nebari-dev · Helion55 · Feb 1, 2025 · Feb 1, 2025 · Feb 1, 2025 · Feb 1, 2025
diff --git a/.github/ISSUE_TEMPLATE/RFD.md b/.github/ISSUE_TEMPLATE/RFD.md
@@ -0,0 +1,52 @@
+---
+name: "Request for Discussion (RFD) 💬"
+about: Open discussion about a feature or design project in Nebari.
+labels:
+  - "type: RFD"
+title: "RFD - Title"
+---
+
+<!-- Example of when and how to create a RFD or RFC (request for comments) -->
+<!-- https://gitpod.notion.site/Decision-Making-RFCs-eb4a57f3a34f40f1afbd95e05322af70 -->
+
+<!-- Use this guide to set the status: Draft 🚧 / Open for comments 💬/ Accepted ✅ /Implemented 🚀/ Obsolete 🗃  -->
+
+| Status            | Draft 🚧 / Open for comments 💬/ Accepted ✅ /Implemented 🚀/ Obsolete 🗃 |
+| ----------------- | ------------------------------------------------------------------------ |
+| Author(s)         | GitHub handle                                                            |
+| Date Created      | dd-MM-YYY                                                                |
+| Date Last updated | dd-MM-YYY                                                                |
+| Decision deadline | dd-MM-YYY                                                                |
+
+# Title
+
+## Summary
+
+<!-- What are we trying to solve here?  Try and make this concise-->
+
+## User benefit
+
+<!-- How will users (or other contributors) benefit from this work? What would be the headline in the release notes or blog post? -->
+
+## Design Proposal
+
+<!--This is the meat of the document, where you explain your proposal.
+
+Explain the design in enough detail for somebody familiar with the project to understand. Include examples of how the feature/implementation will work. Feel free to add schematics, drawings or other supporting visual material.  -->
+
+### Alternatives or approaches considered (if any)
+
+<!-- Make sure to discuss the relative merits of alternatives to your proposal. -->
+
+### Best practices
+
+<!-- Does this proposal change best practices for some aspect of using/developing JupyterLab or other project? How will these changes be communicated/enforced?
+ -->
+
+### User impact
+
+<!-- What are the user-facing changes? How will this feature be rolled out? -->
+
+## Unresolved questions
+
+<!-- Seed this with open questions you require feedback on from the RFD process. -->
@@ -0,0 +1,56 @@
+name: "Documentation 📖"
+description: Did you find an error in our documentation? Report your findings here.
+title: "[DOC] - <title>"
+labels: ["area: documentation 📖"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        # Welcome 👋
+
+        Thanks for using Nebari and taking some time to contribute to this project.
+
+        Please fill out each section below. This info allows Nebari maintainers to diagnose (and fix!) your issue as
+        quickly as possible.
+        Before submitting a bug, please make sure the issue hasn't been already addressed by searching through
+        [the past issues](https://github.com/nebari-dev/nebari-docs/issues).
+
+        Useful links:
+
+        - Documentation: https://www.nebari.dev
+        - Contribution guidelines: https://www.nebari.dev/community/
+
+  - type: checkboxes
+    attributes:
+      label: Preliminary Checks
+      description: Please make sure that you verify each checkbox and follow the instructions for them.
+      options:
+        - label: "This issue is not a question, feature request, RFC, or anything other than a bug report. Please post those things in GitHub Discussions: https://github.com/nebari-dev/nebari/discussions"
+          required: true
+  - type: textarea
+    validations:
+      required: true
+    attributes:
+      label: Summary
+      description: |
+        What problem(s) did you run into that caused you to request a fix to the documentation or additional
+        documentation? What questions do you think we should answer?
+
+  - type: textarea
+    validations:
+      required: true
+    attributes:
+      label: Steps to Resolve this Issue
+      description: |
+        How can the problem be solved? Are there any additional steps required? Do any other pages need to be updated?
+      value: |
+        1.
+        2.
+        3.
+        ...
+
+  - type: markdown
+    attributes:
+      value: >
+        Thanks for contributing 🎉!
@@ -0,0 +1,123 @@
+# Build and push images to:
+# GitHub Container Registry (ghcr.io)
+# Red Hat Container Registry (quay.io)
+name: "Build Docker Images"
+
+on:
+  workflow_dispatch: null
+  push:
+    branches:
+      - "*"
+    paths:
+      - "Dockerfile"
+      - "dask-worker/*"
+      - "jupyterhub/*"
+      - "jupyterlab/*"
+      - "nebari-workflow-controller/*"
+
+      - "scripts/*"
+
+      - ".github/workflows/build-push-docker.yaml"
+    tags:
+      - "*"
+
+env:
+  DOCKER_ORG: nebari
+  GPU_BASE_IMAGE: nvidia/cuda:12.8.1-base-ubuntu24.04
+  GPU_IMAGE_SUFFIX: gpu
+  BASE_IMAGE: ubuntu:24.04
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  security-events: write
+
+# https://docs.github.com/en/actions/using-jobs/using-concurrency
+concurrency:
+  # only cancel in-progress jobs or runs for the current workflow - matches against branch & tags
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-images:
+    name: "Build Docker Images"
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        dockerfile:
+          - jupyterlab
+          - jupyterhub
+          - dask-worker
+          - workflow-controller
+        platform:
+          - gpu
+          - cpu
+        exclude:
+          # excludes JupyterHub/GPU, Workflow Controller/GPU
+          - dockerfile: jupyterhub
+            platform: gpu
+          - dockerfile: workflow-controller
+            platform: gpu
+
+    steps:
+      - name: "Checkout Repository 🛎️"
+        uses: actions/checkout@v3
+
+      - name: "Set up Docker Buildx 🛠️"
+        uses: docker/setup-buildx-action@v2
+
+      - name: "Login to GitHub Container Registry 🔐"
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.BOT_GHCR_TOKEN }}
+
+      - name: "Login to Quay Container Registry 🔐"
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: "Set BASE_IMAGE and Image Suffix 📷"
+        if: ${{ matrix.platform == 'gpu' }}
+        run: |
+          echo "GPU Platform Matrix"
+          echo "BASE_IMAGE=$GPU_BASE_IMAGE" >> $GITHUB_ENV
+          echo "IMAGE_SUFFIX=-$GPU_IMAGE_SUFFIX" >> $GITHUB_ENV
+
+      - name: "Generate Docker images tags 🏷️"
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            "quay.io/${{ env.DOCKER_ORG }}/nebari-${{ matrix.dockerfile }}${{ env.IMAGE_SUFFIX }}"
+            "ghcr.io/${{ github.repository_owner }}/nebari-${{ matrix.dockerfile }}${{ env.IMAGE_SUFFIX }}"
+          tags: |
+            # branch event -> e.g. `main-f0f6994-20221001`
+            type=ref, event=branch, suffix=-{{sha}}-{{date 'YYYYMMDD'}}
+            # needed for integration tests
+            type=ref, event=branch
+            # on tag push -> e.g. `2022.10.1`
+            type=ref, event=tag
+
+      - name: "Inspect image dir tree 🔍"
+        run: |
+          sudo apt-get install tree
+          tree .
+
+      - name: "Build docker images 🐳"
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: "Dockerfile"
+          target: ${{ matrix.dockerfile }}
+          tags: ${{ steps.meta.outputs.tags }}
+          push: ${{ github.event_name != 'pull_request' }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: BASE_IMAGE=${{ env.BASE_IMAGE }}
+          platforms: linux/amd64,linux/arm64
@@ -0,0 +1,40 @@
+name: Code Scanning
+
+on:
+  push:
+    branches: [ "main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  SAST:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Trivy config Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in config mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
@@ -0,0 +1,77 @@
+name: Test Docker images
+
+on:
+  pull_request:
+    paths:
+      - "Dockerfile.*"
+
+      - "dask-worker/*"
+      - "jupyterhub/*"
+      - "jupyterlab/*"
+
+      - "scripts/*"
+
+      - ".github/workflows/build-push-docker.yaml"
+      - ".github/workflows/test-images.yaml"
+
+env:
+  DOCKER_ORG: nebari
+  GITHUB_SHA: ${{ github.sha }}
+  GPU_BASE_IMAGE: nvidia/cuda:12.8.1-base-ubuntu24.04
+  GPU_IMAGE_SUFFIX: gpu
+  BASE_IMAGE: ubuntu:24.04
+
+# https://docs.github.com/en/actions/using-jobs/using-concurrency
+concurrency:
+  # only cancel in-progress jobs or runs for the current workflow - matches against branch & tags
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-test-images:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        dockerfile:
+          - jupyterlab
+          - jupyterhub
+          - dask-worker
+        platform:
+          - gpu
+          - cpu
+        exclude:
+          # excludes JupyterHub/GPU
+          - dockerfile: jupyterhub
+            platform: gpu
+    steps:
+      - name: Checkout Repository 🛎
+        uses: actions/checkout@v3
+
+      - name: Lint Dockerfiles 🔍
+        uses: jbergstroem/hadolint-gh-action@v1
+        with:
+          dockerfile: Dockerfile
+          output_format: tty
+          error_level: 0
+
+      - name: "Set BASE_IMAGE and Image Suffix 📷"
+        if: ${{ matrix.platform == 'gpu' }}
+        run: |
+          echo "GPU Platform Matrix"
+          echo "BASE_IMAGE=$GPU_BASE_IMAGE" >> $GITHUB_ENV
+          echo "IMAGE_SUFFIX=-$GPU_IMAGE_SUFFIX" >> $GITHUB_ENV
+
+      - name: "Set up Docker Buildx 🛠️"
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Image 🛠
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: "Dockerfile"
+          target: ${{ matrix.dockerfile }}
+          push: false
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: BASE_IMAGE=${{ env.BASE_IMAGE }}
+          platforms: linux/amd64,linux/arm64
@@ -82,3 +82,28 @@ repos:
       - id: terraform_fmt
         args:
           - --args=-write=true
+
+  # Autoformat: markdown, yaml to ensure that it doesn't need to be updated in other repos
+  - repo: https://github.com/pre-commit/mirrors-prettier
+    rev: v2.6.1
+    hooks:
+      - id: prettier
+
+    # Misc...
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    # ref: https://github.com/pre-commit/pre-commit-hooks#hooks-available
+    hooks:
+      # Autoformat: Makes sure files end in a newline and only a newline.
+      - id: end-of-file-fixer
+
+      # Trims trailing whitespace.
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+
+      # Lint: Check for files with names that would conflict on a
+      # case-insensitive filesystem like MacOS HFS+ or Windows FAT.
+      - id: check-case-conflict
+
+      # Lint: Checks that non-binary executables have a proper shebang.
+      - id: check-executables-have-shebangs