Skip to content

Release/v2.19.0#577

Merged
voxelbuildbot merged 11 commits into
mainfrom
release/v2.19.0
May 28, 2026
Merged

Release/v2.19.0#577
voxelbuildbot merged 11 commits into
mainfrom
release/v2.19.0

Conversation

@kevin-dimichel

Copy link
Copy Markdown
Contributor

Rationale

release v2.19.0

Review Priority

  • high
  • medium
  • low

Changes

Checklist

  • This PR maintains parity between Docker Compose and Helm

Testing

n/a

tom-vx51 and others added 10 commits May 13, 2026 11:25
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…v2.19.0-rc.0 api:v2.19.0rc1 app:v2.19.0rc1 cas:v2.19.0-rc.0
…v2.19.0-rc.1 api:v2.19.0rc2 app:v2.19.0rc2 cas:v2.19.0-rc.1
…v2.19.0-rc.2 api:v2.19.0rc3 app:v2.19.0rc3 cas:v2.19.0-rc.2
…v2.19.0-rc.3 api:v2.19.0rc4 app:v2.19.0rc4 cas:v2.19.0-rc.3
…v2.19.0-rc.4 api:v2.19.0rc5 app:v2.19.0rc5 cas:v2.19.0-rc.4
chore: fix helm.fiftyone.ai table
Enables the new observability features released in FiftyOne Enterprise 2.19.0, including enhanced process metrics, real-time logs, and more, viewable directly within the UI. 

Changes:

* Helm
  * Adds a sidecar container to the following pods:
    * fiftyone-app
    * teams-api
    * plugins
    * do deployments
    * do jobs (as a native sidecar)
  * Adds a role and rolebinding for telemetry
  * Adds get pods/log permission to api role
  * Adds an optional redis deployment and service, with a further optional chart-managed pvc, or a further optional existing PVC by name
* Compose
  * Drops support for `FIFTYONE_DELEGATED_OPERATOR_WORKER_REPLICAS` config option, replacing it with `COMPOSE_PROFILES="do-3"`
  * Adds sidecar containers to same services as Helm
  * Adds a tmpfs volume for the telemetry socket
* Scripts: Adds support for the new telemetry-sidecar image

---------

Signed-off-by: Alan Smith <209585+mo-getter@users.noreply.github.com>
Signed-off-by: Kacey <kacey@voxel51.com>
Co-authored-by: kacey <kacey@voxel51.com>
Co-authored-by: Kevin DiMichel <56850465+kevin-dimichel@users.noreply.github.com>
…v2.19.0-rc.18 api:v2.19.0rc19 app:v2.19.0rc19 cas:v2.19.0-rc.18
@kevin-dimichel kevin-dimichel requested a review from a team as a code owner May 28, 2026 15:01
@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ec34d68c-f18f-4cad-a5b6-3168cba43e8f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

Version 2.19.0 release adds bundled telemetry sidecars with Redis backend across Docker Compose and Helm deployments. Updates include new telemetry environment variables, pod security context defaults (UID/GID 1000), Compose profile-based delegated-operator worker scaling, comprehensive documentation, and extensive test coverage for telemetry injection and configuration.

Changes

FiftyOne Enterprise v2.19.0 Telemetry & Infrastructure

Layer / File(s) Summary
Version baseline and documentation foundation
Makefile, helm/fiftyone-teams-app/README.md, docker/README.md
Version bumped from 2.18.1 to 2.19.0; telemetry section added to Docker/Helm documentation.
Docker Compose telemetry wiring and configuration
docker/README.md, docker/docs/configuring-*.md, docker/internal-auth/env.template, docker/legacy-auth/env.template
Environment templates replace deprecated FIFTYONE_DELEGATED_OPERATOR_WORKER_REPLICAS with Compose profile-based worker scaling. New telemetry Redis/sidecar configuration variables documented. Delegated-operator and GPU workload documentation updated.
Helm telemetry templates and helper functions
helm/fiftyone-teams-app/templates/_telemetry.tpl, helm/fiftyone-teams-app/templates/_helpers.tpl
New _telemetry.tpl template file with named templates for Redis connectivity, sidecar injection, RBAC, and environment wiring. Helper template _helpers.tpl updated to inject telemetry Redis URLs into service environment lists.
Helm values, pod security context, and README updates
helm/fiftyone-teams-app/README.md, helm/fiftyone-teams-app/templates/NOTES.txt, helm/fiftyone-teams-app/README.md.gotmpl
Helm README values table extended with telemetry Redis/persistence/sidecar configuration. Pod security context defaults changed to explicit UID/GID 1000 across API, app, plugins, and delegated-operator workloads. NOTES template now conditionally warns about emptyDir Redis persistence.
Kubernetes and orchestrator integration documentation
docs/orchestrators/configuring-kubernetes-orchestrator.md, docs/orchestrators/configuring-databricks-orchestrator.md
Kubernetes documentation extended with telemetry sidecar Job template configuration, shared PID namespace, and opt-out instructions. Databricks requirements.txt updated to v2.19.0.
Upgrade and migration documentation
docker/docs/upgrading.md, helm/docs/upgrading.md
Docker and Helm upgrade docs updated to reflect v2.19.0 requirements, telemetry sidecar behavior, host/cluster resource impacts, and delegated-operator worker profile migration (deprecated env var replacement).
Test helper utilities and common setup
tests/unit/helm/yaml_helpers.go, tests/unit/compose/common_test.go
New helpers splitYAMLDocs and disableTelemetry simplify Helm test rendering with telemetry disabled by default. telemetrySocketDriverOpts added for tmpfs mounts in Compose tests.
Compose integration and unit tests
tests/unit/compose/docker-compose-*.test.go, tests/integration/compose/docker-compose-*.test.go
Tests updated for v2.19.0 image tags, telemetry environment variables, telemetry-redis-data volumes, delegated operations with Compose profiles, and container log signature changes (motd.py, executor registration).
Helm deployment and pod security context tests
tests/unit/helm/api-deployment_test.go, tests/unit/helm/app-deployment_test.go, tests/unit/helm/plugins-deployment_test.go, tests/unit/helm/teams-app-deployment_test.go, tests/unit/helm/delegated-operator-*.test.go
All Helm deployment tests wrapped with disableTelemetry helper. Pod security context assertions updated to expect UID/GID 1000 defaults. New TestTelemetrySocketInjection tests added for automatic volume/mount injection.
Helm telemetry-specific unit test suites
tests/unit/helm/telemetry-redis_test.go, tests/unit/helm/telemetry-rolebinding_test.go, tests/unit/helm/telemetry-sidecar_test.go, tests/unit/helm/common_test.go
New comprehensive test suites for telemetry Redis (enabled/disabled, bundled vs external, persistence, image configuration), RBAC/RoleBinding (pods/log permissions), and sidecar injection (shareProcessNamespace, securityContext with SYS_PTRACE for executors).
Helm ConfigMap and API role tests
tests/unit/helm/delegated-operator-job-configmap_test.go, tests/unit/helm/api-role_test.go
ConfigMap tests updated to disable telemetry by default; new socket injection test added. API role tests extended to include pods/log access rule independent of telemetry setting.
Test fixtures, build tags, and utility scripts
tests/fixtures/docker/*.env, tests/unit/helm/common_test.go, utils/bump-fixtures-helm.sh, utils/validate-docker-pulls.sh
Test fixtures bumped to v2.19.0rc19/v2.19.0-rc.18. Helm build tags extended for telemetry-specific test compilation. Utilities updated to set telemetry sidecar image tags and validate redis:7-alpine + voxel51/telemetry-sidecar images.
Miscellaneous documentation and custom plugins
docs/custom-plugins.md, docker/docs/configuring-delegated-operators.md
Custom plugins documentation and delegated-operator callouts updated with v2.19.0 tags and profile-based worker scaling explanation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • voxel51/fiftyone-teams-app-deploy#564: Related via the same Makefile VERSION bump from 2.18.1 to 2.19.0, which drives cascading version reference updates across compose/Helm tooling.
  • voxel51/fiftyone-teams-app-deploy#566: Related through telemetry sidecar integration work including FIFTYONE_TELEMETRY_REDIS_URL/TELEMETRY_SOCKET environment setup, _telemetry.tpl Helm templates, and telemetry unit tests.
  • voxel51/fiftyone-teams-app-deploy#571: Related via delegated-operator telemetry setup, removal of FIFTYONE_DELEGATED_OPERATOR_WORKER_REPLICAS, and documentation of profile-gated teams-do-* telemetry sidecars.

Suggested labels

documentation, helm, docker, testing

Suggested reviewers

  • mo-getter
  • kaixi-wang

Poem

🐰 A telemetry sidecar hops in,
Watching metrics flow, tail to chin,
Redis keeps the dashboard spry,
Logs won't vanish when pods fly,
v2.19.0 brings sight divine!

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release/v2.19.0

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

🧹 Nitpick comments (2)
tests/unit/helm/delegated-operator-job-configmap_test.go (1)

714-725: ⚡ Quick win

Assert mount path preservation in user-declared telemetry socket case.

The dedup test only checks count. It should also verify the existing custom mount path (/custom/path) is preserved, not replaced during injection.

Suggested assertion addition
 		{
 			name: "doesNotDuplicateWhenUserDeclaresTelemetrySocket",
 			values: map[string]string{
 				"telemetry.enabled": "true",
 				"delegatedOperatorJobTemplates.jobs.cpuDefault.unused":                     "nil",
 				"delegatedOperatorJobTemplates.jobs.cpuDefault.volumes[0].name":            socketName,
 				"delegatedOperatorJobTemplates.jobs.cpuDefault.volumes[0].emptyDir.medium": "Memory",
 				"delegatedOperatorJobTemplates.jobs.cpuDefault.volumeMounts[0].name":       socketName,
 				"delegatedOperatorJobTemplates.jobs.cpuDefault.volumeMounts[0].mountPath":  "/custom/path",
 			},
 			expectVol: 1,
 			expectMnt: 1,
 		},
@@
 			s.Equal(
 				testCase.expectMnt,
 				countMountsByName(job.Spec.Template.Spec.Containers[0].VolumeMounts, socketName),
 				"telemetry-socket volumeMount count mismatch",
 			)
+			if testCase.name == "doesNotDuplicateWhenUserDeclaresTelemetrySocket" {
+				found := false
+				for _, m := range job.Spec.Template.Spec.Containers[0].VolumeMounts {
+					if m.Name == socketName {
+						s.Equal("/custom/path", m.MountPath, "existing telemetry mountPath should be preserved")
+						found = true
+					}
+				}
+				s.True(found, "expected telemetry-socket mount to exist")
+			}
 		})
 	}
 }

Also applies to: 748-752

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/helm/delegated-operator-job-configmap_test.go` around lines 714 -
725, In the "doesNotDuplicateWhenUserDeclaresTelemetrySocket" test, add an
assertion that the user-provided volumeMount path "/custom/path" is preserved
(i.e., the injected telemetry mount did not override it) by inspecting the
rendered job's volumeMounts for the entry named socketName and asserting
mountPath == "/custom/path" in addition to the existing expectVol/expectMnt
count checks; make the same mount-path-preservation assertion for the other
similar test case referenced in the comment (the neighboring dedup test around
the other case).
tests/unit/helm/plugins-deployment_test.go (1)

2525-2528: ⚡ Quick win

Add nil guards before dereferencing PodSecurityContext fields.

These direct dereferences can panic and make regressions harder to diagnose. Guard the pointer fields first.

Proposed test-hardening patch
 			func(podSecurityContext *corev1.PodSecurityContext) {
+				s.Require().NotNil(podSecurityContext, "podSecurityContext should be set")
+				s.Require().NotNil(podSecurityContext.FSGroup, "fsGroup should be set")
+				s.Require().NotNil(podSecurityContext.RunAsGroup, "runAsGroup should be set")
+				s.Require().NotNil(podSecurityContext.RunAsNonRoot, "runAsNonRoot should be set")
+				s.Require().NotNil(podSecurityContext.RunAsUser, "runAsUser should be set")
 				s.Equal(int64(1000), *podSecurityContext.FSGroup, "fsGroup should be 1000 (image UID)")
 				s.Equal(int64(1000), *podSecurityContext.RunAsGroup, "runAsGroup should be 1000")
 				s.True(*podSecurityContext.RunAsNonRoot, "runAsNonRoot should be true")
 				s.Equal(int64(1000), *podSecurityContext.RunAsUser, "runAsUser should be 1000")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/helm/plugins-deployment_test.go` around lines 2525 - 2528, The
assertions currently dereference podSecurityContext fields directly (FSGroup,
RunAsGroup, RunAsNonRoot, RunAsUser) which can panic; add nil guards by first
asserting podSecurityContext is not nil (e.g., s.NotNil(podSecurityContext)) and
then assert each pointer field is not nil (s.NotNil(podSecurityContext.FSGroup),
etc.) before dereferencing, and then perform the existing equality/true checks
to keep test semantics intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/docs/configuring-delegated-operators.md`:
- Line 43: The sentence "If you used on the <2.19 default of 3 workers, set
`COMPOSE_PROFILES=do-3`." contains a typo and awkward phrasing; replace it with
the suggested wording "If you were using the pre-2.19 default of 3 workers, set
`COMPOSE_PROFILES=do-3`." Update that exact sentence in the documentation to
improve clarity.

In `@docker/docs/configuring-gpu-workloads.md`:
- Around line 57-58: Update the example that sets COMPOSE_PROFILES so it follows
the delegated-operator profile semantics: replace the incorrect
`COMPOSE_PROFILES=do-1,gpu` with `COMPOSE_PROFILES=gpu` (or
`COMPOSE_PROFILES=do-2,gpu` / `COMPOSE_PROFILES=do-3,gpu` when showing how to
scale extra workers). Ensure any mention of slot 1 being optional is removed and
that examples reference `do-2`/`do-3` for additional worker slots and `gpu` for
the GPU profile.

In `@docker/docs/configuring-telemetry.md`:
- Around line 143-148: Add the missing compose.override.yaml snippet to the "To
run without telemetry" opt-out section by including a services block that sets
deploy.replicas: 0 for each telemetry service (refer to service names
telemetry-redis, fiftyone-app-telemetry, teams-api-telemetry,
teams-plugins-telemetry, teams-do-telemetry, teams-do-2-telemetry,
teams-do-3-telemetry, teams-do-gpu-telemetry) so users can scale telemetry to
zero, and fix the typo "Cpmpose" to "Compose" where it appears.

In `@docker/internal-auth/env.template`:
- Around line 97-107: Add the missing example `COMPOSE_PROFILES` line referenced
by the comment: insert a commented and an uncommented example showing how to
enable delegated-operator slots (e.g., `COMPOSE_PROFILES="do-2"` or
`COMPOSE_PROFILES="do-3"`) near the existing explanatory block so users can
copy/paste to enable `do-2`/`do-3`; reference the environment variable name
COMPOSE_PROFILES and ensure the examples mirror the comment text by showing both
single and multi-slot profiles (e.g., `do-2` and `do-3`) and note that it must
not exceed the license max.

In `@helm/docs/upgrading.md`:
- Around line 173-181: Update the paragraph describing the delegated-operator
sidecar to remove the incorrect claim that the configuration is "compatible with
Pod Security Admission `restricted` out of the box"; instead explicitly state
that the delegated-operator sidecar requires the `SYS_PTRACE` capability (which
is prohibited by PSA `restricted`) and therefore clusters must either allow
`SYS_PTRACE` for that workload/namespace via a policy exception or disable
telemetry by setting `telemetry.enabled: false`. Mention `delegated-operator`
and `telemetry.enabled` by name so readers know which sidecar and flag are
affected, and remove the existing wording implying automatic `restricted`
compatibility.

In `@helm/fiftyone-teams-app/templates/_telemetry.tpl`:
- Around line 146-152: The telemetry sidecar securityContext drops all
capabilities but conditionally adds SYS_PTRACE without ensuring a root UID,
which will fail if cluster defaults enforce non-root; update the telemetry
sidecar block in _telemetry.tpl (securityContext) so that when adding
["SYS_PTRACE"] (the conditional around .executor) you also set runAsUser: 0 and
runAsNonRoot: false (i.e., make these keys conditional alongside the add:
["SYS_PTRACE"] clause) so the sidecar runs as root only when ptrace is required.

In `@tests/unit/helm/delegated-operator-instance-deployment_test.go`:
- Around line 3655-3658: The test directly dereferences fields on
podSecurityContext (FSGroup, RunAsGroup, RunAsNonRoot, RunAsUser) which can
panic if nil; update the assertions in the test function to first assert
s.NotNil(podSecurityContext) and then s.NotNil for each pointer field
(podSecurityContext.FSGroup, podSecurityContext.RunAsGroup,
podSecurityContext.RunAsNonRoot, podSecurityContext.RunAsUser) before calling
s.Equal/ s.True on their dereferenced values so failures report clearly instead
of causing a panic.

In `@tests/unit/helm/telemetry-redis_test.go`:
- Around line 139-147: The test currently only asserts the value when
FIFTYONE_TELEMETRY_REDIS_URL is found, so a missing env var would not fail;
update the loop over deployment.Spec.Template.Spec.Containers in
telemetry-redis_test.go to assert presence of the env var for each container
(same pattern as TestExternalUrlWiresApiDeployment) by checking container.Env
contains an entry with Name == "FIFTYONE_TELEMETRY_REDIS_URL" (use s.True or
s.Require().True) and then assert that entry's Value equals expectedURL,
referencing the container.Name in the failure messages.

In `@utils/validate-docker-pulls.sh`:
- Around line 17-18: The script validate-docker-pulls.sh currently appends the
chart appVersion to voxel51 images and has no way to override that, causing
mismatches with RC tags; add a CLI flag (e.g., --expected-tag) and/or
environment variable (e.g., EXPECTED_IMAGE_TAG) parsing at the top of
validate-docker-pulls.sh and use that value when building the expected image
name instead of always using the chart APP_VERSION; update the logic that
constructs expected image strings (references to where appVersion/APP_VERSION is
used) to prefer EXPECTED_IMAGE_TAG if set (or the CLI flag) and fall back to the
existing behavior otherwise, and include usage/help text for the new option.

---

Nitpick comments:
In `@tests/unit/helm/delegated-operator-job-configmap_test.go`:
- Around line 714-725: In the "doesNotDuplicateWhenUserDeclaresTelemetrySocket"
test, add an assertion that the user-provided volumeMount path "/custom/path" is
preserved (i.e., the injected telemetry mount did not override it) by inspecting
the rendered job's volumeMounts for the entry named socketName and asserting
mountPath == "/custom/path" in addition to the existing expectVol/expectMnt
count checks; make the same mount-path-preservation assertion for the other
similar test case referenced in the comment (the neighboring dedup test around
the other case).

In `@tests/unit/helm/plugins-deployment_test.go`:
- Around line 2525-2528: The assertions currently dereference podSecurityContext
fields directly (FSGroup, RunAsGroup, RunAsNonRoot, RunAsUser) which can panic;
add nil guards by first asserting podSecurityContext is not nil (e.g.,
s.NotNil(podSecurityContext)) and then assert each pointer field is not nil
(s.NotNil(podSecurityContext.FSGroup), etc.) before dereferencing, and then
perform the existing equality/true checks to keep test semantics intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 68922226-e655-451e-8eb0-ace3fb9029b6

📥 Commits

Reviewing files that changed from the base of the PR and between 816edea and 8a9eab2.

⛔ Files ignored due to path filters (35)
  • docker/common-services.yaml is excluded by !**/*.yaml
  • docker/internal-auth/compose.dedicated-plugins.yaml is excluded by !**/*.yaml
  • docker/internal-auth/compose.delegated-operators.gpu.yaml is excluded by !**/*.yaml
  • docker/internal-auth/compose.delegated-operators.yaml is excluded by !**/*.yaml
  • docker/internal-auth/compose.plugins.yaml is excluded by !**/*.yaml
  • docker/internal-auth/compose.yaml is excluded by !**/*.yaml
  • docker/legacy-auth/compose.dedicated-plugins.yaml is excluded by !**/*.yaml
  • docker/legacy-auth/compose.delegated-operators.gpu.yaml is excluded by !**/*.yaml
  • docker/legacy-auth/compose.delegated-operators.yaml is excluded by !**/*.yaml
  • docker/legacy-auth/compose.plugins.yaml is excluded by !**/*.yaml
  • docker/legacy-auth/compose.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/Chart.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/api-deployment.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/api-role.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/app-deployment.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/delegated-operator-instance-deployment.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/delegated-operator-job-configmap.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/plugins-deployment.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/telemetry-redis-deployment.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/telemetry-redis-pvc.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/telemetry-redis-service.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/telemetry-role.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/templates/telemetry-rolebinding.yaml is excluded by !**/*.yaml
  • helm/fiftyone-teams-app/values.schema.json is excluded by !**/*.json
  • helm/fiftyone-teams-app/values.yaml is excluded by !**/*.yaml
  • helm/values.yaml is excluded by !**/*.yaml
  • skaffold.yaml is excluded by !**/*.yaml
  • tests/fixtures/docker/compose.override.mongodb.yaml is excluded by !**/*.yaml
  • tests/fixtures/docker/compose.override.mongodb_do.yaml is excluded by !**/*.yaml
  • tests/fixtures/docker/compose.override.mongodb_plugins.yaml is excluded by !**/*.yaml
  • tests/fixtures/helm/integration_values.yaml is excluded by !**/*.yaml
  • tests/unit/helm/test_data/delegated-operator-job-configmap_test/expected-cpu-default-override-template-values.yaml is excluded by !**/*.yaml
  • tests/unit/helm/test_data/delegated-operator-job-configmap_test/expected-cpu-default.yaml is excluded by !**/*.yaml
  • tests/unit/helm/test_data/delegated-operator-job-configmap_test/expected-override-example-cascading-template.yaml is excluded by !**/*.yaml
  • tests/unit/helm/test_data/delegated-operator-job-configmap_test/expected-override-example-template.yaml is excluded by !**/*.yaml
📒 Files selected for processing (40)
  • Makefile
  • docker/README.md
  • docker/docs/configuring-delegated-operators.md
  • docker/docs/configuring-gpu-workloads.md
  • docker/docs/configuring-telemetry.md
  • docker/docs/upgrading.md
  • docker/internal-auth/env.template
  • docker/legacy-auth/env.template
  • docs/custom-plugins.md
  • docs/orchestrators/configuring-databricks-orchestrator.md
  • docs/orchestrators/configuring-kubernetes-orchestrator.md
  • helm/docs/upgrading.md
  • helm/fiftyone-teams-app/README.md
  • helm/fiftyone-teams-app/README.md.gotmpl
  • helm/fiftyone-teams-app/templates/NOTES.txt
  • helm/fiftyone-teams-app/templates/_do_targets.tpl
  • helm/fiftyone-teams-app/templates/_helpers.tpl
  • helm/fiftyone-teams-app/templates/_telemetry.tpl
  • tests/fixtures/docker/.env
  • tests/fixtures/docker/integration_internal_auth.env
  • tests/fixtures/docker/integration_legacy_auth.env
  • tests/integration/compose/docker-compose-internal-auth_test.go
  • tests/integration/compose/docker-compose-legacy-auth_test.go
  • tests/unit/compose/common_test.go
  • tests/unit/compose/docker-compose-internal-auth_test.go
  • tests/unit/compose/docker-compose-legacy-auth_test.go
  • tests/unit/helm/api-deployment_test.go
  • tests/unit/helm/api-role_test.go
  • tests/unit/helm/app-deployment_test.go
  • tests/unit/helm/common_test.go
  • tests/unit/helm/delegated-operator-instance-deployment_test.go
  • tests/unit/helm/delegated-operator-job-configmap_test.go
  • tests/unit/helm/plugins-deployment_test.go
  • tests/unit/helm/teams-app-deployment_test.go
  • tests/unit/helm/telemetry-redis_test.go
  • tests/unit/helm/telemetry-rolebinding_test.go
  • tests/unit/helm/telemetry-sidecar_test.go
  • tests/unit/helm/yaml_helpers.go
  • utils/bump-fixtures-helm.sh
  • utils/validate-docker-pulls.sh
💤 Files with no reviewable changes (1)
  • tests/fixtures/docker/.env

> profiles (`do-2`, `do-3`). Set `COMPOSE_PROFILES=do-N` to add slots
> up to N (cap of 3). This replaces the deprecated
> `FIFTYONE_DELEGATED_OPERATOR_WORKER_REPLICAS` environment variable.
> If you used on the <2.19 default of 3 workers, set `COMPOSE_PROFILES=do-3`.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix typo in upgrade guidance sentence.

Line 43 reads awkwardly (If you used on the <2.19 default...). Suggested wording: If you were using the pre-2.19 default of 3 workers, set COMPOSE_PROFILES=do-3.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/docs/configuring-delegated-operators.md` at line 43, The sentence "If
you used on the <2.19 default of 3 workers, set `COMPOSE_PROFILES=do-3`."
contains a typo and awkward phrasing; replace it with the suggested wording "If
you were using the pre-2.19 default of 3 workers, set `COMPOSE_PROFILES=do-3`."
Update that exact sentence in the documentation to improve clarity.

Comment on lines +57 to +58
worker profile (e.g. `COMPOSE_PROFILES=do-1,gpu`); see
[Configuring Telemetry](./configuring-telemetry.md#scaling-teams-do-with-telemetry)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix profile example to match delegated-operator profile semantics.

Line 57 uses COMPOSE_PROFILES=do-1,gpu, but this conflicts with the delegated-operators doc update in this PR where slot 1 is always on and optional profiles are do-2/do-3. Use COMPOSE_PROFILES=gpu (or do-2,gpu / do-3,gpu when scaling extra workers).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/docs/configuring-gpu-workloads.md` around lines 57 - 58, Update the
example that sets COMPOSE_PROFILES so it follows the delegated-operator profile
semantics: replace the incorrect `COMPOSE_PROFILES=do-1,gpu` with
`COMPOSE_PROFILES=gpu` (or `COMPOSE_PROFILES=do-2,gpu` /
`COMPOSE_PROFILES=do-3,gpu` when showing how to scale extra workers). Ensure any
mention of slot 1 being optional is removed and that examples reference
`do-2`/`do-3` for additional worker slots and `gpu` for the GPU profile.

Comment on lines +143 to +148
To run without telemetry

1. Add a `compose.override.yaml` that scales the
telemetry services to zero replicas:

### Scaling teams-do with telemetry

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Complete the “Opting out” instructions and fix the Compose typo

The section introduces an opt-out flow but stops before showing the actual compose.override.yaml example, then jumps to a different heading. Also Line 237 has “Cpmpose”. Please include the missing override snippet and correct the typo.

Suggested patch
@@
 To run without telemetry
 
 1. Add a `compose.override.yaml` that scales the
    telemetry services to zero replicas:
+
+```yaml
+services:
+  telemetry-redis:
+    deploy:
+      replicas: 0
+  fiftyone-app-telemetry:
+    deploy:
+      replicas: 0
+  teams-api-telemetry:
+    deploy:
+      replicas: 0
+  teams-plugins-telemetry:
+    deploy:
+      replicas: 0
+  teams-do-telemetry:
+    deploy:
+      replicas: 0
+  teams-do-2-telemetry:
+    deploy:
+      replicas: 0
+  teams-do-3-telemetry:
+    deploy:
+      replicas: 0
+  teams-do-gpu-telemetry:
+    deploy:
+      replicas: 0
+```
@@
-in the Cpmpose files.
+in the Compose files.

Also applies to: 237-237

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/docs/configuring-telemetry.md` around lines 143 - 148, Add the missing
compose.override.yaml snippet to the "To run without telemetry" opt-out section
by including a services block that sets deploy.replicas: 0 for each telemetry
service (refer to service names telemetry-redis, fiftyone-app-telemetry,
teams-api-telemetry, teams-plugins-telemetry, teams-do-telemetry,
teams-do-2-telemetry, teams-do-3-telemetry, teams-do-gpu-telemetry) so users can
scale telemetry to zero, and fix the typo "Cpmpose" to "Compose" where it
appears.

Comment on lines +97 to +107
# Delegated-operator worker count is selected via Compose profiles when
# the `compose.delegated-operators.yaml` overlay is in use. Slot 1
# (`teams-do`) runs by default; uncomment the line below to add slots
# 2 and/or 3, each paired with its own telemetry sidecar (static cap
# of 3). `do-N` includes every lower slot, so `do-3` runs three workers.
#
# See docker/docs/configuring-telemetry.md
# and docker/docs/configuring-delegated-operators.md for details. The
# value must not exceed the max concurrent delegated operators set in
# your license file.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add the missing COMPOSE_PROFILES example line referenced by the comment.

The text says “uncomment the line below,” but no line is present. Add a concrete example so users can actually enable do-2/do-3.

Suggested doc fix
 # Delegated-operator worker count is selected via Compose profiles when
 # the `compose.delegated-operators.yaml` overlay is in use. Slot 1
 # (`teams-do`) runs by default; uncomment the line below to add slots
 # 2 and/or 3, each paired with its own telemetry sidecar (static cap
 # of 3). `do-N` includes every lower slot, so `do-3` runs three workers.
+#
+# COMPOSE_PROFILES=do-2   # enables teams-do-2 (plus default teams-do)
+# COMPOSE_PROFILES=do-3   # enables teams-do-2 and teams-do-3 (plus default teams-do)
 #
 # See docker/docs/configuring-telemetry.md
 # and docker/docs/configuring-delegated-operators.md for details. The
 # value must not exceed the max concurrent delegated operators set in
 # your license file.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/internal-auth/env.template` around lines 97 - 107, Add the missing
example `COMPOSE_PROFILES` line referenced by the comment: insert a commented
and an uncommented example showing how to enable delegated-operator slots (e.g.,
`COMPOSE_PROFILES="do-2"` or `COMPOSE_PROFILES="do-3"`) near the existing
explanatory block so users can copy/paste to enable `do-2`/`do-3`; reference the
environment variable name COMPOSE_PROFILES and ensure the examples mirror the
comment text by showing both single and multi-slot profiles (e.g., `do-2` and
`do-3`) and note that it must not exceed the license max.

Comment thread helm/docs/upgrading.md
Comment on lines +173 to +181
user) with `cap_drop: ALL`. The delegated-operator sidecar
additionally has `SYS_PTRACE` added (required for `py-spy` stack
sampling); the other three sidecars run with no capabilities. This
posture is compatible with
[Pod Security Admission][psa] `restricted` out of the box.
Clusters enforcing additional admission policies (OPA/Gatekeeper,
Kyverno) that explicitly block `SYS_PTRACE` on the
delegated-operator namespace can either allow that single capability
or disable telemetry with `telemetry.enabled: false`.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In Kubernetes Pod Security Standards "restricted", which Linux capabilities are allowed in container securityContext.capabilities.add? Is SYS_PTRACE allowed?

💡 Result:

In the Kubernetes "restricted" Pod Security Standard, the configuration for container capabilities is highly restrictive [1][2]. Under this policy, containers must drop all capabilities, and the only capability that is explicitly permitted to be added back is NET_BIND_SERVICE [1][2]. SYS_PTRACE is not allowed under the restricted Pod Security Standard [1][2]. Any attempt to add SYS_PTRACE or any other capability (other than NET_BIND_SERVICE) via spec.containers[*].securityContext.capabilities.add will violate the restricted policy and result in the Pod being rejected by the Pod Security Admission controller if it is set to enforce mode [1][3].

Citations:


🌐 Web query:

Kubernetes Pod Security Standards restricted seccomp capabilities add allowed NET_BIND_SERVICE SYS_PTRACE container securityContext.capabilities.add

💡 Result:

Under the Kubernetes Restricted Pod Security Standard, adding capabilities beyond those explicitly permitted is prohibited [1][2]. Specifically, the Restricted policy mandates that containers must drop all capabilities and are only permitted to add back the NET_BIND_SERVICE capability [1][3]. Consequently, adding NET_BIND_SERVICE via container.securityContext.capabilities.add is compliant with the Restricted standard [1][4], while adding SYS_PTRACE is not allowed and will cause a violation [1][2]. Regarding seccomp, the Restricted policy requires that the seccomp profile must not be set to Unconfined [1][2]. It must be explicitly set to either RuntimeDefault or Localhost [1][2]. If a container's seccomp profile is not explicitly defined, it may inherit the pod-level profile, but the final configuration must conform to these restricted values [1][5]. In summary: 1. NET_BIND_SERVICE: Allowed to be added [1][2]. 2. SYS_PTRACE: Prohibited from being added [1][2]. 3. Seccomp: Must be RuntimeDefault or Localhost; Unconfined is prohibited [1][5][2].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
sed -n '150,210p' helm/docs/upgrading.md | nl -ba | sed -n '1,120p'

Repository: voxel51/fiftyone-teams-app-deploy

Length of output: 120


🏁 Script executed:

#!/bin/bash
set -euo pipefail
f="helm/docs/upgrading.md"
if [ ! -f "$f" ]; then
  echo "Missing file: $f"
  exit 1
fi
# Print lines 160-195 with line numbers using awk (nl not available)
awk 'NR>=160 && NR<=195 {printf "%d:%s\n", NR, $0}' "$f"

Repository: voxel51/fiftyone-teams-app-deploy

Length of output: 1751


Fix PSA “restricted” compatibility claim: SYS_PTRACE is not allowed

  • helm/docs/upgrading.md says the delegated-operator sidecar adds SYS_PTRACE, but also claims the posture is compatible with PSA restricted “out of the box”; Kubernetes “restricted” only permits adding NET_BIND_SERVICE and prohibits SYS_PTRACE, so enforcing restricted will reject the pod.
  • Reword to state compatibility requires either a policy exception allowing SYS_PTRACE for that workload/namespace or disabling telemetry (telemetry.enabled: false).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helm/docs/upgrading.md` around lines 173 - 181, Update the paragraph
describing the delegated-operator sidecar to remove the incorrect claim that the
configuration is "compatible with Pod Security Admission `restricted` out of the
box"; instead explicitly state that the delegated-operator sidecar requires the
`SYS_PTRACE` capability (which is prohibited by PSA `restricted`) and therefore
clusters must either allow `SYS_PTRACE` for that workload/namespace via a policy
exception or disable telemetry by setting `telemetry.enabled: false`. Mention
`delegated-operator` and `telemetry.enabled` by name so readers know which
sidecar and flag are affected, and remove the existing wording implying
automatic `restricted` compatibility.

Comment on lines +146 to +152
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- if .executor }}
add: ["SYS_PTRACE"]
{{- end }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

❓ Verification inconclusive

🏁 Script executed:

#!/bin/bash
# Verify whether pod-level non-root defaults coexist with sidecar templates lacking runAsUser override.
# Expected: find pod non-root defaults and confirm telemetry sidecar securityContext has no runAsUser/runAsNonRoot lines.

set -euo pipefail

echo "== Files setting pod-level non-root defaults =="
rg -n -C2 'runAsNonRoot|runAsUser|podSecurityContext|securityContext' helm/fiftyone-teams-app/templates

echo
echo "== telemetry.sidecar and telemetry.native-sidecar securityContext blocks =="
rg -n -C4 'define "telemetry\.sidecar"|define "telemetry\.native-sidecar"|securityContext:|runAsNonRoot|runAsUser|SYS_PTRACE' helm/fiftyone-teams-app/templates/_telemetry.tpl

Repository: voxel51/fiftyone-teams-app-deploy

Length of output: 2091


Fix telemetry sidecar securityContext to handle non-root defaults when adding SYS_PTRACE

helm/fiftyone-teams-app/templates/_telemetry.tpl’s telemetry sidecar securityContext drops all capabilities and conditionally adds SYS_PTRACE, but it lacks explicit runAsNonRoot: false / runAsUser: 0. If the chart/pod security defaults enforce non-root, the sidecar may fail to start or access required /proc/ptrace capabilities.

Suggested fix
   securityContext:
     allowPrivilegeEscalation: false
+    runAsNonRoot: false
+    runAsUser: 0
     capabilities:
       drop: ["ALL"]
       {{- if .executor }}
       add: ["SYS_PTRACE"]
       {{- end }}
@@
   securityContext:
     allowPrivilegeEscalation: false
+    runAsNonRoot: false
+    runAsUser: 0
     capabilities:
       drop: ["ALL"]
       {{- if .executor }}
       add: ["SYS_PTRACE"]
       {{- end }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- if .executor }}
add: ["SYS_PTRACE"]
{{- end }}
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
runAsUser: 0
capabilities:
drop: ["ALL"]
{{- if .executor }}
add: ["SYS_PTRACE"]
{{- end }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helm/fiftyone-teams-app/templates/_telemetry.tpl` around lines 146 - 152, The
telemetry sidecar securityContext drops all capabilities but conditionally adds
SYS_PTRACE without ensuring a root UID, which will fail if cluster defaults
enforce non-root; update the telemetry sidecar block in _telemetry.tpl
(securityContext) so that when adding ["SYS_PTRACE"] (the conditional around
.executor) you also set runAsUser: 0 and runAsNonRoot: false (i.e., make these
keys conditional alongside the add: ["SYS_PTRACE"] clause) so the sidecar runs
as root only when ptrace is required.

Comment on lines +3655 to +3658
s.Equal(int64(1000), *podSecurityContext.FSGroup, "fsGroup should be 1000 (image UID)")
s.Equal(int64(1000), *podSecurityContext.RunAsGroup, "runAsGroup should be 1000")
s.True(*podSecurityContext.RunAsNonRoot, "runAsNonRoot should be true")
s.Equal(int64(1000), *podSecurityContext.RunAsUser, "runAsUser should be 1000")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Guard pointer dereferences in PodSecurityContext assertions.

At Line 3655 and Line 3675 blocks, direct pointer dereferences can panic before assertion reporting if the field is unexpectedly nil. Add explicit NotNil checks first for clearer failures.

Suggested patch
 func(podSecurityContext *corev1.PodSecurityContext) {
+  s.Require().NotNil(podSecurityContext.FSGroup, "fsGroup should be set")
+  s.Require().NotNil(podSecurityContext.RunAsGroup, "runAsGroup should be set")
+  s.Require().NotNil(podSecurityContext.RunAsNonRoot, "runAsNonRoot should be set")
+  s.Require().NotNil(podSecurityContext.RunAsUser, "runAsUser should be set")
   s.Equal(int64(1000), *podSecurityContext.FSGroup, "fsGroup should be 1000 (image UID)")
   s.Equal(int64(1000), *podSecurityContext.RunAsGroup, "runAsGroup should be 1000")
   s.True(*podSecurityContext.RunAsNonRoot, "runAsNonRoot should be true")
   s.Equal(int64(1000), *podSecurityContext.RunAsUser, "runAsUser should be 1000")
   ...
 }

Also applies to: 3675-3678

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/helm/delegated-operator-instance-deployment_test.go` around lines
3655 - 3658, The test directly dereferences fields on podSecurityContext
(FSGroup, RunAsGroup, RunAsNonRoot, RunAsUser) which can panic if nil; update
the assertions in the test function to first assert s.NotNil(podSecurityContext)
and then s.NotNil for each pointer field (podSecurityContext.FSGroup,
podSecurityContext.RunAsGroup, podSecurityContext.RunAsNonRoot,
podSecurityContext.RunAsUser) before calling s.Equal/ s.True on their
dereferenced values so failures report clearly instead of causing a panic.

Comment on lines +139 to +147
for _, container := range deployment.Spec.Template.Spec.Containers {
for _, ev := range container.Env {
if ev.Name == "FIFTYONE_TELEMETRY_REDIS_URL" {
s.Equal(expectedURL, ev.Value,
"FIFTYONE_TELEMETRY_REDIS_URL on %s should be release-scoped in-cluster URL",
container.Name)
}
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assert env var presence in bundled URL path

On Line 139, this loop validates value only when FIFTYONE_TELEMETRY_REDIS_URL exists, so the test can pass even if the env var is missing entirely on a container. Add an explicit presence assertion per container (same pattern used in TestExternalUrlWiresApiDeployment).

Suggested patch
 	for _, container := range deployment.Spec.Template.Spec.Containers {
-		for _, ev := range container.Env {
+		found := false
+		for _, ev := range container.Env {
 			if ev.Name == "FIFTYONE_TELEMETRY_REDIS_URL" {
+				found = true
 				s.Equal(expectedURL, ev.Value,
 					"FIFTYONE_TELEMETRY_REDIS_URL on %s should be release-scoped in-cluster URL",
 					container.Name)
+				break
 			}
 		}
+		s.True(found, "FIFTYONE_TELEMETRY_REDIS_URL should be set on %s container", container.Name)
 	}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
for _, container := range deployment.Spec.Template.Spec.Containers {
for _, ev := range container.Env {
if ev.Name == "FIFTYONE_TELEMETRY_REDIS_URL" {
s.Equal(expectedURL, ev.Value,
"FIFTYONE_TELEMETRY_REDIS_URL on %s should be release-scoped in-cluster URL",
container.Name)
}
}
}
for _, container := range deployment.Spec.Template.Spec.Containers {
found := false
for _, ev := range container.Env {
if ev.Name == "FIFTYONE_TELEMETRY_REDIS_URL" {
found = true
s.Equal(expectedURL, ev.Value,
"FIFTYONE_TELEMETRY_REDIS_URL on %s should be release-scoped in-cluster URL",
container.Name)
break
}
}
s.True(found, "FIFTYONE_TELEMETRY_REDIS_URL should be set on %s container", container.Name)
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/helm/telemetry-redis_test.go` around lines 139 - 147, The test
currently only asserts the value when FIFTYONE_TELEMETRY_REDIS_URL is found, so
a missing env var would not fail; update the loop over
deployment.Spec.Template.Spec.Containers in telemetry-redis_test.go to assert
presence of the env var for each container (same pattern as
TestExternalUrlWiresApiDeployment) by checking container.Env contains an entry
with Name == "FIFTYONE_TELEMETRY_REDIS_URL" (use s.True or s.Require().True) and
then assert that entry's Value equals expectedURL, referencing the
container.Name in the failure messages.

Comment on lines +17 to +18
# Images with an explicit `:tag` are taken as-is; voxel51/ images without
# a tag get the chart appVersion appended automatically.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make expected image tag overridable for prerelease validation

The current “append chart appVersion” behavior is causing this job to validate voxel51/*:v2.19.0, but this PR’s fixtures are still on RC image tags (v2.19.0rc19 / v2.19.0-rc.18). That mismatch is what the failing pipeline output shows. Please add an override path (CLI flag/env var) so CI can validate against RC tags before GA images exist.

Suggested patch
@@
-expected_tag=$(yq '.appVersion' "${GIT_ROOT}/helm/fiftyone-teams-app/Chart.yaml")
+expected_tag="${EXPECTED_IMAGE_TAG:-$(yq '.appVersion' "${GIT_ROOT}/helm/fiftyone-teams-app/Chart.yaml")}"
@@ print_usage() {
-  echo "-f, --values VALUES_YAML values.yaml to use in templating. Defaults to ${VALUES_YAML}"
+  echo "-f, --values VALUES_YAML values.yaml to use in templating. Defaults to ${VALUES_YAML}"
+  echo "-t, --expected-tag TAG    override appended tag for untagged voxel51/* images"
@@ parse_arguments() {
       -f | --values)
@@
         shift 2
         ;;
+      -t | --expected-tag)
+        EXPECTED_IMAGE_TAG="${2-}"
+        if [[ -z "${EXPECTED_IMAGE_TAG}" ]]; then
+          log_error "--expected-tag requires a non-empty value"
+          exit 1
+        fi
+        shift 2
+        ;;
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@utils/validate-docker-pulls.sh` around lines 17 - 18, The script
validate-docker-pulls.sh currently appends the chart appVersion to voxel51
images and has no way to override that, causing mismatches with RC tags; add a
CLI flag (e.g., --expected-tag) and/or environment variable (e.g.,
EXPECTED_IMAGE_TAG) parsing at the top of validate-docker-pulls.sh and use that
value when building the expected image name instead of always using the chart
APP_VERSION; update the logic that constructs expected image strings (references
to where appVersion/APP_VERSION is used) to prefer EXPECTED_IMAGE_TAG if set (or
the CLI flag) and fall back to the existing behavior otherwise, and include
usage/help text for the new option.

mo-getter
mo-getter previously approved these changes May 28, 2026
@voxelbuildbot voxelbuildbot merged commit 6cd3ad2 into main May 28, 2026
14 of 15 checks passed
@voxelbuildbot voxelbuildbot deleted the release/v2.19.0 branch May 28, 2026 20:30
@coderabbitai coderabbitai Bot mentioned this pull request Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants