ci: Update test workflow to Python 3.12 to resolve numpy conflictFix python ci version#208
ci: Update test workflow to Python 3.12 to resolve numpy conflictFix python ci version#208Ishant-Artishu wants to merge 5 commits into
Conversation
|
@Ishant-Artishu is attempting to deploy a commit to the s3dfx-cyber's projects Team on Vercel. A member of the Team first needs to authorize it. |
📝 WalkthroughWalkthroughThis PR updates the CI workflow to use Python 3.12 instead of 3.11 for the test job, and bumps the TENET-AI submodule reference to a commit that renames .dockerignore files to Dockerfile.dockerignore for the analyzer and ingest services. ChangesCI Python Version Update
TENET-AI Submodule Update
Estimated code review effort: 1 (Trivial) | ~3 minutes Related issues: Resolves Suggested labels: ci, dependencies Suggested reviewers: none identified 🐰 A hop, a bump, a version tweak, 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (3)
.github/workflows/qodana_code_quality.yml (2)
11-13: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueConfirm
fix-dockerignorebranch trigger is intentional.This looks like a transient/dev branch left in the push trigger. If it was only for testing the dockerignore rename mentioned in the submodule bump, consider removing it before merge.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/qodana_code_quality.yml around lines 11 - 13, The workflow push trigger currently includes the temporary fix-dockerignore branch, which appears to be a leftover test branch. Update the branch list in the qodana_code_quality workflow to remove fix-dockerignore unless it is intentionally meant to stay, keeping only the permanent branches that should trigger this job.
18-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
contents: writeis unused sincepush-fixes: 'none'.The job requests
contents: write, but the Qodana step haspush-fixes: 'none'(Line 40), so nothing is written back to the repo. Granting write access to contents that is never exercised violates least privilege.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/qodana_code_quality.yml around lines 18 - 21, The Qodana workflow currently requests unnecessary repository write access because the job uses push-fixes: 'none' and does not write back to the repo. Update the permissions block in the workflow to remove contents: write and keep only the permissions actually needed by the Qodana job, using the qodana_code_quality workflow and its Qodana step as the reference points.qodana.yaml (1)
39-45: 🧹 Nitpick | 🔵 TrivialQuality gate is disabled — analysis is report-only for now.
failureConditionsis commented out, so Qodana won't fail the pipeline regardless of findings. Fine as an initial rollout; consider enabling severity/coverage thresholds once the baseline is established.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@qodana.yaml` around lines 39 - 45, The quality gate is currently disabled because the failureConditions block in qodana.yaml is commented out. Re-enable the failureConditions section and set appropriate severityThresholds and testCoverageThresholds in the Qodana config once the baseline is ready, so the pipeline can fail on unacceptable findings.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/qodana_code_quality.yml:
- Around line 23-26: The checkout step in the qodana_code_quality workflow is
persisting repository credentials unnecessarily; update the actions/checkout@v4
configuration to disable credential persistence. In the checkout block that
already sets ref and fetch-depth, add persist-credentials: false so the
GITHUB_TOKEN is not left in .git/config for the rest of the job.
---
Nitpick comments:
In @.github/workflows/qodana_code_quality.yml:
- Around line 11-13: The workflow push trigger currently includes the temporary
fix-dockerignore branch, which appears to be a leftover test branch. Update the
branch list in the qodana_code_quality workflow to remove fix-dockerignore
unless it is intentionally meant to stay, keeping only the permanent branches
that should trigger this job.
- Around line 18-21: The Qodana workflow currently requests unnecessary
repository write access because the job uses push-fixes: 'none' and does not
write back to the repo. Update the permissions block in the workflow to remove
contents: write and keep only the permissions actually needed by the Qodana job,
using the qodana_code_quality workflow and its Qodana step as the reference
points.
In `@qodana.yaml`:
- Around line 39-45: The quality gate is currently disabled because the
failureConditions block in qodana.yaml is commented out. Re-enable the
failureConditions section and set appropriate severityThresholds and
testCoverageThresholds in the Qodana config once the baseline is ready, so the
pipeline can fail on unacceptable findings.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 784b7dd5-7af6-4b29-a3b1-883930116ec7
⛔ Files ignored due to path filters (1)
out/production/TENET-AI/Main.classis excluded by!**/*.class
📒 Files selected for processing (10)
.github/workflows/ci.yml.github/workflows/qodana_code_quality.yml.idea/.gitignore.idea/misc.xml.idea/modules.xml.idea/vcs.xmlTENET-AITENET-AI.imlqodana.yamlsrc/Main.java
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| fetch-depth: 0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set persist-credentials: false on checkout.
Static analysis (zizmor) flags credential persistence (artipacked): checkout doesn't disable credential persistence, leaving the GITHUB_TOKEN in .git/config for the rest of the job. Since push-fixes: 'none' (Line 40) means this workflow never needs to push back, there's no reason to persist credentials.
🔒 Proposed fix
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 23-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/qodana_code_quality.yml around lines 23 - 26, The checkout
step in the qodana_code_quality workflow is persisting repository credentials
unnecessarily; update the actions/checkout@v4 configuration to disable
credential persistence. In the checkout block that already sets ref and
fetch-depth, add persist-credentials: false so the GITHUB_TOKEN is not left in
.git/config for the rest of the job.
Source: Linters/SAST tools
There was a problem hiding this comment.
3 issues found across 11 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="qodana.yaml">
<violation number="1" location="qodana.yaml:49">
P2: The `qodana.yaml` config uses a JVM Qodana image (`jetbrains/qodana-jvm-community`) for what is primarily a Python project. This means the Qodana CI step will analyze Java/Kotlin code while skipping all the actual project Python code, creating a tooling blind spot where static analysis appears to run but provides no meaningful coverage. Consider switching to a Python-oriented Qodana linter (e.g., `jetbrains/qodana-python`) and reviewing whether `projectJDK` is still needed.</violation>
</file>
<file name=".github/workflows/qodana_code_quality.yml">
<violation number="1" location=".github/workflows/qodana_code_quality.yml:26">
P2: The `actions/checkout@v4` step persists credentials by default, leaving the `GITHUB_TOKEN` in `.git/config` for the remainder of the job. Since this workflow has `contents: write` permission but never pushes back (`push-fixes: 'none'`), adding `persist-credentials: false` reduces the attack surface without any functional impact.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
|
|
||
| #Qodana supports other languages, for example, Python, JavaScript, TypeScript, Go, C#, PHP | ||
| #For all supported languages see https://www.jetbrains.com/help/qodana/linters.html | ||
| linter: jetbrains/qodana-jvm-community:2025.2 |
There was a problem hiding this comment.
P2: The qodana.yaml config uses a JVM Qodana image (jetbrains/qodana-jvm-community) for what is primarily a Python project. This means the Qodana CI step will analyze Java/Kotlin code while skipping all the actual project Python code, creating a tooling blind spot where static analysis appears to run but provides no meaningful coverage. Consider switching to a Python-oriented Qodana linter (e.g., jetbrains/qodana-python) and reviewing whether projectJDK is still needed.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At qodana.yaml, line 49:
<comment>The `qodana.yaml` config uses a JVM Qodana image (`jetbrains/qodana-jvm-community`) for what is primarily a Python project. This means the Qodana CI step will analyze Java/Kotlin code while skipping all the actual project Python code, creating a tooling blind spot where static analysis appears to run but provides no meaningful coverage. Consider switching to a Python-oriented Qodana linter (e.g., `jetbrains/qodana-python`) and reviewing whether `projectJDK` is still needed.</comment>
<file context>
@@ -0,0 +1,49 @@
+
+#Qodana supports other languages, for example, Python, JavaScript, TypeScript, Go, C#, PHP
+#For all supported languages see https://www.jetbrains.com/help/qodana/linters.html
+linter: jetbrains/qodana-jvm-community:2025.2
</file context>
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| fetch-depth: 0 |
There was a problem hiding this comment.
P2: The actions/checkout@v4 step persists credentials by default, leaving the GITHUB_TOKEN in .git/config for the remainder of the job. Since this workflow has contents: write permission but never pushes back (push-fixes: 'none'), adding persist-credentials: false reduces the attack surface without any functional impact.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/qodana_code_quality.yml, line 26:
<comment>The `actions/checkout@v4` step persists credentials by default, leaving the `GITHUB_TOKEN` in `.git/config` for the remainder of the job. Since this workflow has `contents: write` permission but never pushes back (`push-fixes: 'none'`), adding `persist-credentials: false` reduces the attack surface without any functional impact.</comment>
<file context>
@@ -0,0 +1,40 @@
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+ - name: 'Qodana Scan'
+ uses: JetBrains/qodana-action@v2025.2
</file context>
| fetch-depth: 0 | |
| fetch-depth: 0 | |
| persist-credentials: false |
f36f6c1 to
ccbf201
Compare
|
@S3DFX-CYBER Hey! I just did a quick force push to clean up some accidental IntelliJ/Java configuration files that got scooped up in my initial commit. The PR is now perfectly scoped to just the ci.yml Python 3.12 version bump, and the CI test pipeline is officially green! ✅ The only two failing checks remaining are the Vercel authorization and the missing TENET_AI_KEY secret for the TENET Agent, which look like they just need repository admin access to resolve. Ready for review and merge whenever you have a second! Thanks! |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
I think it's still there , can u remove it
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)
27-27: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider disabling credential persistence on checkout.
Static analysis flags this checkout step for not setting
persist-credentials: false. By default,actions/checkoutleaves theGITHUB_TOKENin the local git config for the remainder of the job, which could be exfiltrated by any compromised dependency/step running later (e.g., a malicious package pulled in viapip install -r requirements-dev.txt).🔒 Suggested hardening
- uses: actions/checkout@v7 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 27, The checkout step is leaving the GITHUB_TOKEN persisted in git config by default, so update the actions/checkout usage to disable credential persistence. In the CI workflow, modify the checkout configuration to set persist-credentials to false on the existing actions/checkout step so later jobs or dependencies cannot reuse the token.Source: Linters/SAST tools
27-27: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider disabling credential persistence on checkout.
Static analysis flags this checkout step for not setting
persist-credentials: false. By default,actions/checkoutleaves theGITHUB_TOKENin the local git config for the remainder of the job, which could be exfiltrated by any compromised dependency/step running later (e.g., viapip install -r requirements-dev.txt).🔒 Suggested hardening
- uses: actions/checkout@v7 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 27, The checkout step is leaving GitHub credentials persisted in the runner’s local git config, which can be reused by later steps. Update the existing actions/checkout usage in the CI workflow to explicitly disable credential persistence by setting persist-credentials to false so the token is not retained after checkout.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 27: The checkout step is leaving the GITHUB_TOKEN persisted in git config
by default, so update the actions/checkout usage to disable credential
persistence. In the CI workflow, modify the checkout configuration to set
persist-credentials to false on the existing actions/checkout step so later jobs
or dependencies cannot reuse the token.
- Line 27: The checkout step is leaving GitHub credentials persisted in the
runner’s local git config, which can be reused by later steps. Update the
existing actions/checkout usage in the CI workflow to explicitly disable
credential persistence by setting persist-credentials to false so the token is
not retained after checkout.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: d0af8d54-b7e6-4911-94db-0ae9db3ccf32
📒 Files selected for processing (1)
.github/workflows/ci.yml
|
@S3DFX-CYBER The accidental Java and IntelliJ files have been completely removed, and the src/Main.java thread is now outdated! The main Python CI pipeline is fully green. ✅ |
Summary
This PR updates the GitHub Actions test workflow to use Python 3.12, resolving a dependency resolution failure where the CI pipeline crashed while attempting to install
numpy>=2.5.0on an older Python 3.11 runner.Key Changes
python-versionfrom'3.11'to'3.12'in.github/workflows/ci.yml.Related Issue
Closes #200
Type of Change
Screenshots / Logs (Optional)
N/A
How Has This Been Tested?
The fix will be automatically tested by the GitHub Actions pipeline upon opening this PR. A successful run of the "Install dependencies" step will confirm the numpy conflict is resolved.
Checklist
Additional Notes (Optional)
Kept the scope strictly to
ci.ymlas it is the file responsible for running the test pipeline and installing the conflictingrequirements-dev.txtdependencies.Summary by cubic
Switch CI to Python 3.12 to resolve
numpy>=2.5.0install failures on Python 3.11. Also add theTENET-AIsubmodule pointer.Written for commit b492a95. Summary will update on new commits.
Summary by CodeRabbit