Skip to content

Upgrade dependencies 2025-05-12 (#6960, #7118, #7108) #7119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: develop
Choose a base branch
from
Open

Upgrade dependencies 2025-05-12 (#6960, #7118, #7108) #7119

wants to merge 12 commits into from
+161 −228

Conversation

achave11-ucsc
Copy link
Member

@achave11-ucsc achave11-ucsc commented May 14, 2025
edited by dsotirho-ucsc
Loading

Connected issue: #6960, #7108, #7118

Checklist

Author

  • Target branch is develop
  • Name of PR branch matches upgrades/yyyy-mm-dd
  • On ZenHub, PR is connected to the upgrade issue it resolves
  • PR title matches Upgrade dependencies yyyy-mm-dd
  • PR title references the connected issue

Author (upgrading deployments)

  • Ran make docker_images.json and committed the resulting changes or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable
  • Documented upgrading of deployments in UPGRADING.rst or this PR does not require upgrading deployments
  • Added u tag to commit title or this PR does not require upgrading deployments
  • This PR is labeled upgrade or does not require upgrading deployments
  • This PR is labeled deploy:shared or does not modify docker_images.json, and does not require deploying the shared component for any other reason
  • This PR is labeled deploy:gitlab or does not require deploying the gitlab component
  • This PR is labeled backup:gitlab
  • This PR is labeled deploy:runner or does not require deploying the runner image

Author (before every review)

  • Rebased PR branch on develop, squashed old fixups
  • Ran make requirements_update or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile
  • Added R tag to commit title or this PR does not modify requirements*.txt
  • This PR is labeled reqs or does not modify requirements*.txt
  • make integration_test passes in personal deployment or this PR does not modify functionality that could affect the IT outcome

System administrator (after approval)

  • Actually approved the PR
  • Labeled connected issue as no demo
  • A comment to this PR details the completed security design review
  • PR title is appropriate as title of merge commit
  • Moved connected issue to Approved column
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Squashed PR branch and rebased onto develop
  • Sanity-checked history
  • Pushed PR branch to GitHub
  • Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select dev.gitlab && python scripts/create_gitlab_snapshot.py --no-restart (see operator manual for details) or this PR is not labeled backup:gitlab
  • Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select anvildev.gitlab && python scripts/create_gitlab_snapshot.py --no-restart (see operator manual for details) or this PR is not labeled backup:gitlab
  • Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Checked the items in the next section or this PR is labeled deploy:gitlab
  • PR is assigned to only the system administrator or this PR is not labeled deploy:gitlab

System administrator

  • Background migrations for dev.gitlab are complete or this PR is not labeled deploy:gitlab
  • Background migrations for anvildev.gitlab are complete or this PR is not labeled deploy:gitlab
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Ran _select dev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Ran _select anvildev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Added sandbox label
  • Pushed PR branch to GitLab dev
  • Pushed PR branch to GitLab anvildev
  • Build passes in sandbox deployment
  • Build passes in anvilbox deployment
  • Reviewed build logs for anomalies in sandbox deployment
  • Reviewed build logs for anomalies in anvilbox deployment
  • Confirmed all checks in PR are OK and the PR is mergeable
  • The title of the merge commit starts with the title of this PR
  • Added PR # reference to merge commit title
  • Collected commit title tags in merge commit title but excluded any p tags
  • Moved connected issue to Merged lower column in ZenHub
  • Moved blocked issues to Triage or no issues are blocked on the connected issue
  • Closed related Dependabot PRs with a comment referencing the corresponding commit in this PR or this PR does not include any such commits
  • Pushed merge commit to GitHub

Operator (after pushing the merge commit)

  • Pushed merge commit to GitLab dev
  • Pushed merge commit to GitLab anvildev
  • Build passes on GitLab dev
  • Reviewed build logs for anomalies on GitLab dev
  • Build passes on GitLab anvildev
  • Reviewed build logs for anomalies on GitLab anvildev
  • Ran _select dev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Ran _select anvildev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Deleted PR branch from GitHub
  • Deleted PR branch from GitLab dev
  • Deleted PR branch from GitLab anvildev

Operator

  • At least 24 hours have passed since anvildev.shared was last deployed
  • Ran scripts/export_inspector_findings.py against anvildev, imported results to Google Sheet and posted screenshot of relevant1 findings as a comment on the connected issue.
  • Propagated the deploy:shared, deploy:gitlab, deploy:runner and backup:gitlab labels to the next promotion PRs or this PR carries none of these labels
  • Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner and backup:gitlab labels, from the description of this PR to that of the next promotion PRs or this PR carries none of these labels
  • PR is assigned to only the system administrator

1A relevant finding is a high or critical vulnerability in an image
that is used within the security boundary. Images not used within the boundary
are tracked in azul.docker_images under a key starting with _.

System administrator

  • No currently reported vulnerability requires immediate attention
  • PR is assigned to no one

Shorthand for review comments

  • L line is too long
  • W line wrapping is wrong
  • Q bad quotes
  • F other formatting problem

@github-actions github-actions bot added the orange [process] Done by the Azul team label May 14, 2025
@achave11-ucsc achave11-ucsc added deploy:gitlab [process] PR requires deploying `gitlab` component deploy:shared [process] PR requires deploying `shared` component deploy:runner [process] PR requires deploying `runner` component backup:gitlab [process] PR requires backing up GitLab instances labels May 14, 2025
@achave11-ucsc achave11-ucsc force-pushed the upgrades/2025-05-12 branch from 5ba7735 to eab3575 Compare May 14, 2025 15:51
@coveralls
Copy link

coveralls commented May 14, 2025
edited
Loading

Coverage Status

coverage: 85.417%. remained the same
when pulling 68ba988 on upgrades/2025-05-12
into 7964fe5 on develop.

@codecov Codecov
Copy link

codecov bot commented May 14, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.24%. Comparing base (7964fe5) to head (68ba988).

Additional details and impacted files 
@@           Coverage Diff            @@
##           develop    #7119   +/-   ##
========================================
  Coverage    85.24%   85.24%           
========================================
  Files          152      152           
  Lines        22060    22060           
========================================
  Hits         18804    18804           
  Misses        3256     3256

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@achave11-ucsc achave11-ucsc added the reqs [process] PR includes commit requiring ``make requirements`` label May 14, 2025
@achave11-ucsc achave11-ucsc force-pushed the upgrades/2025-05-12 branch from eab3575 to 8fc14d0 Compare May 15, 2025 18:22
@achave11-ucsc achave11-ucsc changed the title Upgrade dependencies 2025-05-12 (#7108) Upgrade dependencies 2025-05-12 ( #6160, #7118, #7108) May 15, 2025
@achave11-ucsc achave11-ucsc force-pushed the upgrades/2025-05-12 branch 9 times, most recently from 00d4170 to 2b774b8 Compare May 16, 2025 22:43
@achave11-ucsc achave11-ucsc changed the title Upgrade dependencies 2025-05-12 ( #6160, #7118, #7108) Upgrade dependencies 2025-05-12 (#6160, #7118, #7108) May 16, 2025
@achave11-ucsc achave11-ucsc force-pushed the upgrades/2025-05-12 branch from 2b774b8 to e656bfc Compare May 19, 2025 19:50
@achave11-ucsc achave11-ucsc changed the title Upgrade dependencies 2025-05-12 (#6160, #7118, #7108) Upgrade dependencies 2025-05-12 (#6960, #7118, #7108) May 23, 2025
@achave11-ucsc achave11-ucsc force-pushed the upgrades/2025-05-12 branch from b2b2e5d to 391ee66 Compare May 23, 2025 21:48
@achave11-ucsc achave11-ucsc requested a review from hannes-ucsc May 23, 2025 22:49
hannes-ucsc
hannes-ucsc previously approved these changes May 24, 2025
View reviewed changes
@hannes-ucsc
Copy link
Member

Security design review

  • Security design review completed; this PR does not
    • … affect authentication; for example:
      • OAuth 2.0 with the application (API or Swagger UI)
      • Authentication of developers with Google Cloud APIs
      • Authentication of developers with AWS APIs
      • Authentication with a GitLab instance in the system
      • Password and 2FA authentication with GitHub
      • API access token authentication with GitHub
      • Authentication with Terra
    • … affect the permissions of internal users like access to
      • Cloud resources on AWS and GCP
      • GitLab repositories, projects and groups, administration
      • an EC2 instance via SSH
      • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
    • … affect the permissions of external users like access to
      • TDR snapshots
    • … affect permissions of service or bot accounts
      • Cloud resources on AWS and GCP
    • … affect audit logging in the system, like
      • adding, removing or changing a log message that represents an auditable event
      • changing the routing of log messages through the system
    • … affect monitoring of the system
    • … introduce a new software dependency like
      • Python packages on PYPI
      • Command-line utilities
      • Docker images
      • Terraform providers
    • … add an interface that exposes sensitive or confidential data at the security boundary
    • … affect the encryption of data at rest
    • … require persistence of sensitive or confidential data that might require encryption at rest
    • … require unencrypted transmission of data within the security boundary
    • … affect the network security layer; for example by
      • modifying, adding or removing firewall rules
      • modifying, adding or removing security groups
      • changing or adding a port a service, proxy or load balancer listens on
  • Documentation on any unchecked boxes is provided in comments below

@achave11-ucsc achave11-ucsc force-pushed the upgrades/2025-05-12 branch from 391ee66 to 441c038 Compare May 27, 2025 15:58
@dsotirho-ucsc dsotirho-ucsc force-pushed the upgrades/2025-05-12 branch from 441c038 to 68ba988 Compare May 27, 2025 23:32
@dsotirho-ucsc dsotirho-ucsc added the sandbox [process] Resolution is being verified in sandbox deployment label May 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hannes-ucsc hannes-ucsc hannes-ucsc left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@dsotirho-ucsc dsotirho-ucsc

Labels
backup:gitlab [process] PR requires backing up GitLab instances deploy:gitlab [process] PR requires deploying `gitlab` component deploy:runner [process] PR requires deploying `runner` component deploy:shared [process] PR requires deploying `shared` component orange [process] Done by the Azul team reqs [process] PR includes commit requiring ``make requirements`` sandbox [process] Resolution is being verified in sandbox deployment
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@achave11-ucsc @coveralls @hannes-ucsc @dsotirho-ucsc