Merge branch 'develop' into update_argo_wf

.github/workflows/test-provider.yaml

@@ -75,7 +75,7 @@ jobs:
           python-version: "3.11"
 
       - name: Retrieve secret from Vault
-        uses: hashicorp/vault-action@v2.5.0
+        uses: hashicorp/vault-action@v3.0.0
         with:
           method: jwt
           url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"

.github/workflows/test_aws_integration.yaml

@@ -1,4 +1,4 @@
-name: test-aws-integration
+name: AWS Deployment
 
 on:
   schedule:
@@ -32,12 +32,12 @@ env:
   AWS_DEFAULT_REGION: "us-west-2"
   NEBARI_GH_BRANCH: ${{ github.event.inputs.branch || 'develop' }}
   NEBARI_IMAGE_TAG: ${{ github.event.inputs.image-tag || 'main' }}
-  TF_LOG: ${{ github.event.inputs.tf-log-level || 'info' }}
-
+  TF_LOG: ${{ github.event.inputs.tf-log-level || 'info' }}∏
 
 jobs:
   test-aws-integration:
     runs-on: ubuntu-latest
+    if: ${{ vars.SKIP_AWS_INTEGRATION_TEST != 'true' }}
     permissions:
       id-token: write
       contents: read
@@ -59,7 +59,7 @@ jobs:
           playwright install
 
       - name: Retrieve secret from Vault
-        uses: hashicorp/vault-action@v2.5.0
+        uses: hashicorp/vault-action@v3.0.0
         with:
           method: jwt
           url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"

.github/workflows/test_azure_integration.yaml

@@ -0,0 +1,89 @@
+name: Azure Deployment
+
+on:
+  schedule:
+    - cron: "0 0 * * MON"
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Nebari branch to deploy, test, destroy'
+        required: true
+        default: develop
+        type: string
+      image-tag:
+        description: 'Nebari image tag created by the nebari-docker-images repo'
+        required: true
+        default: main
+        type: string
+      tf-log-level:
+        description: 'Change Terraform log levels'
+        required: false
+        default: info
+        type: choice
+        options:
+        - info
+        - warn
+        - debug
+        - trace
+        - error
+
+env:
+  NEBARI_GH_BRANCH: ${{ github.event.inputs.branch || 'develop' }}
+  NEBARI_IMAGE_TAG: ${{ github.event.inputs.image-tag || 'main' }}
+  TF_LOG: ${{ github.event.inputs.tf-log-level || 'info' }}
+
+jobs:
+  test-azure-integration:
+    runs-on: ubuntu-latest
+    if: ${{ vars.SKIP_AZURE_INTEGRATION_TEST != 'true' }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ env.NEBARI_GH_BRANCH }}
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+
+      - name: Install Nebari
+        run: |
+          pip install .[dev]
+          conda install --quiet --yes conda-build
+          playwright install
+
+      - name: Retrieve secret from Vault
+        uses: hashicorp/vault-action@v3.0.0
+        with:
+          method: jwt
+          url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
+          namespace: "admin/quansight"
+          role: "repository-nebari-dev-nebari-role"
+          secrets: |
+            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci client_id | ARM_CLIENT_ID;
+            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci tenant_id | ARM_TENANT_ID;
+            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci subscription_id | ARM_SUBSCRIPTION_ID;
+            kv/data/repository/nebari-dev/nebari/cloudflare/internal-devops@quansight.com/nebari-dev-ci token | CLOUDFLARE_TOKEN;
+
+      - name: 'Azure login'
+        uses: azure/login@v2
+        with:
+          client-id: ${{ env.ARM_CLIENT_ID }}
+          tenant-id: ${{ env.ARM_TENANT_ID }}
+          subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
+
+      - name: Integration Tests
+        run: |
+          pytest --version
+          pytest tests/tests_integration/ -vvv -s --cloud azure
+        env:
+          NEBARI_SECRET__default_images__jupyterhub: "quay.io/nebari/nebari-jupyterhub:${{ env.NEBARI_IMAGE_TAG }}"
+          NEBARI_SECRET__default_images__jupyterlab: "quay.io/nebari/nebari-jupyterlab:${{ env.NEBARI_IMAGE_TAG }}"
+          NEBARI_SECRET__default_images__dask_worker: "quay.io/nebari/nebari-dask-worker:${{ env.NEBARI_IMAGE_TAG }}"
+          ARM_CLIENT_ID: ${{ env.ARM_CLIENT_ID }}
+          ARM_TENANT_ID: ${{ env.ARM_TENANT_ID }}

.github/workflows/test_do_integration.yaml

@@ -1,4 +1,4 @@
-name: test-gcp-integration
+name: Digital Ocean Deployment
 
 on:
   schedule:
@@ -36,6 +36,7 @@ env:
 jobs:
   test-do-integration:
     runs-on: ubuntu-latest
+    if: ${{ vars.SKIP_DO_INTEGRATION_TEST != 'true' }}
     permissions:
       id-token: write
       contents: read
@@ -57,7 +58,7 @@ jobs:
             playwright install
 
       - name: Retrieve secret from Vault
-        uses: hashicorp/vault-action@v2.5.0
+        uses: hashicorp/vault-action@v3.0.0
         with:
           method: jwt
           url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"

.github/workflows/test_gcp_integration.yaml

@@ -1,4 +1,4 @@
-name: test-gcp-integration
+name: GCP Deployment
 
 on:
   schedule:
@@ -32,10 +32,10 @@ env:
   NEBARI_IMAGE_TAG: ${{ github.event.inputs.image-tag || 'main' }}
   TF_LOG: ${{ github.event.inputs.tf-log-level || 'info' }}
 
-
 jobs:
   test-gcp-integration:
     runs-on: ubuntu-latest
+    if: ${{ vars.SKIP_GCP_INTEGRATION_TEST != 'true' }}
     permissions:
       id-token: write
       contents: read
@@ -58,7 +58,7 @@ jobs:
           playwright install
 
       - name: Retrieve secret from Vault
-        uses: hashicorp/vault-action@v2.5.0
+        uses: hashicorp/vault-action@v3.0.0
         with:
           method: jwt
           url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"

.github/workflows/test_helm_charts.yaml

@@ -1,5 +1,5 @@
 # Right now the trigger is set to run on every Monday at 13:00 UTC,
-# or when the workflow file is modified. An aditional manual trigger
+# or when the workflow file is modified. An additional manual trigger
 # is also available.
 name: "Validate Helm Charts downloads"
 

.github/workflows/test_local_integration.yaml

@@ -33,6 +33,7 @@ on:
       pr_number:
         required: true
         type: string
+  workflow_dispatch:
 
 # When the cancel-in-progress: true option is specified, any concurrent jobs or workflows using the same
 # concurrency group will cancel both the pending and currently running jobs or workflows. This allows only
@@ -192,7 +193,10 @@ jobs:
 
       ### CLEANUP AFTER TESTS
       - name: Cleanup nebari deployment
-        if: always()
+        # Since this is not critical for most pull requests and takes more than half of the time
+        # in the CI, it makes sense to only run on merge to main or workflow_dispatch to speed
+        # up feedback cycle
+        if: github.ref_name == 'develop' || github.event_name == 'workflow_dispatch'
         working-directory: local-deployment
         run: |
           nebari destroy --config nebari-config.yaml --disable-prompt

.github/workflows/trivy.yml

@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Code Scanning
+
+on:
+  push:
+    branches: [ "develop", "release/*" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "develop" ]
+  schedule:
+    - cron: '19 23 * * 6'
+
+permissions:
+  contents: read
+
+jobs:
+  SAST:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Trivy config Scan
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.pre-commit-config.yaml

@@ -22,7 +22,7 @@ ci:
 repos:
   # general
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: end-of-file-fixer
         exclude: "^docs-sphinx/cli.html"
@@ -36,28 +36,32 @@ repos:
       - id: check-executables-have-shebangs
         exclude: "^src/_nebari/template/"
 
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.23.6
+    hooks:
+      - id: typos
+
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.2.6
+    rev: v2.3.0
     hooks:
       - id: codespell
         args:
           [
-            "--builtin=rare,clear,informal,names",
-            "--skip=_build,*/build/*,*/node_modules/*,nebari.egg-info,*.git,*.js,*.json,*.yaml,*.yml",
-            "--ignore-words-list=AKS,aks",
             "--write",
           ]
         language: python
+        additional_dependencies:
+        - tomli
 
   # python
   - repo: https://github.com/psf/black
-    rev: 24.3.0
+    rev: 24.8.0
     hooks:
       - id: black
         args: ["--line-length=88", "--exclude=/src/_nebari/template/"]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.3.5
+    rev: v0.5.6
     hooks:
       - id: ruff
         args: ["--fix"]
@@ -73,7 +77,7 @@ repos:
 
   # terraform
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.4
+    rev: v1.92.1
     hooks:
       - id: terraform_fmt
         args:

CITATION.cff

@@ -0,0 +1,10 @@
+cff-version: 1.2.0
+message: "If you use this software, please cite it as below."
+authors:
+  - name: "Nebari Development Team"
+type: software
+title: "Nebari"
+version: 2024.4.1
+date-released: 2024-04-20
+url: "https://www.nebari.dev"
+repository-code: "https://github.com/nebari-dev/nebari"

README.md

@@ -14,7 +14,8 @@
 | :---------- | :-----|
 |   Project   | [![License](https://img.shields.io/badge/License-BSD%203--Clause-gray.svg?colorA=2D2A56&colorB=5936D9&style=flat.svg)](https://opensource.org/licenses/BSD-3-Clause) [![Nebari documentation](https://img.shields.io/badge/%F0%9F%93%96%20Read-the%20docs-gray.svg?colorA=2D2A56&colorB=5936D9&style=flat.svg)](https://www.nebari.dev/docs/welcome) [![PyPI](https://img.shields.io/pypi/v/nebari)](https://badge.fury.io/py/nebari) [![conda version](https://img.shields.io/conda/vn/conda-forge/nebari)]((https://anaconda.org/conda-forge/nebari))  |
 |  Community  | [![GH discussions](https://img.shields.io/badge/%F0%9F%92%AC%20-Participate%20in%20discussions-gray.svg?colorA=2D2A56&colorB=5936D9&style=flat.svg)](https://github.com/nebari-dev/nebari/discussions) [![Open an issue](https://img.shields.io/badge/%F0%9F%93%9D%20Open-an%20issue-gray.svg?colorA=2D2A56&colorB=5936D9&style=flat.svg)](https://github.com/nebari-dev/nebari/issues/new/choose) [![Community guidelines](https://img.shields.io/badge/🤝%20Community-guidelines-gray.svg?colorA=2D2A56&colorB=5936D9&style=flat.svg)](https://www.nebari.dev/docs/community/) |
-|     CI      | [![Kubernetes Tests](https://github.com/nebari-dev/nebari/actions/workflows/test_local_integration.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/kubernetes_test.yaml) [![Tests](https://github.com/nebari-dev/nebari/actions/workflows/test.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test.yaml) [![Test Nebari Provider](https://github.com/nebari-dev/nebari/actions/workflows/test-provider.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test-provider.yaml) |
+|     CI      | [![Kubernetes Tests](https://github.com/nebari-dev/nebari/actions/workflows/test_local_integration.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/kubernetes_test.yaml) [![Tests](https://github.com/nebari-dev/nebari/actions/workflows/test.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test.yaml) [![Test Nebari Provider](https://github.com/nebari-dev/nebari/actions/workflows/test-provider.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test-provider.yaml)|
+| Cloud Providers | [![AWS Deployment Status](https://github.com/nebari-dev/nebari/actions/workflows/test_aws_integration.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test_aws_integration.yaml) [![Azure Deployment Status](https://github.com/nebari-dev/nebari/actions/workflows/test_azure_integration.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test_azure_integration.yaml) [![GCP Deployment Status](https://github.com/nebari-dev/nebari/actions/workflows/test_gcp_integration.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test_gcp_integration.yaml) [![Digital Ocean Deployment Status](https://github.com/nebari-dev/nebari/actions/workflows/test_do_integration.yaml/badge.svg)](https://github.com/nebari-dev/nebari/actions/workflows/test_do_integration.yaml)|
 
 ## Table of contents