Merge branch 'master' into 6158_azcopy_hides_error_message

Author: adamrtalbot

.github/actions/security-scan-branch/action.yml

@@ -0,0 +1,60 @@
+name: Security SCA scan for branch
+description: Scan nextflow branch for security vulnerabilities on third-party dependencies
+
+inputs: 
+  branch:
+    description: The branch to scan for security vulnerabilities
+    required: true
+
+runs: 
+  using: "composite"
+  steps:
+    - name: Checkout repository first
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+    - name: Checkout target branch
+      if: ${{ inputs.branch != '' }}
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      with:
+        ref: ${{ inputs.branch }}
+        fetch-depth: 0
+        path: target-branch
+
+    - name: Setup Java 
+      uses: actions/setup-java@v4
+      with:
+        java-version: ${{ inputs.java_version || '21' }}
+        distribution: 'temurin'
+        architecture: x64
+        cache: gradle
+
+    - name: Compile
+      shell: bash
+      run: |
+        if [ -d target-branch ]; then
+          cd target-branch
+        fi
+        make assemble
+
+    - name: assume role
+      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
+      with:
+        aws-region: "eu-west-1"
+        role-to-assume: "arn:aws:iam::730335503331:role/AmazonInspectorScanRoleForNextflow" 
+
+    - name: Run SCA scan
+      id: inspector
+      uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@5dc8a4bafed85c4c3d7070b4a7ada5b9d94041e3 #v1.2.1
+      with:
+        artifact_type: "repository"
+        artifact_path: ${{ inputs.branch != '' && './target-branch' || '.' }}
+        display_vulnerability_findings: "enabled"
+        critical_threshold: 1
+        high_threshold: 1
+
+    - name: On vulnerability threshold exceeded
+      run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
+      shell: bash
+
+
+

.github/workflows/security-sca-scan-cron.yml

@@ -0,0 +1,26 @@
+name: Security SCA Scan Cron weekly
+# This workflow runs a security scan on the specified branches of the Nextflow repository once a week
+
+on:
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: 
+          - "STABLE-24.10.x"
+          - "STABLE-25.04.x"
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      - name: Run Security SCA Scan
+        uses: ./.github/actions/security-scan-branch
+        with:
+          branch: ${{ matrix.branch }}

.github/workflows/security-sca-scan-master.yml

@@ -0,0 +1,18 @@
+name: Security SCA Scan Cron weekly
+# This workflow runs a security scan on master push
+
+on:
+  push:
+    branches:
+      - master
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      - name: Run Security SCA Scan
+        uses: ./.github/actions/security-scan-branch

changelog.txt

@@ -1,5 +1,21 @@
 NEXTFLOW CHANGE-LOG
 ===================
+25.04.4 - 16 Jun 2024
+- Fix bug in generated Groovy code (#6082) [ead2f320]
+- Fix default imports in included configs (#6096) [831a577b]
+- Fix variable checking in v2 config parser (#6097) [686ff608]
+- Sort linter errors/warnings by source location (#6098) [f51f339c]
+
+24.10.8 - 6 Jun 2025
+- Add Fusion license validation [02b4dd74]
+- Bump nf-wave@1.7.5-patch1 [cf6af9c5]
+- Bump nf-tower@1.9.3-patch1 [bdef2177]
+
+24.04.5 - 6 Jun 2025
+- Add Fusion license validation [cb7210b9]
+- Bump nf-wave@1.4.2-patch2 [69b63342]
+- Bump nf-tower@1.9.1-patch1 [8bfdc673]
+
 25.05.0-edge - 2 Jun 2025
 - Add Failsafe retry mechanism in K8s (#6083) [9e675c6a]
 - Add Platform info to Fusion license (#6142) [75f1bc52]
@@ -26,6 +42,11 @@ NEXTFLOW CHANGE-LOG
 - Bump nf-google@1.22.0 [0f6498f1]
 - Bump nf-azure@1.17.0 [0b491840]
 
+25.04.3 - 2 Jun 2025
+- Add Platform info to Fusion license (#6142) [375db65a]
+- Force overwritting to trace file (#6105) [59e9d88d]
+- Bump nf-tower@1.11.3 [f7509bce] 
+
 25.04.2 - 13 May 2025
 - Add check subcommand in lineage (#6074) [5ba67bca]
 - Fix issues with `lint` console output (#6064) [7405f513]

docs/aws.md

@@ -86,6 +86,8 @@ Minimal permissions policies to be attached to the AWS account used by Nextflow
   "ecr:ListTagsForResource"
   ```
 
+  Alternatively, you can use AWS provided `AmazonEC2ContainerRegistryReadOnly` managed policy.
+
 :::{note}
 If you are running Fargate or Fargate Spot, you may need the following policies in addition to the listed above:
   ```json

docs/reference/config.md

@@ -8,6 +8,9 @@ This page lists all of the available settings in the {ref}`Nextflow configuratio
 
 ## Unscoped options
 
+`bucketDir`
+: The remote work directory used by hybrid workflows. Equivalent to the `-bucket-dir` option of the `run` command.
+
 `cleanup`
 : If `true`, on a successful completion of a run all files in *work* directory are automatically deleted.
 

docs/reference/process.md

@@ -848,7 +848,7 @@ process hello {
   errorStrategy 'retry'
   maxSubmitAwait '10 mins'
   maxRetries 3
-  queue "${task.submitAttempt==1 : 'spot-compute' : 'on-demand-compute'}"
+  queue "${task.submitAttempt==1 ? 'spot-compute' : 'on-demand-compute'}"
 
   script:
   """

modules/nextflow/src/main/groovy/nextflow/conda/CondaCache.groovy

@@ -166,19 +166,6 @@ class CondaCache {
         str.endsWith('.txt') && !str.contains('\n')
     }
 
-    static protected String sipHash(CharSequence data) {
-        Hashing
-            .sipHash24()
-            .newHasher()
-            .putUnencodedChars(data)
-            .hash()
-            .toString()
-    }
-
-    static protected String sipHash(Path path) {
-        sipHash(path.toAbsolutePath().normalize().toString())
-    }
-
     /**
      * Get the path on the file system where store a Conda environment
      *
@@ -200,7 +187,6 @@ class CondaCache {
             try {
                 final path = condaEnv as Path
                 content = path.text
-                name = 'env-' + sipHash(path)
 
             }
             catch( NoSuchFileException e ) {
@@ -214,7 +200,6 @@ class CondaCache {
             try {
                 final path = condaEnv as Path
                 content = path.text
-                name = 'env-' + sipHash(path)
             }
             catch( NoSuchFileException e ) {
                 throw new IllegalArgumentException("Conda environment file does not exist: $condaEnv")
@@ -284,6 +269,11 @@ class CondaCache {
 
     @PackageScope
     Path createLocalCondaEnv0(String condaEnv, Path prefixPath) {
+        if( prefixPath.isDirectory() ) {
+            log.debug "${binaryName} found local env for environment=$condaEnv; path=$prefixPath"
+            return prefixPath
+        }
+
         log.info "Creating env using ${binaryName}: $condaEnv [cache $prefixPath]"
 
         String opts = createOptions ? "$createOptions " : ''

modules/nextflow/src/main/groovy/nextflow/config/ConfigValidator.groovy

@@ -36,7 +36,6 @@ class ConfigValidator {
      * Hidden options added by ConfigBuilder
      */
     private static final List<String> hiddenOptions = List.of(
-        'bucketDir',
         'cacheable',
         'dumpChannels',
         'libDir',

modules/nextflow/src/main/groovy/nextflow/scm/AzureRepositoryProvider.groovy

@@ -16,6 +16,7 @@
 
 package nextflow.scm
 
+import java.net.http.HttpResponse
 import java.util.regex.Pattern
 
 import groovy.transform.CompileDynamic
@@ -162,14 +163,11 @@ final class AzureRepositoryProvider extends RepositoryProvider {
      *
      * @param connection A {@link HttpURLConnection} connection instance
      */
-    protected checkResponse( HttpURLConnection connection ) {
-
-        if (connection.getHeaderFields().containsKey("x-ms-continuationtoken")) {
-            this.continuationToken = connection.getHeaderField("x-ms-continuationtoken");
-        } else {
-            this.continuationToken = null
-        }
-
+    protected checkResponse( HttpResponse<String> connection ) {
+        this.continuationToken = connection
+                .headers()
+                .firstValue("x-ms-continuationtoken")
+                .orElse(null)
         super.checkResponse(connection)
     }