Merge pull request #222 from skyflowapi/skyflow-vivek/SK-2392-maintain-1.16.0-code-in-v1

SK-2392 Migrate code to V1 branch

Author: skyflow-vivek

.github/workflows/Gitleaks.yml

@@ -0,0 +1,97 @@
+name: Gitleaks secrets scan
+
+on:
+  pull_request:
+    branches:
+      - v1
+
+
+permissions:
+  issues: write
+  pull-requests: write
+  contents: read
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Required to get full commit history for diffing
+
+          
+      - name: Get base and head commit SHAs
+        run: |
+          echo "BASE_SHA=${{ github.event.pull_request.base.sha }}" >> $GITHUB_ENV
+          echo "HEAD_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+
+  
+      - name: Run Gitleaks on PR changes via Docker
+        run: |
+          docker run --rm -v $(pwd):/repo -w /repo zricethezav/gitleaks:latest detect \
+            --config="/repo/Rule/gitleaks.toml" \
+            --log-opts="--no-merges $BASE_SHA..$HEAD_SHA" \
+            --verbose \
+            --exit-code=0 \
+            --report-format=json \
+            --report-path="/repo/gitleaks-report.json" \
+            --redact
+
+      - name: Upload Gitleaks report
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-report
+          path: gitleaks-report.json
+
+      - name: Format and comment findings on PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ ! -f gitleaks-report.json ]; then
+            echo "Report file not found!"
+            exit 1
+          fi
+
+          FINDINGS_JSON=$(cat gitleaks-report.json)
+          COUNT=$(echo "$FINDINGS_JSON" | jq 'length')
+          SHA="${{ github.event.pull_request.head.sha }}"
+          REPO="${{ github.repository }}"
+          PR_NUMBER="${{ github.event.pull_request.number }}"
+          MAX=10
+
+          if [ "$COUNT" -gt 0 ]; then
+            COMMENT="**🔐 Gitleaks Findings: $COUNT issue(s) detected**\n\n"
+            i=0
+            while [ "$i" -lt "$COUNT" ] && [ "$i" -lt "$MAX" ]; do
+              ITEM=$(echo "$FINDINGS_JSON" | jq ".[$i]")
+              RULE=$(echo "$ITEM" | jq -r '.RuleID')
+              DESC=$(echo "$ITEM" | jq -r '.Description')
+              FILE=$(echo "$ITEM" | jq -r '.File')
+              LINE=$(echo "$ITEM" | jq -r '.Line')
+              LINK="https://github.com/$REPO/blob/$SHA/$FILE#L$LINE"
+              SECRET_MASKED="**********"
+              COMMENT+="🔸 **Rule**: \`$RULE\`\n"
+              COMMENT+="📄 **File**: \`$FILE:$LINE\`\n"
+              COMMENT+="📝 **Description**: $DESC\n"
+              COMMENT+="🔑 **Secret**: \`$SECRET_MASKED\`\n"
+              COMMENT+="🔗 **Path**: [$FILE:$LINE]($LINK)\n\n"
+              i=$((i + 1))
+            done
+
+            if [ "$COUNT" -gt "$MAX" ]; then
+              COMMENT+="...and more. Only showing first $MAX findings.\n"
+            fi
+          else
+            COMMENT="✅ **Gitleaks Findings:** No secrets detected. Safe to proceed!"
+          fi
+
+          # Escape newlines for GitHub API
+          COMMENT=$(echo "$COMMENT" | sed ':a;N;$!ba;s/\n/\\n/g')
+
+          curl -X POST \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github.v3+json" \
+            -d "{\"body\":\"$COMMENT\"}" \
+            "https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/comments"

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
       - name: Check JIRA ID
         uses: gsactions/commit-message-checker@v1
         with:
-          pattern: '\[?[A-Z]{1,5}-[1-9][0-9]*.+$'
+          pattern: '(\[?[A-Z]{1,5}-[1-9][0-9]*)|(\[AUTOMATED\])|(Merge)|(Release).+$'
           flags: 'gm'
           excludeDescription: 'true'
           checkAllCommitMessages: 'true'
@@ -22,7 +22,7 @@ jobs:
     - uses: actions/checkout@v2
     - uses: actions/setup-python@v2
       with:
-        python-version: '3.7'
+        python-version: '3.8'
 
     - name: create-json
       id: create-json

.github/workflows/codeql-analysis.yml

@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ main, '*']
+    branches: [ v1, '*']
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ main ]
+    branches: [ v1 ]
 
 jobs:
   analyze:

.github/workflows/internal-release.yml

@@ -0,0 +1,22 @@
+name: Internal Release
+
+on:
+  push:
+    tags-ignore:
+      - '*.*'
+    paths-ignore:
+      - "setup.py"
+      - "*.yml"
+      - "*.md"
+      - "skyflow/version.py"
+      - "samples/**"
+    branches:
+      - release/*
+
+jobs:
+  build-and-deploy:
+    uses: ./.github/workflows/shared-build-and-deploy.yml
+    with:
+      ref: ${{ github.ref_name }}
+      tag: 'internal'
+    secrets: inherit

.github/workflows/main.yml

@@ -1,9 +1,9 @@
-name: main
+name: V1
 
 on:
   push:
     branches:
-      - main
+      - v1
 
 jobs:
   Test:
@@ -12,7 +12,7 @@ jobs:
     - uses: actions/checkout@v2
     - uses: actions/setup-python@v2
       with:
-        python-version: '3.7'
+        python-version: '3.8'
 
     - name: create-json
       id: create-json

.github/workflows/pull_request_template.md

@@ -0,0 +1,22 @@
+Start with a concise summary of the PR. The first three sections are required. The questions present in each section is there to help you guide you what to add. They are meant to be overwritten by your comments.
+## Why
+- Why are you making the change?
+- What is the underlying issue that you are trying to case, in case of fix?
+- Why is it needed by the feature you are working on?
+- What is the intent behind making the change?
+
+## Goal
+- What is the intended outcome?
+- What part of the feature should start working?
+- What are the non-goals or will be covered in future PR?
+
+## Testing
+- How was the code tested?
+- If you haven't written unit tests, why?
+- What more testing is needed? Do you intend to manually test it after deployment?
+- Do you have any concerns if this changed is released to prod?
+
+## Tech debt
+- Is the PR adding to tech debt in any way?
+- Are you addressing some Tech debt in this PR?
+- If both the above are false, feel free to remove this section.

.github/workflows/semgrep.yml

@@ -1,35 +1,64 @@
-name: Semgrep
+name: Semgrep Scan
 
-# Run workflow each time code is pushed to your repository.
 on:
-  push:
-    branches:
-      - main
   pull_request:
     branches:
-      - main
+      - v1
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # Give write permission to PRs
+      issues: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Install Semgrep
-        run: pip install semgrep
+      - name: Install Semgrep and jq
+        run: |
+          sudo apt install python3-venv jq
+          python3 -m venv .venv
+          .venv/bin/pip install semgrep
 
       - name: Run Semgrep
         run: |
-          semgrep --config .semgreprules/customRule.yml --config auto --severity ERROR --sarif . > results.sarif
+          source .venv/bin/activate
+          semgrep --config auto --severity ERROR --json-output=results.json --no-error
+          cat results.json | jq .results > pretty-results.json
 
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Display Raw Semgrep JSON Output
+        run: |
+         echo "Displaying raw Semgrep results..."
+         cat pretty-results.json
+         
+      - name: Add comment on PR if findings are found
+        uses: actions/github-script@v6
         with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: results.sarif
+          script: |
+            // Ensure the context has a pull_request
+            if (context.payload.pull_request) {
+              const prNumber = context.payload.pull_request.number;
+              const fs = require('fs');
+              const results = JSON.parse(fs.readFileSync('pretty-results.json', 'utf8'));
+              const highFindings = results.filter(result => result.extra && result.extra.severity === 'ERROR');
 
-      - name: Upload results
-        uses: actions/upload-artifact@v4
-        with:
-          name: semgrep-results
-          path: results.sarif
+              // Comment if findings exist
+              if (highFindings.length > 0) {
+                const comment = `**Semgrep Findings:** Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.`;
+                await github.rest.issues.createComment({
+                  ...context.repo,
+                  issue_number: prNumber,
+                  body: comment
+                });
+              } else {
+                const noIssuesComment = "**Semgrep findings:** No issues found, Good to merge.";
+                await github.rest.issues.createComment({
+                  ...context.repo,
+                  issue_number: prNumber,
+                  body: noIssuesComment
+                });
+              }
+            } else {
+              console.log("This workflow wasn't triggered by a pull request, so no comment will be added.");
+            }

.github/workflows/shared-build-and-deploy.yml

@@ -0,0 +1,74 @@
+name: Shared Build and Deploy
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: 'Git reference to use (e.g., v1 or branch name)'
+        required: true
+        type: string
+
+      tag:
+        description: 'Release Tag'
+        required: true
+        type: string
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v2
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install setuptools wheel twine
+      - name: Resolve Branch for the Tagged Commit
+        id: resolve-branch
+        if: ${{ inputs.tag == 'beta' || inputs.tag == 'public' }} 
+        run: |
+          TAG_COMMIT=$(git rev-list -n 1 ${{ github.ref_name }})
+          BRANCH_NAME=$(git branch -r --contains $TAG_COMMIT | grep -o 'origin/.*' | sed 's|origin/||' | head -n 1)
+          if [ -z "$BRANCH_NAME" ]; then
+            echo "Error: Could not resolve branch for the tag."
+            exit 1
+          fi
+          echo "Resolved Branch Name: $BRANCH_NAME"
+          echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV
+      - name: Get Previous tag
+        id: previoustag
+        uses: WyriHaximus/github-action-get-previous-tag@v1
+        with:
+          fallback: 1.0.0
+
+      - name: Bump Version
+        run: |
+          chmod +x ./ci-scripts/bump_version.sh
+          if ${{ inputs.tag == 'internal' }}; then
+            ./ci-scripts/bump_version.sh "${{ steps.previoustag.outputs.tag }}" "$(git rev-parse --short "$GITHUB_SHA")"
+          else
+            ./ci-scripts/bump_version.sh "${{ steps.previoustag.outputs.tag }}"
+          fi
+      - name: Commit changes
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor }}@users.noreply.github.com"
+          git add setup.py
+          git add skyflow/version.py
+          if [[ "${{ inputs.tag }}" == "internal" ]]; then
+            VERSION="${{ steps.previoustag.outputs.tag }}.dev0+$(git rev-parse --short $GITHUB_SHA)"
+            COMMIT_MESSAGE="[AUTOMATED] Private Release $VERSION"
+            git commit -m "$COMMIT_MESSAGE"
+            git push origin ${{ github.ref_name }} -f
+          fi
+      - name: Build and Publish to JFrog Artifactory
+        if: ${{ inputs.tag == 'internal' }}
+        env:
+          TWINE_USERNAME: ${{ secrets.JFROG_USERNAME }}
+          TWINE_PASSWORD: ${{ secrets.JFROG_PASSWORD }}
+        run: |
+          python setup.py sdist bdist_wheel
+          twine upload --repository-url https://prekarilabs.jfrog.io/artifactory/api/pypi/skyflow-python/ dist/*