Merge branch 'main' into update_faq

.github/workflows/build_docker_images.yml

@@ -31,74 +31,34 @@ on:
     branches:
       - main
       - keycloak-realm-with-groups
+      - fail-fast-off
     tags: [v*]
 
 jobs:
-  create_frontend_docker_image:
+  create_docker_images:
     runs-on: ubuntu-latest
-    env:
-      REGISTRY: ghcr.io
-      IMAGE_NAME: sartography/spiffworkflow-frontend
-      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Check out the repository
-        uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Log in to the Container registry
-        uses: docker/[email protected]
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Get current date
-        id: date
-        run: echo "date=$(date -u +'%Y-%m-%d_%H-%M-%S')" >> "$GITHUB_OUTPUT"
-      - name: Get short commit sha
-        id: commit_sha
-        run: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/[email protected]
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.description=Frontend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams
-            org.opencontainers.image.version=${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
-          tags: |
-            type=ref,event=branch,branch=main,suffix=-latest
-            type=ref,event=branch,suffix=-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
-            type=ref,event=tag,enable=true,format={{version}}
-            type=ref,event=tag,enable=true,format=latest
-
-      - name: Write app version info
-        working-directory: spiffworkflow-frontend
-        run: echo "$DOCKER_METADATA_OUTPUT_JSON" | jq '.labels' > version_info.json
-      - name: Build and push Frontend Docker image
-        uses: docker/[email protected]
-        with:
-          # this action doesn't seem to respect working-directory so set context
-          context: spiffworkflow-frontend
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-      - run: echo 'TAGS' >> "$GITHUB_STEP_SUMMARY"
-      - run: echo 'TAGS ${{ steps.meta.outputs.tags }}' >> "$GITHUB_STEP_SUMMARY"
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image_name: sartography/spiffworkflow-frontend
+            context: spiffworkflow-frontend
+            description: "Frontend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
+          - image_name: sartography/spiffworkflow-backend
+            context: spiffworkflow-backend
+            description: "Backend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
+          - image_name: sartography/connector-proxy-demo
+            context: connector-proxy-demo
+            description: "Connector proxy component of SpiffWorkflow, providing integration capabilities for external services"
 
-  create_backend_docker_image:
-    runs-on: ubuntu-latest
     env:
       REGISTRY: ghcr.io
-      IMAGE_NAME: sartography/spiffworkflow-backend
+      IMAGE_NAME: ${{ matrix.image_name }}
       BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
     permissions:
       contents: read
       packages: write
+      security-events: write # Required for uploading Trivy scan results to GitHub Security
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
@@ -123,7 +83,7 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           labels: |
-            org.opencontainers.image.description=Backend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams
+            org.opencontainers.image.description=${{ matrix.description }}
             org.opencontainers.image.version=${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
           tags: |
             type=ref,event=branch,branch=main,suffix=-latest
@@ -132,83 +92,72 @@ jobs:
             type=ref,event=tag,enable=true,format=latest
 
       - name: Write app version info
-        working-directory: spiffworkflow-backend
+        working-directory: ${{ matrix.context }}
         run: echo "$DOCKER_METADATA_OUTPUT_JSON" | jq '.labels' > version_info.json
-      - name: Build and push Backend Docker image
-        uses: docker/[email protected]
+      - name: Generate full image tag
+        id: full_tag
+        run: echo "full_tag=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}" >> "$GITHUB_OUTPUT"
+      - name: Build Docker image
+        uses: docker/[email protected]
         with:
-          # this action doesn't seem to respect working-directory so set context
-          context: spiffworkflow-backend
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
+          context: ${{ matrix.context }}
+          push: false # Don't push yet
+          load: true # Load image to local Docker daemon
+          tags: ${{ steps.full_tag.outputs.full_tag }}
           labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-      - name: Adding markdown
-        run: echo 'TAGS ${{ steps.meta.outputs.tags }}' >> "$GITHUB_STEP_SUMMARY"
-
-  create_demo_proxy_docker_image:
-    runs-on: ubuntu-latest
-    env:
-      REGISTRY: ghcr.io
-      IMAGE_NAME: sartography/connector-proxy-demo
-      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+          # While we ultimately push multi-arch images (amd64/arm64) to registries, we don't want to do that before we scan for vulns.
+          # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here.
+          # It's pretty likely that any vuln in amd64 is also in arm64, and vice-versa, so the trade-off seems reasonable.
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Check out the repository
-        uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Log in to the Container registry
-        uses: docker/[email protected]
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
         with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Get current date
-        id: date
-        run: echo "date=$(date -u +'%Y-%m-%d_%H-%M-%S')" >> "$GITHUB_OUTPUT"
-      - name: Get short commit sha
-        id: commit_sha
-        run: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/[email protected]
+          image-ref: "${{ steps.full_tag.outputs.full_tag }}"
+          scan-type: "image"
+          hide-progress: false
+          limit-severities-for-sarif: true
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL"
+          exit-code: 1 # Fail the workflow if critical vulnerabilities are found
+          timeout: 15m0s
+          ignore-unfixed: true
+      - name: Check if Trivy results exist
+        if: always()
+        # trivy will fail if vulnerabilities are found but we need to upload them anyway
+        run: |
+          if [ -f "trivy-results.sarif" ]; then
+            echo "UPLOAD_TRIVY_RESULTS=true" >> "$GITHUB_ENV"
+          else
+            echo "Trivy results file not found. Skipping upload."
+            echo "UPLOAD_TRIVY_RESULTS=false" >> "$GITHUB_ENV"
+          fi
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always() && env.UPLOAD_TRIVY_RESULTS == 'true'
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.description=spiffworkflow-connector-proxy-demo
-            org.opencontainers.image.version=${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
-          tags: |
-            type=ref,event=branch,branch=main,suffix=-latest
-            type=ref,event=branch,suffix=-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
-            type=ref,event=tag,enable=true,format={{version}}
-            type=ref,event=tag,enable=true,format=latest
+          sarif_file: "trivy-results.sarif"
 
-      - name: Build and push the connector proxy
-        uses: docker/build-push-action@v6.9.0
+      - name: Push Docker image
+        uses: docker/build-push-action@v6.10.0
         with:
-          # this action doesn't seem to respect working-directory so set context
-          context: connector-proxy-demo
+          context: ${{ matrix.context }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
       - name: Adding markdown
         run: echo 'TAGS ${{ steps.meta.outputs.tags }}' >> "$GITHUB_STEP_SUMMARY"
 
   quickstart-guide-test:
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
-    needs:
-      [
-        create_frontend_docker_image,
-        create_backend_docker_image,
-        create_demo_proxy_docker_image,
-      ]
+    needs: [create_docker_images]
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/constraints.txt

@@ -1,2 +1,2 @@
 pip==24.3.1
-poetry==1.8.4
+poetry==1.8.5

.github/workflows/tests.yml

@@ -299,10 +299,10 @@ jobs:
           ./bin/run_ci_session coverage
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@v5.1.1
 
       - name: SonarCloud Scan
-        uses: sonarsource/sonarcloud-github-action@v3.1.0
+        uses: sonarsource/sonarcloud-github-action@v4.0.0
         # thought about just skipping dependabot
         # if: ${{ github.actor != 'dependabot[bot]' }}
         # but figured all pull requests seems better, since none of them will have access to sonarcloud.
@@ -365,7 +365,7 @@ jobs:
         # if: ${{ github.event_name != 'pull_request' }}
         # so just skip everything but main
         if: github.ref_name == 'main'
-        uses: sonarsource/sonarcloud-github-action@v3.1.0
+        uses: sonarsource/sonarcloud-github-action@v4.0.0
         with:
           projectBaseDir: spiffworkflow-frontend
         env:

.gitignore

@@ -6,7 +6,7 @@ t
 version_info.json
 .coverage*
 UNKNOWN.egg-info/
-process_models/
+process_models
 .ipynb_checkpoints
 .env*
 .cache

.pre-commit-config.yaml

@@ -35,7 +35,7 @@ repos:
         require_serial: true
         # this is also specified in spiffworkflow-backend/pyproject.toml but we run pre-commit
         # with all-files which ignores that
-        exclude: "/migrations/"
+        exclude: "/migrations/|bin/load_test_message_start_event.py"
       - id: ruff-format
         args: [format]
         files: ^spiffworkflow-backend/

connector-proxy-demo/Dockerfile

@@ -22,7 +22,7 @@ FROM base AS deployment
 # vim ftw
 RUN apt-get update \
   && apt-get clean -y \
-  && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny \
+  && apt-get install -y -q git-core curl procps gunicorn3 default-mysql-client vim-tiny libkrb5support0 libexpat1 \
   && rm -rf /var/lib/apt/lists/*
 
 RUN pip install poetry==1.6.1

docs/Building_Diagrams/Script_Tasks.md

@@ -6,6 +6,40 @@ In SpiffArena, the scripting language used for writing scripts is Python, a wide
 
 Python offers a rich array of libraries, frameworks, and tools that facilitate script development, making it a popular choice for implementing custom logic and automation.
 
+## **Script Task Properties**
+  ```{image} ./images/Script_task_update.png
+:alt: Script Task
+:width: 300px
+:align: right
+```
+1. **General**
+   - **Name**: Allows users to name the Script Task. The name should reflect the task's purpose for easy identification.
+   - **ID**: Automatically generated unique identifier for the Script Task within the workflow. This ID can be used for referencing in code or debugging.
+
+2. **Documentation**
+   - **Element Documentation**: A free-text field to add notes or explanations about the purpose and function of this task. This is helpful for maintaining clear documentation within the workflow for team collaboration or future updates.
+
+3. **Script**
+   - **Script Field**: A text area for entering the code to be executed. This script should be written in Python, adhering to the rules and libraries supported by SpiffWorkflow.
+     - Example: 
+       ```python
+       result = context.get('input_variable', 0) * 2
+       context['output_variable'] = result
+       ```
+     - In the example above:
+       - **context.get** retrieves a process variable.
+       - **context['output_variable']** saves the result back to the workflow.
+   - **Launch Editor**: A button to open a more robust code editor for longer or more complex scripts. This improves readability and enables developers to write, format, and debug scripts more effectively.
+
+4. **Instructions**
+   - **Instructions Field**: Use this section to define task-specific guidance or additional notes visible during task execution.
+     - Example: *"Ensure the input variable `amount` is defined before running this task."*
+   - Markdown-supported formatting enables rich-text documentation.
+
+5. **Input/Output Management Section**
+   - **Inputs**: Define the process variables required for the script task to execute. For example, a variable `amount` could be an input for calculations.
+   - **Outputs**: Specify the variables the task will produce. These variables can be accessed in subsequent tasks in the workflow.
+
 Let's explore an example of a Script Task in our basics section:
 
 1. **Start Event and User Task - "Form"**

docs/Building_Diagrams/custom_process_metadata.md

@@ -0,0 +1,41 @@
+# Custom Process Metadata
+
+This guide will walk you through the steps to create a process model that generates custom metadata using a metadata extraction path and how to query that metadata using process instance filtering.
+
+## Step 1: Define the Process Model
+
+**Create a New Process Model**:
+
+- Navigate to the "Processes" section in SpiffArena.
+- Click on "Add a process model" and fill in the required fields as described elsewhere.
+- In the process model form, specify the metadata extraction path.
+  - This path is used to extract data from your process instances for quick access in searches and perspectives.
+  - Example: If you have a script task that sets `great_color = "blue"`, set both the extraction key and extraction path to `great_color`.
+- Save the process model.
+
+## Step 2: Start the Process
+
+1. **Initiate the Process**:
+
+   - Navigate to the "Home" section and click on "Start New" to initiate the process.
+   - Select the process model you created and start a new instance.
+
+2. **Monitor Process Execution**:
+   - Track the progress of the process instance to ensure it completes successfully and actually generates appropriate task data, such as `great_color` or whatever specific data you are looking for.
+
+## Step 3: Query Custom Metadata
+
+1. **Navigate to Process Instances**:
+
+   - Go to the "Process Instances" section to view all instances.
+
+2. **Expose a column for your Custom Metadata attribute**:
+
+   - Use the plus icon to add a column.
+   - Select the metadata field you defined in the extraction path and click Save.
+   - You should now be able to see your custom metadata as a new column in the process instance report.
+
+3. **View Filtered Results**:
+   - You can also filter process instances based on your custom column using the same column options.
+
+By following these steps, you can create a process model that generates custom metadata and efficiently query that metadata using process instance filtering.