SECURITY-59: Add GHA workflows

[Xiangs18]

No description provided.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (e17f604) to head (efa12c8).
Report is 37 commits behind head on develop.

Additional details and impacted files

@@            Coverage Diff            @@
##           develop       #63   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           20        21    +1     
  Lines          658       660    +2     
=========================================
+ Hits           658       660    +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Xiangs18]

self note:

• - ensure integration tests pass locally
• - add some readmes in jsonrpc directories explaining what's going on, why they're vendored, and where the code came from

[Xiangs18]

[MrCreosote]

Standard question about boilerplate GHA yamls

[Xiangs18]

standard boilerplate GHA yamls

[MrCreosote]

not reviewing the vendored code here, assuming it's an exact C&P. If that's not true LMK

[Xiangs18]

exact C&P

[MrCreosote]

not reviewing the vendored code here, assuming it's an exact C&P. If that's not true LMK

[Xiangs18]

exact C&P

[Xiangs18]

I did add one line to fix the failing unit test; otherwise, it would raise a KeyError.

search_api2/jsonrpcbase/main.py

Line 59 in 4fd352a

-32003: 'Elasticsearch response error',

[MrCreosote]

That suggests we're using the wrong version of this library, if there's a missing handler for an internal exception

[MrCreosote]

yeah, so the last commit for jsonrpcbase is alpha5: https://github.com/kbaseincubator/jsonrpcbase/commits/master/

But this codebase is using alpha6

[MrCreosote]

... never mind the fact that the codebase is using something labeled with an alpha at all

[Xiangs18]

#63 (comment)

[MrCreosote]

Why this change?

[Xiangs18]

This was because the old code could not successfully shut down the container, which caused errors in the integration tests. My current code fixes this problem.

[MrCreosote]

What changed such that the container no longer shuts down correctly?

[Xiangs18]

I'm not sure what you're asking. I didn't change anything that would cause the container to stop shutting down. It simply doesn't shut down when I start running the integration tests.

[MrCreosote]

Presumably the integration tests worked at some point in the past. That means that something changed so that the prior method of shutting down the container stopped working. I'm wondering what that change was.

[Xiangs18]

Yes, it needs to be logger.warning; otherwise, the unit test would not pass either.

We need to switch to docker-compose down approach. It was designed for this.

[MrCreosote]

The reason I'm continuing to ask questions is that the service should respond to a sigterm. What we're seeing is that it's not, and (I assume) the reason docker compose down is working is that it's sending a sigterm, waiting 10 seconds, and then sending a sigkill.

All that being said, this is pretty good evidence that I was wrong, and the devs did allow the tests to pass without the service responding to a sigterm: 728b712

As such, can you make an issue noting that the service / container needs to be updated to respond to sigterm correctly, and then go ahead with the docker compose down fix for now

[Xiangs18]

Without the or change, does it time out and print the warning?

If I change logger.warning to Exception in the unit tests, it will raise a timeout error. Now it kind of justifies why logger.warning is used in the unit tests.

[Xiangs18]

Oh great, there's a commit to verify my comment!
#63 (comment)

[Xiangs18]

fixed by docker compose to shut down the container/service
issue created: #64

[MrCreosote]

Same question - why the change?

[Xiangs18]

Running docker-compose down shuts the containers down gracefully, as confirmed by the presence of the "exited with code 0" message in the container.out file.

[MrCreosote]

Sending a sigterm also shuts the containers down gracefully. If a sigterm isn't enough, then docker is sending a sigkill which isn't a graceful shutdown

[Xiangs18]

When using container_process.send_signal(signal.SIGTERM), Docker will not automatically send a SIGKILL if the container does not stop. The behavior you described applies to docker stop and docker-compose.

[MrCreosote]

Right, what I'm saying is that the container shouldn't require a sigkill to stop - it should respond to just a sigterm

[Xiangs18]

#63 (comment)

[MrCreosote]

Why did this change? This seems like a bug that should be fixed in the search api rather than adjusting the tests. I'm guessing an exception changed and is no longer being caught correctly?

[Xiangs18]

Based on the README documentation, -32003 represents an "Elasticsearch response error." This is also asserted on line 52. Additionally, I traced the code, and if it's correct, it should be raising an Elasticsearch response error.

search_api2/src/search2_rpc/service.py

Line 34 in e17f604

raise ElasticsearchError(resp.text)

[MrCreosote]

I think this is probably related to #63 (comment)

The code in this PR is a revision behind that in the requirements toml file. I'd guess this is fixed in in the alpha 6 release

[Xiangs18]

Where is the Alpha6 release? Alpha5 is the vendored repository that we are currently using. Am i missing something?

[MrCreosote]

Search requires alpha 6, not alpha 5: https://github.com/kbase/search_api2/blob/develop/pyproject.toml#L14

As far as where that code lives, none of the branches in the jsonrpcbase repo look promising since they're all behind master. I'd extract it from pypi and update the readme to explain where the code came from

[Xiangs18]

Extracted jsonrpc alpha6 from PyPI, and the unit test passed.

[MrCreosote]

Did you have to make any changes or is it just strict C&P now?

[Xiangs18]

This is a direct copy with no changes. The only difference between alpha5 and alpha6 is the line 'message': RPC_ERRORS.get(code, 'Server error') in the main.py file.

[MrCreosote]

Just to be sure and leave a record: The data returned from the search api is a super set of the objects and workspaces in the response files in this repo, right?

[Xiangs18]

I verified that the data returned from the search API is a superset of the objects and workspaces in the response files (case-03-response.json) in this repository.

[MrCreosote]

Note to self: all comments above this review are resolved

[MrCreosote]

Suggested change

	Simple JSON-RPC service without transport layer.
	This repository includes a vendored copy of [jsonrpcbase](https://github.com/kbaseincubator/jsonrpcbase) to resolve dependency conflicts.
	Specifically, this is version kbase-jsonrpcbase 0.3.0a6, extracted from [pypi](https://pypi.org/project/kbase-jsonrpcbase/)
	The original repository was only used by this project, so the code has been brought in directly to simplify maintenance and eliminate external dependency issues.
	Simple JSON-RPC service without transport layer.
	This repository includes a vendored copy of [jsonrpcbase](https://pypi.org/project/kbase-jsonrpcbase/) version `0.3.0a6` to resolve dependency conflicts.
	Note that there exists a [github repo](https://github.com/kbaseincubator/jsonrpcbase) which is presumably the source of the PyPi module, but it appears to only contain the alpha5 release of the code vs. PyPi's alpha6. It is not clear where the alpha6 code resides other than PyPi,
	The original repository was only used by this project, so the code has been brought in directly to simplify maintenance and eliminate external dependency issues.

[Xiangs18]

👍

[MrCreosote]

Since subprocess run will block until docker compose down is complete, I don't think all this checking code does anything anymore. It won't run until the down is finished

[Xiangs18]

I believe this check is useful and necessary because it verifies that the containers are actually shutting down.

[MrCreosote]

They must be down at this point. Run blocks until the command exits, and check ensures that the exit code is 0. If not, an exception will be thrown. This code can only be reached if the containers are down

[Xiangs18]

fixed

[MrCreosote]

Interestingly the tests are no longer passing. I don't see how the changes you made could've caused that...

[Xiangs18]

[Xiangs18]

removed .common

[MrCreosote]

Same comment as above

[MrCreosote]

LGTM. @bio-boris do you want to review?