Skip to content

Fix: GH Action schedule failed to create promotion ticket (#8041)#8110

Merged
nadove-ucsc merged 6 commits into
developfrom
issues/achave11-ucsc/8041-add-GL-schdule
Jul 9, 2026
Merged

Fix: GH Action schedule failed to create promotion ticket (#8041)#8110
nadove-ucsc merged 6 commits into
developfrom
issues/achave11-ucsc/8041-add-GL-schdule

Conversation

@achave11-ucsc

@achave11-ucsc achave11-ucsc commented Jun 11, 2026

Copy link
Copy Markdown
Member

Linked issues: #8041

Checklist

Author

  • PR is assigned to the author
  • Status of PR is In progress
  • PR is a draft
  • Target branch is develop
  • Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
  • PR is linked to all issues it (partially) resolves
  • Status of linked issues is In progress
  • PR description links to linked issues
  • PR title matches1 that of a linked issue or comment in PR explains why they're different
  • PR title references all linked issues
  • For each linked issue, there is at least one commit whose title references that issue

1 when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

  • Added p tag to titles of partial commits
  • This PR is labeled partial or completely resolves all linked issues
  • This PR partially resolves each of the linked issues or does not have the partial label

Author (reindex)

  • Added r tag to commit title or the changes introduced by this PR will not require reindexing of any deployment
  • This PR is labeled reindex:dev or the changes introduced by it will not require reindexing of dev
  • This PR is labeled reindex:anvildev or the changes introduced by it will not require reindexing of anvildev
  • This PR is labeled reindex:anvilprod or the changes introduced by it will not require reindexing of anvilprod
  • This PR is labeled reindex:prod or the changes introduced by it will not require reindexing of prod
  • This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod

Author (mirror)

  • This PR is labeled mirror:dev or the changes introduced by it will not require mirroring of dev
  • This PR is labeled mirror:anvildev or the changes introduced by it will not require mirroring of anvildev
  • This PR is labeled mirror:anvilprod or the changes introduced by it will not require mirroring of anvilprod
  • This PR is labeled mirror:prod or the changes introduced by it will not require mirroring of prod
  • This PR is labeled mirror:partial and its description documents the specific mirroring procedure for dev, anvildev, anvilprod and prod or requires a full mirroring or carries none of the labels mirror:dev, mirror:anvildev, mirror:anvilprod and mirror:prod

Author (API changes)

  • This PR and its linked issues are labeled API or this PR does not modify a REST API
  • Added a (A) tag to commit title for backwards (in)compatible changes or this PR does not modify a REST API
  • Updated REST API version number in app.py or this PR does not modify a REST API

Author (upgrading deployments)

  • Ran make docker_images.json and committed the resulting changes or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable
  • Documented upgrading of deployments in UPGRADING.rst or this PR does not require upgrading deployments
  • Added u tag to commit title or this PR does not require upgrading deployments
  • This PR is labeled upgrade or does not require upgrading deployments
  • This PR is labeled deploy:shared or does not modify docker_images.json, and does not require deploying the shared component for any other reason
  • This PR is labeled deploy:gitlab or does not require deploying the gitlab component
  • This PR is labeled deploy:runner or does not require deploying the runner image

Author (hotfixes)

  • Added F tag to main commit title or this PR does not include permanent fix for a temporary hotfix
  • Reverted the temporary hotfixes for any linked issues or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues linked to this PR

Author (before every review)

  • Rebased PR branch on develop, squashed fixups from prior reviews
  • Ran make requirements_update or this PR does not modify Dockerfile, environment, requirements*.txt, common.mk, Makefile or environment.boot
  • Added R tag to commit title or this PR does not modify requirements*.txt
  • This PR is labeled reqs or does not modify requirements*.txt
  • make integration_test passes in personal deployment or this PR does not modify functionality that could affect the IT outcome
  • PR is awaiting requested review from a peer
  • Status of PR is Review requested
  • PR is assigned to only the peer and the author

Peer reviewer (after approval)

Note that after requesting changes, the PR must be assigned to only the author.

  • Actually approved the PR
  • PR is not a draft
  • PR is awaiting requested review from system administrator
  • Status of PR is Review requested
  • PR is assigned to only the system administrator and the author

System administrator (after approval)

  • Actually approved the PR
  • Labeled linked issues as demo or no demo
  • Commented on linked issues about demo expectations or all linked issues are labeled no demo
  • Decided if PR can be labeled no sandbox
  • A comment to this PR details the completed security design review
  • PR title is appropriate as title of merge commit
  • N reviews label is accurate
  • Status of PR is Approved
  • Applied upgrade instructions from UPGRADING.rst to GitLab dev
  • Applied upgrade instructions from UPGRADING.rst to GitLab anvildev
  • PR is assigned to only the operator and the author

Operator

  • Checked reindex:… labels and r commit title tag
  • Checked mirror:… labels
  • Checked that demo expectations are clear or all linked issues are labeled no demo
  • Squashed PR branch and rebased onto develop
  • Sanity-checked history
  • Pushed PR branch to GitHub

Operator (deploy .shared and .gitlab components)

  • Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Checked the items in the next section or this PR is labeled deploy:gitlab
  • PR is assigned to only the system administrator and the author or this PR is not labeled deploy:gitlab

System administrator (post-deploy of .gitlab component)

  • Background migrations for dev.gitlab are complete or this PR is not labeled deploy:gitlab
  • Background migrations for anvildev.gitlab are complete or this PR is not labeled deploy:gitlab
  • PR is assigned to only the operator and the author

Operator (deploy runner image)

  • Ran _select dev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Ran _select anvildev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner

Operator (sandbox build)

  • Added sandbox label or PR is labeled no sandbox
  • Pushed PR branch to GitLab dev or PR is labeled no sandbox
  • Pushed PR branch to GitLab anvildev or PR is labeled no sandbox
  • Build passes in sandbox deployment or PR is labeled no sandbox
  • Build passes in anvilbox deployment or PR is labeled no sandbox
  • Reviewed build logs for anomalies in sandbox deployment or PR is labeled no sandbox
  • Reviewed build logs for anomalies in anvilbox deployment or PR is labeled no sandbox
  • Applied upgrade instructions from UPGRADING.rst to sandbox or this PR is not labeled upgrade, or upgrade instructions do not apply to sandbox
  • Applied upgrade instructions from UPGRADING.rst to anvilbox or this PR is not labeled upgrade, or upgrade instructions do not apply to anvilbox
  • Deleted unreferenced indices in sandbox or this PR does not remove catalogs or otherwise causes unreferenced indices in sandbox
  • Deleted unreferenced indices in anvilbox or this PR does not remove catalogs or otherwise causes unreferenced indices in anvilbox
  • Started reindex in sandbox or this PR is not labeled reindex:dev
  • Started reindex in anvilbox or this PR is not labeled reindex:anvildev
  • Checked for failures in sandbox or this PR is not labeled reindex:dev
  • Checked for failures in anvilbox or this PR is not labeled reindex:anvildev
  • Started mirroring in sandbox or this PR is not labeled mirror:dev
  • Started mirroring in anvilbox or this PR is not labeled mirror:anvildev
  • Checked for failures in sandbox or this PR is not labeled mirror:dev
  • Checked for failures in anvilbox or this PR is not labeled mirror:anvildev

Operator (merge the branch)

  • All status checks passed and the PR is mergeable
  • The title of the merge commit starts with the title of this PR
  • Added PR # reference to merge commit title
  • Collected commit title tags in merge commit title but only included p if the PR is also labeled partial
  • Pushed merge commit to GitHub
  • Status of PR is Merged lower
  • Status of blocked issues is Triage or no issues are blocked on the linked issues

Operator (main build)

  • Pushed merge commit to GitLab dev
  • Pushed merge commit to GitLab anvildev
  • Build passes on GitLab dev
  • Reviewed build logs for anomalies on GitLab dev
  • Build passes on GitLab anvildev
  • Reviewed build logs for anomalies on GitLab anvildev
  • Applied upgrade instructions from UPGRADING.rst to dev or this PR is not labeled upgrade, or upgrade instructions do not apply to dev
  • Applied upgrade instructions from UPGRADING.rst to anvildev or this PR is not labeled upgrade, or upgrade instructions do not apply to anvildev
  • Notified developers to apply upgrade instructions from UPGRADING.rst to their personal deployments or this PR is not labeled upgrade, or upgrade instructions do not apply to personal deployments
  • tempdev owner hibernated the deployment
  • Ran _select dev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared</
    sub>
  • Ran _select anvildev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Deleted PR branch from GitHub
  • PR is assigned to only the operator
  • Deleted PR branch from GitLab dev
  • Deleted PR branch from GitLab anvildev
  • Status of linked issues is Lower, or Triage, if PR is partial

Operator (reindex)

  • Deindexed all unreferenced catalogs in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Deindexed all unreferenced catalogs in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Deindexed specific sources in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Deindexed specific sources in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Indexed specific sources in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Indexed specific sources in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Started reindex in dev or this PR does not require reindexing dev
  • Started reindex in anvildev or this PR does not require reindexing anvildev
  • Checked for, triaged and possibly requeued messages in both fail queues in dev or this PR does not require reindexing dev
  • Checked for, triaged and possibly requeued messages in both fail queues in anvildev or this PR does not require reindexing anvildev
  • Emptied fail queues in dev or this PR does not require reindexing dev
  • Emptied fail queues in anvildev or this PR does not require reindexing anvildev
  • Restarted the Data Browser pipeline for the ucsc/hca/dev branch on GitLab in dev or this PR does not require reindexing dev
  • Restarted the Data Browser pipeline for the ucsc/lungmap/dev branch on GitLab in dev or this PR does not require reindexing dev
  • Restarted deploy_browser job in the GitLab pipeline for this PR in dev or this PR does not require reindexing dev
  • Restarted the Data Browser pipeline for the ucsc/anvil/anvildev branch on GitLab in anvildev or this PR does not require reindexing anvildev
  • Restarted deploy_browser job in the GitLab pipeline for this PR in anvildev or this PR does not require reindexing anvildev

Operator (mirroring)

  • Started mirroring in dev or this PR is not labelled mirror:dev
  • Started mirroring in anvildev or this PR is not labelled mirror:anvildev
  • Checked for, triaged and possibly requeued messages in mirror fail queue in dev or this PR is not labelled mirror:dev
  • Checked for, triaged and possibly requeued messages in mirror fail queue in anvildev or this PR is not labelled mirror:anvildev
  • Emptied mirror fail queue in dev or this PR is not labelled mirror:dev
  • Emptied mirror fail queue in anvildev or this PR is not labelled mirror:anvildev

Operator

  • Propagated the upgrade and API labels to the next promotion PRs or this PR carries neither of these labels
  • Propagated the deploy:shared, deploy:gitlab, deploy:runner, reindex:partial, reindex:anvilprod, reindex:prod, mirror:partial, mirror:anvilprod and mirror:prod labels to the next promotion PRs or this PR carries none of these labels
  • Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, reindex:partial, reindex:anvilprod, reindex:prod, mirror:partial, mirror:anvilprod and mirror:prod labels, from the description of this PR to that of the next promotion PRs or this PR carries none of these labels
  • PR is assigned to no one

Shorthand for review comments

  • L line is too long
  • W line wrapping is wrong
  • Q bad quotes
  • F other formatting problem

@achave11-ucsc achave11-ucsc self-assigned this Jun 11, 2026
@achave11-ucsc achave11-ucsc linked an issue Jun 11, 2026 that may be closed by this pull request
@achave11-ucsc achave11-ucsc marked this pull request as draft June 11, 2026 17:35
@codecov

codecov Bot commented Jun 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.35%. Comparing base (dda3db9) to head (eab7c7a).

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #8110   +/-   ##
========================================
  Coverage    84.35%   84.35%           
========================================
  Files          166      166           
  Lines        24460    24460           
========================================
  Hits         20633    20633           
  Misses        3827     3827           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coveralls

coveralls commented Jun 11, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 84.435%. remained the same — issues/achave11-ucsc/8041-add-GL-schdule into develop

@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/8041-add-GL-schdule branch 8 times, most recently from 268e612 to 05a0ec8 Compare June 16, 2026 17:34
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/8041-add-GL-schdule branch from f7e524d to 76a32f7 Compare June 16, 2026 20:49
@dsotirho-ucsc dsotirho-ucsc removed their assignment Jun 22, 2026

@dsotirho-ucsc dsotirho-ucsc left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Merge conflicts.

@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/8041-add-GL-schdule branch from 76a32f7 to 138a360 Compare June 24, 2026 00:43
@achave11-ucsc achave11-ucsc added the upgrade [process] PR includes commit requiring manual upgrade label Jun 24, 2026
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/8041-add-GL-schdule branch from 138a360 to cdf2f14 Compare June 25, 2026 05:23
@achave11-ucsc achave11-ucsc requested review from dsotirho-ucsc and removed request for dsotirho-ucsc June 25, 2026 06:00
@achave11-ucsc achave11-ucsc removed the request for review from nadove-ucsc June 29, 2026 22:06
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/8041-add-GL-schdule branch 2 times, most recently from 9b567ee to b2ce00a Compare June 29, 2026 23:20
nadove-ucsc
nadove-ucsc previously approved these changes Jun 30, 2026
@nadove-ucsc nadove-ucsc marked this pull request as ready for review June 30, 2026 05:44
dsotirho-ucsc
dsotirho-ucsc previously approved these changes Jul 1, 2026
Comment thread README.md Outdated
Comment on lines +66 to +69
- Optionally, [GitHub CLI], which is used by the scheduled GitLab job,
`github_schedule`, to create the GitHub issues from templates. You may install
the version set at `azul_ghcli_version` in [environment.py](environment.py),
or any compatible recent version.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Optionally, [GitHub CLI], which is used by the scheduled GitLab job,
`github_schedule`, to create the GitHub issues from templates. You may install
the version set at `azul_ghcli_version` in [environment.py](environment.py),
or any compatible recent version.
- Optionally, the [GitHub CLI]. You should install
the version set at `azul_ghcli_version` in [environment.py](environment.py),
or a more recent, compatible version.

Comment thread UPGRADING.rst Outdated

Next, confirm with the SA that the ``azul_github_access_token`` used in both
instances' ``environment.local.py`` is set, and that its permissions are
equivalent to the ``AZUL_GITHUB_TOKEN`` in the GitHub Action secrets.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
equivalent to the ``AZUL_GITHUB_TOKEN`` in the GitHub Action secrets.
equivalent to that of the token deposited in the ``AZUL_GITHUB_TOKEN`` GitHub Action secret.

Comment thread UPGRADING.rst Outdated
2) Set the interval pattern to ``0 * * * *`` on ``dev`` and ``30 * * * *`` on
``anvildev``.

3) Set the cron timezone to ``Pacific Time (US & Canada)``

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
3) Set the cron timezone to ``Pacific Time (US & Canada)``
3) Set the Cron timezone to ``Pacific Time (US & Canada)``

Comment thread UPGRADING.rst Outdated
instances' ``environment.local.py`` is set, and that its permissions are
equivalent to the ``AZUL_GITHUB_TOKEN`` in the GitHub Action secrets.

Lastly, remove ``AZUL_GITHUB_TOKEN`` from the GitHub Action secrets.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure that operators have the necessary permissions to do this.

hannes-ucsc
hannes-ucsc previously approved these changes Jul 7, 2026
@hannes-ucsc

hannes-ucsc commented Jul 7, 2026

Copy link
Copy Markdown
Member

(Posted by Claude Code)

Superseded — see updated security design review.


Security Design Review

PR Summary: This PR migrates the scheduled GitHub issue creation from a GitHub Action to a GitLab CI job. It installs the GitHub CLI (gh) in the Docker image, adds a github_schedule GitLab CI job that runs .github/workflows/schedule.py using azul_github_access_token, and moves the old GitHub Actions workflow to attic/. The PR also includes routine dependency updates (certifi, click, greenlet, etc.).

Findings

1. No integrity verification for GitHub CLI binary download (Moderate)

The Dockerfile (Dockerfile:64-67) downloads the gh binary from GitHub releases and pipes it directly to tar with no checksum or signature verification:

RUN set -o pipefail \
    && curl --fail --silent --location \
       https://github.com/cli/cli/releases/download/v${azul_ghcli_version}/gh_${azul_ghcli_version}_linux_${TARGETARCH}.tar.gz \
    | tar -xzf - -C /usr/local/bin --strip-components=2 --wildcards "*/bin/gh" --occurrence=1

This contrasts with other tool installations in the same Dockerfile:

  • AWS CLI: GPG signature verified (gpg --verify)
  • Docker credential helper: SHA256 checksum verified
  • Docker packages: signed apt repository

The gh CLI project publishes gh_X.Y.Z_checksums.txt with a detached GPG signature in each release, so verification is feasible. Without it, a compromised release artifact or build-time network attack could inject a malicious binary into the image. Recommend adding checksum verification.

2. Token scope and credential migration (Low)

The azul_github_access_token description in environment.py is expanded from "post status checks" to also "create issues in the Azul repositories." Some issue templates target DataBiosphere/azul-private, requiring a classic PAT with repo scope, which is broad (full access to private repositories the token owner can access). This scope requirement is inherited from the old GitHub Action, not new to this PR.

The credential migration path is sound: UPGRADING.rst properly instructs confirming the GitLab token has equivalent permissions and then removing the old AZUL_GITHUB_TOKEN from GitHub Actions secrets, avoiding lingering unused credentials.

Verified items (no concerns)

  • No command injection risk. subprocess.run in schedule.py is called with list arguments throughout (no shell=True). Front matter values are passed to gh via -f flags, not shell-interpolated.

  • No unsafe deserialization. The YAML-like front matter parser (schedule.py:63-82) is a simple line-by-line key-value parser, not yaml.load().

  • Token not leaked in logs. The gh CLI reads credentials from the GITHUB_TOKEN environment variable, not from command-line arguments. The gh_json logging (Running ['gh', ...]) will not expose the token.

  • Post-creation verification (schedule.py:196-208). After creating an issue, the script verifies that labels, assignees, and type were correctly applied by inspecting the API response, catching silent permission failures.

  • Idempotency. Before creating an issue, the script searches for existing issues with the same title (schedule.py:161-168), preventing duplicates if the job runs more than once in the eligible window.

  • Certifi update (2026.5.20 → 2026.6.17) is a routine CA certificate bundle update — positive security maintenance.

Conclusion

The migration from GitHub Actions to GitLab CI is architecturally sound and the Python script is well-defended against injection and permission issues. The main recommendation is to add checksum or signature verification for the GitHub CLI download in the Dockerfile to match the integrity verification standard established for other tools in the same image.

@hannes-ucsc

Copy link
Copy Markdown
Member

(Posted by Claude Code)

Security Design Review

PR Summary: This PR migrates the scheduled GitHub issue creation from a GitHub Action to a GitLab CI job. It installs the GitHub CLI (gh) in the Docker image with SHA-256 checksum verification, adds a github_schedule GitLab CI job that runs .github/workflows/schedule.py using azul_github_access_token, and moves the old GitHub Actions workflow to attic/. The PR also includes routine dependency updates (certifi, click, greenlet, etc.).

Findings

1. Token scope and credential migration (Low)

The azul_github_access_token description in environment.py is expanded from "post status checks" to also "create issues in the Azul repositories." Some issue templates target DataBiosphere/azul-private, requiring a classic PAT with repo scope, which is broad (full access to private repositories the token owner can access). This scope requirement is inherited from the old GitHub Action, not new to this PR.

The credential migration path is sound: UPGRADING.rst properly instructs confirming the GitLab token has equivalent permissions and then removing the old AZUL_GITHUB_TOKEN from GitHub Actions secrets, avoiding lingering unused credentials.

Verified items (no concerns)

  • GitHub CLI integrity verification. The gh binary is downloaded from GitHub releases over HTTPS, then verified against a SHA-256 checksum committed in bin/checksums/gh_checksums.txt. The checksum file is pinned at review time and can be updated via make gh_checksums. This matches the integrity verification pattern used for other tools in the Dockerfile (ECR credential helper uses SHA-256, AWS CLI uses GPG). Note that the upstream checksums file itself is unsigned, so the trust anchor is the committed checksums file reviewed in this PR, not a cryptographic signature chain.

  • No command injection risk. subprocess.run in schedule.py is called with list arguments throughout (no shell=True). Front matter values are passed to gh via -f flags, not shell-interpolated.

  • No unsafe deserialization. The YAML-like front matter parser (schedule.py:63-82) is a simple line-by-line key-value parser, not yaml.load().

  • Token not leaked in logs. The gh CLI reads credentials from the GITHUB_TOKEN environment variable, not from command-line arguments. The gh_json logging (Running ['gh', ...]) will not expose the token.

  • Post-creation verification (schedule.py:196-208). After creating an issue, the script verifies that labels, assignees, and type were correctly applied by inspecting the API response, catching silent permission failures.

  • Idempotency. Before creating an issue, the script searches for existing issues with the same title (schedule.py:161-168), preventing duplicates if the job runs more than once in the eligible window.

  • Certifi update (2026.5.20 → 2026.6.17) is a routine CA certificate bundle update — positive security maintenance.

Conclusion

No security concerns. The migration from GitHub Actions to GitLab CI is architecturally sound, the Python script is well-defended against injection and permission issues, and the GitHub CLI download is integrity-verified via committed SHA-256 checksums.

hannes-ucsc
hannes-ucsc previously approved these changes Jul 7, 2026
@hannes-ucsc

Copy link
Copy Markdown
Member

Security design review

  • Security design review completed; this PR does not
    • … affect authentication; for example:
      • OAuth 2.0 with the application (API or Swagger UI)
      • Authentication of developers with Google Cloud APIs
      • Authentication of developers with AWS APIs
      • Authentication with a GitLab instance in the system
      • Password and 2FA authentication with GitHub
      • API access token authentication with GitHub
      • Authentication with Terra
    • … affect the permissions of internal users like access to
      • Cloud resources on AWS and GCP
      • GitLab repositories, projects and groups, administration
      • an EC2 instance via SSH
      • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
    • … affect the permissions of external users like access to
      • TDR snapshots
    • … affect permissions of service or bot accounts
      • Cloud resources on AWS and GCP
    • … affect audit logging in the system, like
      • adding, removing or changing a log message that represents an auditable event
      • changing the routing of log messages through the system
    • … affect monitoring of the system
    • introduce a new software dependency like Fix: GH Action schedule failed to create promotion ticket (#8041) #8110 (comment)
      • Python packages on PYPI
      • Command-line utilities
      • Docker images
      • Terraform providers
    • … add an interface that exposes sensitive or confidential data at the security boundary
    • … affect the encryption of data at rest
    • … require persistence of sensitive or confidential data that might require encryption at rest
    • … require unencrypted transmission of data within the security boundary
    • … affect the network security layer; for example by
      • modifying, adding or removing firewall rules
      • modifying, adding or removing security groups
      • changing or adding a port a service, proxy or load balancer listens on
  • Documentation on any unchecked boxes is provided in comments below

dsotirho-ucsc
dsotirho-ucsc previously approved these changes Jul 7, 2026
@achave11-ucsc

Copy link
Copy Markdown
Member Author

The tempdev deployment has been successfully hibernated:

_hibernate
…
Successfully hibernated tempdev

Comment thread UPGRADING.rst
You may need to ask a system administrator to perform these changes on your
behalf.

Add a new ``github_schedule`` pipeline schedule on the ``dev`` and ``anvildev``

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would have been helpful to describe where in the UI this is.

Comment thread UPGRADING.rst

1) Set the description to "Create Azul scheduled issues on GitHub".

2) Set the interval pattern to ``0 * * * *`` on ``dev`` and ``30 * * * *`` on

@hannes-ucsc hannes-ucsc Jul 8, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2) and 3) should have been swapped since that's the order in which they occur in the UI

Comment thread UPGRADING.rst

4) Set the variable ``azul_gitlab_schedule`` to ``github_schedule``

Next, confirm with the SA that the ``azul_github_access_token`` used in both

@hannes-ucsc hannes-ucsc Jul 8, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should occur first in the instructions, as it needs to be done before the schedule is created.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

0 reviews [process] Lead didn't request any changes reqs [process] PR includes commit requiring ``make requirements`` sandbox [process] Resolution is being verified in sandbox deployment upgrade [process] PR includes commit requiring manual upgrade

Projects

None yet

Development

Successfully merging this pull request may close these issues.

GH Action schedule failed to create promotion ticket

5 participants