Skip to content

ci: Update test workflow to Python 3.12 to resolve numpy conflictFix python ci version#208

Open
Ishant-Artishu wants to merge 5 commits into
TENET-DEV-AI:mainfrom
Ishant-Artishu:fix-python-ci-version
Open

ci: Update test workflow to Python 3.12 to resolve numpy conflictFix python ci version#208
Ishant-Artishu wants to merge 5 commits into
TENET-DEV-AI:mainfrom
Ishant-Artishu:fix-python-ci-version

Conversation

@Ishant-Artishu

@Ishant-Artishu Ishant-Artishu commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

🤖 TENET Agent will automatically review this PR for security issues and code quality.
Maintainers: to have TENET solve an issue autonomously, comment /tenet fix on the issue.


Summary

This PR updates the GitHub Actions test workflow to use Python 3.12, resolving a dependency resolution failure where the CI pipeline crashed while attempting to install numpy>=2.5.0 on an older Python 3.11 runner.

Key Changes

  • Bumped python-version from '3.11' to '3.12' in .github/workflows/ci.yml.

Related Issue

Closes #200


Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • CI/CD Improvement
  • Added Tests

Screenshots / Logs (Optional)

N/A


How Has This Been Tested?

The fix will be automatically tested by the GitHub Actions pipeline upon opening this PR. A successful run of the "Install dependencies" step will confirm the numpy conflict is resolved.

  • Unit tests
  • Integration tests
  • Manual testing

Checklist

  • My code follows the project's code style
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Additional Notes (Optional)

Kept the scope strictly to ci.yml as it is the file responsible for running the test pipeline and installing the conflicting requirements-dev.txt dependencies.


Summary by cubic

Switch CI to Python 3.12 to resolve numpy>=2.5.0 install failures on Python 3.11. Also add the TENET-AI submodule pointer.

Written for commit b492a95. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Chores
    • Updated the CI test environment to use Python 3.12.
  • Bug Fixes
    • Improved Docker build configuration for backend services to better match the root build context.

@vercel

vercel Bot commented Jul 4, 2026

Copy link
Copy Markdown

@Ishant-Artishu is attempting to deploy a commit to the s3dfx-cyber's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates the CI workflow to use Python 3.12 instead of 3.11 for the test job, and bumps the TENET-AI submodule reference to a commit that renames .dockerignore files to Dockerfile.dockerignore for the analyzer and ingest services.

Changes

CI Python Version Update

Layer / File(s) Summary
Bump Python version to 3.12
.github/workflows/ci.yml
Updates the actions/setup-python python-version value from '3.11' to '3.12' in the test job to resolve a numpy dependency conflict.

TENET-AI Submodule Update

Layer / File(s) Summary
Submodule commit bump
TENET-AI
Updates the TENET-AI submodule reference, which renames .dockerignore files to Dockerfile.dockerignore for the analyzer and ingest services.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Related issues: Resolves #200 (CI test workflow Python version update to fix numpy dependency conflict).

Suggested labels: ci, dependencies

Suggested reviewers: none identified

🐰 A hop, a bump, a version tweak,
Python's now three-twelve, no more antique.
Dockerignore names renamed with grace,
Small commits find their place. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The TENET-AI submodule pointer update is unrelated to #200, which only asked for the ci.yml Python version bump. Remove or split the TENET-AI submodule change so this PR contains only the CI workflow Python 3.12 update.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The workflow update to Python 3.12 satisfies #200 by aligning the test runner with the project's numpy requirement.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title is related to the main change and identifies the Python 3.12 CI update, despite being awkwardly concatenated.
Description check ✅ Passed The description follows the template and includes summary, issue, change type, testing, checklist, and notes.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/qodana_code_quality.yml (2)

11-13: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Confirm fix-dockerignore branch trigger is intentional.

This looks like a transient/dev branch left in the push trigger. If it was only for testing the dockerignore rename mentioned in the submodule bump, consider removing it before merge.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/qodana_code_quality.yml around lines 11 - 13, The workflow
push trigger currently includes the temporary fix-dockerignore branch, which
appears to be a leftover test branch. Update the branch list in the
qodana_code_quality workflow to remove fix-dockerignore unless it is
intentionally meant to stay, keeping only the permanent branches that should
trigger this job.

18-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

contents: write is unused since push-fixes: 'none'.

The job requests contents: write, but the Qodana step has push-fixes: 'none' (Line 40), so nothing is written back to the repo. Granting write access to contents that is never exercised violates least privilege.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/qodana_code_quality.yml around lines 18 - 21, The Qodana
workflow currently requests unnecessary repository write access because the job
uses push-fixes: 'none' and does not write back to the repo. Update the
permissions block in the workflow to remove contents: write and keep only the
permissions actually needed by the Qodana job, using the qodana_code_quality
workflow and its Qodana step as the reference points.
qodana.yaml (1)

39-45: 🧹 Nitpick | 🔵 Trivial

Quality gate is disabled — analysis is report-only for now.

failureConditions is commented out, so Qodana won't fail the pipeline regardless of findings. Fine as an initial rollout; consider enabling severity/coverage thresholds once the baseline is established.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@qodana.yaml` around lines 39 - 45, The quality gate is currently disabled
because the failureConditions block in qodana.yaml is commented out. Re-enable
the failureConditions section and set appropriate severityThresholds and
testCoverageThresholds in the Qodana config once the baseline is ready, so the
pipeline can fail on unacceptable findings.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/qodana_code_quality.yml:
- Around line 23-26: The checkout step in the qodana_code_quality workflow is
persisting repository credentials unnecessarily; update the actions/checkout@v4
configuration to disable credential persistence. In the checkout block that
already sets ref and fetch-depth, add persist-credentials: false so the
GITHUB_TOKEN is not left in .git/config for the rest of the job.

---

Nitpick comments:
In @.github/workflows/qodana_code_quality.yml:
- Around line 11-13: The workflow push trigger currently includes the temporary
fix-dockerignore branch, which appears to be a leftover test branch. Update the
branch list in the qodana_code_quality workflow to remove fix-dockerignore
unless it is intentionally meant to stay, keeping only the permanent branches
that should trigger this job.
- Around line 18-21: The Qodana workflow currently requests unnecessary
repository write access because the job uses push-fixes: 'none' and does not
write back to the repo. Update the permissions block in the workflow to remove
contents: write and keep only the permissions actually needed by the Qodana job,
using the qodana_code_quality workflow and its Qodana step as the reference
points.

In `@qodana.yaml`:
- Around line 39-45: The quality gate is currently disabled because the
failureConditions block in qodana.yaml is commented out. Re-enable the
failureConditions section and set appropriate severityThresholds and
testCoverageThresholds in the Qodana config once the baseline is ready, so the
pipeline can fail on unacceptable findings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 784b7dd5-7af6-4b29-a3b1-883930116ec7

📥 Commits

Reviewing files that changed from the base of the PR and between 164fd6e and f36f6c1.

⛔ Files ignored due to path filters (1)
  • out/production/TENET-AI/Main.class is excluded by !**/*.class
📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • .github/workflows/qodana_code_quality.yml
  • .idea/.gitignore
  • .idea/misc.xml
  • .idea/modules.xml
  • .idea/vcs.xml
  • TENET-AI
  • TENET-AI.iml
  • qodana.yaml
  • src/Main.java

Comment on lines +23 to +26
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on checkout.

Static analysis (zizmor) flags credential persistence (artipacked): checkout doesn't disable credential persistence, leaving the GITHUB_TOKEN in .git/config for the rest of the job. Since push-fixes: 'none' (Line 40) means this workflow never needs to push back, there's no reason to persist credentials.

🔒 Proposed fix
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 23-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/qodana_code_quality.yml around lines 23 - 26, The checkout
step in the qodana_code_quality workflow is persisting repository credentials
unnecessarily; update the actions/checkout@v4 configuration to disable
credential persistence. In the checkout block that already sets ref and
fetch-depth, add persist-credentials: false so the GITHUB_TOKEN is not left in
.git/config for the rest of the job.

Source: Linters/SAST tools

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 11 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="qodana.yaml">

<violation number="1" location="qodana.yaml:49">
P2: The `qodana.yaml` config uses a JVM Qodana image (`jetbrains/qodana-jvm-community`) for what is primarily a Python project. This means the Qodana CI step will analyze Java/Kotlin code while skipping all the actual project Python code, creating a tooling blind spot where static analysis appears to run but provides no meaningful coverage. Consider switching to a Python-oriented Qodana linter (e.g., `jetbrains/qodana-python`) and reviewing whether `projectJDK` is still needed.</violation>
</file>

<file name=".github/workflows/qodana_code_quality.yml">

<violation number="1" location=".github/workflows/qodana_code_quality.yml:26">
P2: The `actions/checkout@v4` step persists credentials by default, leaving the `GITHUB_TOKEN` in `.git/config` for the remainder of the job. Since this workflow has `contents: write` permission but never pushes back (`push-fixes: 'none'`), adding `persist-credentials: false` reduces the attack surface without any functional impact.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread src/Main.java Outdated
Comment thread qodana.yaml Outdated

#Qodana supports other languages, for example, Python, JavaScript, TypeScript, Go, C#, PHP
#For all supported languages see https://www.jetbrains.com/help/qodana/linters.html
linter: jetbrains/qodana-jvm-community:2025.2

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The qodana.yaml config uses a JVM Qodana image (jetbrains/qodana-jvm-community) for what is primarily a Python project. This means the Qodana CI step will analyze Java/Kotlin code while skipping all the actual project Python code, creating a tooling blind spot where static analysis appears to run but provides no meaningful coverage. Consider switching to a Python-oriented Qodana linter (e.g., jetbrains/qodana-python) and reviewing whether projectJDK is still needed.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At qodana.yaml, line 49:

<comment>The `qodana.yaml` config uses a JVM Qodana image (`jetbrains/qodana-jvm-community`) for what is primarily a Python project. This means the Qodana CI step will analyze Java/Kotlin code while skipping all the actual project Python code, creating a tooling blind spot where static analysis appears to run but provides no meaningful coverage. Consider switching to a Python-oriented Qodana linter (e.g., `jetbrains/qodana-python`) and reviewing whether `projectJDK` is still needed.</comment>

<file context>
@@ -0,0 +1,49 @@
+  
+#Qodana supports other languages, for example, Python, JavaScript, TypeScript, Go, C#, PHP
+#For all supported languages see https://www.jetbrains.com/help/qodana/linters.html
+linter: jetbrains/qodana-jvm-community:2025.2
</file context>

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The actions/checkout@v4 step persists credentials by default, leaving the GITHUB_TOKEN in .git/config for the remainder of the job. Since this workflow has contents: write permission but never pushes back (push-fixes: 'none'), adding persist-credentials: false reduces the attack surface without any functional impact.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/qodana_code_quality.yml, line 26:

<comment>The `actions/checkout@v4` step persists credentials by default, leaving the `GITHUB_TOKEN` in `.git/config` for the remainder of the job. Since this workflow has `contents: write` permission but never pushes back (`push-fixes: 'none'`), adding `persist-credentials: false` reduces the attack surface without any functional impact.</comment>

<file context>
@@ -0,0 +1,40 @@
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+      - name: 'Qodana Scan'
+        uses: JetBrains/qodana-action@v2025.2
</file context>
Suggested change
fetch-depth: 0
fetch-depth: 0
persist-credentials: false

@Ishant-Artishu Ishant-Artishu force-pushed the fix-python-ci-version branch from f36f6c1 to ccbf201 Compare July 4, 2026 20:16
@Ishant-Artishu

Copy link
Copy Markdown
Contributor Author

@S3DFX-CYBER Hey! I just did a quick force push to clean up some accidental IntelliJ/Java configuration files that got scooped up in my initial commit.

The PR is now perfectly scoped to just the ci.yml Python 3.12 version bump, and the CI test pipeline is officially green! ✅

The only two failing checks remaining are the Vercel authorization and the missing TENET_AI_KEY secret for the TENET Agent, which look like they just need repository admin access to resolve.

Ready for review and merge whenever you have a second! Thanks!

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
tenet-ai.org Ready Ready Preview, Comment Jul 6, 2026 9:48am

Comment thread src/Main.java Outdated

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's still there , can u remove it

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

27-27: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider disabling credential persistence on checkout.

Static analysis flags this checkout step for not setting persist-credentials: false. By default, actions/checkout leaves the GITHUB_TOKEN in the local git config for the remainder of the job, which could be exfiltrated by any compromised dependency/step running later (e.g., a malicious package pulled in via pip install -r requirements-dev.txt).

🔒 Suggested hardening
     - uses: actions/checkout@v7
+      with:
+        persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 27, The checkout step is leaving the
GITHUB_TOKEN persisted in git config by default, so update the actions/checkout
usage to disable credential persistence. In the CI workflow, modify the checkout
configuration to set persist-credentials to false on the existing
actions/checkout step so later jobs or dependencies cannot reuse the token.

Source: Linters/SAST tools


27-27: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider disabling credential persistence on checkout.

Static analysis flags this checkout step for not setting persist-credentials: false. By default, actions/checkout leaves the GITHUB_TOKEN in the local git config for the remainder of the job, which could be exfiltrated by any compromised dependency/step running later (e.g., via pip install -r requirements-dev.txt).

🔒 Suggested hardening
     - uses: actions/checkout@v7
+      with:
+        persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 27, The checkout step is leaving GitHub
credentials persisted in the runner’s local git config, which can be reused by
later steps. Update the existing actions/checkout usage in the CI workflow to
explicitly disable credential persistence by setting persist-credentials to
false so the token is not retained after checkout.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 27: The checkout step is leaving the GITHUB_TOKEN persisted in git config
by default, so update the actions/checkout usage to disable credential
persistence. In the CI workflow, modify the checkout configuration to set
persist-credentials to false on the existing actions/checkout step so later jobs
or dependencies cannot reuse the token.
- Line 27: The checkout step is leaving GitHub credentials persisted in the
runner’s local git config, which can be reused by later steps. Update the
existing actions/checkout usage in the CI workflow to explicitly disable
credential persistence by setting persist-credentials to false so the token is
not retained after checkout.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d0af8d54-b7e6-4911-94db-0ae9db3ccf32

📥 Commits

Reviewing files that changed from the base of the PR and between f36f6c1 and b492a95.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

@Ishant-Artishu

Copy link
Copy Markdown
Contributor Author

@S3DFX-CYBER The accidental Java and IntelliJ files have been completely removed, and the src/Main.java thread is now outdated! The main Python CI pipeline is fully green. ✅
Let me know if there's anything else needed, otherwise this should be ready for your approval and merge!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CI/Build: Update test workflow runner to Python 3.12 to resolve numpy dependency conflict

2 participants