From ae46665e30f72ad78f9feb45f0faee2587f8fcd5 Mon Sep 17 00:00:00 2001
From: Tom David Mueller
Date: Thu, 19 Mar 2026 12:54:36 +0100
Subject: [PATCH 1/7] Allow publish workflow to build from branch without a release tag

---
 .github/workflows/publish-docker-images.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 7f6514b..5eb1686 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -8,7 +8,7 @@ on:
 inputs:
 tag:
 description: 'Release tag to build (e.g., v0.9.15)'
- required: true
+ required: false
 
 jobs:
 
@@ -31,16 +31,21 @@ jobs:
 run: |
 if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
 TAG="${{ github.event.inputs.tag }}"
-SHA=$(gh api repos/${{ github.repository }}/git/ref/tags/${TAG} --jq '.object.sha')
+ if [ -n "$TAG" ]; then
+ SHA=$(gh api repos/${{ github.repository }}/git/ref/tags/${TAG} --jq '.object.sha')
+ VERSION="${TAG#v}"
+ else
+ # No tag — build from branch HEAD
+ SHA="${{ github.sha }}"
+ VERSION="${{ github.ref_name }}"
+ fi
 else
 # workflow_run: get the tag from the head branch (release events set head_branch to the tag)
 TAG="${{ github.event.workflow_run.head_branch }}"
 SHA="${{ github.event.workflow_run.head_sha }}"
+ VERSION="${TAG#v}"
 fi
 
- # Strip leading 'v' for version
-VERSION="${TAG#v}"
-
 echo "Resolved tag=${TAG} version=${VERSION} sha=${SHA}"
 echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
 echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
From 323b3fe1edcda7007214fd390667126b4418e220 Mon Sep 17 00:00:00 2001
From: Tom David Mueller
Date: Thu, 19 Mar 2026 13:22:18 +0100
Subject: [PATCH 2/7] Temporarily disable amd64 build and manifest for arm64-only test

---
 .github/workflows/publish-docker-images.yml | 2 ++
 1 file changed, 2 insertions(+)

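Review bot: `TAG="${{ github.event.inputs.tag }}"` and the new `VERSION="${{ github.ref_name }}"` are expanded into the shell script text before bash runs it, so an input or branch name containing `"`, `;` or `$(…)` becomes code rather than data — GitHub's hardening guide lists both `github.event.inputs.*` and `github.ref_name` as script-injection sources, and git branch names may legitimately contain `$`, `;`, quotes and backticks. Move them to an `env:` block on the step (`env:` / `INPUT_TAG: ${{ github.event.inputs.tag }}` / `REF_NAME: ${{ github.ref_name }}`) and read `TAG="$INPUT_TAG"` and `VERSION="$REF_NAME"` in the script; the same applies to `${{ github.event.workflow_run.head_branch }}` on the workflow_run path. Because `$TAG` is then spliced into the `gh api repos/…/git/ref/tags/${TAG}` URL path, also validate it against a strict pattern first, e.g. `[[ "$TAG" =~ ^v?[0-9]+(\.[0-9]+)*$ ]] || { echo "::error::bad tag '$TAG'"; exit 1; }`. The step that owns this `run:` block (its `id`, `env` and `GH_TOKEN` setup) starts before the hunk, so I cannot see whether any of this is already mitigated there.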
diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 5eb1686..1db01cb 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -51,6 +51,7 @@ jobs:
 echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
 
 build-amd64:
+ if: false # temporarily disabled — testing arm64 only
 needs: resolve-tag
 runs-on: ubuntu-latest
 permissions:
@@ -135,6 +136,7 @@ jobs:
 cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache-arm64,mode=max
 
 create-manifest:
+ if: false # temporarily disabled — testing arm64 only
 needs: [resolve-tag, build-amd64, build-arm64]
 runs-on: ubuntu-latest
 permissions:
From 18617af4e8e59d65b3dfe65974789d3309c66de6 Mon Sep 17 00:00:00 2001
From: Tom David Mueller
Date: Thu, 19 Mar 2026 15:44:28 +0100
Subject: [PATCH 3/7] Fix multi-arch manifest creation and Redis ARM64 startup

Add provenance: false to both build steps to prevent Buildx from wrapping images in manifest lists, which caused docker manifest create to fail with "is a manifest list" error. Re-enable amd64 build and create-manifest jobs.

Add --ignore-warnings ARM64-COW-BUG to redis-server in both Dockerfiles so Redis starts on ARM64 kernels instead of exiting with a copy-on-write bug warning.

---
 .github/workflows/publish-docker-images.yml | 4 ++--
 Dockerfile | 2 +-
 Dockerfile.arm | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 1db01cb..015674a 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -51,7 +51,6 @@ jobs:
 echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
 
 build-amd64:
- if: false # temporarily disabled — testing arm64 only
 needs: resolve-tag
 runs-on: ubuntu-latest
 permissions:
@@ -88,6 +87,7 @@ jobs:
 file: Dockerfile
 push: true
 tags: ${{ env.IMAGE }}:${{ needs.resolve-tag.outputs.version }}-amd64
+ provenance: false
 build-args: |
 GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
 cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache-amd64
@@ -130,13 +130,13 @@ jobs:
 file: Dockerfile.arm
 push: true
 tags: ${{ env.IMAGE }}:${{ needs.resolve-tag.outputs.version }}-arm64
+ provenance: false
 build-args: |
 GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
 cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache-arm64
 cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache-arm64,mode=max
 
 create-manifest:
- if: false # temporarily disabled — testing arm64 only
 needs: [resolve-tag, build-amd64, build-arm64]
 runs-on: ubuntu-latest
 permissions:
diff --git a/Dockerfile b/Dockerfile
index 383be30..31275a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -190,7 +190,7 @@ service cron start\n\
 \n\
 # Start Redis server in background\n\
 echo "Starting Redis server..."\n\
-redis-server --daemonize yes --dir /var/lib/redis --appendonly no\n\
+redis-server --daemonize yes --dir /var/lib/redis --appendonly no --ignore-warnings ARM64-COW-BUG\n\
 \n\
 # Wait for Redis to be ready\n\
 until redis-cli ping > /dev/null 2>&1; do\n\
diff --git a/Dockerfile.arm b/Dockerfile.arm
index 6666104..a0241e7 100644
--- a/Dockerfile.arm
+++ b/Dockerfile.arm
@@ -192,7 +192,7 @@ service cron start\n\
 \n\
 # Start Redis server in background\n\
 echo "Starting Redis server..."\n\
-redis-server --daemonize yes --dir /var/lib/redis --appendonly no\n\
+redis-server --daemonize yes --dir /var/lib/redis --appendonly no --ignore-warnings ARM64-COW-BUG\n\
 \n\
 # Wait for Redis to be ready\n\
 until redis-cli ping > /dev/null 2>&1; do\n\
From 5451218172ab23b43bc27d3a66882fd4e750482e Mon Sep 17 00:00:00 2001
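Review bot: `provenance: false` makes `docker manifest create` work by dropping the SLSA provenance attestation that Buildx attaches to every pushed image, so nobody can later verify which workflow run and commit produced `${IMAGE}:<version>-amd64`. The attestation only breaks the legacy `docker manifest` CLI; assembling the multi-arch index with `docker buildx imagetools create -t "$IMAGE:$VERSION" "$IMAGE:$VERSION-amd64" "$IMAGE:$VERSION-arm64"` understands image indexes that carry attestation manifests and lets this line go away. If provenance is restored, be aware that `mode=max` provenance records build arguments, so the `GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}` passed under `build-args:` on the next lines would need to move to build-push-action's `secrets:` input first. The `create-manifest` job itself is outside this hunk; that it calls `docker manifest create` is taken from the commit message.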
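Review bot: The same `provenance: false` is added to the arm64 step, so both halves of the multi-arch image lose their provenance attestation rather than the manifest step learning to handle image indexes. Prefer `docker buildx imagetools create` in `create-manifest` and drop this line; if the line stays, add a comment saying why, e.g. `# provenance disabled only because create-manifest uses docker manifest create — revisit`, so it is not mistaken for a deliberate supply-chain choice. The `build-args:` token on the following lines is pre-existing, but it is the reason `mode=max` provenance cannot simply be switched back on without first moving the token to `secrets:`.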
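Review bot: `--ignore-warnings ARM64-COW-BUG` tells redis-server to start even when its startup check finds the ARM64 copy-on-write kernel bug, which Redis refuses by default because that bug can corrupt memory during fork-based background saves. As far as I know that check is only compiled into ARM64 builds, so in this Dockerfile — which copies `THIRDPARTY/Linux/x86_64` and is the x86_64 image — the flag is inert; either leave it out here or put a comment above the line, e.g. `# ARM64-COW-BUG is a no-op on x86_64; kept identical to Dockerfile.arm`, so nobody assumes the x86 image was validated against the bug. `--appendonly no` disables AOF only; Redis's built-in default `save` rules still take RDB snapshots via `fork()`, so if Redis is purely a cache here add `--save ""` and no fork happens at all. This line lives inside a shell script embedded through `\n\` continuations whose beginning and end are outside the hunk.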
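Review bot: On the arm64 image this is the flag that matters, and ignoring the warning trades startup for a documented data-corruption risk: the check exists because, on affected kernels, a `fork()` for an RDB snapshot or AOF rewrite can corrupt the child's copy of memory — i.e. what gets persisted. `--appendonly no` turns off AOF but not the default `save` snapshots, so if this Redis is an ephemeral cache pass `--save ""` alongside the flag, and if it holds data that must survive, require a fixed kernel instead of suppressing the check. Record the decision above the line, e.g. `# ARM64-COW-BUG ignored: Redis here is an ephemeral cache (no RDB/AOF) — confirm before changing persistence`. The enclosing start script begins and ends outside the hunk.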
From: Tom David Mueller
Date: Thu, 19 Mar 2026 15:45:38 +0100
Subject: [PATCH 4/7] Temporarily disable amd64 and manifest for arm64-only test build

---
 .github/workflows/publish-docker-images.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 015674a..2ab8104 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -51,6 +51,7 @@ jobs:
 echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
 
 build-amd64:
+ if: false # temporarily disabled — arm64-only test build
 needs: resolve-tag
 runs-on: ubuntu-latest
 permissions:
@@ -137,6 +138,7 @@ jobs:
 cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache-arm64,mode=max
 
 create-manifest:
+ if: false # temporarily disabled — arm64-only test build
 needs: [resolve-tag, build-amd64, build-arm64]
 runs-on: ubuntu-latest
 permissions:
From b1c6a437a5925de12e736cde83758ed8c91ed156 Mon Sep 17 00:00:00 2001
From: Tom David Mueller
Date: Thu, 19 Mar 2026 15:46:38 +0100
Subject: [PATCH 5/7] Re-enable amd64 build and manifest creation

---
 .github/workflows/publish-docker-images.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 2ab8104..015674a 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -51,7 +51,6 @@ jobs:
 echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
 
 build-amd64:
- if: false # temporarily disabled — arm64-only test build
 needs: resolve-tag
 runs-on: ubuntu-latest
 permissions:
@@ -138,7 +137,6 @@ jobs:
 cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache-arm64,mode=max
 
 create-manifest:
- if: false # temporarily disabled — arm64-only test build
 needs: [resolve-tag, build-amd64, build-arm64]
 runs-on: ubuntu-latest
 permissions:
From 84cf1340bd643701a9c36b3a159899e3414bff22 Mon Sep 17 00:00:00 2001
From: Tom David Mueller
Date: Fri, 20 Mar 2026 10:16:44 +0100
Subject: [PATCH 6/7] Fix Docker token leak, add CI disk cleanup, update PATH and actions

- Remove ENV GH_TOKEN to prevent token from persisting in published images; use inline env var scoped to the gh release download command only
- Re-declare GITHUB_USER/GITHUB_REPO ARGs in run-app stage (ARGs don't persist across FROM boundaries)
- Add disk space cleanup step to CI build jobs to prevent runner exhaustion
- Remove stale thirdparty PATH entries (Sirius, Fido, etc.) and add Sage
- Upgrade actions/checkout from v3 to v4

---
 .github/workflows/build-docker-images.yml | 14 ++++++++++++--
 Dockerfile | 15 +++++++++------
 Dockerfile.arm | 13 ++++++++-----
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index 1b93903..e6854ae 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -15,7 +15,12 @@ jobs:
 contents: read
 
 steps:
- - uses: actions/checkout@v3
+ - name: Free disk space
+ run: |
+ sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache
+ sudo apt-get clean
+ df -h
+ - uses: actions/checkout@v4
 - name: Build the full Docker image
 run: docker build --file Dockerfile --tag streamlitapp:latest --build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} --output type=tar,dest=/dev/null .
 
@@ -26,6 +31,11 @@ jobs:
 contents: read
 
 steps:
- - uses: actions/checkout@v3
+ - name: Free disk space
+ run: |
+ sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache
+ sudo apt-get clean
+ df -h
+ - uses: actions/checkout@v4
 - name: Build the ARM64 Docker image
 run: docker build --file Dockerfile.arm --tag streamlitapp:latest-arm64 --build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} --output type=tar,dest=/dev/null .
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 31275a6..628c2a0 100644
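Review bot: `- uses: actions/checkout@v4` pins to a mutable tag, so whoever can move the `v4` ref in the action's repository decides what runs with this job's token and checkout; pin to a full commit SHA with the version as a comment, `- uses: actions/checkout@<full-sha> # v4.x.y`, and let Dependabot bump it. The new `Free disk space` step deletes `/opt/hostedtoolcache` before checkout, which is fine for `actions/checkout` (it ships its own node runtime) but means any `setup-*` step added to this job later would re-download its toolchain; a comment such as `# deletes preinstalled SDKs and tool caches to make room for the image build` above the `rm -rf` would save the next person a surprise. `df -h` is printed but nothing checks the result, so the step will never fail on its own — acceptable if that is intended.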
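Review bot: `--build-arg GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}` on the `docker build` command line hands the token over as a build argument, which Docker's own documentation says not to do for secrets: it is visible in the process list and is recorded in the history metadata of every layer that consumes it. Use a BuildKit secret instead — put `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the step and build with `docker build --secret id=gh_token,env=GITHUB_TOKEN …`, consuming it in the Dockerfile via `RUN --mount=type=secret,id=gh_token`. Here the image goes to `--output type=tar,dest=/dev/null` and is never pushed, so the exposure is confined to the runner, but the publish workflow builds with the same `build-args:` and pushes, so the Dockerfile side should change together with this line.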
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,7 +32,6 @@ ARG OPENMS_BRANCH=FVdeploy
 ARG PORT=8501
 # GitHub token to download latest OpenMS executable for Windows from Github action artifact.
 ARG GITHUB_TOKEN
-ENV GH_TOKEN=${GITHUB_TOKEN}
 # Streamlit app Gihub user name (to download artifact from).
 ARG GITHUB_USER=OpenMS
 # Streamlit app Gihub repository name (to download artifact from).
@@ -90,7 +89,7 @@ RUN mkdir /thirdparty && \
 cp -r THIRDPARTY/All/* /thirdparty && \
 cp -r THIRDPARTY/Linux/x86_64/* /thirdparty && \
 chmod -R +x /thirdparty
-ENV PATH="/thirdparty/LuciPHOr2:/thirdparty/MSGFPlus:/thirdparty/Sirius:/thirdparty/ThermoRawFileParser:/thirdparty/Comet:/thirdparty/Fido:/thirdparty/MaRaCluster:/thirdparty/MyriMatch:/thirdparty/OMSSA:/thirdparty/Percolator:/thirdparty/SpectraST:/thirdparty/XTandem:/thirdparty/crux:${PATH}"
+ENV PATH="/thirdparty/LuciPHOr2:/thirdparty/MSGFPlus:/thirdparty/ThermoRawFileParser:/thirdparty/Comet:/thirdparty/Percolator:/thirdparty/Sage:${PATH}"
 
 # Build OpenMS and pyOpenMS.
 FROM setup-build-system AS compile-openms
@@ -250,11 +249,15 @@ RUN mamba run -n streamlit-env python hooks/hook-analytics.py
 RUN jq '.online_deployment = true' settings.json > tmp.json && mv tmp.json settings.json
 
 # Download latest OpenMS App executable as a ZIP file
-RUN if [ -n "$GH_TOKEN" ]; then \
- echo "GH_TOKEN is set, proceeding to download the release asset..."; \
- gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \
+# Re-declare ARGs needed in this stage (ARGs don't persist across FROM)
+ARG GITHUB_TOKEN
+ARG GITHUB_USER=OpenMS
+ARG GITHUB_REPO=FLASHApp
+RUN if [ -n "$GITHUB_TOKEN" ]; then \
+ echo "Downloading release asset..."; \
+ GH_TOKEN="$GITHUB_TOKEN" gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \
 else \
- echo "GH_TOKEN is not set, skipping the release asset download."; \
+ echo "No token, skipping download."; \
 fi
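Review bot: Re-declaring `ARG GITHUB_TOKEN` in the final stage and consuming it in `RUN if [ -n "$GITHUB_TOKEN" ]; then …` does not close the leak the commit title promises: a build argument that a RUN instruction uses is written into that layer's history metadata (`docker history --no-trunc` shows it, and it also lands in max-mode provenance), so the pushed image still carries the token even though `ENV GH_TOKEN` is gone. The way to keep it out of the image is a BuildKit secret mount, which is only visible to that RUN at build time and never stored in a layer; the caller passes `--secret id=gh_token,env=GITHUB_TOKEN` (or build-push-action's `secrets:` input), and the skip-branch keeps working because a missing secret simply leaves `/run/secrets/gh_token` absent. `GITHUB_USER` and `GITHUB_REPO` are fine as build args; only the token needs to move. The build stages that may also consume `GITHUB_TOKEN` are outside this hunk, and the same treatment applies wherever it feeds a RUN there.

```dockerfile
# Re-declare ARGs needed in this stage (ARGs don't persist across FROM)
ARG GITHUB_USER=OpenMS
ARG GITHUB_REPO=FLASHApp
# The token comes from a BuildKit secret, not a build ARG, so it is never stored
# in a layer or shown by `docker history`; build with --secret id=gh_token,env=GITHUB_TOKEN.
RUN --mount=type=secret,id=gh_token \
    if [ -s /run/secrets/gh_token ]; then \
        echo "Downloading release asset..."; \
        GH_TOKEN="$(cat /run/secrets/gh_token)" gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \
    else \
        echo "No token, skipping download."; \
    fi
```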
diff --git a/Dockerfile.arm b/Dockerfile.arm
index a0241e7..92c9c84 100644
--- a/Dockerfile.arm
+++ b/Dockerfile.arm
@@ -32,7 +32,6 @@ ARG OPENMS_BRANCH=FVdeploy
 ARG PORT=8501
 # GitHub token to download latest OpenMS executable for Windows from Github action artifact.
 ARG GITHUB_TOKEN
-ENV GH_TOKEN=${GITHUB_TOKEN}
 # Streamlit app Gihub user name (to download artifact from).
 ARG GITHUB_USER=OpenMS
 # Streamlit app Gihub repository name (to download artifact from).
@@ -252,11 +251,15 @@ RUN mamba run -n streamlit-env python hooks/hook-analytics.py
 RUN jq '.online_deployment = true' settings.json > tmp.json && mv tmp.json settings.json
 
 # Download latest OpenMS App executable as a ZIP file
-RUN if [ -n "$GH_TOKEN" ]; then \
- echo "GH_TOKEN is set, proceeding to download the release asset..."; \
- gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \
+# Re-declare ARGs needed in this stage (ARGs don't persist across FROM)
+ARG GITHUB_TOKEN
+ARG GITHUB_USER=OpenMS
+ARG GITHUB_REPO=FLASHApp
+RUN if [ -n "$GITHUB_TOKEN" ]; then \
+ echo "Downloading release asset..."; \
+ GH_TOKEN="$GITHUB_TOKEN" gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \
 else \
- echo "GH_TOKEN is not set, skipping the release asset download."; \
+ echo "No token, skipping download."; \
 fi
From 15b03a45eab58fe87763dde4d5c9ad4e4e109a98 Mon Sep 17 00:00:00 2001
From: Tom David Mueller
Date: Fri, 20 Mar 2026 12:08:29 +0100
Subject: [PATCH 7/7] Sanitize VERSION for valid Docker tags in publish workflow

---
 .github/workflows/publish-docker-images.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 015674a..714e854 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
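Review bot: As in the x86 Dockerfile, the re-declared `ARG GITHUB_TOKEN` consumed by `RUN if [ -n "$GITHUB_TOKEN" ]; then …` is recorded in that layer's history metadata, so the published arm64 image still exposes the token despite the `ENV GH_TOKEN` removal — build args are not a secret channel. Replace the ARG with a secret mount, `RUN --mount=type=secret,id=gh_token if [ -s /run/secrets/gh_token ]; then echo "Downloading release asset..."; GH_TOKEN="$(cat /run/secrets/gh_token)" gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; else echo "No token, skipping download."; fi`, and pass `--secret id=gh_token,env=GITHUB_TOKEN` (or build-push-action `secrets:`) from the workflows. Keep this block byte-identical to the one in Dockerfile so one image is not fixed while the other keeps leaking. Earlier build stages that may use `GITHUB_TOKEN` are outside the hunk.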
@@ -46,6 +46,9 @@ jobs:
 VERSION="${TAG#v}"
 fi
 
+ # Sanitize VERSION for valid Docker tags: replace / with -, strip invalid chars
+ VERSION=$(echo "$VERSION" | tr '/' '-' | tr -cd 'A-Za-z0-9_.-')
+
 echo "Resolved tag=${TAG} version=${VERSION} sha=${SHA}"
 echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
 echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
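Review bot: The sanitizer still lets through values that are not valid Docker tags: a branch such as `-wip` or `.x` keeps its leading `-`/`.`, a name made only of other characters collapses to an empty string (yielding a tag like `${IMAGE}:-amd64` downstream), and nothing caps the 128-character limit. Extend the pipeline with `| sed 's/^[.-]*//' | cut -c1-128` and fail fast right after it, `[ -n "$VERSION" ] || { echo "::error::VERSION is empty after sanitizing"; exit 1; }`, so a bad ref stops the job instead of failing in the push step. Separately, the no-tag path writes `${IMAGE}:<branch>` into the same namespace as release versions, so a branch named like a version (`1.2.3`) would overwrite a released image; prefixing non-tag builds (e.g. `VERSION="branch-${VERSION}"` in the branch arm above this hunk) removes that collision. `IMAGE` and the push steps are outside the hunk, so the collision risk is inferred from the tag expressions in the build jobs.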