build Docker Images"
+
+on:
+  workflow_dispatch: null
+  push:
+    branches:
+      - "*"
+    paths:
+      - "./docker/Dockerfile"
+      - "./docker/dask-worker/*"
+      - "./docker/jupyterhub/*"
+      - "./docker/jupyterlab/*"
+      - "./docker/nebari-workflow-controller/*"
+
+      - "./docker/scripts/*"
+
+      - ".github/workflows/build-push-docker.yaml"
+    tags:
+      - "*"
+
+env:
+  DOCKER_ORG: nebari
+  GPU_BASE_IMAGE: nvidia/cuda:12.8.1-base-ubuntu24.04
+  GPU_IMAGE_SUFFIX: gpu
+  BASE_IMAGE: ubuntu:24.04
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  security-events: write
+
+# https://docs.github.com/en/actions/using-jobs/using-concurrency
+concurrency:
+  # only cancel in-progress jobs or runs for the current workflow - matches against branch & tags
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-images:
+    name: "Build Docker Images"
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        dockerfile:
+          - jupyterlab
+          - jupyterhub
+          - dask-worker
+          - workflow-controller
+        platform:
+          - gpu
+          - cpu
+        exclude:
+          # excludes JupyterHub/GPU, Workflow Controller/GPU
+          - dockerfile: jupyterhub
+            platform: gpu
+          - dockerfile: workflow-controller
+            platform: gpu
+
+    steps:
+      - name: "Checkout Repository 🛎️"
+        uses: actions/checkout@v3
+
+      - name: "Set up Docker Buildx 🛠️"
+        uses: docker/setup-buildx-action@v2
+
+      - name: "Login to GitHub Container Registry 🔐"
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.BOT_GHCR_TOKEN }}
+
+      - name: "Login to Quay Container Registry 🔐"
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: "Set BASE_IMAGE and Image Suffix 📷"
+        if: ${{ matrix.platform == 'gpu' }}
+        run: |
+          echo "GPU Platform Matrix"
+          echo "BASE_IMAGE=$GPU_BASE_IMAGE" >> $GITHUB_ENV
+          echo "IMAGE_SUFFIX=-$GPU_IMAGE_SUFFIX" >> $GITHUB_ENV
+
+      - name: "Generate Docker images tags 🏷️"
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            "quay.io/${{ env.DOCKER_ORG }}/nebari-${{ matrix.dockerfile }}${{ env.IMAGE_SUFFIX }}"
+            "ghcr.io/${{ github.repository_owner }}/nebari-${{ matrix.dockerfile }}${{ env.IMAGE_SUFFIX }}"
+          tags: |
+            # branch event -> e.g. `main-f0f6994-20221001`
+            type=ref, event=branch, suffix=-{{sha}}-{{date 'YYYYMMDD'}}
+            # needed for integration tests
+            type=ref, event=branch
+            # on tag push -> e.g. `2022.10.1`
+            type=ref, event=tag
+
+      - name: "Inspect image dir tree 🔍"
+        run: |
+          sudo apt-get install tree
+          tree .
+
+      - name: "Build docker images 🐳"
+        uses: docker/build-push-action@v3
+        with:
+          context: ./docker/
+          file: "Dockerfile"
+          target: ${{ matrix.dockerfile }}
+          tags: ${{ steps.meta.outputs.tags }}
+          push: ${{ github.event_name != 'pull_request' }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: BASE_IMAGE=${{ env.BASE_IMAGE }}
+          platforms: linux/amd64,linux/arm64

.github/workflows/docker_trivy.yaml

@@ -0,0 +1,40 @@
+name: Code Scanning
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+
+permissions:
+  contents: read
+
+jobs:
+  SAST:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Trivy config Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in config mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "config"
+          hide-progress: true
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH"
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"

.github/workflows/generate_cli_doc.yml

@@ -3,14 +3,14 @@ name: Update API docs
 on:
   pull_request:
     paths:
-    - "src/_nebari/subcommands/**"
-    - "src/_nebari/cli.py"
+      - "src/_nebari/subcommands/**"
+      - "src/_nebari/cli.py"
   push:
     branches:
       - main
     paths:
-    - "src/_nebari/subcommands/**"
-    - "src/_nebari/cli.py"
+      - "src/_nebari/subcommands/**"
+      - "src/_nebari/cli.py"
   workflow_dispatch:
 
 jobs:
@@ -64,7 +64,7 @@ jobs:
           signoff: false
           branch: auto_cli_doc_update
           delete-branch: true
-          title: '[AUTO] Update CLI doc'
+          title: "[AUTO] Update CLI doc"
           body: |
             Update CLI doc
             - Auto-generated by [create-pull-request][1]

.github/workflows/release.yaml

@@ -9,7 +9,7 @@ jobs:
     name: Test PyPi release
     runs-on: ubuntu-latest
     permissions:
-      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
       - name: Set up python
         uses: actions/setup-python@v5

.github/workflows/run-precommit.yaml

@@ -21,14 +21,13 @@ jobs:
       - name: Setup python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.x'
+          python-version: "3.x"
 
       - name: Setup terraform
         uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: "1.5.7"
 
-
       - name: Run terraform pre-commit ⚡️
         uses: pre-commit/action@v3.0.1
         with:

.github/workflows/test-provider.yaml

@@ -78,12 +78,12 @@ jobs:
         with:
           python-version: "3.11"
 
-      - name: 'Authenticate to GCP'
+      - name: "Authenticate to GCP"
         if: ${{ matrix.provider == 'gcp' }}
-        uses: 'google-github-actions/auth@v1'
+        uses: "google-github-actions/auth@v1"
         with:
           token_format: access_token
-          create_credentials_file: 'true'
+          create_credentials_file: "true"
           workload_identity_provider: ${{ secrets.GCP_WORKFLOW_PROVIDER }}
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
@@ -92,15 +92,15 @@ jobs:
         run: |
           echo "GOOGLE_CREDENTIALS=${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" >> $GITHUB_ENV
 
-      - name: 'Authenticate to AWS'
+      - name: "Authenticate to AWS"
         if: ${{ matrix.provider == 'aws' }}
         uses: aws-actions/configure-aws-credentials@v1
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: github-action
           aws-region: us-east-1
 
-      - name: 'Azure login'
+      - name: "Azure login"
         if: ${{ matrix.provider == 'azure' }}
         uses: azure/login@v2
         with:

.github/workflows/test_aws_integration.yaml

@@ -6,22 +6,21 @@ on:
   workflow_dispatch:
     inputs:
       image-tag:
-        description: 'Nebari image tag created by the nebari-docker-images repo'
+        description: "Nebari image tag created by the nebari-docker-images repo"
         required: true
         default: main
         type: string
       tf-log-level:
-        description: 'Change Terraform log levels'
+        description: "Change Terraform log levels"
         required: false
         default: info
         type: choice
         options:
-        - info
-        - warn
-        - debug
-        - trace
-        - error
-
+          - info
+          - warn
+          - debug
+          - trace
+          - error
 
 env:
   AWS_DEFAULT_REGION: "us-west-2"

.github/workflows/test_azure_integration.yaml

@@ -6,21 +6,21 @@ on:
   workflow_dispatch:
     inputs:
       image-tag:
-        description: 'Nebari image tag created by the nebari-docker-images repo'
+        description: "Nebari image tag created by the nebari-docker-images repo"
         required: true
         default: main
         type: string
       tf-log-level:
-        description: 'Change Terraform log levels'
+        description: "Change Terraform log levels"
         required: false
         default: info
         type: choice
         options:
-        - info
-        - warn
-        - debug
-        - trace
-        - error
+          - info
+          - warn
+          - debug
+          - trace
+          - error
 
 env:
   NEBARI_IMAGE_TAG: ${{ github.event.inputs.image-tag || 'main' }}
@@ -50,7 +50,7 @@ jobs:
           conda install --quiet --yes conda-build
           playwright install
 
-      - name: 'Azure login'
+      - name: "Azure login"
         uses: azure/login@v2
         with:
           client-id: ${{ secrets.ARM_CLIENT_ID }}

.github/workflows/test_conda_build.yaml

@@ -17,11 +17,11 @@ jobs:
   test-conda-build:
     runs-on: ubuntu-latest
     defaults:
-        run:
-          shell: bash -el {0}
+      run:
+        shell: bash -el {0}
     concurrency:
-        group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-        cancel-in-progress: true
+      group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+      cancel-in-progress: true
     steps:
       - name: "Checkout Infrastructure"
         uses: actions/checkout@v4